Cyber Expedite  – Insight Series

Insight Series is a collection of exclusive security related content by industry experts and organisations to keep you informed of current best practices.

VMGroup is a global firm, operating since 2014, providing extensive knowledge and expertise in the area of Digital Forensics, eDiscovery, Data Recovery, Information Security consulting, IT Audit, Risk Assurance services, and all related areas to their clients.



We expand on the 12 Steps to Cyber Security from the NCSC with insight provided by industry leaders.


Step 3 – Understand the threats!


To start, could you explain why a Cyber Threat Intelligence (CTI) capability is needed, regardless of the scale or size of the business you operate?

A Cyber Threat Intelligence (CTI) capability is required regardless of the scale or size of the business because it:

1. Helps organizations better protect against cyberattacks
2. Gives security teams a comprehensive view of the threat landscape
3. Enables security teams to make better decisions
4. Reveals adversarial motives and their tactics, techniques, and procedures (TTPs)
5. Helps security professionals better understand the threat actor's decision-making process
6. Prevents attacks from occurring in the present day and in the future
7. Creates a more targeted, proactive defense against cyber-attacks
8. Supports sustainable, ongoing protection from all angles

Depending on their risk, scale and type of business, smaller organisations might be pushed to leave this capability until last. Why is it important that they don't?

Anyone who connects to the internet or stores data in the cloud or on a hard drive should consider threat intelligence. Small businesses in particular need to understand the concept in order to ensure that, in their attempts to prevent cyberattacks, they adequately secure their assets without going bankrupt from overkill.
Cyber Threat Intelligence (CTI) has become an integral component of modern business operations in today's digital world. CTI refers to the collection, analysis, and dissemination of information about potential threats and attacks on an organisation's IT infrastructure. This information is critical for mitigating potential risks and protecting against cybersecurity threats.

Preventing modern cyber-attacks is as much about knowing your attackers as it is your own weaknesses. Where do organisations start to try and understand their likely assets of interest to attackers?

Organizations must be aware of the technology they use, what and who it is communicating with, and then keep a close eye on it in order to provide a secure working environment. The trick is to be observant. To embed security into an organization’s DNA, everyone from the board and C-suite down must be on the same page and treat security as a constant activity that balances technology with people and processes.

How do they use this information to gauge their control effectiveness or gaps?

As part of the tabletop/scenario exercise, organizations should use the following checklist to assess the control efficacy of their Incident Response Plan (IRP):
1. Ownership and responsibilities
2. Roles and contacts
3. Communication methods and contact list
4. Incident identification and confirmation
5. Containment (this typically means stopping the threat to prevent any further damage)
6. Eradication (restore the systems to a pre-incident state)
7. Recovery (recover from the incident and ensure systems integrity)
8. Lessons learned (it's important to learn from the cyber incident)

Could you expand on the common types of threat actors organisations face, such as activists, cyber criminals, etc?

There are several threats that organizations may encounter, and this issue cannot be covered in a few pages. However, the following are examples of prevalent categories of threat actors:

1. Organized Cybercriminals: Profiting from Cybercrime. These threat actors focus on stealing sensitive financial data from corporations, money from financial systems, or personal information from customer records. They are also known to use ransomware to extort business owners directly.
2. Cyber Activism with a Dark Side. These threat actors have strong political affiliations or social ideologies coupled with expert hacking skills. They demonstrate vulnerabilities in systems and networks aimed at raising cybersecurity awareness (or sometimes advancing socio-political agendas).
3. Insider Threats: The Danger Within. Insider threats are more common. Sometimes a company's employees, contractors, or partners may misuse their authorized access privileges to steal data. Their motive may be financial gain, or they may do it for other reasons, such as using customer data for their own initiatives or leaking proprietary information to a competitor they wish to join.
4. Script Kiddies: Amateur Threat Actors. These types of cyber threat actors/hackers don't have sophisticated techniques and often lack serious hacking skills. They usually rely on pre-written scripts and tools developed by other types of threat actors to penetrate a network or system.

In your experience what’s the greatest threat to an organisation these days and why?

Please refer to the above (1. Organized Cybercriminals: Profiting from Cybercrime). Ransomware/malware threatens the organization with publishing the victim's personal data or permanently blocking access to it until a ransom is paid. So, ransomware is the greatest threat for small, medium and large businesses.

What are some of the common lessons learnt every organisation goes through once an attack has been experienced?

The common lessons from recent cyber security attacks are listed below. By implementing these suggestions, organizations can strengthen their cyber security posture, increase their resilience, and guard against potential harm.

1. Patch your systems regularly;
2. Back up your data;
3. Report incidents and respond quickly;
4. Do not pay the ransom; and
5. Train your staff.

To understand the threats, it is critical that you understand what you're protecting and how that asset is vulnerable. What steps or controls would you encourage any organisation to implement quickly?

In order to maintain a secure working environment, organizations must be aware of the technology they use, what and who it is connecting with, and then keep an ongoing watch on it.
Understand who the attackers are and what motivates them to attack your assets (for example, money, ideology, competitive advantage, etc.).

Organisations should consider the vulnerabilities and threats they face and their impact on the organisation. Consider the following focus areas at a bare minimum to assess vulnerabilities, as it is important that organisations understand where their defences are weak. An annual security self-assessment is a great starting point for identifying security vulnerabilities.
Once established, repeat the risk evaluation process on a regular basis to assist in informing and directing the cyber risk management program. Furthermore, participate in industry forums where threat intelligence is discussed.


Area of Focus
1. Unauthorised access;
2. Data Breach;
3. Network Compromise;
4. Unauthorised sharing;
5. Malware;
6. Malicious insiders;
7. Device misconfiguration;
8. Unpatched vulnerabilities;
9. Session hijacking;
10. Man-in-the-middle attack; and
11. Brute-force attack

Could you expand on the ways an organisation could add Cyber Threat Intelligence (CTI), such as tools, services or a managed service?

Organisations should adopt the following critical steps to safeguard against cyberattacks:
1. Put cyber decisions on the same level of importance as other important business decisions.
2. Spread an information security awareness culture.
3. Develop a comprehensive approach (data breaches can happen to anyone, no matter how well-prepared you are).
4. Leverage AI for real-time monitoring of user activities, network inbound and outbound traffic, malware solutions, threat intelligence, and SIEM data.
5. Perform routine reviews (risk analyses, device configurations, gap analyses against global standards, policy reviews, network security reviews, etc.).
6. Ensure correct classification of assets and risks.
7. Use tools for threat intelligence (SharkStriker, Barracuda, Paradyn).
8. Managed SOC service (24x7 or 8x5) with a third-party vendor.

In mapping and designing possible attack scenarios, what steps would be involved in ensuring an organisation's controls are effective?

• Identifying vulnerabilities
• Improving incident response readiness
• Enhancing communication and coordination
• Providing a cost-effective solution to compliance and building confidence
• Developing a better understanding of the impact of a breach in a cost-efficient manner
• Maintaining a positive reputation through transparency and communication
• Solidifying roles and responsibilities and exploring decision-making processes
• Assessing the capabilities of your existing resources

Obviously desktop simulation exercises are one route, especially with the assistance of a third-party security company. If someone wanted to carry out their own exercise, how would they run that tabletop?

These are discussion-based exercises in which individuals (the incident management team) gather in a classroom or in breakout groups to explore their roles during an emergency and their responses to a specific emergency situation. A facilitator provides a scenario and asks exercise participants questions about it, which sparks a conversation about roles, responsibilities, coordination, and decision-making. A tabletop exercise consists solely of talk and does not entail the deployment of equipment or other resources.

Why is it so important to carry out this type of exercise regularly?

The feasibility of an Incident Response Plan (IRP) is a major consideration when putting it into action. Tabletop exercises should be undertaken at least once a year to ensure that the IRP can be triggered when needed.

What open/free threat feeds would you recommend that could be of value for any type of organisation, regardless of whether they have dedicated security professionals or not?

1. AlienVault Open Threat Exchange: Best for community-driven threat feeds
2. FBI InfraGard: Best for critical infrastructure security
3. abuse.ch URLhaus: Best for malicious URL detection
4. SANS Internet Storm Center: Best for threat explanations
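As an added example (not part of VMGroup's answer, and not tooling from abuse.ch or any other feed provider), the following Python script shows the minimum an organisation without a dedicated security team needs to put a URL feed such as URLhaus to work: parse a CSV export, normalise the URLs, and match them against outbound proxy log lines. The feed rows, the column layout, the proxy log format and every hostname below are constructed sample data and assumptions, not taken from a real export.

```python
import csv
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of a URLhaus-style CSV export.
# The column layout is an assumption for this example; check the
# provider's documentation for the real header before relying on it.
SAMPLE_FEED = """# constructed comment line, as feed exports often start with one
"id","dateadded","url","url_status","last_online","threat","tags","urlhaus_link","reporter"
"1","2024-01-01 10:00:00","http://bad.example/payload.exe","online","2024-01-01 10:00:00","malware_download","exe","https://feed.example/url/1/","constructed"
"2","2024-01-02 11:00:00","http://evil.example:8080/x.php","offline","2024-01-02 11:00:00","malware_download","php","https://feed.example/url/2/","constructed"
"3","2024-01-03 12:00:00","https://Mixed.Example/Case/Path","online","2024-01-03 12:00:00","malware_download","","https://feed.example/url/3/","constructed"
"""

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
SAMPLE_PROXY_LOG = """2024-02-01T09:00:01Z 10.0.0.5 GET http://bad.example/payload.exe 200
2024-02-01T09:00:02Z 10.0.0.6 GET https://intranet.example/home 200
2024-02-01T09:00:03Z 10.0.0.7 GET http://evil.example:8080/x.php 404
2024-02-01T09:00:04Z 10.0.0.8 GET https://mixed.example/Case/Path 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def normalise_url(url: str) -> str:
    """Canonical form for matching: lower-case scheme and host, keep the
    path case (many servers treat paths as case-sensitive), keep the port."""
    parts = urlsplit(url.strip())
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}{query}"


def load_feed(text: str, include_offline: bool = False) -> dict:
    """Return {normalised_url: feed_row}. Comment lines are skipped.
    By default only entries still marked 'online' are loaded; set
    include_offline=True to keep historical entries as well (URLs that
    went offline can come back, so this is a tuning choice)."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    indicators = {}
    for row in csv.DictReader(lines):
        if not include_offline and row["url_status"] != "online":
            continue
        indicators[normalise_url(row["url"])] = row
    return indicators


def match_log(log_text: str, indicators: dict) -> list:
    """Return one hit per proxy log line whose URL appears in the feed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the run
        key = normalise_url(m["url"])
        row = indicators.get(key)
        if row is not None:
            hits.append({
                "time": m["ts"],
                "client": m["client"],
                "url": m["url"],
                "threat": row["threat"],
                "feed_id": row["id"],
                "reference": row["urlhaus_link"],
            })
    return hits


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for hit in match_log(SAMPLE_PROXY_LOG, feed):
        print(f"{hit['time']} client={hit['client']} url={hit['url']} "
              f"threat={hit['threat']} ref={hit['reference']}")
```

The match on the third constructed entry only succeeds because of normalisation (the feed has a mixed-case hostname, the log a lower-case one); without it, a feed this simple silently misses real hits. In practice the export would be downloaded on a schedule, and hits would be raised into whatever ticketing or alerting the organisation already uses rather than printed.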

What open forums would you normally recommend organisations avail of?

1. The Hacker News
2. Bleeping Computer

What is the one key initiative you are helping organisations with on a regular basis and why is it so important today?

VMGroup is a global firm providing extensive knowledge and expertise in the area of Digital Forensics, eDiscovery and Information Security and Risk. VMGroup are leaders in the field, providing professional and expert consulting in the respective specialist areas.
VMGroup service offerings can be split into four pillars of service, each in their own right separate from the others, however with a synergy of expertise throughout to deliver high quality services.
VMSecurity & Compliance offers the following services under the security and compliance pillar:
• Cyber Security Audits
• CISO as a service – providing security consulting to firms who aren't big enough for a CISO or are finding it difficult to find a qualified resource
• ISO27001 Pre-Certification Audit and preparatory work
• ISAE Audit (pre-audits and preparatory work)
• SOC I / SOC II Pre-Audits and preparatory work
• GDPR/Data Protection Audit
• Internal Audit Function
• Audit Controls review and development
• Audit Guidance


Recommended Cyber Expedite Workflow.


Incident Response


Every organisation at some point will deal with an incident; the key is always the speed at which you respond and how well you are prepared to minimise any such incident.

This build will highlight the urgency to the service provider and allow you to send your full unredacted Cyber Expedite as quickly as you need to, along with giving you immediate access to emergency incident response contact details.

Please note: You can bypass the regular payment by using our chatbot and requesting a free voucher. This will allow you to scope and connect to the featured service provider for free!