Podcasts about mitre att ck

Play Episode Listen Later Apr 30, 2025 21:09

In this On Location Brand Story episode, Sean Martin speaks with Hugh Njemanze, Founder and CEO of Anomali, who has been at the center of cybersecurity operations since the early days of SIEM. Known for his prior work at ArcSight and now leading Anomali, Hugh shares what's driving a dramatic shift in how security teams access, analyze, and act on data.Anomali's latest offering—a native cloud-based next-generation SIEM—goes beyond traditional detection. It combines high-performance threat intelligence with agentic AI to deliver answers and take action in ways that legacy platforms simply cannot. Rather than querying data manually or relying on slow pipelines, the system dynamically spins up thousands of cloud resources to answer complex security questions in seconds.Agentic AI Meets Threat IntelligenceHugh walks through how agentic AI, purpose-built for security, breaks new ground. Unlike general-purpose models, Anomali's AI operates within a secure, bounded dataset tailored to the customer's environment. It can ingest a hundred-page threat briefing, extract references to actors and tactics, map those to the MITRE ATT&CK framework, and assess the organization's specific exposure—all in moments. Then it goes a step further: evaluating past events, checking defenses, and recommending mitigations. This isn't just contextual awareness—it's operational intelligence at speed and scale.Making Security More Human-CentricOne clear theme emerges: the democratization of security tools. With Anomali's design, teams no longer need to rely on a few highly trained specialists. Broader teams can engage directly with the platform, reducing burnout and turnover, and increasing organizational resilience. Managers and security leaders now shift focus to prioritization, strategic decision-making, and meaningful business conversations—like aligning defenses to M&A activity or reporting to the board with clarity on risk.Real-World Results and Risk InsightsCustomers are already seeing measurable benefits: an 88% reduction in incidents and an increase in team-wide tool adoption. Anomali's system doesn't just detect—it correlates attack surface data with threat activity to highlight what's both vulnerable and actively targeted. This enables targeted response, cost-effective scaling, and better use of resources.Learn more about Anomali: https://itspm.ag/anomali-bdz393Note: This story contains promotional content. Learn more.Guest: Hugh Njemanze, Founder and President at Anomali | https://www.linkedin.com/in/hugh-njemanze-603721/ResourcesLearn more and catch more stories from Anomali: https://www.itspmagazine.com/directory/anomaliLearn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25______________________Keywords:sean martin, hugh njemanze, siem, cybersecurity, ai, threat intelligence, agentic ai, risk management, soc, cloud security, brand story, brand marketing, marketing podcast, brand story podcast______________________Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

What Endpoint Security Isn't Catching: Why Network Visibility Still Matters | A Brand Story with Brian Dye from Corelight | An On Location RSAC Conference 2025 Brand Story

The Social-Engineer Podcast

Play Episode Listen Later Apr 30, 2025 18:49

At RSAC Conference 2025, Sean Martin catches up with Brian Dye, CEO of Corelight, to explore a recurring truth in cybersecurity: attackers adapt, and defenders must follow suit. In this episode, Dye lays out why traditional perimeter defenses and endpoint controls alone are no longer sufficient—and why it's time for security teams to look back toward the network for answers.Beyond the Perimeter: Visibility as a Force MultiplierAccording to Dye, many organizations are still relying on security architectures that were top-of-the-line a decade ago. But attackers have already moved on. They're bypassing endpoint detection and response (EDR) tools, exploiting unmanaged devices, IoT, and edge vulnerabilities. What's left exposed is the network itself—and that's where Corelight positions itself: providing what Dye calls “ground truth” through network-based visibility.Rather than rearchitecting environments or pushing intrusive solutions, Corelight integrates passively through out-of-line methods like packet brokers or traffic mirroring. The goal? Rich, contextual, retrospective visibility—without disrupting the network. This capability has proven essential for responding to advanced threats, including lateral movement and ransomware campaigns where knowing exactly what happened and when can mean the difference between paying a ransom or proving there's no real damage.Three Layers of Network InsightDye outlines a layered approach to detection:1. Baseline Network Activity – High-fidelity summaries of what's happening.2. Raw Detections – Behavioral rules, signatures, and machine learning.3. Anomaly Detection – Identifying “new and unusual” activity with clustering math that filters out noise and highlights what truly matters.This model supports teams who need to correlate signals across endpoints, identities, and cloud environments—especially as AI-driven operations expand the attack surface with non-human behavior patterns.The Metrics That MatterDye points to three critical success metrics for teams:• Visibility coverage over time.• MITRE ATT&CK coverage, especially around lateral movement.• The percentage of unresolved cases—those embarrassing unknowns that drain time and confidence.As Dye shares, organizations that prioritize network-level visibility not only reduce uncertainty, but also strengthen every other layer of their detection and response strategy.Learn more about Corelight: https://itspm.ag/coreligh-954270Note: This story contains promotional content. Learn more.Guest: Brian Dye, Chief Executive Officer, Corelight | https://www.linkedin.com/in/brdye/ResourcesLearn more and catch more stories from Corelight: https://www.itspmagazine.com/directory/corelightLearn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25______________________Keywords:sean martin, brian dye, network, visibility, ransomware, detection, cybersecurity, soc, anomalies, baselining, brand story, brand marketing, marketing podcast, brand story podcast______________________Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

Ep. 301 - Security Awareness Series - Leadership Relationships and Becoming a CISO with Travis Farral

Play Episode Listen Later Apr 21, 2025 30:16

Today on the Social-Engineer Podcast: The Security Awareness Series, Chris is joined by Travis Farral. Travis has been working in information security since the 90s at places such as Nokia, ExxonMobil, and XTO Energy. He is currently VP & CISO at Archaea Energy, a bp owned, renewable natural gas company based in Houston, Texas. He has spoken at events around world on topics such as Cyber Threat Intelligence, MITRE ATT&CK, and Incident Response. Notable activities during his career include everything from programming logic controllers, building and leading SOCs, driving forklifts, standing up cybersecurity teams, developing threat intelligence programs, and handling responses to incidents, among many other things over the last few decades. [April 21, 2025] 00:00 - Intro 00:18 - Intro Links: - Social-Engineer.com - http://www.social-engineer.com/ - Managed Voice Phishing - https://www.social-engineer.com/services/vishing-service/ - Managed Email Phishing - https://www.social-engineer.com/services/se-phishing-service/ - Adversarial Simulations - https://www.social-engineer.com/services/social-engineering-penetration-test/ - Social-Engineer channel on SLACK - https://social-engineering-hq.slack.com/ssb - CLUTCH - http://www.pro-rock.com/ - innocentlivesfoundation.org - http://www.innocentlivesfoundation.org/ 02:08 - Travis Farral Intro 02:58 - A Different Path than Today 05:25 - Healthy Hacking 08:08 - Anything Can Be Weaponized 10:54 - Questionable Behavior 14:31 - Smash That Report Button!!! 18:58 - Improving Our Odds 21:00 - You Have to Keep It Simple 22:25 - Letters to a Young CISO 24:20 - Find Travis Farral online - LinkedIn: linkedin.com/in/travisfarral 25:01 - Mentors - Shawn Edwards - Jay Leek 27:02 - Book Recommendations - R. E. Lee: A Biography - Douglas Southall Freeman 29:34 - Wrap Up & Outro - www.social-engineer.com - www.innocentlivesfoundation.org

Building the SOC of the Future - JP Bourget, Michael Mumcuoglu - ESW #399

Play Episode Listen Later Mar 24, 2025 110:43

What does a mature SecOps team look like? There is pressure to do more with less staff, increase efficiency and reduce costs. JP Bourget's experience has led him to believe that the answer isn't a tool upgrade, it's better planning, architecture, and process. In this interview, we'll discuss some of the common mistakes SecOps teams make, and where to start when building the SOC of the future. It feels like forever ago, but in the mid-2010s, we collectively realized, as an industry, that prevention was never going to be enough. Some attacks were always going to make their way through. Then ransomware got popular and really drove this point home. Detection engineering is a tough challenge, however. Where do we start? Which attacks should we build detections for? How much of the MITRE ATT&CK matrix do we need to cover? How often do these detections need to be reviewed and updated? Wait, are any of our detections even working? In this interview with Michael Mumcuoglu, we'll discuss where SecOps teams get it wrong. We'll discuss common pitfalls, and strategies for building more resilient and effective detections. Again, as an industry, we need to understand why ransomware attacks keep going unnoticed, despite attackers using routine techniques and tools that we see over and over and over again. Session Resources: Rethinking Threat Exposure Management: A Unified Approach to Reducing Risk This week, JP Bourget from Blue Cycle is with us to discuss Building the SOC of the Future Then, Michael Mumcuoglu (Moom-cuoglu) from CardinalOps joins us to talk about improving detection engineering. In the enterprise security news, Google bets $32B on a Wiz Kid Cybereason is down a CEO, but $120M richer EPSS version 4 is out Github supply chain attacks all over A brief history of supply chain attacks Why you might want to wait out the Agentic AI trend Zyxel wants you to throw away their (old) products HP printers are quantum resilient (and no one cares) A giant rat is my hero All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-399

ceo google building hp github detection soc 120m bourget secops zyxel mitre att ck enterprise security weekly

Building the SOC of the Future - JP Bourget, Michael Mumcuoglu - ESW #399

Play Episode Listen Later Mar 24, 2025 110:43

What does a mature SecOps team look like? There is pressure to do more with less staff, increase efficiency and reduce costs. JP Bourget's experience has led him to believe that the answer isn't a tool upgrade, it's better planning, architecture, and process. In this interview, we'll discuss some of the common mistakes SecOps teams make, and where to start when building the SOC of the future. It feels like forever ago, but in the mid-2010s, we collectively realized, as an industry, that prevention was never going to be enough. Some attacks were always going to make their way through. Then ransomware got popular and really drove this point home. Detection engineering is a tough challenge, however. Where do we start? Which attacks should we build detections for? How much of the MITRE ATT&CK matrix do we need to cover? How often do these detections need to be reviewed and updated? Wait, are any of our detections even working? In this interview with Michael Mumcuoglu, we'll discuss where SecOps teams get it wrong. We'll discuss common pitfalls, and strategies for building more resilient and effective detections. Again, as an industry, we need to understand why ransomware attacks keep going unnoticed, despite attackers using routine techniques and tools that we see over and over and over again. Session Resources: Rethinking Threat Exposure Management: A Unified Approach to Reducing Risk This week, JP Bourget from Blue Cycle is with us to discuss Building the SOC of the Future Then, Michael Mumcuoglu (Moom-cuoglu) from CardinalOps joins us to talk about improving detection engineering. In the enterprise security news, Google bets $32B on a Wiz Kid Cybereason is down a CEO, but $120M richer EPSS version 4 is out Github supply chain attacks all over A brief history of supply chain attacks Why you might want to wait out the Agentic AI trend Zyxel wants you to throw away their (old) products HP printers are quantum resilient (and no one cares) A giant rat is my hero All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-399

ceo google building hp github detection soc 120m bourget secops zyxel mitre att ck enterprise security weekly

We need better detection feedback loops - Michael Mumcuoglu - ESW #399

detection feedback loops secops mitre att ck

Play Episode Listen Later Mar 24, 2025 31:34

It feels like forever ago, but in the mid-2010s, we collectively realized, as an industry, that prevention was never going to be enough. Some attacks were always going to make their way through. Then ransomware got popular and really drove this point home. Detection engineering is a tough challenge, however. Where do we start? Which attacks should we build detections for? How much of the MITRE ATT&CK matrix do we need to cover? How often do these detections need to be reviewed and updated? Wait, are any of our detections even working? In this interview with Michael Mumcuoglu, we'll discuss where SecOps teams get it wrong. We'll discuss common pitfalls, and strategies for building more resilient and effective detections. Again, as an industry, we need to understand why ransomware attacks keep going unnoticed, despite attackers using routine techniques and tools that we see over and over and over again. Show Notes: https://securityweekly.com/esw-399

We need better detection feedback loops - Michael Mumcuoglu - ESW #399

detection feedback loops secops mitre att ck

Play Episode Listen Later Mar 24, 2025 31:34

It feels like forever ago, but in the mid-2010s, we collectively realized, as an industry, that prevention was never going to be enough. Some attacks were always going to make their way through. Then ransomware got popular and really drove this point home. Detection engineering is a tough challenge, however. Where do we start? Which attacks should we build detections for? How much of the MITRE ATT&CK matrix do we need to cover? How often do these detections need to be reviewed and updated? Wait, are any of our detections even working? In this interview with Michael Mumcuoglu, we'll discuss where SecOps teams get it wrong. We'll discuss common pitfalls, and strategies for building more resilient and effective detections. Again, as an industry, we need to understand why ransomware attacks keep going unnoticed, despite attackers using routine techniques and tools that we see over and over and over again. Show Notes: https://securityweekly.com/esw-399

How threat-informed defense benefits each security team member - Frank Duff, Nathan Sportsman - ESW #389

Play Episode Listen Later Jan 13, 2025 120:38

We're thrilled to have Frank Duff on to discuss threat-informed defense. As one of the MITRE folks that helped create MITRE ATT&CK and ATT&CK evaluations, Frank has been working on how best to define and communicate attack language for many years now. The company he founded, Tidal Cyber is in a unique position to both leverage what MITRE has built with ATT&CK and help enterprises operationalize it. Segment Resources: Tidal Cyber website Tidal Cyber Community Edition We're a fan of hacker lore and history here at Security Weekly. In fact, Paul's Security Weekly has interviewed some of the most notable (and notorious) personalities from both the business side of the industry and the hacker community. We're very excited to share this new effort to document hacker history through in-person interviews. The series is called "Where Warlocks Stay Up Late", and is the creation of Nathan Sportsman and other folks at Praetorian. The timing is crucial, as a lot of the original hackers and tech innovators are getting older, and we've already lost a few. References: Check out the Where the Warlocks Stay Up Late website and subscribe to get notified of each episode as it is released Check out the anthropological hacker map and relive your misspent youth! In this latest Enterprise Security Weekly episode, we explored some significant cybersecurity developments, starting with Veracode's acquisition of Phylum, a company specializing in detecting malicious code in open-source libraries. The acquisition sparked speculation that it might be more about Veracode staying relevant in a rapidly evolving market rather than a strategic growth move, especially given the rising influence of AI-driven code analysis tools. We also covered One Password's acquisition of a UK-based shadow IT detection firm, raising interesting questions about their expansion into access management. Notably, the deal involved celebrity investors like Matthew McConaughey and Ashton Kutcher, suggesting a trend where Hollywood influence intersects with cybersecurity branding. A major highlight was the Cyber Haven breach, where a compromised Chrome extension update led to stolen credentials. The attack was executed through a phishing campaign disguised as a Google policy violation warning. To their credit, Cyber Haven responded swiftly, pulling the extension within two hours and maintaining transparency throughout. This incident underscored broader concerns around the poor security of browser extensions, an issue that continues to be exploited due to lax marketplace oversight. We also reflected on Corey Doctorow's concept of "Enshittification," critiquing platforms that prioritize profit and engagement metrics over genuine user experiences. His decision to disable vanity metrics resonated, especially considering how often engagement numbers are inflated in corporate settings. The episode wrapped with a thoughtful discussion on how CISOs can say "no" more effectively, emphasizing "yes, but" strategies and the importance of consistency. We also debated the usability frustrations of "magic links" for authentication, arguing that simpler alternatives like passkeys or multi-factor codes could offer a better balance between security and convenience. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-389

How threat-informed defense benefits each security team member - Frank Duff, Nathan Sportsman - ESW #389

Play Episode Listen Later Jan 13, 2025 120:38

We're thrilled to have Frank Duff on to discuss threat-informed defense. As one of the MITRE folks that helped create MITRE ATT&CK and ATT&CK evaluations, Frank has been working on how best to define and communicate attack language for many years now. The company he founded, Tidal Cyber is in a unique position to both leverage what MITRE has built with ATT&CK and help enterprises operationalize it. Segment Resources: Tidal Cyber website Tidal Cyber Community Edition We're a fan of hacker lore and history here at Security Weekly. In fact, Paul's Security Weekly has interviewed some of the most notable (and notorious) personalities from both the business side of the industry and the hacker community. We're very excited to share this new effort to document hacker history through in-person interviews. The series is called "Where Warlocks Stay Up Late", and is the creation of Nathan Sportsman and other folks at Praetorian. The timing is crucial, as a lot of the original hackers and tech innovators are getting older, and we've already lost a few. References: Check out the Where the Warlocks Stay Up Late website and subscribe to get notified of each episode as it is released Check out the anthropological hacker map and relive your misspent youth! In this latest Enterprise Security Weekly episode, we explored some significant cybersecurity developments, starting with Veracode's acquisition of Phylum, a company specializing in detecting malicious code in open-source libraries. The acquisition sparked speculation that it might be more about Veracode staying relevant in a rapidly evolving market rather than a strategic growth move, especially given the rising influence of AI-driven code analysis tools. We also covered One Password's acquisition of a UK-based shadow IT detection firm, raising interesting questions about their expansion into access management. Notably, the deal involved celebrity investors like Matthew McConaughey and Ashton Kutcher, suggesting a trend where Hollywood influence intersects with cybersecurity branding. A major highlight was the Cyber Haven breach, where a compromised Chrome extension update led to stolen credentials. The attack was executed through a phishing campaign disguised as a Google policy violation warning. To their credit, Cyber Haven responded swiftly, pulling the extension within two hours and maintaining transparency throughout. This incident underscored broader concerns around the poor security of browser extensions, an issue that continues to be exploited due to lax marketplace oversight. We also reflected on Corey Doctorow's concept of "Enshittification," critiquing platforms that prioritize profit and engagement metrics over genuine user experiences. His decision to disable vanity metrics resonated, especially considering how often engagement numbers are inflated in corporate settings. The episode wrapped with a thoughtful discussion on how CISOs can say "no" more effectively, emphasizing "yes, but" strategies and the importance of consistency. We also debated the usability frustrations of "magic links" for authentication, arguing that simpler alternatives like passkeys or multi-factor codes could offer a better balance between security and convenience. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-389

How threat-informed defense benefits each security team member - Frank Duff - ESW #389

benefits defense threats informed team members duff mitre security team mitre att ck

Play Episode Listen Later Jan 12, 2025 34:48

We're thrilled to have Frank Duff on to discuss threat-informed defense. As one of the MITRE folks that helped create MITRE ATT&CK and ATT&CK evaluations, Frank has been working on how best to define and communicate attack language for many years now. The company he founded, Tidal Cyber is in a unique position to both leverage what MITRE has built with ATT&CK and help enterprises operationalize it. Segment Resources: Tidal Cyber website Tidal Cyber Community Edition Show Notes: https://securityweekly.com/esw-389

How threat-informed defense benefits each security team member - Frank Duff - ESW #389

benefits defense threats informed team members duff mitre security team mitre att ck

Play Episode Listen Later Jan 12, 2025 34:48

We're thrilled to have Frank Duff on to discuss threat-informed defense. As one of the MITRE folks that helped create MITRE ATT&CK and ATT&CK evaluations, Frank has been working on how best to define and communicate attack language for many years now. The company he founded, Tidal Cyber is in a unique position to both leverage what MITRE has built with ATT&CK and help enterprises operationalize it. Segment Resources: Tidal Cyber website Tidal Cyber Community Edition Show Notes: https://securityweekly.com/esw-389

D3FEND 1.0: A Milestone in Cyber Ontology - Peter Kaloroumakis - ESW #388

Play Episode Listen Later Dec 20, 2024 102:49

Since D3FEND was founded to fill a gap created by the MITRE ATT&CK Matrix, it has come a long way. We discuss the details of the 1.0 release of D3FEND with Peter in this episode, along with some of the new tools they've built to go along with this milestone. To use MITRE's own words to describe the gap this project fills: "it is necessary that practitioners know not only what threats a capability claims to address, but specifically how those threats are addressed from an engineering perspective, and under what circumstances the solution would work" Segment Resources: https://d3fend.mitre.org In the enterprise security news, a final few fundings before the year closes out Arctic Wolf buys Cylance from Blackberry for cheap, a sentence that feels very weird to say the quiet HTTPS revolution passkeys are REALLY catching on resilience keeps showing up in the titles of news items Apple Intelligence insults the BBC's intelligence MITRE ATT&CK evals drama Lastpass breach drama continues All that and more, on this episode of Enterprise Security Weekly As we wrap up the year, we have an honest discussion about how important security really is to the business. We discuss some of Katie's predictions for AppSec in 2025, as well as "what sucks" in security! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-388

bbc cyber milestone blackberry lastpass ontology mitre appsec arctic wolf cylance mitre att ck segment resources

D3FEND 1.0: A Milestone in Cyber Ontology - Peter Kaloroumakis - ESW #388

Play Episode Listen Later Dec 20, 2024 102:49

Since D3FEND was founded to fill a gap created by the MITRE ATT&CK Matrix, it has come a long way. We discuss the details of the 1.0 release of D3FEND with Peter in this episode, along with some of the new tools they've built to go along with this milestone. To use MITRE's own words to describe the gap this project fills: "it is necessary that practitioners know not only what threats a capability claims to address, but specifically how those threats are addressed from an engineering perspective, and under what circumstances the solution would work" Segment Resources: https://d3fend.mitre.org In the enterprise security news, a final few fundings before the year closes out Arctic Wolf buys Cylance from Blackberry for cheap, a sentence that feels very weird to say the quiet HTTPS revolution passkeys are REALLY catching on resilience keeps showing up in the titles of news items Apple Intelligence insults the BBC's intelligence MITRE ATT&CK evals drama Lastpass breach drama continues All that and more, on this episode of Enterprise Security Weekly As we wrap up the year, we have an honest discussion about how important security really is to the business. We discuss some of Katie's predictions for AppSec in 2025, as well as "what sucks" in security! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-388

bbc cyber milestone blackberry lastpass ontology mitre appsec arctic wolf cylance mitre att ck segment resources

Final fundings for 2024, Blackberry sells Cylance cheap, Product Testing Drama - ESW #388

drama bbc cheap sells blackberry lastpass product testing arctic wolf cylance mitre att ck fundings

Play Episode Listen Later Dec 20, 2024 33:45

In the enterprise security news, a final few fundings before the year closes out Arctic Wolf buys Cylance from Blackberry for cheap, a sentence that feels very weird to say the quiet HTTPS revolution passkeys are REALLY catching on resilience keeps showing up in the titles of news items Apple Intelligence insults the BBC's intelligence MITRE ATT&CK evals drama Lastpass breach drama continues All that and more, on this episode of Enterprise Security Weekly Show Notes: https://securityweekly.com/esw-388

Episode 368: The Latest on MITRE ATT&CK with Cat Self

Mac Admins Podcast

Play Episode Listen Later Jun 18, 2024 68:17

In this episode, we'll talk about security, ATT&CK, and the changing landscape of Mac security with one of our favoritest guests, Cat Self. Hosts: Tom Bridge - @tbridge@theinternet.social Marcus Ransom - @marcusransom Guests: Cat Self - LinkedIn Links: MITRE ATT&CK® Getting Started with ATT&CK (video) ATT&CK Framework v15 Update Log What is STIX/TAXII? | Cloudflare Blog on pulling MITRE ATT&CK data sources with JuypterLab Malware Unicorn: Dylib Injection Attacks Atomic Red Team Tests I created Lutherans Atomic Test Harness zScaler Advisories https://x.com/Technop54777070/status/1788603343843074187 Claimed by hackers, Zscaler says there's no impact or compromise | Cybernews The ESF Playground – The Mitten Mac A Deep Dive into the OceanLotus Adversary Emulation for macOS & Linux https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/ocean_lotus/Emulation_Plan/OceanLotus_Scenario.md Sponsors: Kandji 1Password Watchman Monitoring If you're interested in sponsoring the Mac Admins Podcast, please email podcast@macadmins.org for more information. Get the latest about the Mac Admins Podcast, follow us on Twitter! We're @MacAdmPodcast! The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include Weldon Dodd, Damien Barrett, Justin Holt, Chad Swarthout, William Smith, Stephen Weinstein, Seb Nash, Dan McLaughlin, Joe Sfarra, Nate Cinal, Jon Brown, Dan Barker, Tim Perfitt, Ashley MacKinlay, Tobias Linder Philippe Daoust, AJ Potrebka, Adam Burg, & Hamlin Krewson

mac claimed william smith zscaler dan mclaughlin dan barker mitre att jon brown mitre att ck justin holt

Deception Is on the Rise, But Is It Time to Unleash Engagement Operations? | An RSA Conference 2024 Conversation With Ondrej Nekovar and Jan Pohl | On Location Coverage with Sean Martin and Marco Ciappelli

Play Episode Listen Later May 1, 2024 23:46

Guests:Ondrej Nekovar, Director of Cyber Security, Board Member, SPCSS s.p. [@csirtspcss]On LinkedIn | https://www.linkedin.com/in/onekovar/At RSAC | https://www.rsaconference.com/experts/Ondrej%20NekovarJan Pohl, Analyst, SPCSS s.p. [@csirtspcss]On LinkedIn | https://www.linkedin.com/in/jan-pohl-89231a264/At RSAC | https://www.rsaconference.com/experts/Jan%20Pohl____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesOn this new On Location episode, Sean Martin and Marco Ciappelli dive into the intricate world of cyber deception and engagement operations with guests Ondrej Nekovar and Jan Pohl. The conversation kicks off with an intriguing discussion about the art of deception, drawing parallels between magician tricks and psychological manipulation in cybersecurity. Sean and Marco navigate through the complexities of cyber deception, shedding light on its historical roots and modern applications.Ondrej and Jan, experts in the field of cybersecurity strategy and active defense, share their expertise on the evolving landscape of cyber threats and the role of deception in defense mechanisms. Their journey into cyber deception unfolds as they highlight the necessity of incorporating false assets to mislead adversaries in the digital realm. The duo emphasizes the importance of leveraging cyber threat intelligence and modern defense techniques to stay ahead of malicious actors.Furthermore, the discussion pivots towards the strategic implementation of deception in security programs. Ondrej and Jan elaborate on the significance of creating a cohesive narrative to anticipate and thwart potential cyberattacks. They underscore the meticulous planning required to craft deceptive scenarios that outsmart adversaries and bolster organizational defenses.As the conversation progresses, the guests delve into the nuanced world of cyber counterintelligence and the utilization of frameworks like MITRE ATT&CK to enhance defense strategies. Ondrej and Jan's insightful case study during their upcoming RSA Conference talk promises to offer profound insights into the practical application of cyber deception and active defense mechanisms.Key Questions AddressedWhat is the role of deception in defense mechanisms?How can cyber deception enhance organizational defenses?What are the strategic insights provided by Ondrej and Jan for fortifying digital defenses?Be sure to follow our Coverage Journey and subscribe to our podcasts!____________________________Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverageOn YouTube:

Deception Is on the Rise, But Is It Time to Unleash Engagement Operations? | An RSA Conference 2024 Conversation With Ondrej Nekovar and Jan Pohl | On Location Coverage with Sean Martin and Marco Ciappelli

Redefining CyberSecurity

Play Episode Listen Later May 1, 2024 23:46

Guests:Ondrej Nekovar, Director of Cyber Security, Board Member, SPCSS s.p. [@csirtspcss]On LinkedIn | https://www.linkedin.com/in/onekovar/At RSAC | https://www.rsaconference.com/experts/Ondrej%20NekovarJan Pohl, Analyst, SPCSS s.p. [@csirtspcss]On LinkedIn | https://www.linkedin.com/in/jan-pohl-89231a264/At RSAC | https://www.rsaconference.com/experts/Jan%20Pohl____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesOn this new On Location episode, Sean Martin and Marco Ciappelli dive into the intricate world of cyber deception and engagement operations with guests Ondrej Nekovar and Jan Pohl. The conversation kicks off with an intriguing discussion about the art of deception, drawing parallels between magician tricks and psychological manipulation in cybersecurity. Sean and Marco navigate through the complexities of cyber deception, shedding light on its historical roots and modern applications.Ondrej and Jan, experts in the field of cybersecurity strategy and active defense, share their expertise on the evolving landscape of cyber threats and the role of deception in defense mechanisms. Their journey into cyber deception unfolds as they highlight the necessity of incorporating false assets to mislead adversaries in the digital realm. The duo emphasizes the importance of leveraging cyber threat intelligence and modern defense techniques to stay ahead of malicious actors.Furthermore, the discussion pivots towards the strategic implementation of deception in security programs. Ondrej and Jan elaborate on the significance of creating a cohesive narrative to anticipate and thwart potential cyberattacks. They underscore the meticulous planning required to craft deceptive scenarios that outsmart adversaries and bolster organizational defenses.As the conversation progresses, the guests delve into the nuanced world of cyber counterintelligence and the utilization of frameworks like MITRE ATT&CK to enhance defense strategies. Ondrej and Jan's insightful case study during their upcoming RSA Conference talk promises to offer profound insights into the practical application of cyber deception and active defense mechanisms.Key Questions AddressedWhat is the role of deception in defense mechanisms?How can cyber deception enhance organizational defenses?What are the strategic insights provided by Ondrej and Jan for fortifying digital defenses?Be sure to follow our Coverage Journey and subscribe to our podcasts!____________________________Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverageOn YouTube:

What can we do today to prevent tomorrow's breach? - Michael Mumcuoglu - ESW #352

Play Episode Listen Later Mar 8, 2024 47:07

Defenders spend a lot of time and money procuring and implementing security controls. At the heart of SecOps and the SOC are technologies like XDR, SIEM, and SOAR. How do we know these technologies are going to detect or prevent attacks? Wait for the annual pen test? Probably not a good idea. In this segment, we'll talk with Michael Mumcuoglu about how MITRE's ATT&CK framework can help defenders better prepare for inevitable attack TTPs they'll have knocking on their doors. Segment Resources: CardinalOps Contributes to MITRE ATT&CK for Fourth Consecutive Release ESG Report: Operationalize MITRE ATT&CK with Detection Posture Management Report: Enterprise SIEMs offer inadequate threat detection 2023 State of SIEM Detection Risk Report Show Notes: https://securityweekly.com/esw-352

state prevent defenders soar breach soc mitre siem xdr secops ttps mitre att ck

What can we do today to prevent tomorrow's breach? - Michael Mumcuoglu - ESW #352

Play Episode Listen Later Mar 8, 2024 47:07

Defenders spend a lot of time and money procuring and implementing security controls. At the heart of SecOps and the SOC are technologies like XDR, SIEM, and SOAR. How do we know these technologies are going to detect or prevent attacks? Wait for the annual pen test? Probably not a good idea. In this segment, we'll talk with Michael Mumcuoglu about how MITRE's ATT&CK framework can help defenders better prepare for inevitable attack TTPs they'll have knocking on their doors. Segment Resources: CardinalOps Contributes to MITRE ATT&CK for Fourth Consecutive Release ESG Report: Operationalize MITRE ATT&CK with Detection Posture Management Report: Enterprise SIEMs offer inadequate threat detection 2023 State of SIEM Detection Risk Report Show Notes: https://securityweekly.com/esw-352

state prevent defenders soar breach soc mitre siem xdr secops ttps mitre att ck

What can we do today to prevent tomorrow's breach? - Michael Mumcuoglu - ESW #352

Play Episode Listen Later Mar 7, 2024 107:13

Defenders spend a lot of time and money procuring and implementing security controls. At the heart of SecOps and the SOC are technologies like XDR, SIEM, and SOAR. How do we know these technologies are going to detect or prevent attacks? Wait for the annual pen test? Probably not a good idea. In this segment, we'll talk with Michael Mumcuoglu about how MITRE's ATT&CK framework can help defenders better prepare for inevitable attack TTPs they'll have knocking on their doors. Segment Resources: CardinalOps Contributes to MITRE ATT&CK for Fourth Consecutive Release ESG Report: Operationalize MITRE ATT&CK with Detection Posture Management Report: Enterprise SIEMs offer inadequate threat detection 2023 State of SIEM Detection Risk Report In the enterprise security news, Axonius raises $200M and is doing $100M ARR! Claroty raises $100M and is doing $100M ARR! Crowdstrike picks up DSPM with Flow Security CyCode picks up Bearer Are attackers like lawyers? How a bank failed (with no help from a cyber attack) the FTC cracks down on customer data collection Apple's car sadly won't be a thing any time soon or maybe ever. All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-352

apple state prevent defenders 100m soar breach ftc crowdstrike 200m soc mitre siem xdr secops ttps 100m arr claroty axonius mitre att ck dspm enterprise security weekly

What can we do today to prevent tomorrow's breach? - Michael Mumcuoglu - ESW #352

Play Episode Listen Later Mar 7, 2024 107:13

Defenders spend a lot of time and money procuring and implementing security controls. At the heart of SecOps and the SOC are technologies like XDR, SIEM, and SOAR. How do we know these technologies are going to detect or prevent attacks? Wait for the annual pen test? Probably not a good idea. In this segment, we'll talk with Michael Mumcuoglu about how MITRE's ATT&CK framework can help defenders better prepare for inevitable attack TTPs they'll have knocking on their doors. Segment Resources: CardinalOps Contributes to MITRE ATT&CK for Fourth Consecutive Release ESG Report: Operationalize MITRE ATT&CK with Detection Posture Management Report: Enterprise SIEMs offer inadequate threat detection 2023 State of SIEM Detection Risk Report In the enterprise security news, Axonius raises $200M and is doing $100M ARR! Claroty raises $100M and is doing $100M ARR! Crowdstrike picks up DSPM with Flow Security CyCode picks up Bearer Are attackers like lawyers? How a bank failed (with no help from a cyber attack) the FTC cracks down on customer data collection Apple's car sadly won't be a thing any time soon or maybe ever. All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-352

apple state prevent defenders 100m soar breach ftc crowdstrike 200m soc mitre siem xdr secops ttps 100m arr claroty axonius mitre att ck dspm enterprise security weekly

Aidan Holland, Kelly Shortridge - ESW #339

internet holland google chrome ciso mitre att ck kelly shortridge censys

Play Episode Listen Later Nov 10, 2023 159:57

Today, we discuss the state of attack surface across the Internet. We've known for decades now that putting an insecure service on the public Internet is a recipe for disaster, often within minutes. How has this knowledge changed the publicly accessible Internet? We find out when we talk to Censys's Aidan Holland today. We've reached an inflection point in security. There are a handful of organizations regularly and successfully stopping cyber attacks. Most companies haven't gotten there, however. What separates these two groups? Why does it seem like we're still failing as an industry, despite seeming to collectively have all the tools, intel, and budget we've asked for? Kelly Shortridge has studied this problem in depth. She has created tools (https://www.deciduous.app/), and written books (https://www.securitychaoseng.com/) to help the community approach security challenges in a more logical and structured way. We'll discuss what hasn't worked for infosec in the past, and what Kelly thinks might work as we go into the future. During the news today, we went deep down the rabbithole of discussing security product efficacy. Adrian still doesn't believe in enterprise browsers beyond Google Chrome, but can't deny that Talon got a pretty favorable exit considering the state of the market. We see the first major exit for cybersecurity insuretechs, and discuss a few notable funding rounds. We discuss Kelly Shortridge's essay on the origins and nature of the term "security" and what it means. Stephen Schmidt suggests 6 questions every board should ask their CISO, we explore Cyentia Labs' meta analysis of MITRE ATT&CK techniques, and Phil Venables shares some hilarious takes on infosec stereotypes. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-339

Aidan Holland, Kelly Shortridge - ESW #339

internet holland google chrome ciso mitre att ck kelly shortridge censys

Play Episode Listen Later Nov 10, 2023 159:57

Today, we discuss the state of attack surface across the Internet. We've known for decades now that putting an insecure service on the public Internet is a recipe for disaster, often within minutes. How has this knowledge changed the publicly accessible Internet? We find out when we talk to Censys's Aidan Holland today. We've reached an inflection point in security. There are a handful of organizations regularly and successfully stopping cyber attacks. Most companies haven't gotten there, however. What separates these two groups? Why does it seem like we're still failing as an industry, despite seeming to collectively have all the tools, intel, and budget we've asked for? Kelly Shortridge has studied this problem in depth. She has created tools (https://www.deciduous.app/), and written books (https://www.securitychaoseng.com/) to help the community approach security challenges in a more logical and structured way. We'll discuss what hasn't worked for infosec in the past, and what Kelly thinks might work as we go into the future. During the news today, we went deep down the rabbithole of discussing security product efficacy. Adrian still doesn't believe in enterprise browsers beyond Google Chrome, but can't deny that Talon got a pretty favorable exit considering the state of the market. We see the first major exit for cybersecurity insuretechs, and discuss a few notable funding rounds. We discuss Kelly Shortridge's essay on the origins and nature of the term "security" and what it means. Stephen Schmidt suggests 6 questions every board should ask their CISO, we explore Cyentia Labs' meta analysis of MITRE ATT&CK techniques, and Phil Venables shares some hilarious takes on infosec stereotypes. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw-339

Palo Alto buys Talon, the changing world of security exits, 6 Qs to ask your CISO - ESW #339

security buys palo alto exits changing world google chrome ciso mitre att ck kelly shortridge

Play Episode Listen Later Nov 10, 2023 69:05

During the news today, we went deep down the rabbithole of discussing security product efficacy. Adrian still doesn't believe in enterprise browsers beyond Google Chrome, but can't deny that Talon got a pretty favorable exit considering the state of the market. We see the first major exit for cybersecurity insuretechs, and discuss a few notable funding rounds. We discuss Kelly Shortridge's essay on the origins and nature of the term "security" and what it means. Stephen Schmidt suggests 6 questions every board should ask their CISO, we explore Cyentia Labs' meta analysis of MITRE ATT&CK techniques, and Phil Venables shares some hilarious takes on infosec stereotypes. Show Notes: https://securityweekly.com/esw-339

Palo Alto buys Talon, the changing world of security exits, 6 Qs to ask your CISO - ESW #339

security buys palo alto exits changing world google chrome ciso mitre att ck kelly shortridge

Play Episode Listen Later Nov 10, 2023 69:05

During the news today, we went deep down the rabbithole of discussing security product efficacy. Adrian still doesn't believe in enterprise browsers beyond Google Chrome, but can't deny that Talon got a pretty favorable exit considering the state of the market. We see the first major exit for cybersecurity insuretechs, and discuss a few notable funding rounds. We discuss Kelly Shortridge's essay on the origins and nature of the term "security" and what it means. Stephen Schmidt suggests 6 questions every board should ask their CISO, we explore Cyentia Labs' meta analysis of MITRE ATT&CK techniques, and Phil Venables shares some hilarious takes on infosec stereotypes. Show Notes: https://securityweekly.com/esw-339

Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations | A Conversation with Kate Esprit and Cat Self from MITRE | Las Vegas Black Hat 2023 Event Coverage | Redefining CyberSecurity Podcast With Sean Martin and Marco Ciappell

office chief software general managers sr campfires product development rsa kaur information security cisa active directory chris kennedy rsac mitre att ck james stanley purple teaming semperis

Play Episode Listen Later Aug 7, 2023 35:49

Guests: Cat Self, Principal Adversary Emulation Engineer, MITRE [@MITREcorp]On Linkedin | https://www.linkedin.com/in/coolestcatiknow/On Twitter | https://twitter.com/coolestcatiknowKate Esprit, Senior Cyber Threat Intelligence Analyst at MITRE [@MITREcorp]On Linkedin | https://www.linkedin.com/in/kate-e-2b262695/____________________________Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast and Audio Signals PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________This Episode's SponsorsIsland.io | https://itspm.ag/island-io-6b5ffd____________________________Episode NotesIn this new Chats on the Road to Black Hat USA 2023 on the ITSPmagazine Podcast Network, hosts Sean and Marco are joined by Cat and Kate from MITRE to discuss the world of adversary emulation and its importance in improving cybersecurity. The conversation covers MITRE's role as an industry thought leader and their focus on making the cyber world a safer place. They explain how MITRE ATT&CK, a framework based on observations from blue and red engagements, led to the development of ATT&CK evaluations, which aim to raise the standard of the industry and provide transparency. The hosts and guests emphasize the need for transparency in adversary emulation and how MITRE releases their methodology, results, and code to make the practice more accessible.The group also discusses the challenges faced in aligning emulation plans with the diverse and unique solutions deployed by different vendors and the importance of maintaining the integrity of what the adversaries would actually do. The conversation also touches on the differences between adversary emulation and simulation. While emulation replicates the actions and techniques of specific adversaries, simulation allows for more flexibility and blends different components of multiple adversaries.The hosts and guests also explore the power and responsibility that comes with conducting adversary emulation, drawing parallels to superheroes like Batman and Spider-Man.About the session — Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK EvaluationsBatman once said, "you either die a hero or live long enough to see yourself become the villain." What if there was a way to become a cyber villain for the greater good? For the last 5 years, the MITRE ATT&CK Evaluations team has been improving the industry by "becoming the villain." We study some of the world's most advanced threat actors, develop a scenario, build malware and tools, then execute the operations against major EDR vendors. And the best part? Not only do we get the business justification of becoming a villain to advance defenders, but our code is also open-sourced.Using a Latin American APT as our real-world villain, this talk will showcase how to merge CTI and red development capabilities for adversary emulation.First, our cyber threat intelligence team (CTI) demonstrates how to evaluate reports with the sufficient technical data needed to emulate the adversary's usage of particular techniques. We will build a scenario, create CTI diagrams based on our analysis, address gaps in data, and create alternative attack methods for the red team.Next, the red team enters the scene to collaborate with the CTI team. They begin building malware, tools, and infrastructure. Translating approved open-source CTI reporting into code, we will walk through process injection, persistence, hands-on-keyboard discovery, and lateral movement for the emulation. Finally, it is time to launch the attack and see how our defenders respond, discern where to search for clues, and help them uncover our plot.To coincide with this presentation, our code, research, and emulation plans will be publicly released. We hope this empowers the community to use our "become the villain" methodology to improve defenses. Helping defenders discern where to look for our footprints is how we justify our villainous acts.Subscribe to our podcast, share it with your network, and join us in pondering the questions this conversation raises. Be part of the ongoing dialogue around this pressing issue, and we invite you to stay tuned for further discussions in the future.Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa____________________________ResourcesBecoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations: https://www.blackhat.com/us-23/briefings/schedule/index.html#becoming-a-dark-knight-adversary-emulation-demonstration-for-attck-evaluations-33209Post: https://medium.com/mitre-engenuity/managed-services-evaluations-round-2-2023-attribution-and-speed-and-efficiency-oh-my-59aa207641faPodcast: https://itspmagazine.simplecast.com/episodes/mitre-att-ck-a-conversation-at-the-edge-with-katie-nickels-fred-wilmot-and-ryan-kovarFor more Black Hat USA 2023 Event information, coverage, and podcast and video episodes, visit: https://www.itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegasAre you interested in telling your story in connection with our Black Hat coverage? Book a briefing here:

Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations | A Conversation with Kate Esprit and Cat Self from MITRE | Las Vegas Black Hat 2023 Event Coverage | Redefining CyberSecurity Podcast With Sean Martin and Marco Ciappell

Redefining CyberSecurity

Play Episode Listen Later Aug 7, 2023 35:49

Guests: Cat Self, Principal Adversary Emulation Engineer, MITRE [@MITREcorp]On Linkedin | https://www.linkedin.com/in/coolestcatiknow/On Twitter | https://twitter.com/coolestcatiknowKate Esprit, Senior Cyber Threat Intelligence Analyst at MITRE [@MITREcorp]On Linkedin | https://www.linkedin.com/in/kate-e-2b262695/____________________________Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast and Audio Signals PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________This Episode's SponsorsIsland.io | https://itspm.ag/island-io-6b5ffd____________________________Episode NotesIn this new Chats on the Road to Black Hat USA 2023 on the ITSPmagazine Podcast Network, hosts Sean and Marco are joined by Cat and Kate from MITRE to discuss the world of adversary emulation and its importance in improving cybersecurity. The conversation covers MITRE's role as an industry thought leader and their focus on making the cyber world a safer place. They explain how MITRE ATT&CK, a framework based on observations from blue and red engagements, led to the development of ATT&CK evaluations, which aim to raise the standard of the industry and provide transparency. The hosts and guests emphasize the need for transparency in adversary emulation and how MITRE releases their methodology, results, and code to make the practice more accessible.The group also discusses the challenges faced in aligning emulation plans with the diverse and unique solutions deployed by different vendors and the importance of maintaining the integrity of what the adversaries would actually do. The conversation also touches on the differences between adversary emulation and simulation. While emulation replicates the actions and techniques of specific adversaries, simulation allows for more flexibility and blends different components of multiple adversaries.The hosts and guests also explore the power and responsibility that comes with conducting adversary emulation, drawing parallels to superheroes like Batman and Spider-Man.About the session — Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK EvaluationsBatman once said, "you either die a hero or live long enough to see yourself become the villain." What if there was a way to become a cyber villain for the greater good? For the last 5 years, the MITRE ATT&CK Evaluations team has been improving the industry by "becoming the villain." We study some of the world's most advanced threat actors, develop a scenario, build malware and tools, then execute the operations against major EDR vendors. And the best part? Not only do we get the business justification of becoming a villain to advance defenders, but our code is also open-sourced.Using a Latin American APT as our real-world villain, this talk will showcase how to merge CTI and red development capabilities for adversary emulation.First, our cyber threat intelligence team (CTI) demonstrates how to evaluate reports with the sufficient technical data needed to emulate the adversary's usage of particular techniques. We will build a scenario, create CTI diagrams based on our analysis, address gaps in data, and create alternative attack methods for the red team.Next, the red team enters the scene to collaborate with the CTI team. They begin building malware, tools, and infrastructure. Translating approved open-source CTI reporting into code, we will walk through process injection, persistence, hands-on-keyboard discovery, and lateral movement for the emulation. Finally, it is time to launch the attack and see how our defenders respond, discern where to search for clues, and help them uncover our plot.To coincide with this presentation, our code, research, and emulation plans will be publicly released. We hope this empowers the community to use our "become the villain" methodology to improve defenses. Helping defenders discern where to look for our footprints is how we justify our villainous acts.Subscribe to our podcast, share it with your network, and join us in pondering the questions this conversation raises. Be part of the ongoing dialogue around this pressing issue, and we invite you to stay tuned for further discussions in the future.Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa____________________________ResourcesBecoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations: https://www.blackhat.com/us-23/briefings/schedule/index.html#becoming-a-dark-knight-adversary-emulation-demonstration-for-attck-evaluations-33209Post: https://medium.com/mitre-engenuity/managed-services-evaluations-round-2-2023-attribution-and-speed-and-efficiency-oh-my-59aa207641faPodcast: https://itspmagazine.simplecast.com/episodes/mitre-att-ck-a-conversation-at-the-edge-with-katie-nickels-fred-wilmot-and-ryan-kovarFor more Black Hat USA 2023 Event information, coverage, and podcast and video episodes, visit: https://www.itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegasAre you interested in telling your story in connection with our Black Hat coverage? Book a briefing here:

RSAC 2023 Special Edition Campfire Chats - Part 2

The Cyber Ranch Podcast

Play Episode Listen Later Jun 5, 2023 36:12

This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023. Guests include: Gary Hayslip, CISO @ Softbank Investment Advisers Michael Calderin, CISO @ YAGEO Group David Cross, CISO @ Oracle SaaS Cloud Audra Streetman, Security Strategist @ Splunk Adrian Peters, CISO @ Vista Equity Partners Robin Sundaram, CISO @ RELX Merritt Baer, Office of the CISO @ AWS Rob Wood, CISO @ Centers for Medicare & Medicaid Services Bryan Green, CISO Americas @ ZScaler Stephanie Derdouri, Sr. Manager, Information Security and Technology Risk Management @ Capital Group Andres Andreu, CISO @ 2U Paul Love, CISO & Chief Privacy Officer @ Co-op Solutions Royce Markose, former CISO Bob Schuetter, CISO @ Ashland Susan Thomas, CEO @ 10Fold Brian Markham, CISO @ EAB Ken Foster, VP of IT GRC @ FLEETCOR Elizabeth Martinez, Account Exec @ ThreatLocker Josiah Dykstra, Senior Fellow, Office of Innovation @ The NSA Kevin Brown, CEO @ Innit Brent Deterding, CISO @ Afni Audra Streetman, Security Strategist @ Splunk Wendy Whitmore, SVP, Unit 42 @ Palo Alto Networks I ask my guests several questions including: How do you impact the top and bottom line? What topics are you tired of in cybersecurity? There are also some special interviews at the end - discussions about the RSA conference itself, tech stack sprawl, and personal branding and marketing for CISOs. Oh - and a question about how vendors and CISOs can work better together AND a conversation about how government and industry can work together in cybersecurity. Give this one a listen! It's jam-packed with great insights! Sponsored by AttackIQ & Semperis. AttackIQ offers a new fully managed breach and attack simulation service. They are the premier provider of MITRE ATT&CK-based security control validation. https://attackiq.com Semperis provides the industry's most comprehensive Active Directory and Azure AD cyber resilience platform, supported by specialized AD incident response expertise. https://semperis.com

office sr svp senior fellow campfires rsa information security cisos active directory rsac mitre att ck gary hayslip attackiq

RSAC 2023 SPECIAL EDITION Campfire Chats - Part 1

The Cyber Ranch Podcast

Play Episode Listen Later May 22, 2023 31:50

This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023. Guests include: Chris Kennedy, CISO @ Citadel Gary Hayslip, CISO @ Softbank Investment Advisers Michael Calderin, CISO @ YAGEO Group Reet Kaur, CISO @ Portland Community College Rob LaMagna-Reiter, CISO @ Hudl Matthew Lang, vCISO David Cross, CISO @ Oracle SaaS Cloud Audra Streetman, Security Strategist @ Splunk Vishal Amin, General Manager of Security Solutions (Federal) @ Microsoft Adrian Peters, CISO @ Vista Equity Partners Kelly Shortridge, Author of “Security Chaos Engineering: Sustaining Resilience in Software and Systems” Robin Sundaram, CISO @ RELX Merritt Baer, Office of the CISO @ AWS Tim Rohrbaugh, former CISO & Industry Leader Rob Wood, CISO @ Centers for Medicare & Medicaid Services Bryan Green, CISO Americas @ ZScaler Stephanie Derdouri, Sr. Manager, Information Security and Technology Risk Management @ Capital Group Andres Andreu, CISO @ 2U Paul Love, CISO & Chief Privacy Officer @ Co-op Solutions Royce Markose, former CISO Bob Schuetter, CISO @ Ashland I ask my guests several questions: What is the best part of RSAC 2023 for you? What is the single most critical skill a security leader needs? What's missing in cybersecurity? What is your take on Purple Teaming and MITRE ATT&CK? How do you co-lead the organization? There is also a VERY special interview with James Stanley, Chief of Product Development at CISA at the end. Don't miss it! Sponsored by Semperis & AttackIQ. Semperis provides the industry's most comprehensive Active Directory and Azure AD cyber resilience platform, supported by specialized AD incident response expertise. https://semperis.com AttackIQ offers a new fully managed breach and attack simulation service. They are the premier provider of MITRE ATT&CK-based security control validation. https://attackiq.com

Navigating the AI Security Frontier: Balancing Innovation and Cybersecurity | ITSPmagazine Event Coverage: RSAC 2023 San Francisco, USA | A Conversation with Dr. Christina Liaghati

next level cto cyber security strategy isaca kill chain mitre att ckc mitre att ck

Play Episode Listen Later Apr 21, 2023 27:49

Guest: Dr. Christina Liaghati, AI Strategy Execution & Operations Manager for MITRE's AI and Autonomy Innovation Center [@MITREcorp]On LinkedIn | https://www.linkedin.com/in/christina-liaghati/On Twitter | https://twitter.com/CLiaghatiAt RSAC | https://www.rsaconference.com/experts/dr%20christina%20liaghati____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________This Episode's SponsorsBlackCloak | https://itspm.ag/itspbcwebBrinqa | https://itspm.ag/brinqa-pmdpSandboxAQ | https://itspm.ag/sandboxaq-j2en____________________________Episode NotesIn this Chats on the Road to RSA Conference podcast episode, listeners are treated to an insightful discussion between Dr. Christina Liaghati, Sean Martin, and Marco Ciappelli about the evolving landscape of AI security, its impact on various sectors, and the proactive steps being taken to address emerging threats. Dr. Liaghati shares her unique experiences working with government sponsors and her involvement in the development of MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems), a knowledge base of adversary tactics, techniques, and case studies for machine learning (ML) systems based on real-world observations, demonstrations from ML red teams and security groups, and the state of the possible from academic research. ATLAS is modeled after the MITRE ATT&CK framework and its tactics and techniques are complementary to those in ATT&CK.The conversation highlights how the rapid adoption of AI systems, combined with the lack of understanding of the risks involved, has led to new vulnerabilities and threats that need to be addressed. Listeners are also offered a glimpse into the challenges presented by the integration of AI into various systems, the need for collaboration between the AI and cybersecurity sectors, and the importance of understanding the new threat landscape created by AI adoption. Dr. Liaghati shares real-life examples of attacks on AI systems, emphasizing the need for constant vigilance and collaboration between industry, government, and academia to tackle these challenges.The conversation also digs deeper into the potential consequences of AI deployment in high-stakes environments, such as finance and healthcare, and the importance of allocating resources to red teaming to identify vulnerabilities and secure these critical systems. By examining the current state of AI security and discussing the steps being taken to ensure its future, this episode provides an engaging and informative look at the complex interplay between AI, cybersecurity, and the systems we rely on every day.____________________________ResourcesSession | Hardening AI/ML Systems - The Next Frontier of Cybersecurity: https://www.rsaconference.com/USA/agenda/session/Hardening%20AIML%20Systems%20-%20The%20Next%20Frontier%20of%20CybersecurityLearn more about MITRE Atlas: https://atlas.mitre.org/MITRE Atlas on Slack (invitation): https://join.slack.com/t/mitreatlas/shared_invite/zt-10i6ka9xw-~dc70mXWrlbN9dfFNKyyzQLearn more about MITRE ATT&CK framework: https://attack.mitre.org/Learn more, explore the agenda, and register for RSA Conference: https://itspm.ag/rsa-cordbw____________________________For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverageAre you interested in telling your story in connection with RSA Conference by sponsoring our coverage?

Navigating the AI Security Frontier: Balancing Innovation and Cybersecurity | ITSPmagazine Event Coverage: RSAC 2023 San Francisco, USA | A Conversation with Dr. Christina Liaghati

Redefining CyberSecurity

Play Episode Listen Later Apr 21, 2023 27:49

Guest: Dr. Christina Liaghati, AI Strategy Execution & Operations Manager for MITRE's AI and Autonomy Innovation Center [@MITREcorp]On LinkedIn | https://www.linkedin.com/in/christina-liaghati/On Twitter | https://twitter.com/CLiaghatiAt RSAC | https://www.rsaconference.com/experts/dr%20christina%20liaghati____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________This Episode's SponsorsBlackCloak | https://itspm.ag/itspbcwebBrinqa | https://itspm.ag/brinqa-pmdpSandboxAQ | https://itspm.ag/sandboxaq-j2en____________________________Episode NotesIn this Chats on the Road to RSA Conference podcast episode, listeners are treated to an insightful discussion between Dr. Christina Liaghati, Sean Martin, and Marco Ciappelli about the evolving landscape of AI security, its impact on various sectors, and the proactive steps being taken to address emerging threats. Dr. Liaghati shares her unique experiences working with government sponsors and her involvement in the development of MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems), a knowledge base of adversary tactics, techniques, and case studies for machine learning (ML) systems based on real-world observations, demonstrations from ML red teams and security groups, and the state of the possible from academic research. ATLAS is modeled after the MITRE ATT&CK framework and its tactics and techniques are complementary to those in ATT&CK.The conversation highlights how the rapid adoption of AI systems, combined with the lack of understanding of the risks involved, has led to new vulnerabilities and threats that need to be addressed. Listeners are also offered a glimpse into the challenges presented by the integration of AI into various systems, the need for collaboration between the AI and cybersecurity sectors, and the importance of understanding the new threat landscape created by AI adoption. Dr. Liaghati shares real-life examples of attacks on AI systems, emphasizing the need for constant vigilance and collaboration between industry, government, and academia to tackle these challenges.The conversation also digs deeper into the potential consequences of AI deployment in high-stakes environments, such as finance and healthcare, and the importance of allocating resources to red teaming to identify vulnerabilities and secure these critical systems. By examining the current state of AI security and discussing the steps being taken to ensure its future, this episode provides an engaging and informative look at the complex interplay between AI, cybersecurity, and the systems we rely on every day.____________________________ResourcesSession | Hardening AI/ML Systems - The Next Frontier of Cybersecurity: https://www.rsaconference.com/USA/agenda/session/Hardening%20AIML%20Systems%20-%20The%20Next%20Frontier%20of%20CybersecurityLearn more about MITRE Atlas: https://atlas.mitre.org/MITRE Atlas on Slack (invitation): https://join.slack.com/t/mitreatlas/shared_invite/zt-10i6ka9xw-~dc70mXWrlbN9dfFNKyyzQLearn more about MITRE ATT&CK framework: https://attack.mitre.org/Learn more, explore the agenda, and register for RSA Conference: https://itspm.ag/rsa-cordbw____________________________For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverageAre you interested in telling your story in connection with RSA Conference by sponsoring our coverage?

National Cybersecurity Strategy, CISA delivers Decider, Bookstore chains hacked

Cyber Security Headlines

Play Episode Listen Later Mar 3, 2023 7:15

White House gets tough with new National Cyber Strategy CISA releases free ‘Decider' tool to help with MITRE ATT&CK mapping British retail chain WH Smith says data stolen in cyberattack Thanks to this week's episode sponsor, Conveyor Just because your security questionnaire is from the stone age, doesn't mean you have to answer it with cave-era tools. At Conveyor, we implemented GPT-3 into our first-of-its-kind questionnaire eliminator so teams of all sizes can blast through questionnaires faster than you can say “prehistoric”. Go beyond re-writing mediocre matches, to getting your questionnaire auto-filled with the exact answers customers need. Join the top SaaS companies in the GPT-3 powered future by using Conveyor. Learn more at conveyor.com. For the stories behind the headlines, head to CISOseries.com.

british white house saas chains delivers gpt hacked bookstores cisa decider conveyor cybersecurity strategy wh smith national cybersecurity mitre att ck ciso series

Taking Security Strategy to the Next Level: The Cyber Kill Chain vs. MITRE ATT&CK

ISACA Podcast

Play Episode Listen Later Nov 22, 2022 23:10

In an era of rampant ransomware and other malicious cyberattacks, it's mandatory to double down on cybersecurity analysis and strategy to ensure an optimal security posture and the protection of critical assets and data. Today, two models can help security professionals harden network resources and protect against modern-day threats and attacks: the cyber kill chain (CKC)and the MITRE ATT&CK framework. Tim Liu, long-term security technologist, co-founder, and CTO, will provide an overview of these two frameworks and the limitations or benefits of each approach. To read Taking Security Strategy to the Next Level, please visit www.isaca.org/taking-security-strategy-to-the-next-level. To listen to more ISACA podcasts, please visit www.isaca.org/podcasts.

PSW #763 - Dan DeCloss

Play Episode Listen Later Nov 10, 2022 207:24

Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is great, but what other value can a pentest provide by shifting your mindset further left or with a more strategic approach? How often do you focus on the overall ROI of your penetration testing program? This talk will explore what it means to “shift left” with your penetration testing by working on a threat informed test plan. Using a threat informed test plan will provide more value from your pentesting program and gain efficiency in your security testing pipeline. This talk applies to both consultants and internal security teams. Segment Resources: Hack Your Pentesting Routine WP: https://plextrac.com/resources/white-papers/hack-your-pentesting-routine/ Effective Purple Teaming WP: https://plextrac.com/effective-purple-teaming/ This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them! In the Security News: submerged under blankets in a popcorn tin is where they found it, Indirect Branch Tracking, don't hack me bro, we're here from the government to scan your systems, Fizzling out security, static and dynamic analysis for the win, BYODC, Bring your own domain controller, application context matters, if you want an update better have an Intel CPU, one-time programs, urlscan is leaking, hacking load balancers, and its all about the company you keep. Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw763

roi coverage intel cpus security news fizzling mitre att ck owasp top ten ai hunter

A Case for Threat Informed Penetration Testing - Dan DeCloss - PSW #763

threats roi coverage informed penetration testing mitre att ck owasp top ten

Play Episode Listen Later Nov 10, 2022 59:45

Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is great, but what other value can a pentest provide by shifting your mindset further left or with a more strategic approach? How often do you focus on the overall ROI of your penetration testing program? This talk will explore what it means to “shift left” with your penetration testing by working on a threat informed test plan. Using a threat informed test plan will provide more value from your pentesting program and gain efficiency in your security testing pipeline. This talk applies to both consultants and internal security teams. Segment Resources: Hack Your Pentesting Routine WP: https://plextrac.com/resources/white-papers/hack-your-pentesting-routine/ Effective Purple Teaming WP: https://plextrac.com/effective-purple-teaming/ This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw763

PSW #763 - Dan DeCloss

Paul's Security Weekly (Podcast-Only)

Play Episode Listen Later Nov 10, 2022 207:24

Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is great, but what other value can a pentest provide by shifting your mindset further left or with a more strategic approach? How often do you focus on the overall ROI of your penetration testing program? This talk will explore what it means to “shift left” with your penetration testing by working on a threat informed test plan. Using a threat informed test plan will provide more value from your pentesting program and gain efficiency in your security testing pipeline. This talk applies to both consultants and internal security teams. Segment Resources: Hack Your Pentesting Routine WP: https://plextrac.com/resources/white-papers/hack-your-pentesting-routine/ Effective Purple Teaming WP: https://plextrac.com/effective-purple-teaming/ This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them! In the Security News: submerged under blankets in a popcorn tin is where they found it, Indirect Branch Tracking, don't hack me bro, we're here from the government to scan your systems, Fizzling out security, static and dynamic analysis for the win, BYODC, Bring your own domain controller, application context matters, if you want an update better have an Intel CPU, one-time programs, urlscan is leaking, hacking load balancers, and its all about the company you keep. Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw763

roi coverage intel cpus security news fizzling mitre att ck owasp top ten ai hunter

A Case for Threat Informed Penetration Testing - Dan DeCloss - PSW #763

Paul's Security Weekly (Video-Only)

Play Episode Listen Later Nov 10, 2022 59:45

Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is great, but what other value can a pentest provide by shifting your mindset further left or with a more strategic approach? How often do you focus on the overall ROI of your penetration testing program? This talk will explore what it means to “shift left” with your penetration testing by working on a threat informed test plan. Using a threat informed test plan will provide more value from your pentesting program and gain efficiency in your security testing pipeline. This talk applies to both consultants and internal security teams. Segment Resources: Hack Your Pentesting Routine WP: https://plextrac.com/resources/white-papers/hack-your-pentesting-routine/ Effective Purple Teaming WP: https://plextrac.com/effective-purple-teaming/ This segment is sponsored by PlexTrac. Visit https://securityweekly.com/plextrac to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw763

threats roi coverage informed penetration testing mitre att ck owasp top ten

#98 - Outrunning the Bear

CISO Tradecraft

Play Episode Listen Later Oct 3, 2022 33:12

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we are going to discuss how nation state conflict and sponsored cyberattacks can affect us as non-combatants, and what we should be doing about it. Even if you don't have operations in a war zone, remember cyber has a global reach, so don't think that just because you may be half a world away from the battlefield that someone is not going to reach out and touch you in a bad way. So, listen for what I think will be a fascinating episode, and please do us a small favor and give us a "like" or a 5-star review on your favorite podcast platform -- those ratings really help us reach our peers. It only takes a click -- thank you for helping out our security leadership community. I'm not going to get into any geopolitics here; I'm going to try to ensure that this episode remains useful for quite some time. However, since the conflict in Ukraine has been ongoing for over two hundred days, I will draw examples from that. The ancient Chinese military strategist Sun Tzu wrote: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” That's a little more detailed than the classic Greek aphorism, "know thyself," but the intent is the same even today. Let me add one more quote and we'll get into the material. Over 20 years ago, when he was Secretary of Defense, Donald Rumsfeld said: "As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones. So, knowledge seems extremely important throughout the ages. Modern governments know that, and as a result all have their own intelligence agencies. Let's look at an example. If we go to the CIA's website, we will see the fourfold mission of the Central Intelligence Agency: Collecting foreign intelligence that matters Producing objective all-source analysis Conducting effective covert action as directed by the President Safeguarding the secrets that help keep our nation safe. Why do we mention this? Most governments around the world have similar Nation State objectives and mission statements. Additionally, it's particularly important to understand what is wanted by "state actors" (note, I'll use that term for government and contract intelligence agents.). What are typical goals for State Actors? Let's look at a couple: Goal 1: Steal targeting data to enable future operations. Data such as cell phone records, banking statements or emails allow countries to better target individuals and companies when they know that identifying information. Additionally, targeting data allows Nation state organizations to understand how individuals are connected. This can be key when we are looking for key influencers for targets of interest. All targeting data should not be considered equal. Generally, Banking and Telecom Data are considered the best for collecting so be mindful if that is the type of company that you protect. State Actors target these organizations because of two factors:The Importance of the Data is the first factor. If one party sends a second party an email, that means there is a basic level of connection. However, it's not automatically a strong connection since we all receive emails from spammers. If one party calls someone and talks for 10 minutes to them on a phone call, that generally means a closer connection than an email. Finally, if one party sends money to another party that either means a really strong connection exists, or someone just got scammed. The Accuracy of the Data is the second factor. Many folks sign up for social media accounts with throw away credentials (i.e., fake names and phone numbers). Others use temporary emails to attend conferences, so they don't get marketing spam when they get home. However, because of Anti Money Laundering (or AML) laws, people generally provide legitimate data to financial services firms. If they don't, then they risk not being able to take the money out of a bank -- which would be a big problem. A second goal in addition to collecting targeting data, is that State Actors are interested in collecting Foreign Intelligence. Foreign Intelligence which drives policy-making decisions is very impactful. Remember, stealing secrets that no one cares about is generally just a waste of government tax dollars. If governments collect foreign intelligence on sanctioned activity, then they can inform policy makers on the effectiveness of current sanctions, which is highly useful. By reporting sanctioned activity, the government can know when current sanctions are being violated and when to update current sanctions. This can result in enabling new intelligence collection objectives. Examples of this include:A country may sanction a foreign air carrier that changes ownership or goes out of business. In that case, sanctions may be added against different airlines. This occurred when the US sanctioned Mahan Air, an Iran's airline. Currently the US enforces sanctions on more than half of Iran's civilian airlines. A country may place sanctions on a foreign bank to limit its ability to trade in certain countries or currencies. However, if sanctioned banks circumvent controls by trading with smaller banks which are not sanctioned, then current sanctions are likely ineffective. Examples of sanctioning bank activity by the US against Russia during the current war with Ukraine include:On February 27th sanctions were placed against Russian Banks using the SWIFT international payment systems On February 28th, the Russian Central Bank was sanctioned On March 24th, the Russian Bank Sberbank CEO was sanctioned On April 5th, the US IRS suspended information exchanges with the Russian tax authorities to hamper Moscow's ability to collect taxes. On April 6th, the US sanctioned additional Russian banks. These sanctions didn't just start with the onset of hostilities on 24 February 2022. They date back to Russia's invasion of Crimea. It's just that the US has turned up the volume this time. If sanctions are placed against a country's nuclear energy practices, then knowing what companies are selling or trading goods into the sanctioned country becomes important. Collecting information from transportation companies that identify goods being imported and exported into the country can also identify sanction effectiveness. A third goal or activity taken by State Actors is covert action. Covert Action is generally intended to cause harm to another state without attribution. However, anonymity is often hard to maintain.If we look at Russia in its previous history with Ukraine, we have seen the use of cyber attacks as a form of covert action. The devastating NotPetya malware (which has been generally accredited to Russia) was launched as a supply chain attack. Russian agents compromised the software update mechanism of Ukrainian accounting software M.E. Doc, which was used by nearly 400,000 clients to manage financial documents and file tax returns. This update did much more than the intended choking off of Ukrainian government tax revenue -- Maersk shipping estimates a loss of $300 million. FedEx around $400 million. The total global damage to companies is estimated at around $10 billion. The use of cyberattacks hasn't been limited to just Russia. Another example is Stuxnet. This covert action attack against Iranian nuclear facilities that destroyed nearly one thousand centrifuges is generally attributed to the U.S. and Israel. Changing topics a little bit, we can think of the story of two people encountering a bear. Two friends are in the woods, having a picnic. They spot a bear running at them. One friend gets up and starts running away from the bear. The other friend opens his backpack, takes out his running shoes, changes out of his hiking boots, and starts stretching. “Are you crazy?” the first friend shouts, looking over his shoulder as the bear closes in on his friend. “You can't outrun a bear!” “I don't have to outrun the bear,” said the second friend. “I only have to outrun you.” So how can we physically outrun the Cyber Bear? We need to anticipate where the Bear is likely to be encountered. Just as national park signs warn tourists of animals, there's intelligence information that can inform the general public. If you are looking for physical safety intelligence you might consider:The US Department of State Bureau of Consular Affairs. The State Department hosts a travel advisory list. This list allows anyone to know if a country has issues such as Covid Outbreaks, Civil Unrest, Kidnappings, Violent Crime, and other issues that would complicate having an office for most businesses. Another example is the CIA World Factbook. The World Factbook provides basic intelligence on the history, people, government, economy, energy, geography, environment, communications, transportation, military, terrorism, and transnational issues for 266 world entities. Additionally you might also consider data sources from the World Health Organization and The World Bank If we believe that one of our remote offices is now at risk, then we need to establish a good communications plan. Good communications plans generally require at least four forms of communication. The acronym PACE or Primary, Alternate, Contingency, and Emergency is often usedPrimary Communication: We will first try to email folks in the office. Alternate Communication: If we are unable to communicate via email, then we will try calling their work phones. Contingency Communication: If we are unable to reach individuals via their work phones, then we will send a Text message to their personal cell phones. Emergency Communication: If we are unable to reach them by texting their personal devices, then we will send an email to their personal emails and next of kin. Additionally, we might purchase satellite phones for a country manager. Satellite phones can be generally purchased for under $1,000 and can be used with commercial satellite service providers such as Inmarsat, Globalstar, and Thuraya. One popular plan is Inmarsat's BGAN. BGAN can usually be obtained from resellers for about $100 per month with text messaging costing about fifty cents each and calls costing about $1.50 per minute. This usually translates to a yearly cost of $1,500-2K per device. Is $2K worth the price of communicating to save lives in a high-risk country during high political turmoil? Let your company decide. Note a great time to bring this up may be during use-or-lose money discussions at the end of the year. We should also consider preparing egress locations. For example, before a fire drill most companies plan a meetup location outside of their building so they can perform a headcount. This location such as a vacant parking lot across the street allows teams to identify missing personnel which can later be communicated to emergency personnel. If your company has offices in thirty-five countries, you should think about the same thing, but not assembling across the street but across the border. Have you identified an egress office for each overseas country? If you had operations in Ukraine, then you might have chosen a neighboring country such as Poland, Romania, or Hungary to facilitate departures. When things started going bad, that office could begin creating support networks to find local housing for your corporate refugees. Additionally, finding job opportunities for family members can also be extremely helpful when language is a barrier in new countries. If we anticipate the Bear is going to attack our company digitally, then we should also look for the warning signs. Good examples of this include following threat intelligence information from: Your local ISAC organization. ISAC or Information Sharing Analysis Centers are great communities where you can see if your vertical sector is coming under attack and share your experiences/threats. The National Council of ISACs lists twenty-five different members across a wide range of industries. An example is the Financial Services ISAC or FS-ISAC which has a daily and weekly feed where subscribers can find situational reports on cyber threats from State Actors and criminal groups. InfraGard™ is a partnership between the Federal Bureau of Investigation and members of the private sector for the protection of US Critical Infrastructure. Note you generally need to be a US citizen without a criminal history to join AlienVault offers a Threat Intelligence Community called Open Threat Exchange which grants users free access to over nineteen million threat indicators. Note AlienVault currently hosts over 100,000 global participants, so it's a great place to connect with fellow professionals. The Cybersecurity & Infrastructure Security Agency or CISA also routinely issues cybersecurity advisories to stop harmful malware, ransomware, and nation state attacks. Helpful pages on their websites include the following:Shields Up which provides updates on cyber threats, guidance for organizations, recommendations for corporate Leaders and CEOs, ransomware responses, free tooling, and steps that you can take to protect your families. There's even a Shields Technical Guidance page with more detailed recommendations. CISA routinely puts out Alerts which identify threat actor tactics and techniques. For example, Alert AA22-011A identifies how to understand and mitigate Russian State Sponsored Cyber Threats to US Critical Infrastructure. This alert tells you what CVEs the Russian government is using as well as the documented TTPs which map to the MITRE ATT&CK™ Framework. Note if you want to see more on the MITRE ATT&CK mapped to various intrusion groups we recommend going to attack.mitre.org slant groups. CISA also has notifications that organizations can sign up for to receive timely information on security issues, vulnerabilities, and high impact activity. Another page to note on CISA's website is US Cert. Here you can report cyber incidents, report phishing, report malware, report vulnerabilities, share indicators, or contact US Cert. One helpful page to consider is the Cyber Resilience Review Assessment. Most organizations have an IT Control to conduct yearly risk assessments, and this can help identify weaknesses in your controls. Now that we have seen a bear in the woods, what can we do to put running shoes on to run faster than our peers? If we look at the CISA Shield Technical Guidance Page we can find shields up recommendations such as remediating vulnerabilities, enforcing MFA, running antivirus, enabling strong spam filters to prevent phishing attacks, disabling ports and protocols that are not essential, and strengthening controls for cloud services. Let's look at this in more detail to properly fasten our running shoes. If we are going to remediate vulnerabilities let's focus on the highest priority. I would argue those are high/critical vulnerabilities with known exploits being used in the wild. You can go to CISA's Known Exploited Vulnerabilities Catalog page for a detailed list. Each time a new vulnerability gets added, run a vulnerability scan on your environment to prioritize patching. Next is Multi Factor Authentication (MFA). Routinely we see organizations require MFA access to websites and use Single Sign On. This is great -- please don't stop doing this. However, we would also recommend MFA enhancements in two ways. One, are you using MFA on RDP/SSH logins by administrators? If not, then please enable immediately. You never know when one developer will get phished, and the attacker can pull his SSH keys. Having MFA means even when those keys are lost, bad actor propagation can be minimized. Another enhancement is to increase the security within your MFA functionality. For example, if you use Microsoft Authenticator today try changing from a 6 digit rotating pin to using security features such as number matching that displays the location of their IP Address. You can also look at GPS conditional policies to block all access from countries in which you don't have a presence. Running antivirus is another important safeguard. Here's the kicker -- do you actually know what percentage of your endpoints are running AV and EDR agents? Do you have coverage on both your Windows and Linux Server environments? Of the agents running, what portion have signatures updates that are not current? How about more than 30 days old. We find a lot of companies just check the box saying they have antivirus, but if you look behind the scenes you can see that antivirus isn't as effective as you think when it's turned off or outdated. Enabling Strong Spam Filters is another forgotten exercise. Yes, companies buy solutions like Proofpoint to secure email, but there's more that can be done. One example is implementing DMARC to properly authenticate and block spoofed emails. It's the standard now and prevents brand impersonation. Also please consider restricting email domains. You can do this at the very top. Today, the vast majority of legitimate correspondents still utilize one of the original seven top-level domains: .com, .org, .net, .edu, .mil, .gov, and .int, as well as two-letter country code top-level domains (called ccTLDs). However, you should look carefully at your business correspondence to determine if communicating with all 1,487 top-level domains is really necessary. Let's say your business is located entirely in the UK. Do you really want to allow emails from Country codes such as .RU, .CN, and others? Do you do business with .hair, or .lifestyle, or .xxx? If you don't have a business reason for conducting commerce with these TLDs, block them and minimize both spam and harmful attacks. It won't stop bad actors from using Gmail to send phishing attacks, but you might be surprised at just how much restricting TLDs in your email can help. Note that you have to be careful not to create a self-inflicted denial of service, so make sure that emails from suspect TLDs get evaluated before deletion. Disabling Ports and Protocols is key since you don't want bad actors having easy targets. One thing to consider is using Amazon Inspector. Amazon Inspector has rules in the network reachability package to analyze your network configurations to find security vulnerabilities in your EC2 Instances. This can highlight and provide guidance about restricting access that is not secure such as network configurations that allow for potentially malicious access such as mismanaged security groups, Access Control Lists, Internet Gateways, etc. Strengthening Cloud Security- We won't go into this topic too much as you could spend a whole talk on strengthening cloud security. Companies should consider purchasing a cloud security solution like Wiz, Orca, or Prisma for help in this regard. One tip we don't see often is using geo-fencing and IP allow-lists. For example, one new feature that AWS recently created is to enable Web Application Firewall protections for Amazon Cognito. This makes it easier to protect user pools and hosted UIs from common web exploits. Once we notice there's likely been a bear attack on our peers or our infrastructure, we should report it. This can be done by reporting incidents to local governments such as CISA or a local FBI field office, paid sharing organizations such as ISAC, or free communities such as AlienVault OTX. Let's walk through a notional example of what we might encounter as collateral damage in a cyberwar. However, to keeps this out of current geopolitics, we'll use the fictitious countries Blue and Orange. Imagine that you work at the Acme Widget Corporation which is a Fortune 500 company with a global presence. Because Acme manufactures large scale widgets in their factory in the nation of Orange, they are also sold to the local Orange economy. Unfortunately for Acme, Orange has just invaded their neighboring country Blue. Given that Orange is viewed as the aggressor, various countries have imposed sanctions against Orange. Not wanting to attract the attention of the Orange military or the U.S. Treasury department, your company produces an idea that might just be crazy enough to work. Your company is going to form a new company within Orange that is not affiliated with the parent company for the entirety of the war. This means that the parent company won't provide services to the Orange company. Additionally, since there is no affiliation between the companies then the legal department advises that there will not be sanction evasion activity which could put the company at risk. There's just one problem. Your company has to evict the newly created Orange company (Acme Orange LLC) from its network and ensure it has the critical IT services to enable its success. So where do we start? Let's consider a few things. First, what is the lifeblood of a company? Every company really needs laptops and Collaboration Software like Office 365 or GSuite. So, if we have five hundred people in the new Acme Orange company, that's five hundred new laptops and a new server that will host Microsoft Exchange, a NAS drive, and other critical Microsoft on premises services. Active Directory: Once you obtain the server, you realize a few things. Previous Acme admin credentials were used to troubleshoot desktops in the Orange environment. Since exposed passwords are always a bad thing, you get your first incident to refresh all passwords that may have been exposed. Also, you ensure a new Active Directory server is created for your Orange environment. This should leverage best practices such as MFA since Orange Companies will likely come under attack. Let's talk about other things that companies need to survive: Customer relations management (CRM) services like Salesforce Accounting and Bookkeeping applications such as QuickBooks Payment Software such as PayPal or Stripe File Storage such as Google Drive or Drop Box Video Conferencing like Zoom Customer Service Software like Zendesk Contract Management software like DocuSign HR Software like Bamboo or My Workday Antivirus & EDR software Standing up a new company's IT infrastructure in a month is never a trivial task. However, if ACME Orange is able to survive for 2-3 years it can then return to the parent company after the sanctions are lifted. Let's look at some discussion topics. What IT services will be the hardest to transfer? Can new IT equipment for Acme Orange be procured in a month during a time of conflict? Which services are likely to only have a SaaS offering and not enable on premises during times of conflicts? Could your company actually close a procurement request in a one-month timeline? If we believe we can transfer IT services and get the office up and running, we might look at our cyber team's role in providing recommendations to a new office that will be able to survive a time of turmoil. All laptops shall have Antivirus and EDR enabled from Microsoft. Since the Acme Orange office is isolated from the rest of the world, all firewalls will block IP traffic not originating from Orange. SSO and MFA will be required on all logins Backups will be routinely required. Note if you are really looking for effective strategies to mitigate cyber security incidents, we highly recommend the Australian Essential Eight. We have a link in our show notes if you want more details. Additionally, the ACME Orange IT department will need to create its own Incident Response Plan (IRP). One really good guide for building Cyber Incident Response Playbooks comes from the American Public Power Association. (I'll put the link in our show notes.) The IRP recommends creating incident templates that can be used for common attacks such as: Denial of Service (DoS) Malware Web Application Attack (SQL Injection, XSS, Directory Traversal, …) Cyber-Physical Attack Phishing Man in the middle attack Zero Day Exploit This Incident Response Template can identify helpful information such as Detection: Record how the attack was identified Reporting: Provide a list of POCs and contact information for the IT help desk to contact during an event Triage: List the activities that need to be performed during Incident Response. Typically, teams follow the PICERL model. (Preparation - Identification - Containment - Eradication - Recovery - Lessons Learned) Classification: Depending on the severity level of the event, identify additional actions that need to occur Communications: Identify how to notify local law enforcement, regulatory agencies, and insurance carriers during material cyber incidents. Additionally describe the process on how communications will be relayed to customers, employees, media, and state/local leaders. As you can see, there is much that would have to be done in response to a nation state aggression or regional conflict that would likely fall in your lap. If you didn't think about it before, you now have plenty of material to work with. Figure out your own unique requirements, do some tabletop exercises where you identify your most relevant Orange and Blue future conflict, and practice, practice, practice. We learned from COVID that companies that were well prepared with a disaster response plan rebranded as a pandemic response plan fared much better in the early weeks of the 2020 lockdown. I know my office transitioned to remote work for over sixty consecutive weeks without any serious IT issues because we had a written plan and had practiced it. Here's another one for you to add to your arsenal. Take the time and be prepared -- you'll be a hero "when the bubble goes up." (There -- you've learned an obscure term that nearly absent from a Google search but well-known in the Navy and the Marine Corps.) Okay, that's it for today's episode on Outrunning the Bear. Let's recap: Know yourself Know what foreign adversaries want Know what information, processes, or people you need to protect Know the goals of state actors:steal targeting data collect foreign intelligence covert action Know how to establish a good communications plan (PACE)Primary Alternate Contingency Emergency Know how to get out of Dodge Know where to find private and government threat intelligence Know your quick wins for protectionremediate vulnerabilities implement MFA everywhere run current antivirus enable strong spam filters restrict top level domains disable vulnerable or unused ports and protocols strengthen cloud security Know how to partition your business logically to isolate your IT environments in the event of a sudden requirement. Thanks again for listening to CISO Tradecraft. Please remember to like us on your favorite podcast provider and tell your peers about us. Don't forget to follow us on LinkedIn too -- you can find our regular stream of low-noise, high-value postings. This is your host G. Mark Hardy, and until next time, stay safe. References https://www.goodreads.com/quotes/17976-if-you-know-the-enemy-and-know-yourself-you-need https://en.wikipedia.org/wiki/There_are_known_knowns https://www.cia.gov/about/mission-vision/ https://www.cybersecurity-insiders.com/ukraines-accounting-software-firm-refuses-to-take-cyber-attack-blame/ https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ https://www.nationalisacs.org/member-isacs-3 https://attack.mitre.org/groups/ https://data.iana.org/TLD/tlds-alpha-by-domain.txt https://www.publicpower.org/system/files/documents/Public-Power-Cyber-Incident-Response-Playbook.pdf

covid-19 google israel uk running russia office chinese ukraine data russian microsoft leaders modern fortune greek bear fbi defense goal iran companies ceos navy figure emergency cia poland orange paypal gps windows secretary ukrainian ip steal pace saas moscow investigation banking primary nas denial swift crm iranians doc romania helpful hungary world health organization collecting marine corps mfa generally treasury av satellites fedex gmail kidnappings state department us department aws alternate protocols accuracy national council ru 2k crimea bamboo google drive wiz bookkeeping orca alerts contingencies federal bureau sun tzu acme aml cn civil unrest violent crimes cisa antivirus prisma donald rumsfeld g suite maersk incident response nation state ssh pocs sso stuxnet edr uis microsoft exchange active directory isac anti money laundering proofpoint dmarc tld outrunning xss notpetya cves irp ip address ttps infragard inmarsat globalstar single sign on tlds covert action state bureau mitre att ck isacs fs isac web application firewall linux servers american public power association us cert amazon cognito collaboration software cctlds amazon inspector us irs

The DISARM Framework Helps Bring Focus to the Disinformation Problem with Executive Director of the DISARM Foundation Jon Brewer

Cloud Security Podcast by Google

Play Episode Listen Later Jul 26, 2022 24:18

In episode 80 of The Cyber5, we are joined by Executive Director of the DISARM Foundation, Jon Brewer. We discuss the mission of the DISARM Framework, which is a common framework for combating disinformation. Much like how the MITRE ATT&CK framework is used for combating cyber attacks, the DISARM framework is used to identify what Jon calls “cognitive security.” What that means is all the tactics, techniques, and procedures used in crafting disinformation attacks and influencing someone's mind. This includes the narratives, accounts, outlets, and technical signatures used to influence a large population. We chat about what success looks like for the foundation and specific audiences used to help the population in understanding how disinformation actors work. Three Takeaways: 1. What is the DISARM Framework? DISARM is the open-source, master framework for fighting disinformation through the coordination of effective action. It was created by cognitive security expert SJ Terp. It is used to help communicators, from whichever discipline or sector, to gain a clear, shared understanding of disinformation incidents and to immediately identify the countermeasure options that are available to them. It is similar to the MITRE ATT&CK framework which provides a list of TTPs that malicious actors conduct cyber attacks. 2. Similarities Between DISARM and MITRE ATT&CK Frameworks: Cognitive Security vs Cyber Security Cognitive security and the DISARM framework is analogous to cyber security and the MITRE ATT&CK framework. Cognitive security are the TTPs that actors influence minds and cyber security are actors' ability to steal data from networks. MITRE ATT&CK's list covers the different TTPs of the cyber kill chain: Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration DISARM's list covers different TTPs of the disinformation chain: Plan Strategy Plan Objectives Target Audience Analysis Develop Narratives Develop Content Establish Social Assets Establish Legitimacy Microtarget Select Channels and Affordances Conduct Pump Priming Deliver Content Maximize Exposure Drive Online Harms Drive Offline Activity Persist in Information Environment Assess Effectiveness 3. Disinformation: A Whole of Society Problem While MITRE ATT&CK is mostly a business to business framework for enterprises to defend against cyber attacks. The DISARM framework is both a B2B framework for companies like technology and journalism, but also more broadly to consumers. This will take much more support from non-profits and public sector organizations like police and education systems.

EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?

Play Episode Listen Later Jul 25, 2022 30:16

Guest: Ben Johnson, CTO/co-founder @ Obsidian Security Topics: Why is there so much attention lately on SaaS security? Doesn't this area date back to 2015 or so? What do you see as the primary challenges in securing SaaS? What does a SaaS threat model look like? What are the top threats you see? CASB has been the fastest growing security market and it has grown into a broad platform and many assume that “securing SaaS = using CASB”, what are they missing? Where would another technology to secure SaaS fit architecturally, inline with CASB or as another API-based system? Securing IaaS spanned a robust ecosystem of vendors (CWPP, CSPM, now CNAPP) and many of these have ambitions for securing SaaS, thus clashing with CASB. Where do you fit in this battle? For a while, you were talking more about CDR - what is it and do we really need a separate CDR technology? Resources: Obsidian Security blog and Resource Center Does the World Need Cloud Detection and Response (CDR)? blog Does the world need Cloud Detection and Response (CDR) as a new market segment? poll MITRE ATT&CK for SaaS matrix CISA SCUBA resource “Essentialism” book.

cloud secure saas cto api detection powering essentialism cdr cloud security casb cspm mitre att ck cnapp

Threat Intelligence Usage in API Security and DevSecOps with Snap Finance Chief Security Officer Upendra Mardikar

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Play Episode Listen Later May 24, 2022 34:05

In episode 73 of The Cyber5, we are joined by Snap Finance Chief Security Officer Upendra Mardikar. We discuss how threat intelligence is used in application programming interface (API) security and development security operations (devsecops). Any organization building an application has data or user-generated content as the primary product. Once connected to customers, consumers, clients, or partners there is a new set of security considerations generated. The API serves as the software intermediary that allows two applications to talk to one another. It's bad enough if an attacker exfiltrates sensitive data, but imagine if they are able to gain visibility to see who is querying for the data held in the application. Imagine if Russia can see who is querying certain individuals in a credit bureau data set. That's a whole other set of problems organizations face. As we've talked about in previous podcasts, devsecops is the security of protecting the software development lifecycle (SDLC). We talk about why API security should be added to the wider MITRE ATT&CK framework and further discuss the impact of organizational immaturity as it relates to tackling API and DevOps security. Five Key Takeaways: 1) APIs are at the Forefront of Digital Transformation and Must be Protected APIs go north/south between the company and customers and east/west establishing interconnectivity between different applications within the enterprise. A giant need exists to go “outside the firewall” to observe threats that are attacking APIs because they are fundamental to many enterprise functions, regardless of industry. 2) API Security is Very Immature in Enterprise Many security practitioners focus on north/south protections of APIs and implement firewalls and DDoS protections to keep intruders out of the environment. However this is a myopic strategy because it does not protect against lateral movement and privilege escalation when an attacker compromises perimeter security. When perimeter security is compromised, protecting east/west APIs becomes critical. We are seeing trends around Zero Trust. Zero Trust is based on the premise that location isn't relevant and users and devices can't be trusted until they are authenticated and authorized. To gain security from a zero trust security model, we must therefore apply these principles to our APIs. This aligns well since modern API-driven software and apps aren't contained in a fixed network — they're in the cloud — and threats exist throughout the application and infrastructure stack. An API-driven application can have thousands of microservices, making it difficult for security and engineering teams to track all development and their security impact. Adopting zero trust principles ensures that each microservice communicates with the least privilege, preventing the use of open ports and enabling authentication and authorization across each API. The end goal is to make sure that one insecure API doesn't become the weakest link, compromising the entire application and data. 3) Integrating API Security into the MITRE ATT&CK Framework API Security is different from traditional application security (OWASP), which is integrated into the MITRE ATT&CK Framework along with attacks on servers, endpoints, and TLS, etc. API security focuses more on the potential attacks of exposed, internet-facing microservices in addition to the business logic. API security primarily focuses on: Users: The most common API vulnerabilities tend to be centered around issues with an authorization that enables access to resources within an API-driven application. Transactions: Ensuring that transport layer security (TLS) encryption is enforced for all transactions between the client and application ensures an extra layer of safety. Since modern applications are built on microservices, software developers should enforce encryption between all microservices. Data: It is increasingly important to ensure sensitive data is protected both at rest and while in motion and that the data can be traced from end-to-end. Monitoring: This means collecting telemetry or meta-data that gives you a panoramic view of an application, how it behaves and how its business logic is structured. 4) Improvements for Threat Intelligence Against APIs of Applications Threat intelligence providers need to go beyond the features of user stories, but also be able to alert and automate when malicious actors are targeting the microservices of APIs as the business logic of these APIs are more central to business operations. 5) Threat Intelligence Should Try to Integrate with Threat Hunting to Conduct Proper Malicious Pattern Matching, Reducing False Positives Pattern matching to detect malicious behavior over legitimate user traffic has evolved over time: Netflow: track network traffic emanating from the routers to the endpoints Applications: track application traffic to deter anomalies of authentication Data: track data flows in motion and at rest in the data lakes Devices: mapping devices to determine proper asset inventory Users: tracking user behavior such as off business hour queries to sensitive databases The industry still needs solutions that detect and correlate these behaviors at scale because thus far this has been extremely fragmented.

ISC StormCast for Thursday, April 28th, 2022

Play Episode Listen Later Apr 28, 2022 6:07 Very Popular

MITRE ATT&CK v11 https://isc.sans.edu/forums/diary/MITRE+ATTCK+v11+a+small+update+that+can+help+not+just+with+detection+engineering/28590/ Microsoft Special Report: Ukraine https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd Linux Privilege Escalation Nimbuspwn https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/ npm Package Planting https://blog.aquasec.com/npm-package-planting

business internet news network security computers cybersecurity cyber hacking infosec mitre att ck isc stormcast

ISC StormCast for Thursday, April 28th, 2022

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Play Episode Listen Later Apr 28, 2022 6:07

MITRE ATT&CK v11 https://isc.sans.edu/forums/diary/MITRE+ATTCK+v11+a+small+update+that+can+help+not+just+with+detection+engineering/28590/ Microsoft Special Report: Ukraine https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd Linux Privilege Escalation Nimbuspwn https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/ npm Package Planting https://blog.aquasec.com/npm-package-planting

business internet news network security computers cybersecurity cyber hacking infosec mitre att ck isc stormcast

Defining Metrics for Attribution in Cyber Threat Intelligence and Investigations

Play Episode Listen Later Jan 19, 2022 31:10

In episode 63 of The Cyber5, we are again joined by Sean O'Connor, Head of Global Cyber Threat Intelligence for Equinix. We discuss attribution in the cyber threat intelligence and investigation space, and what the private sector can learn from public sector intelligence programs. We also discuss different levels of attribution, the outcomes, and the disruption campaigns that are needed to make an impact on cybercriminals around the world. We define the impact of attribution with different stakeholders throughout the business and how the intelligence discipline will likely evolve over the next five to 10 years. Five Key Takeaways: Lessons For Private Sector Intelligence Teams from Public Sector National Security Apparatus (Intelligence Life Cycle, MITRE ATT&CK, Cyber Kill Chain) Many cybersecurity best practices and frameworks originate from the US public sector: Intelligence life cycle: Defining priorities and communicating intelligence to stakeholders Lockheed Martin Cyber Kill Chain: Defining broad malicious actions in IT networks MITRE ATT&CK Framework: Identifying more specific malicious movements in IT networks Structured analytical techniques by CIA analysts, such as Richard Kerr. 2) Attribution is Critical in Cybersecurity to Warrant an Action Attribution to cyber threat actors by industry is still important as a starting point to derive appropriate controls for the SOC and the CERT within a large organization. How these threats pose a risk of monetary loss are important elements of context when providing these threats to business executives. Here are two typical starting points: Review phishing telemetry for common TTPs and create rule-based detections based on phishing infrastructure used by actors. External threat landscape assessment for TTPs resulting in targeted threat hunts for most notorious ransomware gangs. Creating custom detections is typically the outcome until the appropriate disruptions can be put in place. 3) Disruption Campaigns Happen with Successful Information Sharing Successful disruption campaigns come from non-public information sharing between vendors, enterprises, and public sector institutions like CISA or the FBI. They typically do not originate from marketing blog posts. 4) Threat Intelligence is a Service-Based Role that Goes Beyond the SOC Success in cybersecurity (SOC and CERT) is keeping security incidents limited to “events” and ensuring they do not escalate into breaches. This occurs from multiple stakeholders having the proper visibility to ensure network telemetry is complete, accurate, and truthful. However, due to the services nature of intelligence work, it goes beyond just the SOC. 5) Threat Intelligence Should be a Floating Team to the Business Threat intelligence should be a floating team that can operate outside of the SOC and is an asset to the overall business, not just limited to combating cyber threats. Often executives want intelligence on mergers and acquisitions and market entry in a given geopolitical area, and threat analysis needs to be tailored to different customers. A Chief Intelligence Officer may be more widely accepted in the future as the needs of the business expand and diversify.

Book | Threat Hunting In The Cloud | Redefining Security With Abbas Kudrati, Binil Pillai, And Diana Kelley

Play Episode Listen Later Dec 14, 2021 46:04

The cloud changes many things for businesses and the teams responsible for running their operations in one or more of these as-a-service-oriented environments. An organization's security operations for (and in) the cloud must follow suit.Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against CyberattacksBook AbstractIn Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks, celebrated cybersecurity professionals and authors Chris Peiris, Binil Pillai, and Abbas Kudrati leverage their decades of experience building large scale cyber fusion centers to deliver the ideal threat hunting resource for both business and technical audiences. You'll find insightful analyses of cloud platform security tools and, using the industry leading MITRE ATT&CK framework, discussions of the most common threat vectors.You'll discover how to build a side-by-side cybersecurity fusion center on both Microsoft Azure and Amazon Web Services and deliver a multi-cloud strategy for enterprise customers. And you will find out how to create a vendor-neutral environment with rapid disaster recovery capability for maximum risk mitigation.Perfect for technical executives (i.e., CTO, CISO), technical managers, architects, system admins and consultants with hands-on responsibility for cloud platforms, Threat Hunting in the Cloud is also an indispensable guide for business executives (i.e., CFO, COO CEO, board members) and managers who need to understand their organization's cybersecurity risk framework and mitigation strategy.____________________________GuestsAbbas KudratiOn LinkedIn | https://www.linkedin.com/in/akudrati/On Twitter | https://twitter.com/askudratiBinil PillaiOn LinkedIn | https://www.linkedin.com/in/binilpillai/On Twitter | https://twitter.com/pillai_binil____________________________Co-HostDiana KelleyOn ITSPmagazine

Automating Cyber Threat Intelligence 101

Play Episode Listen Later Apr 26, 2021 18:49

In episode 44 of The Cyber5, we are joined by Ronald Eddings. Ron is a Security Engineer and Architect for Marqeta, host of Hack Valley Studio podcast, and a cybersecurity expert and blogger have earned him a reputation as a trusted industry leader. In this episode, we discuss the fundamentals of automating threat intelligence. We focus on the automation and analysis of forensic artifacts such as indicators of compromise and actual attacker behaviors within an environment. We also discuss metrics that matter when the objective is to show progress for a security engineering program. 5 Topics Covered in this Episode: Define the Use Cases: (01:19 - 04:17) For a mature security team, the automation of cyber threat intelligence should start with defining use cases. An enterprise should ask, “What problems am I trying to solve?” Detecting malicious binaries on devices is a good place. For example, let's start with a problem that plagues all organizations: phishing. Creating an inbox for phishing emails is a good first step. Then, an organization needs to make a decision whether to automate the extraction of file hashes, URLs, and IPs for analysis or to direct employees not to click on the link or open the file. Storage and Logging Components that Need to be In Place: (04:17 - 06:59) For security engineering to be effective, data must be available. Security engineers should define a data acquisition strategy by eliciting stakeholder requirements and assessing your collection plan. The right data is often spread across multiple tools and systems. This must be consolidated into one location for automation to be effective. For example, if an organization wants to detect lateral movement from an Advanced Persistent Threat and is only storing a month of Windows event logs, success is unlikely. To be effective, the following logging should be in place: 1) Windows event logs 2) Netflow (which can be expensive) 3) Cloud logs 4) EDR logs from endpoint devices, and 5) VPN and RDP logs. Prioritizing MITRE ATT&CK in Security Engineering: (06:59 - 10:12) When beginning a program, security engineering should resist the temptation to automate APT groups. Instead, they should automate alerts in the reconnaissance stages within MITRE ATT&CK and then work down the cyber kill chain towards exfiltration. Reconnaissance stages are easier to automate and by the time an attack escalates to the lateral movement stage, automation will facilitate and speed human analysis. Security Orchestration and Automated Response (SOAR): (10:12 - 12:00) Python and Go are helpful languages to learn in the SOAR process and useful with incident response. Useful Metrics and What Cannot be Automated in Security Engineering: (12:00 - 19:00) Mean time to detection, response, and remediation are critical metrics for security engineers to measure. Case management systems such as JIRA can facilitate interaction between the security team roles, including SOC, Incident Response, Security Engineering, Threat Hunt, Threat Intel, Vulnerability Management, Application Security, Business Units, and Red Team. Identifying new threats and understanding why a threat occurred is almost impossible to automate and will always require analysis.

Building an Enterprise Intelligence Program