The CYBER5 is hosted by Landon Winkelvoss, Co-Founder at Nisos, and features cybersecurity and investigations industry leaders' thoughts and answers to five questions on one topic of actionable intelligence for the enterprise, revolving around third-party risk management, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection, disinformation, and cyber threat intelligence.
Operational Resiliency Framework Pertaining to Supply Chains with the Foundation for Defense of Democracies' George Shea
In Episode 85 of TheCyber5, we are joined by Dr. George Shea, Chief Technologist of the Transformative Cyber Innovation Lab at the Foundation for Defense of Democracies (FDD).
Here are four topics we discuss in this episode:
What is the Operational Resiliency Framework (ORF)?
The Operational Resiliency Framework (ORF) is a framework intended to be used by executives to ensure business continuity processes when their suppliers are knocked offline during natural disasters and cyber attacks.
Defining Minimum Viable Services
Step one, and the most important step, is defining a minimum level of service for all products and services. When disasters or cyber attacks occur, the minimum viable service will reveal the critical suppliers that need extra attention from a redundancy and monitoring perspective.
Resilience Is Not Going to Stop a Cyber Attack
The ORF is not a compliance requirement, nor will this framework stop a cyber attack. However, this framework is designed to help organizations respond when an attack has taken place and is ongoing. For example, if an attacker is already within the system, it's important to keep valuable services running and ensure the suppliers that enable those critical services don't go down. This framework goes beyond your perimeter to the suppliers and customers.
Cyber Configurations Are Critical
While this is not a cyber security framework, technical controls and configurations on the suppliers' side are an important part of the process for keeping minimum viable services up and running.
Integrating Attack Simulation with Intelligence to Provide Actionable Outcomes with CrossCountry Consulting
In Episode 84 of TheCyber5, we are joined by members of the CrossCountry Consulting team: Brian Chamberlain, Offensive R&D Lead, Eric Eames, Associate Director, and Gary Barnabo, Director, Cyber and Privacy.
Here are five topics we discuss in this episode:
Adversary Emulation vs. Simulation and the Use of Threat Intelligence
Replaying attacks from known adversaries is considered adversary emulation. The pros of emulation are that you can react to and defend against threat intelligence and the actual techniques during a penetration test. The cons are that many times these are yesterday's threats. Simulation is the art of coming up with new attack vectors using skilled penetration testers. The pros are that these attacks give blue teams new ways to think ahead and adapt their defenses before threat actors do. The cons are that these attacks aren't yet in the wild and the probability of such attacks is not known.
Value of Threat Intelligence with Red Teams
Indicators of Compromise (IOCs) are immediately relevant and actionable, even though their value is overcome by events (OBE) within hours. IOCs alone say little about the behavioral heuristics of sophisticated adversaries, and that gap is what combining sophisticated adversary simulation with threat intelligence attempts to overcome. For example, if an enterprise can defend against malicious HTML Applications (HTAs), that protects it against any adversary using that vector. Another example would be a simulated ransomware event, based on threat intel, that drops in several places and simulates everything that six different ransomware families would do (up until encryption).
Tools Are Not Enough
Enterprises struggle to defend when a security product does not catch an actor in the environment, and they struggle to react in a way that forensically preserves evidence of the attacker's initial access vector. Training incident response and conducting external threat hunting are critical elements for defending and reacting when an attacker creates a new way to penetrate an environment.
Satisfying a Chief Financial Officer's Appetite for Security
In today's information technology environments, CFOs need to be conversant in cyber security, not experts. Some considerations should be:
- CFOs need to hold security tooling accountable, because there is an overconsumption of tooling that simply does not make an impact.
- Corporate development, merger and acquisition strategy, and payments to vendors are critical business aspects a CFO should be concerned with protecting.
- A CFO should be empowered to initiate a penetration test unbeknownst to the security team. Adversary simulations are often highly political as a result, but this kind of dialogue is beneficial for understanding incident response preparation and the threat intelligence on how to defend against certain threat actors.
- If a company is in growth mode and over $1B in annual revenue, and IT cannot integrate acquisitions quickly enough, more should be spent on security.
- If a company is in profitability mode, streamlining security is probably more important.
- If a company is under $1B in annual revenue, spending on security is always challenging, and managed services and consulting come more into play.

Benchmarks Can Be Challenging
Many companies want benchmarks on how they stack up against industry peers. Every company is different and no two environments are the same, so stacking up against industry measures like third party risk "scores" is challenging and not advisable.
Data Governance and Threat Intelligence Converge with Egnyte’s Chief Governance Officer Jeff Sizemore
In Episode 83 of TheCyber5, we are joined by our guest, Egnyte’s Chief Governance Officer, Jeff Sizemore.
We discuss the Cybersecurity Maturity Model Certification (CMMC) and its impact on Department of Defense (DOD) contractors, who must mature their cybersecurity hygiene in order to compete for US government contracts. CMMC is based on the NIST 800-71 standard.
Here are four topics we discuss in this episode:
Why Does CMMC Matter?
In the near future, contracts are going to be rated L1-3, and if contractors are not certified up to a certain level, they cannot bid on the contract. This is focused more on the smaller defense contractors who, up to now, have generally disregarded compliance measures yet are major targets for nation state cyber attacks.
Failure to Comply with CMMC Could Mean Perjury
Compliance for DOD contractors is not new, and companies were previously allowed to self-attest. When DOD regulatory bodies did the research, 75% of companies were found to be out of compliance. For enforcement, the Department of Justice is now involved, and if contractors lie, it's considered perjury.
Compliance Cybersecurity Controls Contractors Can Implement
Before choosing an email provider, cloud environment, or file share, be sure they are FedRAMP compliant. Automate the search capability within secure enclaves so that controlled unclassified information (CUI) is detected in an environment. Automate the ability to be audited so contractors aren't wasting time in spreadsheets.

Incident Response and Threat Intelligence Controls Needed
Threat intelligence is in an evolutionary stage for larger contractors to monitor their subcontractors to determine whether they have vulnerabilities and/or have been breached. Third party risk score cards are generally not actionable for defense contractors because the vulnerabilities are not put into the context of a business risk. The key is to bring together a threat intelligence picture that can alert on actionable data leaks.
Driving Diversity in Cyber Security and Intelligence with BGH Security CEO Tennisha Martin
In episode 82 of The Cyber5, we are joined by guest moderator and senior intelligence analyst for Nisos, Valerie Gallimore, and CEO of BGH Security, Tennisha Martin.
In this episode, we discuss the challenges and opportunities of promoting and enabling diversity and inclusion in cyber security.
1) Showing Impact for Diversity and Inclusion (D&I) within Security
Beyond filling cyber security skills gaps, some metrics that show success in D&I include:
- Jobs
- Feeling more confident in interviews
- Recommending minorities for employment opportunities
- Educating about opportunities outside of technical positions, such as project management, customer success, product management, marketing, and sales
- Certifications
- Transitions to cyber security from other career fields

2) Giving Back to the Cybersecurity Community
- Volunteering to help educate the next generation of ethical hackers or cybersecurity specialists.
- Donating funds to nonprofit organizations that assist people interested in pursuing a career in cybersecurity.
- Volunteering time instructing courses or sessions on issues to assist individuals in gaining exposure to the cybersecurity sector.

3) Being Part of a Supportive Virtual Community
- Having a community of people that you can talk to, even though they're not necessarily near you, about issues you are encountering in the industry.
- Having people that you can relate to and reach out to because they are navigating the same path as you are.
- Having a psychologically safe space for people to problem solve and brainstorm and feel like they're not being judged.
- Helping people that are new in cybersecurity feel comfortable and stay in the industry.
Leveraging Open Source Intelligence in Insider Threat Programs with Vaillance Group CEO, Shawnee Delaney
In episode 81 of The Cyber5, we are joined by the Head of Insider Threat at Uber and CEO of Vaillance Group, Shawnee Delaney.
In this episode, we provide an overview of different functions within an insider threat program. We also discuss the support open source intelligence provides to such programs and how to change company culture to care about insider threats. We also discuss the ROI metrics that are important to different stakeholders when implementing an insider threat program.
1) Departments and Functions within Insider Threat
Insider threat programs are relatively new in enterprise security and often differ from company to company. Open source intelligence can be a standalone role or be cross-functional among all departments. Common departments and functions include:
- Open source intelligence.
- Forensics monitoring.
- Training and awareness (steering committees for stakeholders, benchmarking).
- Technical and behavioral monitoring (UEBA or DLP).
- Supplier due diligence.
- Global investigations.
- Global intelligence analysis.

2) Common Problems Faced by Insider Threat Teams
Common challenges faced by insider threat teams:
- Privacy: ensuring employee confidentiality is not violated.
- Tooling: having the visibility to distinguish malicious events from normal behavior.
- Finding practitioners that can do both the technical monitoring and the open source intelligence.
- Shifting culture to be more security conscious.
- Focusing on physical security issues, like active shooter situations, just as much as data exfiltration and other cyber concerns.

3) Role of Open Source Intelligence in Insider Threat Programs
An insider threat program is a key stakeholder for a threat intelligence program, not the individual buyer. Three key areas where open source intelligence (OSINT) supports insider threat programs:
- Employee lifecycle management: ensuring employees, former employees, and prospects are not an insider threat based on what they post on the internet.
- Validating red flag indicators with OSINT.
- Investigations into vendors.
The DISARM Framework Helps Bring Focus to the Disinformation Problem with Executive Director of the DISARM Foundation Jon Brewer
In episode 80 of The Cyber5, we are joined by Executive Director of the DISARM Foundation, Jon Brewer.
We discuss the mission of the DISARM Framework, which is a common framework for combating disinformation. Much like how the MITRE ATT&CK framework is used for combating cyber attacks, the DISARM framework is used to identify what Jon calls "cognitive security." What that means is all the tactics, techniques, and procedures used in crafting disinformation attacks and influencing someone's mind. This includes the narratives, accounts, outlets, and technical signatures used to influence a large population. We chat about what success looks like for the foundation and the specific audiences it works with to help the population understand how disinformation actors work.
1. What is the DISARM Framework?
DISARM is the open-source, master framework for fighting disinformation through the coordination of effective action. It was created by cognitive security expert SJ Terp. It is used to help communicators, from whichever discipline or sector, to gain a clear, shared understanding of disinformation incidents and to immediately identify the countermeasure options that are available to them. It is similar to the MITRE ATT&CK framework, which provides a list of the TTPs malicious actors use to conduct cyber attacks.
2. Similarities Between DISARM and MITRE ATT&CK Frameworks: Cognitive Security vs Cyber Security
Cognitive security and the DISARM framework are analogous to cyber security and the MITRE ATT&CK framework. Cognitive security covers the TTPs by which actors influence minds, and cyber security covers actors' ability to steal data from networks. MITRE ATT&CK's list covers the different TTPs of the cyber kill chain:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration

DISARM's list covers the different TTPs of the disinformation chain:
- Plan Strategy
- Plan Objectives
- Target Audience Analysis
- Develop Narratives
- Develop Content
- Establish Social Assets
- Establish Legitimacy
- Microtarget
- Select Channels and Affordances
- Conduct Pump Priming
- Deliver Content
- Maximize Exposure
- Drive Online Harms
- Drive Offline Activity
- Persist in Information Environment
- Assess Effectiveness

3. Disinformation: A Whole of Society Problem
While MITRE ATT&CK is mostly a business-to-business framework for enterprises to defend against cyber attacks, the DISARM framework is both a B2B framework for companies in sectors like technology and journalism and, more broadly, a framework for consumers. This will take much more support from non-profits and public sector organizations like police and education systems.
Great Podcast Sean!!!
Awesome up to date content and solid delivery.