The problem with gatekeeping in the cyber security industry

Stark Realities

Imagine having an industry where you can’t be in it without already being an expert in all fields, imagine having to be able to command policy and drive strategy but not having anyone having ever helped you learn how to do this, imagine that if you did all the activities involved with secure service and yet people say you aren’t part of the industry because your job title doesn’t have the word “security” in it and imagine if that you are told you aren’t part of the cyber security industry because you also have to worry about budgets, sales, marketing, new business initiatives, IT services and well anything else!

What would happen if we had this as our cyber security industry principles… well that’s simple?

Leadership

The Art of Cyber

Cyber Security is an intersection of different activities, processes and capabilities. It uses skills from multiple traditional roles. As such the definition of it, often seems to lie in the reader. I did a poll the other day on twitter where ~30% of people thought a scenario I described wasn’t cyber because basically an “IT” person did the activity or they made assumptions that the IT person was told to do it (they were not). This led me to try and describe what Cyber means to me:

Defense

Can Cyber Deception be used as a force for…

Scams, Disinformation & Supply Chain Compromise

Now this might come to a shock to some of you but I’m not actually (as my LinkedIn profile currently says) Tony Stark! I know, shocking but it’s true. Why I’m experimenting with this will hopefully be apparent after reading this post (although this isn’t an explanation specifically). What I’m looking at is how deception is used from a range of perspectives from marketing, cybercrime and how we can use deception in a positive way, to actively defend ourselves from the cyber criminals! Read more “Can Cyber Deception be used as a force for good?” →

Leadership

Cyber Security Architecture

I remember (now it was a long time ago) when I worked in a support role and my dream job was being a technical architect, back in the warm and fuzzy days of no host-based firewalls, IPsec being something only MCPs knew about other than the networking team and when cybercrime was a shadow of how it is today.

It wasn’t until I had a few more notches under my belt when I realised that architecture in technology has different viewpoints, not only that but even the industry can’t agree on what things are or are not. That aside the reality is, is that architecture has different domains, specialisms, views, and viewpoints. I often find myself working across a whole range of areas, that is driven largely by specific customer requirements and scenarios (this is why I have a cool lab and lots of kit!)

When we consider a business technology system it has risk and by nature cyber security in that view. To think of this not being the case would be odd because ultimately “business” is the highest abstraction, and let’s think about what makes up a business: Read more “Cyber Security Architecture” →

Leadership

Measuring Cyber Defence Success

What does “good” cyber security look like? Sure, we can run a maturity assessment and see what good indicators are and we can create a baseline of our current state to establish where we are and what gaps we have (honestly in real terms this isn’t something to consider you should be doing this!) but how do we measure success in cyber security? Is every success an invisible outcome? Because one question that often comes to mind here is, just because we don’t see something, does that mean everything is ok? In the fast-paced world of cyber security, measuring success isn’t as easy as you would think. I’ll give an example of this, let’s say we don’t monitor, we get breached, but the threat actor just performs crypto mining (let’s say this is on premises) and we never really notice in the grand scheme of the world that our energy consumption costs have increased, if we didn’t know this had occurred, we might think our security is good. Read more “Measuring Cyber Defence Success” →

Defense

Would you know if these remote access tools were…

Introduction

Remote management and monitoring (RMM) and other remote access solutions are fantastic for enabling remote support of environments. Like most things in life though the intent of the user changes the tool from a force for good to a weapon of evil (I hate the use of the word weapon with software but it’s a blog so I’ll self-cringe).

Kill Chain Summary

The kill chain in the attack outlind by sophos isn’t one that you will be suprised at:

Initial access was via a known software vulnerability (unpatched Exchange server)
The attackers dropped a web shell
The attackers had SYSTEM level access
The attackers dumped memory to obtain hashes
The hashes were cracked (they escalated to domain admin)
7 (yes seven!) backdoors were implaneted into the target network (hence this blog post)
Lateral movement was made to domain controllers
Large volumes of data were exfiltrated
The rest of the environment was then pwn3d

What might shock you more is the speed at which this was conducted. It’s not months or weeks, it’s hours and days (see the Sophos blog for more details!)

Conti Actors Remote Access Toolkits

Remote access tools being abused isn’t a new thing but following a great writeup (https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/?cmp=30728) of a Conti kill chain from Sophos Labs I figured I’d try and raise more awareness of some of the threats that organisations face, and the reality that defending against all threats is actually quite difficult for a lot of organisations (hell it’s technically not simply for anyone!) Read more “Would you know if these remote access tools were being used in your network environment?” →

Guides

What do you need to be Cyber Leader?

Introduction

What does it take to be a cyber leader? How do we address a broad challenge we have in today’s business world?

There are a huge number of organisations whereby the leadership do not have domain expertise in cyber and related disciplines. There are decision makers who are having to best guess. On the other end of the spectrum, we have thousands and thousands of people trying to “break into cyber” yet they face largely insane entry requirements with the forementioned adding things to junior and entry level role which include:

Must have a CISSP (CISSP requires 5 years’ experience and is an Information Security certificate that is very broad and not very deep, it also covers a range of areas that in my opinion aren’t even required for many cyber security capabilities inside organisations)
Must have a Certified Ethical Hacker (this exam includes remember historic malware dates, is that really what we need from our leaders?)
Must have a very large level of experience of be from an existing cyber role

Leadership

There’s never any time – A mRr3b00t Adventure

Introduction

I’ve been working with technology and its security for a while, I have travelled to different parts of the world, I’ve worked with major organisations, and I’ve worked with a whole range of organisations both from strategic advisory and at the coal face perspective. Now over the last twenty years I thought about how much has changed… and honestly, I don’t think much has.

Technology innovation, miniaturisation and adoption rates are through the roof, but I still see massively similar patterns. I’m not going to try and quote statistics, but I think it’s a fair to say the threat landscape has changed somewhat (for the worse!)

Back in the 2000s era we had networks running Windows 2000 and Windows Server 2000/2003, we had clients with open services which could largely be accessed from anywhere on the network. We had host-based firewalls from third party vendors, but these were rarely implemented, MSBlaster and Windows XP changed this dynamic somewhat, to say things haven’t improved on one front would be a lie, however the level of crime and access to technology globally has changed massively. Read more “There’s never any time – A mRr3b00t Adventure” →

Defense

Changing a security posture requires changing your own behaviours

I’m sure you will have had a marketing firm or some random sales person on Linkedin tell you that security should be simple and that their product will save you from all the ATPs and nation state hax0rs under the sun. However let’s get real, thats almost certainly not true and also security isnt simple or we’d all be out of jobs and everyon woulndn’t be getting owned all the time.

Getting real

Defense

My MSBlaster Story

We looked after about 3-3500 endpoint devices. We were running Windows servers/clients and we leveraged technologies such as:

Dameware Tools
Remote Desktop Protocol
GFI LanGuard
RCP/SMB/WMI
McAfee Antivirus

Category: Leadership

Stark Realities

Scams, Disinformation & Supply Chain Compromise

Introduction

Kill Chain Summary

Conti Actors Remote Access Toolkits

Introduction

Introduction

Getting real