Red Team Readiness Assessment

I am seeing lots of “debate” about the value in red teaming, so I thought I would put together my thought process of how I look at as a broad stroke when I consider a generic starting position in an organisation. When I’m defending a business, I tend to ask myself (and the team/customers etc.) these kind of questions (they are not exhaustive):

Do you have a good understanding of your Enterprise Architecture?
Do you understand your service architectures?
Do you understand your security architecture/s?
Have you done an asset discovery exercise?
Have you modelled data flows?
Have you conducted security hardening of the environment/scope?
Have you done vulnerability assessments?
Have you done penetration testing?
Have you done control on/off testing?
Have you got a defensive security capability/team?
Have you reviewed your monitoring capabilities against common and known exploitation paths?
Do you need/want external help to understand your posture, capability strength and detection and response capabilities?

If yes to all the above: Conduct a red team exercise!

If no consider this question:

Do the key stakeholders understand the value of investing in security? If they don’t and you can’t secure resources to do the first tranche of activities, you may want to conduct an offensive security testing exercise to demonstrate the value in having a good security posture. This however may not be the only route, you may simply need to do a contract review and understand the delta between contractual requirements to customers and the current state of an organisation, the revenue/income loss risk (let alone the potential legal costs) may be enough to tip the scales and change mindsets (there is never “just” 1 path that works for every organisation or scenario).

“Understand and review before pew pew!” – mrr3b00t

Almost everything in life “depends”. I would however not want to have my ass kicked by an external team if I didn’t have a handle on the current state, resources to defend and had already invested in creating a strong defence (unless I was struggling to get investment. then f*ck it, pew pew all the way home!)

UK laws and cyber security considerations for business

I am not a legal export! Haha get used to saying that a lot if you work in cyber and are not in fact a legal expert! I wanted to put together a list of common laws that people should be aware of when doing business in the UK, it’s just a starter for 10 and there are likely others, but this should get people started for their security awareness and security policy documentation:

Data Protection Act 2018
Freedom of Information Act
Communications Act
Computer Misuse Act 1990
Investigatory Power Act 2016 (IPA)
Theft Act 1990
Terrorism Act 2000
The General Data Protection Regulation (GDPR)
The Privacy and Electronic Communications Regulations 2003 (PECR)
The Regulation of Investigatory privacy Act 2000 (RIPA)
Official Secrets Act 1989 (OSA)
Companies Act 2006
Copyright and Design patents Act 198
Trademarks Act 1994
The Malicious Communication Act 1988
Forgery and Counterfeiting Act 1981
Police and Criminal Evidence Act 1984
Contracts (Rights of Third Parties) Act 1999
Fraud Act 2006
Network and Information Systems Regulations 2018 (NIS)
Telecommunications (Security) Act 2021
The Bribery Act 2010
Freedom of Information Act 2000
Defence of the Realm Act 1914

can you think of any others that I should add?

Thanks Gary and Kevin and the other AVIS I can’t name for inputting!

Organisational Approach to Technology and Security

How an organization approaches the challenge of technology and security management, well that’s the difference between leveraging technology to deliver value efficiently and effectively vs technical debt and inefficient deployment of technology which may hinder the organisation in its pursuit of its mission.

When we consider how technology is managed, we need to look at it from multiple viewpoints with different views:

Read more Organisational Approach to Technology and Security” →

mRr3b00t’s little blog about the Cyberz and getting into…

Where to start!

Everyone loves talking about how to get into Cyber! It’s like the cliché thing to talk about! Hell, there’s people who have been in jobs for minutes writing guides, It’s odd… my advice, gardening! Seriously you will see the outside, will learn skills that are useful and keep physically fit! Wait you still want to cyber? You sure? Ok there’s some super awesome fun parts of cyber, not going to lie, it sounds super cool! What do you do? I’m a CYBER! See cool AF!

Cyber Security in a business environment

“You will respect my authority” … is a sure fast way to be ignored in the business world!

Much like gatekeeping, excessive focus on policies, lack of engagement with the audience and generally mandating security policies and procedures that are not practical will likely not end with a robust, resilient security posture. Read more “Cyber Security in a business environment” →

Supplier Assurance Tools

Do they replace the need for OSINT and Supplier engagement?

I’ve been conducting sales and assurance-based activities for some while (I’m not counting it will make me feel old!) and I have started looked at a range of supplier management tools which leverage tool-based OSINT, attack surface mapping and manual data inputs and I have to say this:

Read more “Supplier Assurance Tools” →

Cyber Insurance: How would I decide to buy it…

Is Cyber Insurance right for you?

Wow a big question, right? I can’t answer this for you, obviously I’d recommend that you consider cyber insurance, however I’d also recommend that you:

Understand your business and it’s supply chain with regards to financials and linkages to cyber risk
Understand your current cyber asset, threat, vulnerability and therefore risk landscape
Ensure you have a good understanding to make informed decisions

I’m not going to write lots this evening on the subject, but I was reviewing a report and thought in line with some research that I started recently (but was side-tracked) and then have seen the report so purchased that instead! (Sometimes it’s easier to not do everything yourself right!)

Vulnerability Management Concerns by Role Type

Have you ever thought about what kind of data/intelligence you may need with regards to vulnerability management? It tends to vary at levels of abstraction based on the audiance, but don’t think the person doing the patching may not be considernig upwards or that someone in a C level position won’t care about the zeros and ones (life doesn’t work that way!)

Anyway I was talking to a friend and came up with these so thought I’d share them with the world. Have I done a decent job? can you think of others? How do you measure and report? What are your concerns?

Let’s take a look at what I came up with (this wasn’t a very long time in the making 😉 )

UK NCSC Active Cyber Defence (ACD)

Defending a single server is often far more complex than people apreciate, defending a single organisation is significantly harder than a single server, defending a country… a much more complex challenge than I think people actually realise.

What is ACD?

According to the NCSC:

The aim of ACD is to “Protect the majority of people in the UK from the majority of the harm caused by the majority of the cyber attacks the majority of the time.” We do this through a wide range of mechanisms, which at their core have the ability to provide protection at scale.
ACD is intended to tackle the high-volume commodity attacks that affect people’s everyday lives, rather than the highly sophisticated and targeted attacks, which NCSC deal with in other ways.
UK NCSC

NCSC Active Cyber Defence

What is included?

The UK NCSC offer and run a range of Active Cyber Defence capabilities which include the following:

Board Level Security Metrics

Everyone always asks what are the best security metrics to have? The answer is simple to me, use metrics that are valuable to your business governance and decision-making processes! Easy right.

Not so easy in real life right!