Share the CYBER5
Share to email
Share to Facebook
Share to X
By Nisos, Inc.
5
2323 ratings
The podcast currently has 91 episodes available.
In Episode 90 of TheCyber5, we are joined by Peter Warmka, founder of the Counterintelligence Institute. Warmka is a retired senior intelligence officer with the U.S. Central Intelligence Agency (CIA) where he specialized in clandestine HUMINT (human intelligence) collection. With 20+ years of breaching security overseas for a living, Warmka now teaches individuals and businesses about the strategy and tactics of “human hacking”.
Warmka highlights how insiders are targeted, the methods used by nationstates for committing crimes, and what organizations need to help focus their security training to prevent a breach.
Below are the three major takeaways:
Prevalent open source techniques for targeting a person or company as an insider threat:
A website that defines the key personnel and mission statement of an organization provides critical context of how to target employees using social engineering techniques. Bad actors use job descriptions that provide critical targeting information about the enterprise and security technologies that are used so they may target potential technology vulnerabilities and subsequently penetrate the organization. Lastly, social media and open source content typically offer information about employees and companies that can be used for nefarious purposes.
Employees are recruited for nation state espionage or crime:
Adversaries pose as executive recruiters through direct engagement and through hiring platforms to elicit sensitive company information. Employees allow themselves to be socially engineered from a spearphish. Threat actors will also go so far as to create deep fakes to help sell the impression that they are a senior company executive.
Security awareness training should focus on verification:
There are several ways to defend yourself and your enterprise, but consistent education and training are tried and true successful methods for defense. However, annual videos for security training will not change employee behavior. They are too infrequent to modify human behavior. Employees need to be taught to be apprehensive about unsolicited outreach through email, phone call, social media, or SMS. Business procedures need to focus on quick and timely verification of suspicious activity. A policy of “trust but verify” is likely going to be too late.
In Episode 89 of TheCyber5, we are joined by Nisos Research Principal, Vincas Ciziunas.
It was 7 years ago, at a restaurant in Ashburn, Virginia, when Nisos’ co-founders Justin Zeefe and Landon Winkelvoss met Vincas. At the time, Vincas was working as a contractor for the US government but was considering a pivot into the private sector.
It was Vincas’ impressive intellect, strategic thinking, and technical capabilities that made him the ideal intelligence operator on whom to depend for the launch of Nisos. Over the course of several years, Vincas’ experience, as a developer, open threat intelligence analyst, hacker, threat detection, and threat hunting expert would prove crucial to solving some of the most complex challenges Nisos’ clients would bring us to solve.
Once just the trio, but now known as the Nisos Dogpile, our diverse and unique team members huddle together to solve the most intractable cyber, physical, and fraud threats faced by enterprises.
In this episode, Landon and Vincas recount some anonymized but most memorable investigations. These stories helped put Nisos on the map and range from Nisos’ core capabilities of open source and threat intelligence, direct threat actor engagement, and technical signature analysis against cyber threat actors, to validating physical security threats, trust and safety issues, and insider threats.
Make sure to follow Vincas on LinkedIn for more insights and commentary on the world of Managed Intelligence™.
In Episode 88 of TheCyber5, we are joined by Nisos Senior Director for Customer Success, Brandon Kappus.
Here are five topics we discuss in this episode:
Playbooks should include three major steps. The first step is education on how intelligence is going to be consumed and not be nonstop noise. Discussions between customers and vendors should start around requirements that customers are trying to address with business stakeholders.
The next step in any playbook needs to be about what data is needed to cover unique intelligence requirements. Social media, passive DNS, foreign media, business entity, person, and netflow datasets are all available, but they’re meaningless without understanding what a security team is trying to accomplish.
A threat intelligence program by itself is not generally a compliance regulation like anti-virus or a DLP program. However, there are many aspects of a threat intelligence program that are inherent with compliance spending such as the ability to monitor third parties, manage vulnerabilities, track credential and data leaks, as well as mitigate against insider threats. Flexibility to adapt to compliance needs is critical for maintaining the program and is as important as addressing routine vulnerability disclosures for the SOC or giving business units a competitive advantage.
Two general backgrounds are common with building intelligence programs: US government intelligence community experience and those with a data engineering background. While data engineering is important for automation and bringing indicators into network defense tooling like a SIEM, intelligence community backgrounds are critical for building relationships and crafting winning value propositions across a stakeholder community. Asking the question, “what does success look like for you,” goes a long way between customers and vendors, particularly when a program is starting.
When an intelligence program is starting, requirements are collected, and data that is needed is purchased, oftentimes return on investment comes in the form of storytelling. For example sharing how you’re stopping credentials from being used or stopping an insider threat from leaking data. Over time these stories become common themes that can be built out at scale and will ultimately be used to capture “prevention dollars” and potential dollar loss from leaving the company. This story telling to capture of dollar loss should be the pinnacle of any threat intelligence program maturation.
In Episode 87 of TheCyber5, we are joined by senior information security leader Charles Garzoni.
Here are five topics we discuss in this episode:
Many corporations are not overly concerned with attribution against cyber adversaries, they just want to get back to business operations. However, if someone robbed your house, you would want to know if it was a random drive-by, or if it was your neighbor because that will inform your defenses much more appropriately.
The ability to attribute between crime groups and nation states has large implications on a defense posture. First, organizations need to conduct a victimology assessment against themselves to determine what actors would want to steal from them. Second, an organization should list out priority threat actors targeting your sector and intellectual property. Third, they should look for customized detections and prioritized alerts as the resulting output.
Engaging directly with threat actors (a different kind of human intelligence-HUMINT) is critical in understanding the human element of attribution, such as their motivation, TTPs, and intent. For ransomware actors, understanding their past actions will inform future recovery and negotiation efforts, for example. Organizations cannot do this without having attribution. For nation states, geopolitical context is critical to understanding security incidents, not to mention the “how” and “why” they are moving in your network.
Public disclosures and indictments are effective disruption efforts, depending on the nation state. For example, demarche and indictment efforts against China put them on their heels and have a debilitating effect because of how they want to be seen in the world. However, Russian state operators look at disclosures as a badge of honor. Disclosures by private sector companies also can have just as much impact if the goal is to have disruption.
While it’s easy to say you are someone else, it’s challenging to look like someone else. Adversaries think masking their infrastructure to look like another adversary makes attribution challenging. Fortunately for analysts, it’s very hard to mimic TTPs exactly like an adversary, thus making attribution easier for defenders. Adversaries would need to study how the TTP implementation works, and they typically don’t do that. For example, when North Korea attacked Sony in 2015, their actions mimicked the same attack against a South Korean bank a year earlier in 2014 that made attribution straightforward. While they tried to improve and encrypt their command and control in 2015, the session logs between the two attacks looked almost identical.
In Episode 86 of TheCyber5, we are joined by Senior Manager of Threat Management for Nvidia Chris Cottrell.
Here are six topics we discuss in this episode:
Threat management departments are usually formed when security teams become mature and have table stakes functions within threat intelligence, red team, penetration testing, and threat hunting. These functions are usually formed after compliance, risk, governance, vulnerability management, and security operations center (SOC) are operational. Unfortunately, threat management is not a well defined lexicon in enterprise. For example, “threat hunting” in one organization could mean a SOC escalating alerts in another company.
Incident response is usually a separate capability from threat management (red team, threat hunting, threat intelligence) and the governance, risk, and compliance (GRC) roles. Incident response is a reactive capability and has the ability to find an actor inside the environment, whereas SOC is the first reactive capability to stop the attacker at the perimeter. Threat management is still considered a proactive capability to keep attackers out at the perimeter.
Threat Hunt: Expert level investigators that know how to review network telemetry with a variety of tools and alerts and find an anomaly to investigate if an adversary is inside the environment. They usually take their clues from incident response, red team, or threat intelligence.
Threat Intelligence: Expert level analysts and engineers reviewing the types of threats that could attack an organization and develop alerts and playbooks for threat hunters. They also have many other roles depending on the business.
Red Team: Penetration testers that emulate or simulate adversaries within the environment to determine what alerts should be created and prioritized.
Threat intelligence is meaningless and not contextualized until analysts understand how the business makes money and the corresponding risks that could disrupt the business. Building a threat intelligence program from scratch can take up to a year, and the first six months will be building relationships with the business before any feeds can start to be incorporated.
Mean time to respond and mean time to alert are table stakes metrics for SOC, but are out of the control of the threat management team (red team, threat intel, etc). However, the better metrics for threat intelligence teams are success stories when information was actioned by a business unit and risk was averted.
The threat management department becomes critical during a security incident. Red teamers have the mindset to look for a mistake in a vulnerability or network defense. Threat hunters have mindsets to look for mistakes in adversaries. The same mindsets are critical to investigating security events and incidents with the incident response team. Threat intelligence can conduct external threat hunting outside the firewalls when an incident occurs.
In Episode 85 of TheCyber5, we are joined by Chief Technologist of Transformative Cyber Innovation Lab for the Foundation for Defense of Democracies (FDD) Dr. George Shea.
Here are four topics we discuss in this episode:
The Operational Resiliency Framework (ORF) is a framework that is intended to be used by executives to ensure business continuity processes when their suppliers are knocked offline during natural disasters and cyber attacks.
Step one, and the most important step, is defining a minimum level of service for all products and services. When disasters or cyber attacks occur, the minimum viable service will reveal the critical suppliers that need extra attention from a redundancy and monitoring perspective.
The ORF is not a compliance requirement nor will this framework stop a cyber attack. However, this framework is designed to help organizations respond when an attack has taken place and is ongoing. For example, if an attacker is already within the system, it’s important to keep valuable services running and ensure the suppliers that enable those critical services don’t go down. This framework goes beyond your perimeter to the suppliers and customers.
While this is not a cyber security framework, technical controls and configurations on the suppliers is an important part of the process for minimum viable services to be up and running.
In Episode 84 of TheCyber5, we are joined by members of the CrossCountry Consulting team: Brian Chamberlain, Offensive R&D Lead, Eric Eames, Associate Director, and Gary Barnabo, Director, Cyber and Privacy.
Here are five topics we discuss in this episode:
Replaying attacks from adversaries is considered adversary emulation. The pros of emulation are you can react and defend against threat intelligence and the actual techniques during a penetration test. The cons are that many times these are yesterday’s threats. Simulation is the art of coming up with new attack vectors with nuanced penetration testers. The pros are that these attacks give blue teams new ways to think ahead and adapt their defenses before threat actors do. The cons are that these attacks aren’t yet in the wild and the probability of such attacks are not known.
Indicators of Compromise (IOCs) are immediately relevant with something that is actionable even though the value of IOCs is overcome by events (OBE) in hours. Threat intelligence IOCs are not relevant to heuristics of sophisticated adversaries and that is what sophisticated adversary simulation and threat intelligence combined attempts to overcome. For example, if an enterprise can defend against Malicious HTML Applications (HTAs), that protects them against any sort of adversary using that vector. Another example would be to have a simulated ransomware event, based on threat intel, that drops in several places and simulates everything that six different ransomware families would do (up until encryption).
Enterprises struggle to defend if a security product does not catch an actor in the environment nor how to react in a way that forensically preserves the attacker’s initial access vector. Training incident response and conducting external threat hunting are critical elements to defend and react when an attacker creates a new way to penetrate an environment.
In today’s information technology environments, CFOs need to be conversant in cyber security, not experts. Some considerations should be:
Many companies want benchmarks on how they stack up to industry peers. Every company is different and no two environments are the same so stacking up against industries like third party risk “scores” is challenging and not advisable.
Topic: Title: Data Governance and Threat Intelligence Converge
In Episode 83 of TheCyber5, we are joined by our guest, Egnyte’s Chief Governance Officer, Jeff Sizemore.
We discuss the Cybersecurity Maturity Model Certification (CMMC) and the impact on Department of Defense (DOD) contractors to mature their cybersecurity hygiene in order to compete for US government contracts. CMMC was based on NIST Standards 800-71.
Here are 4 topics we discuss in this episode:
In the near future, contracts are going to be rated L1-3 and if contractors are not certified up to a certain level, they cannot bid on the contract. This is more focused on the smaller defense contractors who up to now, have generally disregarded compliance measures yet are major targets for nation state cyber attacks.
Compliance for DOD contractors is not new and companies were previously allowed to self-attest. When DOD regulatory bodies did the research, 75% of companies were found to be not in compliance. For enforcement, the Department of Justice is now involved and if contractors lie, it’s considered perjury.
Threat intelligence is in an evolutionary stage for larger contractors to monitor their subcontractors to determine if they have vulnerabilities and/or if they have been breached. Third party risk score cards are generally not actionable for defense contractors because the vulnerabilities are not put into context to a business risk. The key is to bring together a threat intelligence picture that can alert on actionable data leaks.
In episode 82 of The Cyber5, we are joined by guest moderator and senior intelligence analyst for Nisos, Valerie G., and CEO of BGH Security, Tennisha Martin.
In this episode, we discuss the challenges and opportunities of promoting and enabling diversity and inclusion in cyber security.
Key Takeaways:
Beyond filling cyber security skills gaps, some metrics that show success in D&I include:
2) Giving back to the Cybersecurity Community
3) Being part of a supportive virtual community.
In episode 81 of The Cyber5, we are joined by the Head of Insider Threat at Uber and CEO of Vaillance Group, Shawnee Delaney.
In this episode, we provide an overview of different functions within an insider threat program. We also discuss the support open source intelligence provides to such programs and how to change company culture to care about insider threats. We also discuss the ROI metrics that are important to different stakeholders when implementing an insider threat program.
Three Takeaways:
Insider threat programs are relatively new in enterprise security and often change from company to company. Open source intelligence can be a standalone role or be cross functional among all departments. Common departments and functions can be:
2) Common Problems Faced by Insider Threat Teams
Common challenges faced by insider threat teams:
3) Role of Open Source intelligence in Insider Threat Programs
An Insider threat program is a key stakeholder for a threat intelligence program, not the individual buyer. Three key areas where open source intelligence (OSINT) supports insider threat programs:
The podcast currently has 91 episodes available.