Every organisation has experienced, or will experience, a cyber security incident; depending on how you define the term, most organisations have multiple every day.

Increasingly punitive data protection regulation (such as the GDPR’s ability to fine organisations up to 4% of global turnover for data breaches) coupled with increasing public awareness and scrutiny of organisations’ public responses means that it’s more important than ever to effectively respond to these incidents.

There are five key things that I think every cyber security team needs to effectively prepare for an incident, and which can minimise the security, operational and financial risk…

How to assess and improve your cyber incident response plans

One of the biggest predictors of an organisation’s response to a cyber security incident is the quality of its cyber incident response plan. An effective plan can be a guide-rail for an experienced team, and a lifeline to the less experienced. This blog summarises some top tips for writing effective cyber incident response plans, to help ensure an effective response.

Before I begin, it’s worth noting that a “plan” often means one thing to one organisation (or even team), and a very different thing to another. Here, I’m referring to a document used by the IT Security or Cyber Security…

A malware analysis walkthrough


  • This blog post analyses a Portable Executable file first identified as submitted to VirusTotal by a user in Libya in 2011, and found through targeted searches for malware potentially linked to the Libyan Civil War.
  • My analysis identified that the file is highly likely a variant of the Delphi-based CYBERGATE Remote Access Trojan (RAT).
  • The file connects to ahmed9909.no-ip[.]biz, and IP addresses linked to this domain around the time of file compilation were registered to Libya’s (then) state-run telecommunications company.
  • The file has the capability to remotely access and control a victim’s computer, including the capability to view and…

Assessing possible links between the Russian state and destructive “criminal” cyber attacks

At the end of November, a tweet rapidly made its way around the cyber security community, claiming to show evidence that a number of prominent human-operated ransomware groups were “directly connected with the Russian government”.

Regardless of the contents of this tweet, I don’t think there is enough evidence to make a credible overall assessment on whether the Russian government is connected to human-operated ransomware. However, there are four relevant things we can credibly talk about, and that can inform the overarching discussion.

  1. The Russian government has strong links to serious and organised crime
  2. Russia-based cyber crime groups have been…

Hacking for Gaddafi

The Libyan Electronic Army (LEA) was a hacking group operating during the First Libyan Civil War in support of, and directed by, the then-ruling Gaddafi regime. This post explores the history and capabilities of the LEA.

Emergence of the LEA

Small pro-government hacking groups emerged in Libya during the 2000s at the urging of Mutassim Gaddafi (son of the ruling Colonel Muammar Gaddafi), charged with removing online content unfavourable to the family and their regime.

These groups initially conducted basic information operations, requesting the removal of anti-Gaddafi material by falsely claiming it infringed copyright law or represented inappropriate content, and promoting pro-Gaddafi…

10 things I learned from Radical Candor

Kim Scott’s great book “Radical Candor” really impacted my view of leadership and management in business. Her core message is that managers (or leaders, bosses, etc.) need to both care personally about the people they work with, and be prepared to challenge them directly. Doing both will result in great work and real personal development, and doing one, or neither, will result in little or no change.

A quadrant with two axes: challenge directly, and care personally.

Here are 10 things I learned from Radical Candor:

  1. Kim Scott says “managers guide a team to deliver results”. To her, this means they are responsible for creating a culture of guidance (i.e. …

Taking clear action in the first few hours of a crisis to minimise future risk

Incident response is hard, and the hardest part can often be in the first few hours where chaos reigns supreme and nobody really knows what’s going on or what they should be doing.

Follow the seven steps for immediate incident response to provide clear direction, take appropriate action, and lay the foundations for an effective response: confirm, triage, document, escalate, plan, mobilise, and report. These are shown as a linear process; however, the reality may of course be different, with concurrent or reordered tasks.

Seven steps for immediate incident response

Seven Steps for First Responders


Confirm that the incident report is not a false-positive (for example, through verification of logging or…

Understanding cyber operations in the hermit kingdom

The vast majority of North Korean hacking, or offensive computer network operations (CNO), comes directly under the control of the North Korean military.

Formally known as the Korean People’s Army, or KPA, North Korea’s military is formed of five branches: the Ground Force, the Navy, the Air Force, the Strategic Rocket Forces, and the Special Operation Force. Command and control is executed through the General Staff Department (GSD), which provides administrative, logistical and operational direction and support to other branches.

As well as being responsible for conventional and nuclear military operations, the KPA controls almost all foreign intelligence activity through…

This blog post analyses a really common cryptocurrency scam that has been widely reported on, and presents a number of open source intelligence tools that can be used to investigate such a scam. It’s not anything groundbreaking, but is intended to provide an easy-to-understand overview of the technique and a simple introduction to tools that can be used for analysis.

If you’ve been a victim of a cryptocurrency scam you should contact local law enforcement to report the incident and obtain guidance. In the UK contact Action Fraud, and in the US contact the FBI’s Internet Crime Complaint Center.

The scam


This is a blog post about “threat intelligence”. For the avoidance of doubt, this means…

Information about threats and threat actors that provides sufficient understanding for mitigating a harmful event. (Source: Bank of England)

Specifically, this is a blog post about getting started in threat intelligence with the right technology sitting behind you, but without requiring either significant technical expertise or financial investment. For the purpose of clarity it’s structured around the phases of the intelligence lifecycle: direction (although that isn’t relevant here), collection, processing and dissemination.

What this blog post isn’t about is all the other things that are…

Gabriel Currie

Cyber Defence Lead at the UK Government’s @Cabinet_Office
