Every organisation has experienced, or will experience, a cyber security incident; depending on how you define the term, most organisations have multiple every day.
Increasingly punitive data protection regulation (such as the GDPR’s ability to fine organisations up to 4% of global turnover for data breaches) coupled with increasing public awareness and scrutiny of organisations’ public responses means that it’s more important than ever to effectively respond to these incidents.
There are five key things that I think every cyber security team needs to effectively prepare for an incident, and which can minimise the security, operational and financial risk…
One of the biggest predictors of an organisation’s response to a cyber security incident is the quality of its cyber incident response plan. An effective plan can be a guide-rail for an experienced team, and a lifeline to the less experienced. This blog summarises some top tips for writing effective cyber incident response plans, to help ensure an effective response.
Before I begin, it’s worth noting that a “plan” often means one thing to one organisation (or even team), and a very different thing to another. Here, I’m referring to a document used by the IT Security or Cyber Security…
ahmed9909.no-ip[.]biz, and IP addresses linked to this domain around the time of file compilation were registered to Libya’s (then) state-run telecommunications company.
At the end of November, a tweet rapidly made its way around the cyber security community, claiming to show evidence a number of prominent human-operated ransomware groups were “directly connected with the Russian government”.
Regardless of the contents of this tweet, I don’t think there is enough evidence to make a credible overall assessment on whether the Russian government is connected to human-operated ransomware. However, there are four relevant things we can credibly talk about, and that can inform the overarching discussion.
The Libyan Electronic Army (LEA) was a hacking group operating during the First Libyan Civil War in support of, and directed by, the then-ruling Gaddafi regime. This post explores the history and capabilities of the LEA.
Small groups of pro-government hacking groups emerged in Libya during the 2000s at the urging of Mutassim Gaddafi (son of the ruling Colonel Muammar Gaddafi) charged with removing online content unfavourable to the family and their regime.
These groups initially conducted basic information operations, requesting the removal of anti-Gaddafi material by falsely claiming it infringed copyright law or represented inappropriate content, and promoting pro-Gaddafi…
Kim Scott’s great book “Radical Candor” really impacted my view of leadership and management in business. Her core message is that managers (or leaders, bosses, etc.) need to both care personally about the people they work with, and be prepared to challenge them directly. Doing both will result in great work and real personal development, and doing one, or neither, will result in little or no change.
Here are 10 things I learned from Radical Candor:
Incident response is hard, and the hardest part can often be in the first few hours where chaos reigns supreme and nobody really knows what’s going on or what they should be doing.
Follow the seven steps for immediate incident response to provide clear direction, take appropriate action, and lay the foundations for an effective response: confirm, triage, document, escalate, plan, mobilise, and report. These are shown as a linear process; in reality, of course, tasks may run concurrently or in a different order.
Confirm that the incident report is not a false-positive (for example, through verification of logging or…
The vast majority of North Korean hacking, or offensive computer network operations (CNO), comes directly under the control of the North Korean military.
Formally known as the Korean People’s Army, or KPA, North Korea’s military is formed of five branches: the Ground Force, the Navy, the Air Force, the Strategic Rocket Forces, and the Special Operation Force. Command and control is executed through the General Staff Department (GSD), which provides administrative, logistical and operational direction and support to other branches.
As well as being responsible for conventional and nuclear military operations, the KPA controls almost all foreign intelligence activity through…
This blog post analyses a really common cryptocurrency scam that has been widely reported on, and presents a number of open source intelligence tools that can be used to investigate such a scam. It’s not anything ground breaking, but is intended to provide an easy-to-understand overview of the technique and a simple introduction to tools that can be used for analysis.
If you’ve been a victim of a cryptocurrency scam you should contact local law enforcement to report the incident and obtain guidance. In the UK contact Action Fraud, and in the US contact the FBI’s Internet Crime Complaint Center.
This is a blog post about “threat intelligence”. For the avoidance of doubt, this means…
Information about threats and threat actors that provides sufficient understanding for mitigating a harmful event. (Source: Bank of England)
Specifically, this is a blog post about getting started in threat intelligence with the right technology sitting behind you, but without requiring either significant technical expertise or financial investment. For the purpose of clarity, it’s structured around the phases of the intelligence lifecycle: direction (although that isn’t relevant here), collection, processing and dissemination.