Got off the strangest call just now.
Company called me for advice for dealing with "the cyber war"
A few min into the call I realized there were differing opinions of some of the people on the call.
I'm sharing an anonymized version. There's LOTS to unpack.
1
Company called me for advice for dealing with "the cyber war"
A few min into the call I realized there were differing opinions of some of the people on the call.
I'm sharing an anonymized version. There's LOTS to unpack.
1
q: is anything different? Are attacks going up?
a: outside of Eastern Europe, it's shockingly calm (at least to me). Things have ramped up a bit, but mostly in the form of scams (donate now type stuff)
so far, it's been quieter than I'd expect
2
a: outside of Eastern Europe, it's shockingly calm (at least to me). Things have ramped up a bit, but mostly in the form of scams (donate now type stuff)
so far, it's been quieter than I'd expect
2
That said, it's always a good idea to be evaluating your defensive posture. I think it's safe to say that the status quo is fragile, and things can get bad fast. If you have reasonable/credible reason to believe you are the target of a nation state, please re-up your d now.
3
3
If you're NOT the likely target of a nation state (this is most of you reading this tweet btw), you are SOMEBODY's target. You should be double checking your posture.
Understand that you may be a jumping off point to the real target. Don't aid your enemy.
4
Understand that you may be a jumping off point to the real target. Don't aid your enemy.
4
q: should we freeze all vacations and just rebuild our defenses?
a: HELL TO THE NO. This is a marathon, not a sprint. If your first reaction is to light your hair on fire, you'll be burned out in no time flat.
5
a: HELL TO THE NO. This is a marathon, not a sprint. If your first reaction is to light your hair on fire, you'll be burned out in no time flat.
5
When times are getting tough, just stop. Pause. Think.
Assuming your opponent has been planning things, they already have the initiative on you. Making dumb twitch responses is what the skillful adversary is hoping for and anticipating.
Breathe. Make strategic responses.
6
Assuming your opponent has been planning things, they already have the initiative on you. Making dumb twitch responses is what the skillful adversary is hoping for and anticipating.
Breathe. Make strategic responses.
6
q: what can we do to show we're taking these threats seriously?
a: (1st great question!)
Hopefully, you have a list of options for how you're going to respond. Prioritize them and hit the low hanging fruit first. Even if they don't move the needle much... it is an improvement.
7
a: (1st great question!)
Hopefully, you have a list of options for how you're going to respond. Prioritize them and hit the low hanging fruit first. Even if they don't move the needle much... it is an improvement.
7
For all other improvements, rank them by estimated level of effort vs impact. If it's low effort, but medium impact, it may make sense to do that before a high effort/high impact. Right now, your goals are to improve. Don't try to "solve" anything. just get a little better.
8
8
q: how are we doing compared to our competitors?
a: (WORST QUESTION EVER)
Even if you somehow got viable KPI on your competitors, they will be meaningless to you. While the products/services you do will be similar, *how* you do it will be radically different.
9
a: (WORST QUESTION EVER)
Even if you somehow got viable KPI on your competitors, they will be meaningless to you. While the products/services you do will be similar, *how* you do it will be radically different.
9
Bluntly said, any comparison from org to org is, stupid.
It's not an apples-to-apples comparison. And even if it were, so what? I don't know of many market verticals where being "average" or just slightly above it is a desired state.
Look at the breach reports!
10
It's not an apples-to-apples comparison. And even if it were, so what? I don't know of many market verticals where being "average" or just slightly above it is a desired state.
Look at the breach reports!
10
Some favor market vertical comparisons because they think if they're better at security attackers will target the weaker in that vertical. NDAs prevent me from sharing details, but that's not what I've seen/experienced. Nor does it fit with what peers have told me.
11
11
If someone has data/use cases that prove weaker in market verticals are targeted, please let me know!
Attackers fall into one of two camps.
- opportunistic
- targeting
12
Attackers fall into one of two camps.
- opportunistic
- targeting
12
Opportunisitc attackers will go after EVERYONE in a market vertical who has a specific flaw. They are REALLY good at finding a particular weakness and hit everyone they can.
This means you can still be best in the market vertical and still be targeted if you have the flaw
13
This means you can still be best in the market vertical and still be targeted if you have the flaw
13
Targeting attackers are after you and you alone. There's not a damn thing you can do to stop them. What you *should* do is start listening to how they're attacking you and shore up your D to meet their attempts.
The best CTI is your own logs!
14
The best CTI is your own logs!
14
q: besides our own logs, what CTI should we subscribe to?
a: Your own telemetry will be lightyears ahead what you're getting from others. My next best suggestion would be from your ISAC. Your org should already belong to one. If not, join up.
nationalisacs.org
15
a: Your own telemetry will be lightyears ahead what you're getting from others. My next best suggestion would be from your ISAC. Your org should already belong to one. If not, join up.
nationalisacs.org
15
Don't think that paid CTI will be better/worse than free or homegrown. You must test the CTI feed before you pay to see if you can act upon it.
CTI gets a bad rap because people misuse it. It's an indicator... like a weather report.
16
CTI gets a bad rap because people misuse it. It's an indicator... like a weather report.
16
You wouldn't go outside with an umbrella up because you were told it is supposed to rain. You'd check first. You might be more inclined to take your umbrella with you, but you'd check first. Same with CTI. It's not scripture... it's a weather report. Treat it as such.
17
17
q: what's the biggest risk right now?
a: I worry that orgs will overreact and cause outages or break things to "protect" against a threat. It's OK to move faster, but be reasonable about it. There's WAAAAAY too much hype right now. Try to streamline where it makes sense.
18
a: I worry that orgs will overreact and cause outages or break things to "protect" against a threat. It's OK to move faster, but be reasonable about it. There's WAAAAAY too much hype right now. Try to streamline where it makes sense.
18
I hope this thread helps folks! You can fight and win at infosec as a defender. I'm glad that others are taking things a little more seriously... and you should too! But let's keep it all in reason. Keep making things incrementally better. You got this. LMK if I can help.
fin.
fin.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
