Volume 5 (2021-22)

Each volume of Cyber Security: A Peer-Reviewed Journal consists of four 100-page issues published in both print and online.

Volume 5 Number 4

  • Editorial
    Simon Beckett, Publisher
  • The new offensive cyber security: Strategically using asymmetrical tactics to promote information security
    Christopher Ott, Attorney, Rothwell Figg

    Since the very first hack, cyber security professionals have sought to take the fight back to the hackers. Offensive cyber security operations usually focus on proactive technical attacks against hackers to disrupt their operations and deter future attacks, and governments are currently working to expand these capabilities. Cyber security professionals are locked in an unfair, asymmetrical conflict with hackers, but they need not confine their thinking to historical rules of engagement. This paper briefly traces the theories of asymmetrical warfare in the 21st century, including its cyber security dimensions, to explore how companies and cyber security decision-makers can learn from the lessons of the past while changing the rules of the conflict in their favour.
    Keywords: cyber security, asymmetrical warfare, offensive cyber security, active cyber security defence, cyber security theories

  • How to stop attackers from owning your Active Directory
    Carolyn Crandall, Chief Security Advocate and Tony Cole, Chief Technology Officer, Attivo Networks

    More than 90 per cent of organisations use Active Directory (AD) as their identity management system, which serves as a master directory and the means to control access to enterprise services. Its central role in governing user identity and authentication makes AD a primary target for threat actors. Compromising AD means attackers can access the most critical systems and assets on the network or gain administrator privileges to take over the domain. Many traditional security solutions will not notice this activity because the user account appears to be operating within the scope of its privileged access rights. The tactics the attackers use can evade traditional detection systems, since those systems are not designed to detect credential theft, privilege escalation and lateral movement. Identity visibility solutions reduce the attack surface by identifying exposed credentials, domain controller vulnerabilities and cloud overprovisioning. Identity detection and response (IDR) solutions add detection of attempts to exploit AD, and protection of credentials from theft and misuse. This paper will discuss how threat actors attack and exploit AD, and what organisations can do to protect their AD environments.
    Keywords: Active Directory protection, cyber deception, credential protection, identity detection and response (IDR), identity security, domain controller attacks, ransomware preparedness
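
    The abstract above notes that per-event permission checks miss lateral movement and privilege escalation because each individual action is within the account's rights. The following Python sketch, added here as an illustration and not code from the paper or from Attivo Networks, shows the kind of behavioural signal an identity-focused detection looks for instead: network-logon fan-out by one account across many hosts in a short window, and admin-equivalent token issuance (Windows event 4672) for an account outside a known-admin baseline. The event records, host names and the admin baseline are constructed for the example; the field names are a simplified stand-in for real Security log schemas.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not taken from the paper).
# 4624 = successful logon; logon type 3 = network logon, which is what SMB,
# WMI and PsExec-style remote execution leave on the *target* host.
# 4672 = "special privileges assigned to new logon", i.e. an admin-equivalent
# token was issued on that host.
SAMPLE_EVENTS = [
    {"ts": "2022-03-01T09:00:05", "id": 4624, "type": 3, "user": "svc_backup", "host": "FS01", "src": "10.0.5.7"},
    {"ts": "2022-03-01T09:00:40", "id": 4624, "type": 3, "user": "svc_backup", "host": "FS02", "src": "10.0.5.7"},
    {"ts": "2022-03-01T09:01:10", "id": 4624, "type": 3, "user": "svc_backup", "host": "FS03", "src": "10.0.5.7"},
    {"ts": "2022-03-01T09:02:30", "id": 4624, "type": 3, "user": "svc_backup", "host": "WS12", "src": "10.0.5.7"},
    {"ts": "2022-03-01T09:03:55", "id": 4624, "type": 3, "user": "svc_backup", "host": "FS04", "src": "10.0.5.7"},
    {"ts": "2022-03-01T09:05:20", "id": 4624, "type": 3, "user": "svc_backup", "host": "FS05", "src": "10.0.5.7"},
    {"ts": "2022-03-01T09:06:00", "id": 4672, "type": None, "user": "svc_backup", "host": "DC01", "src": "10.0.5.7"},
    {"ts": "2022-03-01T09:10:00", "id": 4624, "type": 2, "user": "jdoe", "host": "WS03", "src": "-"},
    {"ts": "2022-03-01T09:12:00", "id": 4624, "type": 3, "user": "jdoe", "host": "FS01", "src": "10.0.7.21"},
    {"ts": "2022-03-01T09:15:00", "id": 4624, "type": 3, "user": "jdoe", "host": "FS02", "src": "10.0.7.21"},
    {"ts": "2022-03-01T09:20:00", "id": 4672, "type": None, "user": "admin_ops", "host": "DC01", "src": "10.0.1.2"},
]


def parse_events(raw):
    """Convert the ISO timestamps to datetime objects; everything else is kept."""
    return [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw]


def lateral_movement_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Flag accounts whose network logons reach >= `threshold` distinct hosts
    within any `window`. Each logon on its own is within the account's rights,
    which is why a per-event permission check never fires; the fan-out is the
    signal."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["type"] == 3:
            by_user[e["user"]].append((e["ts"], e["host"]))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts[user] = {"start": t0, "hosts": sorted(hosts)}
                break
    return alerts


def new_privileged_logons(events, privileged_baseline):
    """Flag 4672 events for accounts outside the known-admin baseline: an
    account that has just been handed admin-equivalent rights is the
    privilege-escalation step the abstract describes."""
    hits = defaultdict(set)
    for e in events:
        if e["id"] == 4672 and e["user"] not in privileged_baseline:
            hits[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hits.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(lateral_movement_fanout(evs))              # svc_backup reaches 6 hosts in 6 minutes
    print(new_privileged_logons(evs, {"admin_ops"}))  # svc_backup got admin rights on DC01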

  • The imperative of enterprise-grade security for 5G
    Leonid Burakovsky, Senior Director and Danielle Kriz, Senior Director, Palo Alto Networks

    5G is a major transformational technology, the impact of which will largely be on enterprises and government users. This is a radical change from previous generations of mobile technology, including 3G and 4G, which were arguably largely used by consumers. In contrast, 5G will enable digital transformation of entire industry sectors and government activities and will come to underpin entire economies. Security technologies used in the past (and in many current networks) are incapable of securing the 5G opportunity of the future. Security for 3G and 4G was not focused on detecting and preventing attacks on all layers, all locations/interfaces, all attack vectors and all software life cycle stages. For example, there are no security mechanisms in 3G and 4G networks that can detect and prevent attacks from infected devices/botnets. This paper explains why, given the mission criticality of 5G, its security must be enterprise-grade. The paper further explains what ‘enterprise-grade’ security means.
    Keywords: 5G security, 5G security for enterprise, 5G enterprise-grade security, 5G security for government, 5G IoT security, 5G device security

  • How well-thought-out incident response can take the advantage back from attackers
    James Christiansen, Vice President, Netskope

    The formation of an incident response (IR) team and IR testing are the most significant actions an organisation can take to reduce the cost of a security breach, but organisations are often challenged to build the right IR team with the right outputs and outcomes decided, especially when IR itself needs an aggressive rethinking in an era when businesses use thousands of software-as-a-service (SaaS) applications. This paper will explore how to build the right IR team: its processes, key roles, tabletop exercises, protocols, executive management and other important considerations. It will highlight both the hard and the soft skills needed for successful IR, with particular attention to the less-discussed but hugely important latter category: the need to set expectations with leadership, and the right ways to convey vague and incomplete information in the early stages of IR and breach analysis, illustrated with actual cases from past experience.
    Keywords: incident response, IR, SaaS, cloud security, cost of a breach, cyber security

  • Focusing on the primary purpose: Protecting the attorney–client privilege and work product doctrine in incident response
    Ashley Taylor, Partner, Troutman Pepper, et al.

    Organisations responding to cyber security incidents must manage their incident response efforts while maintaining two critical legal protections: the attorney–client privilege and the work product doctrine. This paper analyses how the attorney–client privilege and the work product doctrine, when properly maintained, prevent information regarding an organisation’s thoughts and discussions from being disclosed or used in subsequent proceedings. It discusses how recent judicial decisions analysing the application of these two doctrines have emphasised the importance of seemingly minor details that may be overlooked during incident response efforts that can have significant consequences in subsequent legal actions when asserting protections. In particular, courts will focus on the stated purpose for any step in the incident response process (eg business versus legal), and any discrepancies between the stated purpose and conduct can have disastrous effects on future claims of protection in legal proceedings. This paper puts forward that organisations should craft incident response plans with the maintenance of these protections in mind. Practical steps organisations can take include carefully scrutinising the language in retainer agreements, involving in-house or outside counsel at the earliest opportunity, limiting the disclosure of privileged materials, and exercising caution when documenting during incident response. After-the-fact attempts to shield the results of any investigation from opposing parties in litigation are rarely successful, so organisations should take affirmative steps to ensure the vitality of these two critical legal protections from the earliest stages of incident response, which start with the planning and preparation.
    Keywords: attorney–client privilege, work product doctrine, privacy, disclosure, incident response, protection

  • A modern approach to cyber threat protection: The holy grail of cyber security departments?
    Dariusz Trocyszyn, Consulting Manager South-East Asia, Comarch (Thailand) Co. Ltd and Adrian Korczyński, Director, Cyber Security Business Unit, Comarch SA

    Cyber security is not only a hot topic debated intensely among business managers, but also a growing concern that forces unplanned and often undesirable changes. Security measures that are too tight usually result in a spike in customer complaint volumes; measures that are too slack cause a lot of grey hair, especially after a breach. Continuously accelerating growth in the number of IT applications, and the proliferation of device types, software versions, channels and endpoints, are significantly increasing the potential attack surface. For professionals with strong links to the worlds of finance and security, it comes as no surprise that the old approaches are rapidly becoming obsolete. In many cases they cannot handle new challenges, not to mention elaborate and constantly evolving sociological theft strategies. New approaches are desperately sought. The hunt for the holy grail of cyber security has been on for quite some time now, apparently without a clear conclusion, as cybercrime is on the rise regardless of industry or geographical region. Data leaks and account takeovers have become daily news stories that many people pay attention to. This is why decision makers are exploring different approaches to security by venturing into territories that were previously not classified as directly connected with security. Yet, if we want to ensure our clients’ finances, data and interests are appropriately protected, surely all options should be considered? This paper aims to shift the way managers view security in their institutions by highlighting alternative ways of approaching the subject. By incorporating interconnected and interdependent layers of verification mechanisms into security, higher fraud/takeover detection rates can be achieved without affecting usability. Readers will gain detailed insights into how these layers behave and how they operate within financial institutions.
    Keywords: cyber security, cyber threat protection, monitoring, frauds, leaks

  • Eliminating the blind spots: How to be accountable for an organisation’s overall security
    Lorraine Dryland, Chief Information Security Officer, First Sentier Investors

    The aim of this paper is to share my experiences of being accountable for an organisation’s overall security and the challenges I have faced. In particular, this paper focuses on being accountable for the protection of data. I found that it was impossible for me to achieve my goals given that you cannot protect what you cannot see, which is true for so many aspects of the security world. I found that to be in a position to protect data, I first needed visibility and then needed to ensure that the business was able to manage and control the data. Depending on the size of the company, it often falls to information security to drive such initiatives, as often the security technologies are able to provide this visibility and the security policies support the control and continued management. Specifically, this paper has a tight focus on building foundational capability that can support data protection, life cycle management, integrity and many of the other components needed for data management, touching on each but not in significant detail, as these topics justify papers in their own right. My hope is that if, like me, you are in the sphere of managing data, you can take some comfort that you are not alone, and that this paper has mirrored some or all of your journey, or that one or more of these insights and lessons learned are helpful in your considerations in managing your data.
    Keywords: data management, data visibility, data protection, data security, data discovery, data life-cycle

  • A principles-led approach to information assurance and governance in local government
    Mark Brett, Visiting Fellow, Cyber Security Centre, London Metropolitan University

    This practice-based paper explores a principles-led approach to cyber information governance for local authorities (LAs) in England and Wales, while linking it to a corporate information governance regime to support cyber security and resilience. Over the past 15 years the author has worked with several LA regional cyber security groups known as WARPs (Warning, Advice and Reporting Points). The paper goes on to propose an approach to cyber maturity, offering a novel way to think about the issues, while exploring a number of tools and techniques. This work has used a practice-based approach to help develop usable artefacts for policy readers as well as technical ones. We especially explore the tension between policy-based and principles-based approaches to information risk management (IRM). The National Cyber Security Centre (NCSC) has recently blogged about a principles-led approach to cyber security. We will consider the move from a policy (rules)-based approach to a principles-based approach to information assurance and risk management, all of which ultimately supports strategic decision making around IRM, information assurance and cyber resilience.
    Keywords: cyber security, resilience, information assurance, agile, principles, policy, cyber maturity, information governance, local government, audit, compliance, information risk management, cyber strategy

Volume 5 Number 3

  • Editorial
    Simon Beckett, Publisher
  • Tackling cybercrime and ransomware head-on: Disrupting criminal networks and protecting organisations
    Marja Laitinen, Digital Crimes Unit Lead and Sarah Armstrong-Smith, Chief Security Advisor, Microsoft EMEA

    This paper provides a look into current cybercrime trends, fuelled by the ongoing digital transformation and the global pandemic, proliferating across organisations of all sizes and posing high socio-economic risk to critical infrastructure and supply chains. Attackers are capitalising on technological advances, cloud adoption and hybrid working environments by launching targeted and persistent, human-operated ransomware campaigns. A coordinated and sustained effort is required between governments and the private sector to disrupt the criminal infrastructures and global networks that cybercriminals rely on to launch and profit from their attacks. Collaboration and partnerships are also required to support organisations in building the cyber security capability needed to prevent, detect and respond to ransomware threats, by adopting zero trust principles and architectures by design and by default.
    Keywords: cybercrime, ransomware, law enforcement, organised crime, cyberattacks, cyber security protection, zero trust

  • Paradigm of cyber security transformation in Lithuanian Railways during a pandemic
    Antanas Kedys, Head of Cyber Security, Žaneta Navickienė, Head of Business Safety and Rolandas Šlepetys, Head of Safety and Risk Management, JSC Lithuanian Railways

    Cyber security is never a finished process, so businesses cannot fully guarantee cyber resilience in their activities. Every business can be vulnerable, however well it responds to the need for security, creates a secure cyber environment and applies modern cyber security measures. Therefore, in a changing operating environment, it is very important to find the right balance to meet the needs of the business through targeted cyber security measures, as well as to anticipate potential risks and prepare preventive action. The study described in this paper focuses on the cyber security challenges, threats and adequate mechanisms for managing them during the COVID-19 pandemic. The main aim of the research was to measure the current cyber security state of JSC Lithuanian Railways (also known as LTG) with the following two objectives: 1) to evaluate LTG cyber security practices impacted by COVID-19; 2) to reveal LTG’s cyber security transformation. This paper analyses LTG’s experience in managing cyber security risks during a pandemic. The results of the analysis showed that it is important to identify the peculiarities of emerging risks and their impact on the business environment. It is also necessary to assess the possibilities of integrated application of organisational and technical measures aimed at eliminating or minimising the emerging risks.
    Keywords: cyberspace, cyber awareness, cyber security, cyber risks, COVID-19

  • Application security automation in development
    Mike Kennedy, Senior Manager, Medtronic Global Security Office, et al.

    Automated security services can provide on-demand resources that are easily adopted by development teams. To save time and money, application security should be incorporated as early as possible in the application development process. Security requirements are the earliest opportunity to build a secure foundation. Using automation, security requirements can be aligned to system and project attributes and used as a foundation for additional security activities such as secure coding examples and security testing. Later in the development process, automated testing services provide development teams with vulnerability scanning options, depending on whether legacy or modern development practices are used. Legacy development projects can benefit from on-demand source code scanning that does not require tool set-up or configuration. Modern development processes are a better fit for incorporating security testing in automated build-and-test pipelines using working example scripts. When created with development team needs in mind, automated application security services can be valuable resources for development teams that drive better security outcomes. This paper will discuss an approach to building and delivering consumable development security services to drive better security.
    Keywords: application security-as-a-service, automation, best practices, security pipeline, security requirements, security testing

  • Achieving least privilege at cloud scale with cloud infrastructure entitlements management
    Maya Neelakandhan, Head of Customer Success and Support, Guruprasad Ramprakash, Software Engineer and Mrudula Gaidhani, Customer Success and Support, CloudKnox Security

    Managing identities and permissions for enterprises at cloud scale is a major problem today. Cloud infrastructure entitlement management (CIEM) focuses on cloud access risk by providing enterprises with a robust platform for governance, entitlement controls and risk management. Scaling out an enterprise’s infrastructure using public cloud comes with its own set of risks, including the difficulty of knowing all the identities that have access to your infrastructure and the permissions they hold once access is granted. Ignoring the proliferation of identities and their associated permissions increases the potential attack surface for hackers who gain access to cloud infrastructure. Implementing the principle of least privilege with CIEM helps enterprises manage their growing cloud infrastructure while keeping security in mind. This paper provides an overview of the problems that enterprises face in managing identities and permissions, and of how CIEM solutions can be effective for these issues.
    Keywords: multi-cloud, CIEM, entitlements management, zero trust, least privilege
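
    The core CIEM computation the abstract alludes to, granted permissions versus permissions actually exercised, can be shown in a few dozen lines. The Python below is an added illustration, not code from the paper or from CloudKnox: it expands wildcard policy statements against a small constructed action catalogue, joins them to a constructed activity log, and emits, per identity, the unused high-risk permissions to remove first and the least-privilege policy that would keep the workload functioning. The catalogue, policies, activity records and the high-risk list are all constructed for the example; a real implementation would pull them from the provider's IAM and audit-log APIs.

```python
import fnmatch

# Constructed action catalogue (a tiny subset; real providers expose thousands).
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket", "ec2:DescribeInstances", "ec2:RunInstances",
    "ec2:TerminateInstances", "iam:CreateUser", "iam:AttachUserPolicy",
]
# Actions whose misuse lets an attacker escalate or destroy; unused ones go first.
HIGH_RISK = {"iam:CreateUser", "iam:AttachUserPolicy",
             "ec2:TerminateInstances", "s3:DeleteBucket"}

# Constructed entitlements: identity -> allowed action patterns (wildcards as in
# IAM-style policy documents).
POLICIES = {
    "ci-deploy-role": ["s3:*", "ec2:Describe*"],
    "analyst-user": ["*"],
}
# Constructed activity log over the review period: (identity, action actually called).
USAGE = [
    ("ci-deploy-role", "s3:PutObject"), ("ci-deploy-role", "s3:GetObject"),
    ("ci-deploy-role", "ec2:DescribeInstances"), ("ci-deploy-role", "s3:PutObject"),
    ("analyst-user", "s3:GetObject"), ("analyst-user", "s3:ListBucket"),
]


def expand(patterns, catalogue=KNOWN_ACTIONS):
    """Resolve wildcard patterns to the concrete actions they grant."""
    granted = set()
    for p in patterns:
        granted.update(a for a in catalogue if fnmatch.fnmatchcase(a, p))
    return granted


def entitlement_report(policies, usage):
    """Per identity: how much was granted, how much was used, which unused
    permissions are high risk, and the least-privilege policy that would keep
    the identity working."""
    used = {}
    for identity, action in usage:
        used.setdefault(identity, set()).add(action)
    report = {}
    for identity, patterns in policies.items():
        granted = expand(patterns)
        active = used.get(identity, set()) & granted
        unused = granted - active
        report[identity] = {
            "granted": len(granted),
            "used": len(active),
            "unused_high_risk": sorted(unused & HIGH_RISK),
            "least_privilege_policy": sorted(active),
        }
    return report


if __name__ == "__main__":
    for identity, row in entitlement_report(POLICIES, USAGE).items():
        print(identity, row)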

  • Enabling cyber incident collaboration in UK local government through fast-time communication
    Mark Brett, Visiting Fellow, London Metropolitan University

    This paper brings together concepts and ideas to support organisations in implementing cyber incident response and coordination, especially focusing on the need for fast-time communications. Normal business operations are slow-time communication, with the shift to fast-time communication occurring during an operational incident. A good example of fast-time communication is instant messaging, as opposed to slow-time e-mail. We propose a number of strands to formulate an approach. We realised the standard Playstation 3 theme (P3T) approach applies to fast-time communications and can be augmented to provide a novel application of the P3T. We propose to add governance to ensure that the scope, application and use are appropriate and within the scope of a threat profile. We also propose to make use of the consequence, relevance, acceleration, severity and harm (CRASH) gate framework, which facilitates the definition of trigger points for escalation in cyber incident response planning and response. We will present some use cases and explain how to integrate them into existing operating processes and procedures. The temporal activities matrix is discussed, which explains the different slow-time/fast-time activities in a cyber response team/security operations centre (SOC). This paper comes at the end of a three-year work programme for local government in England, led by MHCLG, which focused on cyber resilience from the ICT side and started to build an approach and capacity within the Local Resilience Forums (LRFs). The work delivered a wide range of workshops and cyber exercises for the English LRFs. There was also a similar programme run by the Welsh Government for the wider public sector in Wales. Finally, we explore future research considering an additional application around smart cities, incorporating zero trust architecture.
    Keywords: trigger points, fast-time communications, cyber templates, cyber incident response, cyber collaboration, incident message taxonomy, CUON, CCCG, smart cities, smart places, zero trust architecture

  • How national CSIRTs leverage public data, OSINT and free tools in operational practices: An empirical study
    Sharifah Roziah Binti Mohd Kassim, PhD Student, Shujun Li, Professor of Cyber Security and Budi Arief, Senior Lecturer, University of Kent

    Computer security incident response teams (CSIRTs) have been established at national and organisational levels to coordinate responses to computer security incidents. It is known that many CSIRTs, including national CSIRTs, routinely use public data, open-source intelligence (OSINT) and free tools in their work. The current literature, however, lacks research on how such data and tools are used and perceived by the staff of national CSIRTs in their operational practices. To fill this research gap, an online survey and 12 follow-up semi-structured interviews with staff of 13 national CSIRTs from Asia, Europe, the Caribbean and North America were carried out. The aim was to gain detailed insights into how such data and tools are used and perceived by staff in national CSIRTs. The study was conducted in two stages: first with MyCERT (Malaysia’s national CSIRT) to gain some initial results, and then with 12 other national CSIRTs to expand the results from the first stage. Thirteen participants from MyCERT completed the survey and seven of them took part in a semi-structured interview; 12 participants from 11 other national CSIRTs took the survey and five participants from five national CSIRTs were interviewed. Results from the survey and the interviews led to three main findings. First, the active use of public data, OSINT and free tools by national CSIRT staff was confirmed, eg all 25 participants had used public data for incident investigation. Second, all except two (ie 23 out of 25, 92 per cent) participants perceived public data, OSINT and free tools to be useful in their operational practices. Third, there are a number of operational challenges regarding the use of public data, OSINT and free tools. In particular, there is a lack of standard and systematic approaches to how such data and tools are used across different national CSIRTs. There is also a lack of standard and systematic processes for validating such data and tools. These findings call for further research and the development of guidelines to help CSIRTs use such data and tools more effectively and more efficiently.
    Keywords: CSIRT, computer security incident response team, national CSIRT, CERT, computer emergency response team, staff, perception, cyber incident, public data, OSINT, open-source intelligence, free tool

Volume 5 Number 2

  • Editorial
    Simon Beckett, Publisher
  • Digital contact tracing: Privacy versus efficiency
    Ieva Ilves, Adviser to the President of Latvia, Chancery of the President of Latvia

    This paper discusses recently introduced digital technology to limit the spread of COVID-19 by tracing patients’ contacts backwards and sending warnings of potential exposure to the virus. While the spread of COVID-19 had devastating consequences and certain technology was made available to limit it, quick and broad application was impeded by privacy and security concerns. The paper explores how the current digital contact tracing technology was designed to operate globally and address these concerns. Digital contact tracing has not reached the expected user rates in democratic societies, which limits its impact on public health. The author analyses the connection between privacy, trust and the efficiency of COVID tracing apps and illustrates the conflict whereby privacy-preserving technology denies access to any data and thus lessens the usefulness of the tool for public health. The author argues that with additional layers of privacy protection, such as the rule of law, transparency and democratic oversight, the minimum data necessary for public health would not compromise privacy, yet would contribute to improving the technology and lead to better use in crisis situations such as a pandemic, environmental disaster or war. The research paper is a work in progress, as it is based on one year’s experience since the outbreak of the COVID-19 virus, at a time when the crisis is not yet over and partial data limits in-depth studies.
    Keywords: digital contact tracing, privacy, security, COVID-19, democracy, pandemic

  • Improving threat detection with a detection development life cycle
    Augusto Barros, VP Cyber Security Evangelist, Securonix

    Threat detection is one of the main activities of an information security programme. Performing threat detection goes beyond deploying threat detection technologies. These technologies can be highly effective in their job of detecting threats, but their effectiveness is dependent on what detection specialists usually call detection content. Detection content is usually detached from the data analytics capabilities of the tool and needs to be constantly updated to ensure the most recent threats can be detected. These updates are generally developed by the detection technology provider as part of a subscription service, or by the organisation deploying and operating the technology, as part of activities commonly described as detection engineering. This paper describes the implementation and operation of a detection development life cycle (DDLC) process, which can be used to control the selection, creation and management of threat detection content.
    Keywords: security information and event management (SIEM), detection engineering, detection use cases, detection content, detection development life cycle (DDLC)
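
    The abstract describes a detection development life cycle (DDLC) for controlling how detection content is selected, created and managed. The Python below is an added example of what such a process can look like when it is encoded rather than left to convention; it is not code from the paper or from Securonix. Each piece of content carries its lifecycle stage and its own positive and negative test samples, and the promotion gate refuses to move content forward unless it fires on every positive sample and on no negative sample. The matching logic (exact field equality), the stage names, the transition table and the sample events are all constructed for the example; the ATT&CK identifiers named in comments are real, the event shape is a simplified stand-in.

```python
from dataclasses import dataclass, field

# Allowed lifecycle moves for a piece of detection content. Anything else is a
# process violation, not a configuration choice.
TRANSITIONS = {
    "draft": {"testing"},
    "testing": {"production", "draft"},
    "production": {"testing", "retired"},
    "retired": set(),
}


@dataclass
class Detection:
    name: str
    technique: str            # what the content covers, e.g. an ATT&CK technique ID
    conditions: dict          # field -> required value; all must match to fire
    positives: list           # constructed events that MUST fire
    negatives: list           # constructed events that MUST NOT fire
    stage: str = "draft"
    history: list = field(default_factory=list)

    def matches(self, event):
        return all(event.get(k) == v for k, v in self.conditions.items())


def validate(rule):
    """Gate checks: return a list of problems (empty = content may advance)."""
    problems = []
    if not rule.positives or not rule.negatives:
        problems.append("needs at least one positive and one negative sample")
    for ev in rule.positives:
        if not rule.matches(ev):
            problems.append(f"missed positive sample: {ev}")
    for ev in rule.negatives:
        if rule.matches(ev):
            problems.append(f"fired on negative sample: {ev}")
    return problems


def advance(rule, to):
    """Move content to another stage; forward moves must pass validation."""
    if to not in TRANSITIONS[rule.stage]:
        raise ValueError(f"{rule.stage} -> {to} is not an allowed transition")
    problems = validate(rule) if to in ("testing", "production") else []
    if problems:
        return problems
    rule.history.append((rule.stage, to))
    rule.stage = to
    return []


# Constructed content: encoded PowerShell command lines. T1059.001 is the ATT&CK
# ID for PowerShell; the event fields below are a simplified, constructed shape.
ENCODED_PS = Detection(
    name="encoded_powershell_commandline",
    technique="T1059.001",
    conditions={"event_id": 4688, "process": "powershell.exe", "encoded_command": True},
    positives=[{"event_id": 4688, "process": "powershell.exe", "encoded_command": True, "user": "svc_app"}],
    negatives=[{"event_id": 4688, "process": "powershell.exe", "encoded_command": False, "user": "admin"},
               {"event_id": 4688, "process": "cmd.exe", "encoded_command": False, "user": "admin"}],
)
# A too-broad rule the gate should reject: it fires on every process creation.
ANY_4688 = Detection(
    name="any_process_creation", technique="T1059",
    conditions={"event_id": 4688},
    positives=ENCODED_PS.positives, negatives=ENCODED_PS.negatives,
)


if __name__ == "__main__":
    print(advance(ENCODED_PS, "testing"), ENCODED_PS.stage)   # [] testing
    print(advance(ANY_4688, "testing"), ANY_4688.stage)       # two 'fired on negative sample' problems, still draft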

  • Maturing operational security with an automation-first approach to IAM
    Bryan Christ, IT Specialist

    Over the last few decades, organisations have adhered to a number of security practices that are showing their age. With the explosion of remote work and software as a service (SaaS) adoption, this has become more pronounced. In pursuit of greater operational maturity, initiatives such as Zero Trust have placed these practices under scrutiny, and the evidence suggests they are wanting. The rise of new technologies like adaptive authentication, enterprise federation and next-generation IAM offers new options and techniques, options that were once considered hypothetical. Among those worthy of consideration is an automation-first approach to identity and access management (IAM). In organisations where Zero Trust initiatives are being scoped, intelligent IAM can play a foundational role. Notwithstanding, IAM deployments should be regarded as multi-phase projects accompanied by unique obstacles that stakeholders would do well to avoid.
    Keywords: deperimeterisation, Zero Trust, identity and access management, operational maturity, identity and access management (IAM), identity governance, authentication, access requests, systems of record (SoR), joiner-mover-leaver (JML)
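
    The joiner-mover-leaver (JML) process in the keywords is the piece of IAM that benefits most from an automation-first design, because every manual step is a window in which a leaver keeps access or a mover keeps the old role's entitlements. The Python below is an added example, not code from the paper: it reconciles a constructed HR system-of-record snapshot against a constructed directory state, using per-department birthright entitlements, and emits the changes to apply. Leavers and orphan accounts (directory accounts with no system-of-record entry) are disabled outright; movers lose old-role groups in the same change that grants new-role groups; access that has accreted beyond birthright for an unchanged role is flagged for review rather than removed, since it may be a separately approved request. All records, group names and departments are constructed.

```python
# Constructed system-of-record snapshot (HR feed). Status drives the lifecycle.
HR_RECORDS = {
    "e100": {"dept": "finance", "status": "active"},        # no directory account yet
    "e101": {"dept": "engineering", "status": "active"},    # directory still says finance
    "e102": {"dept": "finance", "status": "terminated"},    # account still enabled
    "e103": {"dept": "finance", "status": "active"},        # has an extra, non-birthright group
}
# Constructed directory state (what the identity store currently holds).
DIRECTORY = {
    "e101": {"dept": "finance", "enabled": True, "groups": {"finance-ledger", "all-staff"}},
    "e102": {"dept": "finance", "enabled": True, "groups": {"finance-ledger", "all-staff"}},
    "e103": {"dept": "finance", "enabled": True, "groups": {"finance-ledger", "all-staff", "git-developers"}},
    "e099": {"dept": "it", "enabled": True, "groups": {"helpdesk"}},   # no HR record at all
}
# Birthright entitlements per department: the access a role implies, nothing more.
BIRTHRIGHT = {
    "finance": {"finance-ledger", "all-staff"},
    "engineering": {"git-developers", "all-staff"},
}


def reconcile(hr, directory, birthright):
    """Derive JML actions from the system of record. Returns a sorted list of
    (kind, identity, change) tuples; the caller applies them to the directory."""
    actions = []
    for eid, rec in hr.items():
        cur = directory.get(eid)
        if rec["status"] != "active":
            # Leaver: disable and strip everything, whatever department HR lists.
            if cur and cur["enabled"]:
                actions.append(("leaver", eid, {"disable": True, "remove": sorted(cur["groups"])}))
            continue
        want = birthright.get(rec["dept"], set())
        if cur is None:
            actions.append(("joiner", eid, {"add": sorted(want)}))
        elif cur["dept"] != rec["dept"]:
            # Mover: old-role access goes away in the same change that grants new-role access.
            actions.append(("mover", eid, {"dept": rec["dept"],
                                           "add": sorted(want - cur["groups"]),
                                           "remove": sorted(cur["groups"] - want)}))
        elif cur["groups"] - want:
            # Same role, but access has accreted beyond birthright: flag for review rather
            # than auto-remove, because it may be a legitimate, separately approved request.
            actions.append(("drift", eid, {"review": sorted(cur["groups"] - want)}))
    # Accounts the system of record does not know about are orphans: disable them.
    for eid in sorted(directory.keys() - hr.keys()):
        actions.append(("orphan", eid, {"disable": True}))
    return sorted(actions, key=lambda a: (a[0], a[1]))


if __name__ == "__main__":
    for kind, eid, change in reconcile(HR_RECORDS, DIRECTORY, BIRTHRIGHT):
        print(kind, eid, change)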

  • Optimising cyber threat intelligence for your organisation
    Christina Girtz, Senior Manager, General Mills

    As the sophistication and capabilities of cyber threat actors increase, so does the need for cyber threat intelligence (CTI). Most organisations, however, do not have the resources for a large CTI team. Organisations can offset this disparity by optimising resources and focusing on what really matters. Even one CTI analyst can make a significant difference for an organisation by identifying business assets, aligning those assets to potential threats, and then working with cyber security components to prioritise detection and mitigation efforts. Getting to know the organisation and working with key stakeholders to build priority intelligence requirements will help a CTI team identify where to effectively focus its efforts. A small CTI team must also find force multipliers internal and external to the organisation, tailor deliverables and manage expectations. By following these guidelines, a CTI function will help move the cyber security posture of an organisation from reactive to proactive and gain an advantage over the adversary.
    Keywords: cyber threat intelligence (CTI), priority intelligence requirements (PIR), threat

  • Cyber security and data protection: Learning from your own mistakes is good, learning from somebody else’s mistakes is better — the reasons underpinning fines and what regulators expect of cyber security
    Peter Craddock, Partner and Eline Van Bogget, Associate, NautaDutilh

    Cyber security legislation goes far beyond data protection rules. Data protection, however, offers a very useful point of reference for both information security professionals and lawyers, with important lessons for non-personal data. This paper describes recent decisions that give an indication of how authorities assess potential risks, and thus indirectly help to highlight best practices.
    Keywords: cyber security, data protection, liability, data breaches, cybercrime, ethical hacking

  • The high-performing low-risk mainframe: Reassess security in the context of changing operations to extinguish risk before it bursts out of control
    Mary Ann Furno, Offering Manager, Mainframe Security

    Re-evaluation of ‘low-risk’, data-rich, mission-critical mainframes is a security essential. Solutions against modern-day threats have been implemented on distributed platforms, but implementation of solutions for these threats on the mainframe lags implementation on other platforms due to a perception of ‘low-risk’ operations on the mainframe. This may leave an exposure in the environment that can quickly get out of control. This paper analyses how assessment of the environment against the security plan and changing context of mainframe operations will expose gaps and enable an action plan to mitigate risk.
    Keywords: mainframe, modernise, privileged account management, zero trust, hybrid IT

  • Securing the public cloud estate of a digital-native bank
    Avi Shua, CEO and Co-founder, Orca Security and Thomas Hill, CISO, Live Oak Bank

    Fifteen years ago, the idea of a completely digital-native bank would have been seen as too risky and speculative. Many large institutions built internal IT and development groups solely to digitise their processes as a competitive edge. Where cloud computing was employed, it was private cloud, on-prem and specific to the institution. In this paper, the authors will explore how one financial institution, Live Oak Bank, launched its business as a cloud-first pioneer, leveraging the cloud to disrupt traditional banking competitors while offering improved services and customer engagement with a laser focus on top-tier security. The authors will explore how Live Oak met its goals to build a new bank while also creating technology spin-offs to power new entrants in the financial services industry, with the help of technology partners such as Orca Security and others.
    Keywords: cloud security, financial services, digital transformation, compliance, risk reduction

  • Security and safety incidents and standards
    Robert Kemp, Security and Risk Manager and Richard Smith, Associate Head of School and Head, Cyber Technology Institute, De Montfort University

    Safety and security incidents continue to take place within the critical infrastructure industry. Often the organisations involved in the incidents are following safety and security standards, yet the incidents still take place. This paper analyses safety and security incidents for critical infrastructure and non-critical infrastructure organisations and examines why the standards fail to prevent the incident from taking place and whether cyber security and safety standards should be merged. It also investigates what standards were being followed and what requirements of the standards would have helped with the incident in question.
    Keywords: security, safety, incident, critical infrastructure, standards, breach

Volume 5 Number 1

  • Editorial
    Simon Beckett, Publisher
  • The human variable: Designing a security strategy for a future in flux
    Gary Sorrentino, Global Deputy CIO, Zoom Video Communications

    The hybrid workforce is no longer a concept, it is a reality. But as employees embrace new working environments and flow in and out of the office, this hybrid approach poses a unique challenge for security leaders. This paper explores how organisations will need to create a security strategy rooted in the variability of the hybrid workforce — one that meets employees where they are and helps them learn the role they play in securing this new model. This strategy is rooted in three key principles: adopt a zero-trust approach, personalise data protection and bolster hands-on, robust training. Readers can expect to learn what it really takes to put this approach into practice — and what threats and roadblocks they should anticipate along the way.
    Keywords: hybrid workforce, security strategy, zero-trust approach, data protection, security training

  • Staying one step ahead of your adversaries: How to build a cyber threat intelligence team capable of delivering business value
    Keith Nicholson, Head of Cyber Threat Operations, Her Majesty’s Revenue and Customs

    From enabling security teams to effectively respond to incidents to ensuring security investments are targeted on real-world risk, when effectively implemented, a cyber threat intelligence (CTI) team can deliver value against a broad range of operational and strategic requirements. While many organisations recognise the value CTI can provide, delivering on that value proposition is often more difficult. CTI is a data-driven process; however, building an effective CTI capability requires far more than effective data collection and exploitation. This paper contends that for many organisations the challenge in realising value from their CTI team is not a data problem, it is a communication problem. To address this challenge, security leaders need to look beyond the traditional intelligence life cycle and consider a number of organisational factors which, taken together, provide a firm foundation to enable a CTI team to effectively communicate with and influence stakeholders across the organisation. Specifically, security leaders should position the team strategically, populate that team with a diverse blend of skills, provide a clear direction and purpose, and implement a robust communication and influencing strategy. Together these measures improve the ability of the organisation to realise business value from CTI.
    Keywords: cyber security, cyber threat intelligence, strategy, influencing stakeholders, communication

  • Discovering CovidLock
    Chad Anderson, Senior Security Researcher, Tarik Saleh, Senior Malware Researcher and Sean M. McNee, Director of Research, DomainTools

    In this paper the authors show the breadth of Coronavirus-themed maliciousness and how they prioritised their hunting across such a large influx of malicious infrastructure to discover CovidLock, a novel Android-based screen locker malware. A full technical analysis of CovidLock and its functions provides a basis for analysing other Android malware. This full-depth paper will show everything from hunting automation and prioritisation techniques to the reversing of the malicious application.
    Keywords: malware, mobile malware, mobile threat research, COVID-19, ransomware

  • Scaling cyber physical systems throughout the organisation
    Matt Leipnik, Lead Industrial Cyber Security Specialist, Nexus Controls

    This paper outlines a realistic and practical examination of the considerations and factors in scaling complex cyber physical systems alongside modern digital transformation: a guide for how businesses can strategically and operationally navigate (both proactively and reactively) the ‘unknown unknowns’, not simply to survive but to be resilient and adaptive, leveraging their own internal processes, structures and constraints without significant disruption or radical changes. It is designed to equip the reader with a blend of strategic, operational, technical and human business thinking paired with a concept of ‘visibility’ beyond just situational business awareness. It aims to guide businesses through management of new business trends, ever -standards and compliance requirements, including larger and more complex developments such as 5G operationalisation, geostrategic challenges and political factors that are increasingly important to and unavoidable for businesses. The paper touches on a variety of disciplines and their convergence within business considerations and their integration and scaling within an organisation.
    Keywords: framework, scale, design, Industrial Internet of Things (IIoT), cyber, physical, maturity model, life cycle

  • Is ransomware winning?
    Chris Goettl, Senior Director of Product Management, Ivanti

    This paper evaluates the performance of ransomware attacks and looks at the tactics and successes to determine effective counterstrategies. By analysing lagging indicators of the successes of ransomware, we can reverse-engineer an effective counterstrategy to fight back and significantly reduce the effectiveness of ransomware. This paper argues that the biggest challenge in countering modern ransomware is that the approach most companies are taking is too narrow. There is no single-solution answer to this challenge. The most effective counter to modern ransomware is a balanced security strategy of prevention, detection and response, layered in such a way as to disrupt, reduce and eliminate the tools and tactics that make modern ransomware effective. This also includes activities that happen well in advance of the ransomware attack and devices that may not even be part of the actual attack itself. This paper will also propose an effective strategy to counter modern ransomware and provide organisations with key technologies to remove critical capabilities from our adversary’s arsenal and disrupt the tactics that have made modern ransomware so successful.
    Keywords: zero trust, cyber security, ransomware, risk-based prioritisation, cyberattacks, phishing

  • Home-grown machine learning implementation for a SIRT: A use case — detecting domain-generating algorithms
    Brennan Lodge

    There is a flurry of discussion, press and vendors explaining how helpful data science techniques can assist in cyber security defence; however, there is little information available about how to effectively leverage and implement data science techniques within a company’s cyber security defence team. The goal of this paper is to empower security incident response teams (SIRTs) to seamlessly build, deploy and operate ML solutions at scale. Our proposed solution is designed to cover the end-to-end ML workflows. Take-aways include managing and deploying a prediction pipeline, training data, prediction model evaluations and continuously monitoring these deployments to assist in SIRTs’ ability to defend and thwart cyber security attacks. An additional use case of implementing a machine learning (ML) application to predict domain-generating algorithms with the integrated data science pipeline and platform is also discussed and used as a reference.
    Keywords: data science, machine learning (ML), blue team, domain-generating algorithms (DGAs)

  • Zero trust computing through the application of information asset registers
    Mark Brett, Visiting Fellow, Cyber Security Centre, London Metropolitan University

    It is proposed that information asset registers are a key enabler towards the implementation of zero trust computing (ZTC), which requires a detailed knowledge of the information being processed and especially a detailed, well-documented knowledge of the network and technical infrastructure in order to support a zero-trust environment. ZTC also requires detailed documentation to facilitate operational cyber resilience. Asset registers are a key resource to speed up incident response and recovery. Information asset registers are part of the information management, assurance and governance (IMAG) approach. It is proposed the information asset database is at the heart of the information assurance and ZTC ecosystem. This fact has been partially recognised through the Information Technology Infrastructure Library (ITIL) configuration management database (CMDB). We also explore issues related to hybrid infrastructures.
    Keywords: zero trust computing (ZTC), information asset registers, information governance, information assurance risk management, cyber incident response, information taxonomies, hybrid zero trust environments/operational resilience