EXPLORING THE MINDSET OF CYBER THREAT ACTORS: A WEBINAR PERSPECTIVE
With the constant development of our digital landscape and its expanding capabilities, cyber threats are on the increase. New regulations like NIS2 are now on the horizon, and having robust crisis management and resilience plans is paramount to maximising security in our ever-changing modern world.
In Secura's latest webinar, we offered a unique perspective on crisis management protocols by pitting a cybercriminal gang against a crisis management team, demonstrating to participants the mindset of a threat actor.
The webinar aims to shed light on the intricate processes involved in a cyber-attack orchestrated by threat actors, while also highlighting proactive measures organisations can adopt to fortify their crisis management teams against potential cyber onslaughts.
One of the key takeaways from the session is the urgency for effective crisis management throughout the lifecycle of a cyber-attack. With a surge in ransomware attacks globally, regulators are enforcing stringent measures like NIS2, DORA, and UK FCA/PRA Operational Resilience, underlining the critical need for robust crisis management frameworks.
During the webinar, Luke Fletcher, Senior Crisis Consultant at Secura, and Daniel Maine, Red Team Lead at Direct Line Group, offer invaluable insights into the dynamics of cyber-attacks from both offensive and defensive standpoints. Drawing from their extensive experience in understanding threat actor methodologies, executing red team exercises, and responding to cyber incidents, they provide a comprehensive walkthrough of a cyber attack's lifecycle.
Daniel, assuming the role of a threat actor, reveals the intricacies of targeting victims and employing sophisticated attack tactics. Meanwhile, Luke plays the role of the unfortunate victim's crisis management team, highlighting resilience and crisis management procedures and discussing their efficacy when responding to each stage of a cyber-attack.
About the Presenters:
Luke brings over a decade of experience in crisis management and operational resilience across various sectors. He has coordinated the response to several major crises and spearheaded numerous crisis and resilience projects, specializing in the facilitation of crisis simulations.
Daniel boasts 15 years of expertise in cybersecurity roles, encompassing incident response, offensive security, and mentorship. With a diverse background spanning legal, oil & gas, and insurance sectors, Daniel is committed to enhancing cybersecurity awareness and preparedness through mentorship and education initiatives.
Please find below the questions that were asked during the live webinar on Cyber Crisis Management:
Is there a reliable method for gauging the likelihood of data restoration post-ransomware payment?
Evaluating the probability of data restoration post-ransomware payment is complex, lacking a straightforward "Tripadvisor" equivalent. While threat actors may assist in recovery post-payment to enhance their credibility, success isn't guaranteed. Instances of successful recovery exist, but decryptor tools may fail or pose additional risks during the recovery process.
Do organisations often possess actionable Incident Response Plans that are actively practiced and followed during severe incidents?
Based on our observations, Incident Response Plans often serve compliance requirements more than practical application. While crucial for development, their effectiveness increases through simulations and real-life incidents. Adaptability is key, as rigid plans may falter in the face of unique incidents.
What are your thoughts on the risks versus benefits of single sign-on (SSO)?
Single sign-on (SSO) poses notable risks, especially in OT systems, potentially granting threat actors widespread access post-breach. While opinions on SSO's suitability vary, enforcing privilege separation, especially in critical systems, remains crucial to mitigate risks.
How does incident response work in a large multilayer organisation and how do you implement crisis management on different levels?
Crisis management in large organisations necessitates a robust framework detailing coordination between operational and strategic teams. Clarifying roles, effective communication channels, and regular simulations are essential for seamless crisis management across hierarchical levels.
Are there any specifics to consider for cyber incident response for the OT environment?
Cyber incident response in OT environments demands specific considerations due to potential threats to physical infrastructure. Threat actors may exploit OT systems to inflict physical damage or disrupt production, emphasising the need for tailored response strategies.
Given the entry point of weak passwords into ABC/CBA, how much of an improvement would MFA be?
Multifactor authentication (MFA) significantly enhances security by mitigating risks associated with weak passwords. However, thorough implementation remains crucial, as phishing campaigns and other tactics can bypass MFA measures.
Are there known cases where blob storage from a big tech company has been compromised and encrypted?
While less common, attacks against cloud storage, like Google Drive, have occurred, often due to misconfigurations. While ransomware threats exist, immutability features and flexible recovery options mitigate risks, with local and on-premises syncs posing potential vulnerabilities.
In stage four, where do you place the specific disaster recovery plans per team in the framework?
Disaster recovery plans should be integrated within the operational layer of the framework, with technical representatives advising on recovery strategies. At the tactical layer, senior IT members should provide holistic reports to facilitate informed decision-making.
What's your advice to increase protection for admin and domain admin accounts?
Enhancing protection for admin and domain admin accounts requires limiting their numbers, enforcing stringent password policies, and implementing a "2nd admin" policy to compartmentalise access. User behaviour analytics tools can provide early warnings of irregular account usage.
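The two controls in that answer, capping the number of domain admin accounts and watching for irregular use of them, can both be checked with a small amount of code. The script below is an added illustration and is not from the webinar, from Secura or from the presenters; the group membership list, the logon events, the host names and the limit of five admins are all constructed for the example, and a real deployment would read these from the directory and from the domain controllers' logon audit logs instead.

```python
"""Privileged-account audit over constructed data (added example, not the webinar's code)."""
from datetime import datetime

# Constructed export of the Domain Admins group. In production this comes from AD / the IdP.
DOMAIN_ADMINS = ["da-alice", "da-bob", "da-carol", "da-dave", "da-erin", "da-frank"]
MAX_DOMAIN_ADMINS = 5  # hypothetical organisational limit on standing domain admins

# Constructed logon events: (ISO timestamp, account, source host).
# The baseline window represents a week of known-good activity.
BASELINE_LOGONS = [
    ("2024-03-04T09:12:00", "da-alice", "PAW-01"),
    ("2024-03-05T10:40:00", "da-alice", "PAW-01"),
    ("2024-03-04T14:05:00", "da-bob", "PAW-02"),
    ("2024-03-06T08:30:00", "da-bob", "PAW-02"),
    ("2024-03-07T16:45:00", "da-carol", "PAW-03"),
]

# Events under review the following week.
NEW_LOGONS = [
    ("2024-03-11T09:05:00", "da-alice", "PAW-01"),       # usual host, usual hours
    ("2024-03-11T23:48:00", "da-bob", "PAW-02"),         # usual host, but late at night
    ("2024-03-12T11:20:00", "da-carol", "WKS-HR-17"),    # never seen from a normal workstation
    ("2024-03-12T03:15:00", "da-dave", "WKS-FIN-09"),    # account with no baseline activity at all
]


def excess_admins(members, limit):
    """How many accounts exceed the agreed cap on domain admins (0 if within limit)."""
    return max(0, len(members) - limit)


def build_baseline(events, accounts):
    """Record the source hosts and hours of day each privileged account was seen from."""
    baseline = {acct: {"hosts": set(), "hours": set()} for acct in accounts}
    for ts, acct, host in events:
        if acct in baseline:
            baseline[acct]["hosts"].add(host)
            baseline[acct]["hours"].add(datetime.fromisoformat(ts).hour)
    return baseline


def flag_irregular(events, baseline, business_hours=range(7, 20)):
    """Return (timestamp, account, reasons) for privileged logons that deviate from baseline.

    Two simple signals are used: a source host the account has never used before,
    and a logon outside business hours. An account with an empty baseline will trip
    the first signal on any host, which is the desired behaviour for a dormant admin.
    """
    alerts = []
    for ts, acct, host in events:
        if acct not in baseline:
            continue  # not a privileged account; out of scope for this check
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if host not in baseline[acct]["hosts"]:
            reasons.append(f"new source host {host}")
        if hour not in business_hours:
            reasons.append(f"outside business hours ({hour:02d}:00)")
        if reasons:
            alerts.append((ts, acct, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    over = excess_admins(DOMAIN_ADMINS, MAX_DOMAIN_ADMINS)
    print(f"Domain admins: {len(DOMAIN_ADMINS)} (limit {MAX_DOMAIN_ADMINS}, {over} over)")
    for ts, acct, why in flag_irregular(NEW_LOGONS, build_baseline(BASELINE_LOGONS, DOMAIN_ADMINS)):
        print(f"ALERT {ts} {acct}: {why}")
```

The host and hour checks are deliberately coarse; a commercial user behaviour analytics tool adds peer-group comparison and scoring, but the same two questions (is this host normal for this account, is this time normal) are where most early warnings of misused admin credentials come from.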
Can you tell me how to detect and stop an attack in an early stage (with the cyber kill chain in mind)?
Early detection and prevention of cyber-attacks, aligned with the cyber kill chain methodology, necessitate robust controls, user education, and proactive monitoring. A combination of email and perimeter security, along with user education programs, can aid in identifying and mitigating early-stage attacks.