2023: A Cybersecurity Review

What a year! I swear the 'Theory of Relativity' gets truer year on year, as the days rocket past us. IT & Security teams faced a trial by fire in 2023 due to the sheer volume of high profile breaches, so now that we're in 2024 I've taken a look in the rear view mirror and put together some thoughts, recommendations and mad dog predictions. A word to the wise: if we don't change our approach, breaches in the mirror may be closer than they appear.

Knowledge is Power

Rather than playing the role of Chief Information Scapegoat Officer (CISO), it's important to understand and explain risk to the business. For those of us looking to better educate their executive team/board and build out business cases/presentations for IT & Security strategy, our partner community released plenty of insightful reports and collateral in 2023:

  • Questions for Boards to Ask About Cyber Security: Given how often we’ve seen cyber issues in news headlines, I’ve unsurprisingly seen a huge uptake in boards asking IT "What are we doing about cybersecurity?" The ACSC article will help you prepare for any questions thrown your way, and is an excellent resource to prepare yourself for potential questions from the powers that be. Once you have the answers, share this publication with the board to raise the profile of security issues and bring them front of mind
  • CISO Lens 2022 Benchmark was released to support cybersecurity governance and cyber resilience, and to challenge/validate the management and resource allocation of cybersecurity. Good to see that 'security budgets increased by an average of 14%' and interesting that '75% of respondents reported an overall increase in their team size' over the past year. The top priorities highlighted by benchmark respondents for 2024 are: Identity and Access Management, Maturing existing capability, Vulnerability Management, Uplifting capability and Cloud
  • CISO MindMap 2023: What do InfoSec Professionals Really do? This is a great resource to print out for the office, use as a talking point with your team/s and identify potential areas for investment. Alternatively, show the family what your job entails and why you spend so long behind a keyboard yelling into a headset (definitely not playing solitaire)
  • CrowdStrike Global Threat Report is full of great intel around Threat Landscape, Emerging/Continuous Cyber Themes, eCrime Index and Recommendations. FYI the 'average eCrime breakout time is now 84 minutes', and concerningly '71% of attacks CrowdStrike Intelligence detected were malware-free'. Another concern is the increase in social engineering attacks and access brokers who acquire credentials then provide/sell this access to other threat actors, including ransomware operators
  • Proofpoint State of the Phish takes a look at Phishing in the APJ region for 2023. The report has some really good content around end-user awareness, resilience and risk. In the APJ region, Australian organisations unfortunately topped the charts as most likely to experience both 'successful phishing (94% vs 84% global average)' and 'supply chain attacks (80% vs 69% global)'
  • Phish in a Barrel has some real world Cyber Attack examples which can be used to paint a vivid security picture for both executive teams and staff
  • Fortinet 2023 Global Cyber Skills Gap Report recommends that 'organisations should recruit from a more diverse talent pool'. Whilst the CISO Lens Benchmark says that teams have grown, staff are still under the pump and having to juggle BAU, projects and audits. The report estimates a 'shortage of 3.4 million professionals required to fill the gap'. Hiring from within your business is a good strategy, as well as creating/pursuing initiatives to attract a broader set of candidates. Having worked as a recruiter for 7 years I'm always happy to provide advice on CVs, Interviews, etc.
  • Data Loss Prevention and Data Security Survey Report was developed to better understand the industry’s knowledge, attitudes, and opinions regarding DLP in cloud-first technology environments. Cloud is now the predominant means for transferring/sharing data and with the majority of workers being remote, organisations need simplified management of DLP
  • ADAPT Top Emerging Tech and Value Priorities for 2023 outlines the top emerging technology priorities and unsurprisingly Robotic Process Automation (RPA), Artificial Intelligence and Machine Learning (AI/ML) and Internet of Things (IoT) topped the list
  • 2023 Adversary Infrastructure Report provides considerations when evaluating your own threat models and assists the community in seeing a better overall picture of the state of malicious infrastructure for 2023. The top offensive security tools observed this year include CobaltStrike, Viper, and Meterpreter. Remote Access Tools (RATs) topping the list are AsyncRAT, QuasarRAT, PlugX, ShadowPad, and DarkComet

If I've missed any good reports from the last year please share in the comments section below.

GenAI and Robots

Ad-libbing on a quote I heard at the Netskope Summit: "ChatGPT is like a power drill... It'll get the task done quicker, but you still need the personal touch of a screwdriver to finish the job". Being an OG collector of books and vinyl records, I like things done the old school way; however, businesses need to consider appropriate/inappropriate use of GenAI. Without the proper guardrails/processes and education, staff and organisations will unfortunately lose PII/PHI out into the ether. Team8's CISO's Guide Generative AI and ChatGPT Enterprise Risks will enable you to make the Generative AI leap by assessing the risks and opportunities of GenAI, as well as policy development. If you're looking to create your own Acceptable Use policy (without using ChatGPT), a sample policy for Generative AI is on page 27, appendix 2.

Whilst there are a lot of positives to GenAI (depending who you speak with), there is no doubt it will allow unskilled hackers to create malware and speed up skilled coders. GenAI has also had a huge effect on 'improved' and hard to spot phishing emails, which I'll cover in the Human Firewall section below.

But let’s talk about using GenAI for good. As an FYI, The Missing Link have added ChatGPT & MS 365 Copilot to our Automation tools for clients. The combination of RPA and AI can create a smarter and more efficient automation solution. Matt Dunn and our Automation team are also providing ChatGPT Training and Integration to support the effective and safe adoption of ChatGPT & 365 Copilot within your organisation.

Cyber Insurance & GRC

If you've gone down the path of getting Cyber Insurance, I highly recommend you read over your Insurance documents to understand the IR process, approved response firms, coverage, etc. It's worthwhile having a chat with your Cyber Insurer (making sure you're not on the clock and being charged) to discuss their approach and understand "What is their stance on paying a ransom?" and "At what stage do you engage with ACSC, AFP?" Check out some example questions to explore.

We joke that Excel is the most widely used Cybersecurity tool. If you do a quick google of "Questions to Ask Vendors to Reduce Cyber Risk" you'll find a plethora of articles with examples of what you should be asking third parties. Removing the manual element, there are plenty of ways to automate the process, both internally for GRC and externally responding to Security Questionnaires. Feel free to reach out to know how we internally manage and automate GRC/Audits.

Threat Intel

Hopefully over the Holiday break you got to catch up with your family and play my favourite Christmas game, Have I Been Pwned? It's always fun to see if your crazy uncle has been involved in any data breaches and teach the whole family some good cybersecurity practices, i.e. use a password manager and MFA everything!

Over the past year I've seen a huge uptake in organisations utilising Threat Intelligence Platforms (TIPs) and Threat Intelligence Feeds (TIFs) to enrich their Security Operations through the collection, management and sharing of threat intel. There are many platforms and feeds we partner with, so I'm always happy to share intel on threat intel.

If you're looking for tools/intel for your SecOps team to play with (ripped from Daniel Kelley), here's a bunch of fun cybersecurity search engines:

  1. DeHashed: View leaked credentials
  2. SecurityTrails: Extensive DNS data
  3. DorkSearch: Really fast Google dorking
  4. ExploitDB: Archive of various exploits
  5. ZoomEye: Gather information about targets
  6. Pulsedive: Search for threat intelligence
  7. GrayHatWarfare: Search public S3 buckets
  8. PolySwarm: Scan files and URLs for threats
  9. Fofa: Search for various threat intelligence
  10. LeakIX: Search publicly indexed information
  11. DNSDumpster: Search for DNS records quickly
  12. FullHunt: Search and discover attack surfaces
  13. ONYPHE: Collects cyber-threat intelligence data
  14. Grep App: Search across a half million git repos
  15. URL Scan: Free service to scan and analyse websites
  16. Vulners: Search vulnerabilities in a large database
  17. WayBackMachine: View content from deleted websites
  18. Shodan: Search for devices connected to the internet
  19. Netlas: Search and monitor internet connected assets
  20. crt.sh: Search for certs that have been logged by CT
  21. Wigle: Database of wireless networks, with statistics
  22. PublicWWW: Marketing and affiliate marketing research
  23. Binary Edge: Scans the internet for threat intelligence
  24. GreyNoise: Search for devices connected to the internet
  25. Hunter: Search for email addresses belonging to a website
  26. Censys: Assessing attack surface for internet connected devices
  27. IntelligenceX: Search Tor, I2P, data leaks, domains, and emails
  28. Packet Storm Security: Browse latest vulnerabilities and exploits
  29. SearchCode: Search 75 billion lines of code from 40 million projects

Everybody has a plan, until they get punched in the face

The Optus outage which shook the nation reinforced the importance of preparedness, regularly testing backups, practising BCP and considering worst case scenarios. It's awesome to see a huge uptake in both Physical/Red Team Penetration Testing and also Incident Response Simulation/Tabletop Exercises.

Physical Penetration Testing is a great way to demonstrate the link between an adversary gaining access to a site, then linking to the findings of an Internal Penetration Test if a malicious/compromised insider was roaming wild in your business. Purple Teaming is another great exercise, once you have built up your security ecosystem and operations, to run collaborative 'spy v spy' testing to ensure efficiency and effectiveness, whilst working together to remediate and improve.

IR Tabletop Exercises are a great way to walk through a scenario, i.e. Ransomware, to ensure the business is prepared for the worst. The age old saying "It's not a matter of if, but when" rings true now more than ever, so exercise your IR/BCP plans and processes, as the last thing you want is to practise IRL when the proverbial has hit the fan. Consider the possible bad timing of an attack and ask yourself, "What if the CISO is on sick leave that day?", "What if your vendor contact in your IR process has moved on?", "What if comms went down?", "How do you equip your reception staff to handle a call from a news reporter?".

To help prepare for the worst (although we always hope for the best) we've been conducting IR exercises across three layers: Technical (how do you detect/respond/eradicate/escalate), Executive (how does the Exec team control/handle IR and when do you engage ACSC/AFP/Insurer) and Board (what is the Board's role, how do they manage the IR and also, educationally, what are the risks to the business and why is cyber important?).

Even though World Backup Day has passed, it’s fair to say Backup and Disaster Recovery is important every day of the year. As businesses rely more and more on technology, the importance of backups cannot be overstated. Data is the lifeblood of modern companies and losing it can have serious consequences.

So, in that spirit, let me pose you a few serious (but well-intentioned) questions about your backup:

  • How confident are you that your current backup strategy is working and can be restored quickly?
  • Have you tested your backup and disaster recovery recently (within the last three months)?
  • Do you have a trusted partner to manage the whole process?

Ponder the above and check out our article on The importance of backup and how to get it right to help you along the way.

The Human Firewall

Verizon's 2023 Data Breach Investigations Report (DBIR) informs that "74% of all breaches include the human element, with people being involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering." As mentioned above, unfortunately we're seeing GenAI and ChatGPT being used for nefarious purposes to 'improve' phishing emails, which will only exacerbate the human element of breaches. As you can see below, phishing emails are evolving through the use of GenAI, and hackers can misuse OpenAI/ChatGPT to create phishes.

OpenAI has our best intentions at heart
Unfortunately with a rephrasing of the question it'll give up secrets
The Phish are getting harder to catch (we're gonna need a bigger boat)

Check out my 2022: A Cybersecurity Review for some good tips on how to enable your staff as the Human Firewall.

Essential 8 Changes

In November 2023, the ASD updated the Essential Eight Maturity Model (E8MM). Key focus areas for this update included:

  • Balancing patching timeframes
  • Increasing adoption of phishing-resistant multifactor authentication
  • Supporting management of cloud services
  • Performing incident detection and response for internet-facing infrastructure

I'm a strong believer in the Essential 8 as a tangible framework to drive uplift (it's called the Essential 8 for a reason) and report improvements. It's also a good stepping stone for organisations to move to ISO and NIST.

Something I've been advised is to prepare for Cloud Security Posture Management (CSPM) to be included in E8 from July 2024 onwards.

Government Strategy

It's great to see the planning of Australia's 'Australian Cyber Security Strategy 2023-2030' put into an Action Plan. The Plan is broken down into 6 shields with actions and accountability:

  • Shield 1: Strong businesses and citizens
  • Shield 2: Safe technology
  • Shield 3: World-class threat sharing and blocking
  • Shield 4: Protected critical infrastructure
  • Shield 5: Sovereign capabilities
  • Shield 6: Resilient region and global leadership

As part of any good roadmap, I'm keen to understand which of the 20 actions will be the core focus and what are the “quick wins” for immediate ROI and uplift. Of the AUKUS (Australia, United Kingdom, United States) partnership we're the least mature, so looking forward to the Action Plan being actioned.

Are you not entertained?!?

"All work and no play makes Jack a dull boy", so I've compiled a list of my favourite IT & Cyber documentaries/series for your enjoyment. Maybe you can even convince the boss you're doing "research" during work hours.

  • Mr. Robot - MUST WATCH SERIES! Young, anti-social computer programmer Elliot works as a cybersecurity engineer during the day, but at night he is a vigilante hacker. Gripping and thrilling
  • Cyberwar - Journalist Ben Makuch meets with hackers, government officials and dissidents to investigate cyberwarfare and computer security issues
  • Zero Days - Tells the story of Stuxnet, a self-replicating computer malware, known as a "worm" for its ability to burrow from computer to computer on its own. The USA and Israel unleashed the virus to destroy a key part of an Iranian nuclear facility, which ultimately spread beyond its intended target. It's the most comprehensive accounting to date of how a clandestine mission hatched by two allies with clashing agendas opened forever the 'Pandora's Box' of cyber-warfare
  • Deep Web - Feature documentary that explores the rise of a new Internet; decentralised, encrypted, dangerous and beyond the law; with particular focus on the FBI capture of the Tor hidden service Silk Road, and the judicial aftermath
  • The Great Hack - Explore how a data company named Cambridge Analytica came to symbolize the dark side of social media in the wake of the 2016 US presidential election
  • Web of Make Believe: Death, Lies and the Internet - Conspiracy. Fraud. Violence. Murder. What starts out virtual can get real all too quickly - and when the web is worldwide, so are the consequences
  • 21st Century Hackers - Learn about "white hat" hackers, the US Secret Service's cyber crime division working to protect us from the risks associated with persistent connectivity. This Hacking documentary takes you to the world of Modern Hackers and their Hacking techniques
  • How cyber-crime has become organised warfare - Four Corners investigates the cyber gangs behind cyber assaults in Australia, cracking open their inner operations and speaking to a hacker targeting Australians with no remorse
  • The Dark Web - There’s a dark side to the internet, and you probably don’t even know it exists. Look behind the positive veneer of social media, communication apps and platforms that have made our lives easier and more connected, and you’ll find criminals using the same apps and platforms to run illicit and dangerous activities
  • Eat the Rich: The GameStop Saga - A community of amateur crypto traders enact a daring plan to get rich quick and wreak havoc on the stock market to beat Wall Street at their own game

Mad Dog Predictions

Thinking about the year that's been and the year to come, here are my Mad Dog predictions for 2024:

  • Education is key! Make sure you're conducting Security Awareness Training on a Quarterly basis, at a minimum, and provide targeted training to individual departments i.e. Finance, Marketing, Executive. GenAI is going to make it harder to spot phishing so we need to stay vigilant
  • Scattered Spider, responsible for the MGM Grand cyber attack, has started to target Australia and they're getting brazen in their attempts. MGM Grand fell victim to a phone call to their IT help desk requesting assistance logging into their accounts. We need to ensure we train our Support Desks to sniff out anything 'phishy' and improve Authentication controls/processes
  • VPN is out, SSE is in. With over 119 VPN vulnerabilities disclosed in 2023, we'll continue to see growth in Zero Trust and Security Service Edge (SSE)
  • Similar to the misunderstanding of shared responsibility model for Cloud, without the proper guardrails and education we will fall victim to the same with GenAI and ChatGPT
  • 'Over three-fifths (62%) of global CISOs are concerned about being held personally liable for successful cyber-attacks that occur on their watch.' We need to ensure we are doing our due diligence in timely reporting of risk to the business, whilst also ensuring we look after our physical/mental health. Burnout is real
  • Mergers, Acquisitions and Venture Capitalist buyouts will continue to increase in 2024. Organisations need to ensure they are following proper GRC, doing their research with Threat Intelligence and ringfencing new business with controls, i.e. IDAM, Private Access, Micro-Segmentation, etc.
  • We need to add Sec to our DevOps to ensure the development lifecycle is following appropriate SecDevOps processes and practices, whether that be education/training, DAST, SAST or SCA. Empower your internal developers, and if development is done out of house, ensure you're using DAST as the gatekeeper to ensure an application is 'clean' before release
  • I mentioned in my last yearly review that arguably 'Data is the new Oil'. Organisations need to understand their data risk posture and implement Data Security Controls. Dave Bingham wrote an excellent article on A practical approach to modern Data Security

Stay safe, stay vigilant, have fun, celebrate the wins & let the good times roll


Rick Wittman

Chief Information Security Officer, Cyber Security advisor and teambuilder

10 months

Good summary of the year Thomas, looks like a fair bit of work went into this, and the links will be useful…wait…I hope they’re safe???

Suraj Singh

Consciously evolving

10 months

This is great, thanks Thomas Naylor

Nigel Hedges

CISO (FAISA MAICD MBA M.Cybersecurity CISM CISSP CRISC CISA CGEIT)

10 months

Thomas Naylor this is very good! Not only interesting but full of resources too. I hope you do this next year too!

Martin Iten

Head of Group IT/SAP | Strategic IT leader with practical solutions | Increasing operational efficiency

10 months

It's great Thomas Naylor that you're reflecting on the world of IT and Cybersecurity in 2023. The field is dynamic and ever-evolving, and insights gained from reflecting on past trends can be valuable.
