Is the CrowdStrike incident a security issue? | Issue #7

Welcome to issue #7 of ThreatReady!

ThreatReady is your source of actionable truth based on the latest industry news. It offers a people-centric perspective that connects deeply with the challenges and triumphs of leading security teams and strategy.

If the cybersecurity landscape were a chessboard, the ThreatReady newsletter would be your strategic guide to staying three moves ahead of bad actors.


Let’s talk about the CrowdStrike incident

With 8.5 million Microsoft devices affected worldwide and more than 600 flight cancellations, the global tech outage from CrowdStrike’s recent software update has triggered an ongoing debate:

Is it a cybersecurity or admin issue?

The incident is closer to a technical malfunction than a cybersecurity breach.

So it’s a stretch to say it’s an issue security operators can train against.

Approaching this from a proactive mindset, security and IT leaders should focus on crisis management and how cyber attackers could potentially exploit the outage for criminal activities—like using faulty EDR and ELAM drivers.

Due to the very busy weekend cyber teams have experienced working on the outage (most of them part of our community), we are extending the deadline to complete our Operation Shield Wall scenarios until August 2nd, 2024.

Each individual completing the entire series will receive an exclusively crafted coin recognizing their efforts and dedication to developing their skills and threat-readiness!

Operation Shield Wall features realistic purple-team scenarios that simulate strategies, procedures, and protocols for responding to large-scale cybersecurity incidents affecting critical infrastructure—such as telecom networks, power grids, and federal services.

Learn more about Operation Shield Wall


The anatomy of Cuttlefish Malware (mapped to MITRE ATT&CK)

The Cuttlefish Malware is a recent zero-click malware variant identified and analyzed by Lumen Technologies’ Black Lotus Labs, who publicly reported it in May 2024.

However, the malware has been active since at least July 2023, and likely earlier.

It also has significant similarities to HiatusRAT, which has been active since at least July 2022.

As part of our new “Attack Anatomy” series, we mapped HiatusRAT’s capabilities to MITRE techniques.

For each technique used, we’ve linked to relevant educational resources that operational & strategic teams can use to better understand the malware and improve threat readiness and response.

Dive into the Attack Anatomy of Cuttlefish Malware


Strengthen security strategy with MITRE ATT&CK & HTB

The MITRE ATT&CK framework contains an ocean of information on how cyber attacks work and how defenses should be designed to address them.

Its breadth of coverage means there are many ways to apply it to address business needs.

For example, security teams need to develop threat models, evaluate security tool efficacy, develop detection strategies, and prioritize security investments.

This is why we carefully map our courses and labs to the MITRE ATT&CK framework.

But how should leaders align the framework with their security, compliance, and incident response needs?

We cover the most common use cases and examples in our guide on applying MITRE ATT&CK to your security strategy.


Win of the month (let’s celebrate fellow security leaders)

Taher Amine, Senior Cybersecurity Consultant and Trainer:

A client was facing a critical situation, having their information systems down, their business data encrypted, and their different data centers 80% disrupted due to a ransomware incident. We started a DFIR (Digital Forensics and Incident Response) operation and luckily, managed to rectify the situation and provide actionable insights in terms of restoring their critical business operations.

Mayur Parmar, Pentesting Team Lead:

During the engagement with a banking application, I was able to escalate privileges from a normal user to an admin by exploiting a vulnerability in the registration functionality. By intercepting the registration request, I discovered a role parameter that was set to "user". I modified this parameter to "admin", which allowed me to create a new admin account, bypassing the intended application flow. This finding highlights a critical security vulnerability in the system.
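As an added illustration (not part of Mayur’s write-up and not code from any real application), the Python sketch below shows the registration pattern behind this class of finding next to its fix. The first handler binds every submitted field, so a client-supplied `role` overrides the default; the second copies only an allow-list of fields, assigns the role server-side, and reports unexpected keys so the application can log or alert on tampered requests. All function, field and sample-request names are hypothetical.

```python
# Added example: registration handler that trusts client-supplied fields (mass
# assignment) beside a hardened version. Names are hypothetical and the sample
# request is constructed; nothing here comes from a real application.
import json

# Only these fields may be set by the client at registration time.
ALLOWED_REGISTRATION_FIELDS = {"username", "email", "password"}
DEFAULT_ROLE = "user"


def register_vulnerable(body: str) -> dict:
    """Binds every key from the request body to the new account.

    A client that adds "role": "admin" to the request body overrides the
    server's default and ends up with an admin account.
    """
    data = json.loads(body)
    account = {"role": DEFAULT_ROLE}   # default the client is free to override
    account.update(data)               # mass assignment: trusts all client keys
    return account


def register_hardened(body: str) -> dict:
    """Copies only allow-listed fields and assigns the role server-side.

    Returns the account plus any unexpected keys the client sent, so the
    caller can log them as a tampering indicator.
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("registration body must be a JSON object")
    unexpected = sorted(set(data) - ALLOWED_REGISTRATION_FIELDS)
    account = {k: data[k] for k in ALLOWED_REGISTRATION_FIELDS if k in data}
    missing = ALLOWED_REGISTRATION_FIELDS - set(account)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    account["role"] = DEFAULT_ROLE     # never derived from client input
    return {"account": account, "unexpected_fields": unexpected}


# Constructed sample request with an extra "role" key, as an intercepting
# proxy would let a tester add it.
TAMPERED_REQUEST = json.dumps({
    "username": "alice",
    "email": "alice@example.test",
    "password": "correct horse battery staple",
    "role": "admin",
})

if __name__ == "__main__":
    print(register_vulnerable(TAMPERED_REQUEST)["role"])           # admin
    result = register_hardened(TAMPERED_REQUEST)
    print(result["account"]["role"])                               # user
    print(result["unexpected_fields"])                             # ['role']
```

The allow-list is the fix; the `unexpected_fields` list is the detection hook. A registration endpoint that sees a `role` key from a client should treat it as a signal worth recording, and a role change should only ever be performed by a separate, authenticated admin operation.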

Share your win with the community

Your expertise and insights are invaluable. And we’re eager to share them with our vast audience of over 2.6 million members.

We’d be honored to feature your top "win" of the month related to your team, department, or security program in the next edition of ThreatReady.

A “win” could be:

  • Achieving compliance or industry standards.
  • Successfully onboarding new team members.
  • Celebrating your team’s performance.

The top wins will be shared in the next month’s edition of ThreatReady (and if it’s really good, may get some additional love on social media). Want to share your win?

Drop a comment below telling us what it is?


John Concepcion

Ethical Hacker | CEH, CISSP, Linux+

3 months ago

The intersection of where services are no longer available to your organization and your ability to assess and affect an established emergency action plan is where security lives. A catastrophic impact is a catastrophic impact. How well you weather that impact and limit your exposure is an essential function of security.

Almir Sadovic

Follow me for 777 Days of Divine Cloud/Cybersecurity Learning Challenge | Infinite Blue | Master Father | CySec | eBay Specialist | PHILA Expert | Content Creator | AI/Cloud Enthusiast | Motivator

3 months ago

Looking forward to seeing comments! Keep learning, pursue excellence, never stop growing!

Richard Brake

eJPT | CompTIA Security+ Elite Hacker

3 months ago

Well, if this was an APT, it would have been the most successful DDoS in history.

Matt Swann, CSAP

Security Analyst | CompTIA Security Analytics Professional

3 months ago

Great post and I agree with the assessment that this is more of a technical issue than anything else. That being said, and echoing other comments here, I've been playing devil's advocate when discussing this with my friends and think it is also fair to call it a security incident given that worldwide availability of IT systems was compromised. We know that a human element is involved in a majority of cyber incidents, whether intentional or unintentional (per the 2024 Verizon DBIR), and this incident can technically fall into the same category as an internal employee accidentally falling victim to a phishing link that ultimately brings down a system. But, I wouldn't go so far as to call it a cyberattack, as it certainly was not carried out with intent (so far as we know). Although, again to reiterate others, that's a bit pedantic and ultimately people are human and make mistakes that sometimes have small consequences, and sometimes large. I will say, CrowdStrike deserves credit for quickly identifying the issue and working swiftly to provide a remedy rather than trying to shirk the blame.

Chance Doring

Always seeking opportunity

3 months ago

Security issue? Lmao! It's a skill issue!
