It's Monday Morning June 24th .... opening day of Hunting Season for Security Professionals
Caleb Barlow
CEO | Board Member | Investor | Innovator | Incident Responder | Team Builder | Mentor | CISO |
Now I’m not talking about hunting for a game trophy. I'm talking about the immediate pivot security operations centers need to make this Monday morning to focus on HUNT activities due to growing tensions around Iran. A few things to take into consideration as you start your day today:
1. If you are not familiar with Shamoon, Chafer, ITG07 or APT33, it’s time to read up and become familiar with their TTPs and indicators. Because most of these attacks occurred in the Middle East, they were poorly covered here in the US, and many security teams are unfamiliar with them.
2. Pivot your thinking from data exfiltration to DESTRUCTIVE. The response is totally different in a destructive attack, as you need to think about business resiliency. Do you have plans for alternative operations if you lose your IT environment? Can you even communicate as an organization? There is no paying a ransom to get your data back in a destructive attack.
3. Pivot the Security Operations Center out of the ticket-based queue and into HUNT. Those indicators you saw a few months ago, could not explain and eventually ignored because they did not happen again… that’s where you need to spend your time this week. Your hunt teams need to be looking at everything you cannot explain, and if you do not have a hunt team, or if you do not have EDR in place… now is the time to get some outside help.
4. Prioritize any environment where you have a “loss of control.” We often see situations with actor activity but no exfiltration, and those are rarely disclosed or prioritized because nothing was “lost.” Any environment with continued bad-actor activity and an inability to regain control needs to be prioritized even if there is no sign of exfiltration.
5. Dust off those runbooks and make sure they have been rehearsed. A destructive incident is a whole-of-business response, and you need to know who is in charge, who is on the team and how you make decisions quickly.
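As an added example that is not part of the original post, here is the re-triage logic behind points 3 and 4 written as a small Python script over constructed ticket records: closed tickets dispositioned as unexplained or non-recurring are reopened for hunting, and any environment with ongoing actor activity and no regained control goes to the top regardless of whether exfiltration was seen. The Ticket fields, environment names and disposition values are hypothetical stand-ins for whatever your ticketing system exports.

```python
"""Re-triage a SOC ticket history into a hunt backlog (illustrative, not a product).

Rule 1: tickets closed as "unexplained" or "no_recurrence" are reopened for
hunting, oldest first, since a quiet actor is not an absent actor.
Rule 2: any environment with continued actor activity and no regained control
is placed first, even when no exfiltration was observed.
"""
from dataclasses import dataclass
from datetime import date

@dataclass
class Ticket:                # hypothetical export format of a SOC ticketing system
    ticket_id: str
    environment: str
    first_seen: date
    status: str              # "open" or "closed"
    disposition: str         # "explained", "unexplained", "no_recurrence" or ""
    actor_activity: bool
    exfil_observed: bool     # deliberately not used for prioritization
    control_regained: bool

# Constructed sample tickets; environments and ids are made up.
SAMPLE_TICKETS = [
    Ticket("T-101", "corp-ad", date(2019, 3, 2), "closed", "no_recurrence", True, False, True),
    Ticket("T-102", "plant-ot", date(2019, 4, 18), "open", "", True, False, False),
    Ticket("T-103", "corp-ad", date(2019, 5, 9), "closed", "explained", False, False, True),
    Ticket("T-104", "web-dmz", date(2019, 2, 11), "closed", "unexplained", True, False, True),
    Ticket("T-105", "plant-ot", date(2019, 6, 1), "open", "", True, False, False),
]

LOSS_OF_CONTROL = "loss_of_control"
UNEXPLAINED = "reopen_unexplained"

def build_hunt_backlog(tickets, today=date(2019, 6, 24)):
    """Return (ticket_id, reason, age_days) tuples in hunt priority order."""
    # Environments where the actor is still active and we never regained control.
    loss_envs = {t.environment for t in tickets
                 if t.status == "open" and t.actor_activity and not t.control_regained}
    backlog = []
    for t in tickets:
        age = (today - t.first_seen).days
        if t.environment in loss_envs:
            backlog.append((t.ticket_id, LOSS_OF_CONTROL, age))
        elif t.status == "closed" and t.disposition in ("unexplained", "no_recurrence"):
            backlog.append((t.ticket_id, UNEXPLAINED, age))
    # Loss-of-control environments first, then the oldest unexplained items.
    backlog.sort(key=lambda e: (e[1] != LOSS_OF_CONTROL, -e[2]))
    return backlog
```

Tickets that were closed as explained (T-103 above) never enter the backlog; the exfiltration flag is ignored on purpose, which is the point of item 4.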
Cybersecurity / Career Job Search Mentor @George Mason University / Chief Information Security Officer / Collaborator / Fierce Female award from Women-in-Tech organization / Seeking cybersecurity adventure
5y
Was lunching w/ a cyber friend and we were discussing if we are in cyberwar now with Iran (or China, Russia, North Korea). We agreed that no one was going to make an announcement that "cyber is now begun." So I was going to write an article about how U.S. organizations face a changed threat, then I saw Caleb's article. He nailed it. Thanks. One addition: How often do you hear "they" (whoever that may be) "are not interested in my company" or "our data is not important"? His article does not apply only to defense contractors, the U.S. government, utilities, etc. Whoever is giving orders to attack the U.S. is not saying to their bots/people, "ignore U.S. companies under 500 employees, healthcare providers, funeral homes, whatever." The bad guys are not going through your data and then saying "never mind, we will attack someone else." All U.S. organizations are now at higher risk.
Cybersecurity Leader | Driving Collaborative Cybersecurity Solutions Across Public and Private Sectors | 20+ Years of Experience in Federal Cybersecurity
5y
Caleb, thank you for foot-stomping this and thank you for hosting CISA leadership this past week. It's encouraging to see the partnerships continue to grow.
Cybersecurity - Leadership - Risk Management - Crisis Response
5y
Prudent and timely advice indeed.