So, We Have A Cyber Incident Response Program. What’s Next?


Before we jump into the business of the day, here is the cybersecurity news you might have missed this week:


  • One of the biggest government password leaks ever. In what is recognized as one of the biggest data dumps ever, 3.2 billion passwords, including 1.5 million passwords linked to government-issued email addresses from top governments including the US, Canada, UK, China, and North Korea, were posted on the Internet. The passwords are alleged to have been obtained through phishing, password hash cracking, and intercepting plaintext connections.

  • REvil hackers threaten to leak Apple blueprints if a $50 million ransom isn't paid. Apple supplier Quanta announced that it suffered a ransomware attack by the infamous REvil hacking group. Quanta disclosed that the attackers took possession of schematics of unreleased MacBooks and Apple Watches, demanded a $50 million ransom, and threatened to post the sensitive IP publicly otherwise.

  • Cybercriminals exploiting Telegram to deploy ToxicEye malware. Spread via phishing emails carrying a malicious Windows executable, ToxicEye uses Telegram to communicate with its command-and-control server and upload data to it. The malware also sports a range of capabilities that allow it to steal data, transfer and delete files, terminate processes, deploy a keylogger, hijack the computer's microphone and camera to record audio and video, and even encrypt files for a ransom.


And now to the topic of the day.


So, We Have A Cyber Incident Response Program. What’s Next?


In the 21st century, cybersecurity has become a matter of necessity for businesses of all sizes. Not a week goes by without news of yet another high-profile cyberattack or data breach, creating a certain cybersecurity news fatigue, if you will - a type of indifference where the public, including executives, tunes it out as white noise.


It's easy to dismiss such news thinking that your organization is secure, or perhaps too unimportant for anyone to target. This is precisely the kind of thinking that threat actors hope for, as complacency and satisfaction with the status quo lead to downplaying the importance of each component of the cybersecurity program.


For example, while having a decent Cyber Incident Response Program is absolutely essential, it's not a panacea. An IR Program is only as formidable as the cybersecurity tools and controls around it: if your preventative controls, such as employee awareness training, patching, or cloud security settings, are lacking, incidents will occur far too often; if your detection capabilities are weak, you may simply miss the attack altogether.


So how can you reinforce your Cyber Incident Response Program across the board and ensure it's more than a collection of dusty PDFs?


Conduct Regular Penetration Tests


Cyberattacks exploit vulnerabilities in an organization's systems, processes, or people; without a weakness, there's nothing to exploit. Identifying and addressing such weaknesses as early as possible is key to building a formidable cyber defense.


The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
- Sun Tzu, The Art of War

A classic way to discover these vulnerabilities is to conduct an external Penetration Test, and this likely isn't the first time the topic has crossed your mind. But consider this: most Penetration Tests these days are framework-driven, in that the testers approach such an engagement "by the book" using ISO 27001 or the like as a basis. Such tests can provide little practical insight into the exploitability of a particular weakness, as they are conducted in a sort of compliance vacuum, detached from the threats the organization actually faces.


Alternatively, approaches like STAR-FS by CREST outline the procedures for Cyber Threat Intelligence-driven Penetration Testing. The STAR-FS process uses threat intelligence collection to define realistic and current threat scenarios, which the Penetration Testing team then uses to replicate real-world attacks on financial services companies. This makes the tests far more applicable to situations that can occur in the real world and drastically increases the effectiveness of your mitigation efforts. Moreover, different "flavors" of STAR can be applied to companies operating in any sector.


Another direction to consider is Penetration-Testing-as-a-Service (PTaaS).


The PTaaS methodology calls for a continuous cycle of testing and remediation, typically triggered either by changes within the in-scope systems (such as a new deployment of an app or an updated infrastructure) or simply on a set schedule. This approach gives the organization a near real-time view of current vulnerabilities and the likelihood of their exploitation, augmenting the vulnerability management program and effectively combating constantly evolving threats.


Know Your Adversary


Operating a business in a world where any number of cyber threats can bring an organization to its knees can be downright terrifying at times, making staying in the dark a poor long-term survival strategy.


Threat intelligence, or Cyber Threat Intelligence (CTI), is a continuous process of collecting, analyzing, and disseminating the information an organization uses to understand the threats that have targeted, are currently targeting, or will target the business. This information is used to proactively prepare for attacks, or prevent them altogether, through early identification of the threat actors looking to exploit weaknesses in the company's infrastructure.

Cyber Threat Intelligence combines key data about new and existing threat actors, as well as their tools, tactics and procedures, the vulnerabilities they aim to exploit, and much more from publicly available and restricted sources. CTI teams then analyze the collected data to produce threat intelligence reports that drive proactive employee awareness training, vulnerability management, governance initiatives, or other defensive measures.


If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War

The fundamental purpose of this approach is to proactively mitigate the dangers posed by advanced persistent threats, new exploits, and both known and zero-day vulnerabilities, ideally preventing attacks before they can even materialize or, at the very least, making response efforts much more efficient.

