Greg Day

What I learned today. Nice - I wasn't aware of the InstallProduct method from PowerShell to fetch a remotely hosted MSI file and subsequently install it. Invoke-WebRequest is one of the more popular methods, at least in our incident response cases. As always, there is more! Matthew Green wrote about PowerShell Download Cradles a few years back, with a ton of information from a detection engineering standpoint 🫶 [1] Elastic does not let us down, either. The rule here would detect the PowerShell code from the image below. [2] And here is the link to the full article from Recorded Future, where I took the screenshot from [3] [1] https://lnkd.in/eey77Yyh [2] https://lnkd.in/eCp8P4DP [3] https://lnkd.in/eUc39xt8

342

12 Comments

"We need to impose cost on adversaries and build evidence based resilience" - NCSC CTO Ollie Whitehouse at #BSidesCheltenham this morning. Disrupting attack chains by simulating adversarial behaviours and hardening Windows and Linux functions so that they cannot be exploited by adversaries can be a way to achieve this.

62

3 Comments

Vulnerability Management is Evolving. Are You Ready? The next version of the Vulnerability Management Maturity Model (VMMM) is coming this September — and it’s not just a facelift. We’ve rebuilt it from the ground up to match the speed and complexity of modern risk. Here’s what’s new: Threats move faster — your response must too Hybrid environments demand dynamic prioritization You’re expected to prove impact, not just patch counts This updated model is: -CTEM-aligned -Lifecycle-driven (PIACT) -Built for strategic decision-makers -Practical, not theoretical If you’ve used the original SANS VMMM — or struggled to define what good actually looks like in VM — this is your next step forward. Launching September Previews and behind-the-scenes insights dropping soon #VMMM #VulnerabilityManagement #CTEM #SecurityMaturity #CyberLeadership #StrategicVM #SANS #InfoSec #CyberSecurity

103

13 Comments

Proud to share the latest Dragos Knowledge Pack (KP) update, which my team significantly contributed to, focusing on enhancing the detection of ransomware threats targeting Industrial Control Systems (ICS). This update strengthens the Dragos Platform by incorporating new analytics and characterizations specifically designed to identify the evolving tactics ransomware groups use within operational technology (OT) environments. By improving visibility into these malicious activities, we're helping defenders bolster their defenses and better protect critical infrastructure from disruptive ransomware attacks. Check out the blog post for a deeper dive into how these new detections work and why they are crucial for robust ICS cybersecurity. https://lnkd.in/gdFfnUD9

62

4 Comments

Britain's National Cyber Security Centre recently issued a lukewarm verdict on passkeys as an authentication solution. On the Root Causes Podcast, Jason Soroko and I explore the problems with WebAuthn, including account recovery, spotty availability, inconsistent implementation, and lack of Linux support.  Audio: Video: https://lnkd.in/g6uHKii6

29

3 Comments

If you think Russian cyber actors are a threat, the time to start increasing your native CTI capability is NOW. As of last week, it's clear the federal government has its fingers on the attribution scale. Even commercial attribution is suspect given retribution against contractors.

87

4 Comments

It seems like every quarter is a solid quarter for Fortinet...but can they keep it going? They're facing tricky near-term challenges like tariffs while trying to grow at scale, diversify revenue streams, and seed long-term growth. Decent problems to have, no doubt (except for the tariff part). A few highlights from Fortinet's Q1'25 report: → They're not worried about tariffs...yet Analysts on the call asked tariff-related questions every which way — as they should given the size of Fortinet's hardware business and manufacturing outside the United States. Fortinet's leadership team didn't blink. They had an answer for everything. The short version is: no sales cycle impacts yet, no meaningful change (positive or negative) on to the anticipated hardware refresh cycle, no plans to raise prices if tariffs hit, and flexibility to relocate manufacturing if needed. Fortinet is in a tough spot if tariffs happen, but it's not going to ruin the business. They'll have a plan. Probably layers of plans. → Lower than expected contributions from acquisitions They mentioned minimal revenue impact from acquisitions, partly due to higher than expected churn. They were bullish on Next DLP, which they acquired late last year. Linksys is part of the equation, too. Ken Xie called it a long-term play and said it will take time to work their magic on the hardware side. By process of elimination, I'm just going to assume the problem was Lacework (they didn't say) — but I'm just guessing, so don't make any serious investment decisions here. Immaterial contributions and high churn has to be a disappointing result so far, but they knew what they were getting into when buying a distressed asset. → Both SASE and SecOps are doing well, though Tariffs or not, Fortinet needs revenue diversity. Their SASE and SecOps businesses are the centerpieces of the strategy. This quarter was a positive signal, with Unified SASE ARR up 26% and 30% YoY respectively. Combined ARR is now $1.6 billion, which is bigger than most of cybersecurity's public companies. Fortinet's playbook for large, boring enterprises (like financial services and healthcare) just crushes it. Buy hardware firewalls. Add SD-WAN. Upgrade to SASE. Repeat, repeat, repeat. Case in point: they're excited about Sovereign SASE, of all things — the fully self-hosted version that only massive enterprises want. Literally the opposite of Cloudflare's strategy...but it works. --- The macro environment and geopolitical tensions are disproportionately bad for companies like Fortinet, but their leadership team has been through economic cycles before. Their methodical consistency is going to get challenged here, but they'll find a way to get through it.

63

9 Comments

Thursday thoughts...challenges and opportunities for SOC teams in 2025. I’ve had a bit of a break from posting on here for a while, so I thought I’d get back to it with some thoughts on SOC in 2025. I think there will be a few key themes: AI and the impact it may have on both SOC operations and the job of the SOC itself (i.e. with businesses using more and more AI there will be more things for the SOC to cover an build use cases for). The SOC will need to keep up with AI adoption. Innovation in the SOC tooling and processes will be key. Value for money and cost optimisation may be more important then ever due to increased staff costs, the need to ingest and analyse more and more data and the potential extra costs (at least in the short term) of enabling AI to drive productivity. I think there are both challenges and opportunities here, should be an interesting year! #soc #2025 #trends

26

2 Comments

Let's talk about Non-Certification Assessments in CMMC. 🥇 Possibly the top question I get lately with clients is whether your C3PAO who's performing your L2 Cert Assessment can also do a 'Readiness Assessment' with you As always - IT DEPENDS! (yayy - our favorite) ❓But Matt - why the quotes on 'Readiness Assessment'? Because that's the whole point. One company's 'Readiness Assessment' doesn't necessarily mean the same thing as another's It's a non-official term. And depending on what they're doing in that assessment, that will dictate if they can still perform your L2 Cert Assessment 📄 So, what IS allowed? Well on page 12 of the CyberAB's Code of Professional Conduct, the term "Non-Certification Assessments" is defined: "A non-certification assessment is the conduct by a C3PAO of a full or partial cybersecurity assessment of an OSA that does not result in the issuance or denial of a formal certification." 😎 Okay, so there is a thing that the CyberAB allows C3PAOs to do outside of a formal cert assessment, but wouldn't that impede their independence? Lucky for us, the CoPC defines the exact scenario that needs to happen so that there is no conflict of interest!   Basically, to be regarded as a true mock assessment that does not create a conflict of interest the C3PAO must: A) Follow official assessment processes outlined in 32 CFR Part 170 B) C3PAO shall not provide recommendations, advice, or consulting C) OSA shall receive an official document with the results So it really comes down to - if they're doing A, B, and C of the above, there is no conflict of interest and you CAN use that C3PAO to still do the official Level 2 Certification 💡So, if a C3PAO proposes doing a gap, mock, or readiness assessment AND your Level 2 Certification - just make sure you understand what they are and aren't doing in that assessment before engaging

69

18 Comments

MDR sharpens visibility. Because resilient businesses need a clearer lens. In today’s cyber landscape, what you don’t see often matters more than what you do. Modern security teams face an overload of alerts. MDR steps in to give clarity where it matters most: - Filters noise so only real threats demand attention - Adds context to alerts for faster understanding - Guides action with expert-driven recommendations - Accelerates decisions when time is critical - Strengthens resilience by spotting what tools alone may miss MDR makes your defenses sharper, faster and more reliable. Graftronics is a Sophos MDR partner, transforming IT teams across organizations in multiple industries. Reach out to us for assessing MDR for your setup. - Vimesh Avlani Managed Detection & Response | Cyber Resilience | Trusted by Mid-Market CXOs

20

4 Comments

The UK Government has released guidance for a voluntary Software Security Code of Practice, with plans for offering a certification based on compliance. There are four themes: Secure design and development, Build environment security, Secure deployment and maintenance, and Communication with customers. The guidance consists of fourteen principles which are reasonable for vendors of all shapes and sizes to satisfy (at least to some degree). I typically dislike these generic guidance documents stating things like "Distribute software securely to customers," but not everyone is fortunate enough to have a team of internal security professionals. If it's any signal for software supply chain security, to see even the most fundamental guidance include software composition analysis and maintenance of third-party components is a huge win!

24

Welcome to Third Party Report Management: powered by the Compliance Theatre™️ TPRM is just compliance with extra steps removed. We kept the paperwork but dropped that pesky 'actually checking things' part. What it actually is: ❌ SOC 2 exists (Not Qualified for the semi-finals) ❌ ISO 27001 exists (What? "A Statement of Acceptability?") ❌ Questionnaire answered (They said yes to everything) ❌ Pentest passed (Nessus scan on the internal wiki) ❌ Trust Center exists (must be trusted) ❌ Incident response tested (they have a security email) ❌ Vendor assessed as critical (they're the only ones who replied back) Sample vendor security assessment: - Send 400-question clunky portal link - Receive 400 "Yes" answers - Ask for compliance certificates - "Can we use Okta?" - Do you think security is good? - Accept all risks because "business critical" - Risk score: Inherent is low, residual is kinda lower - Repeat annually regardless of changes Meanwhile, your vendors are: - Deploying to prod 100 times a day - Changing infrastructure hourly - Rotating entire environments weekly - Accessing your data continuously - But hey, I got their SOC2 Bridge Letter! Your "continuous monitoring" is: - Checking if certs expired - Validating security logos still exist - Making sure questionnaire is less than 1 year old - Ensuring screenshots are still in GDrive - Monitoring their Trust Center uptime What it could be (just some examples): ✅ Understanding vendor infrastructure -> Walk us through how configuration changes propagate from development to production, including approval gates and validation steps ✅ Analysing actual security controls -> How you validate security control effectiveness beyond simple existence checks ✅ Assessing real threat exposure -> Demonstrate how you identify and track shadow IT/unauthorized service usage in your environment ✅ Evaluating incident response capabilities -> Explain your automated response to a compromised production credential scenario ✅ Reviewing data flows -> Demonstrate how you identify and control sensitive data movement between environments ✅ Testing security assumptions -> Walk us through how you verify segmentation controls are working as intended ...But this takes too much time. There's no way I can do all of this for all of my vendors!!! Who said you should do it for all your vendors? You can't pinpoint your _really_ critical vendors? Maybe focus on them first, industrialise your approach for performing deep-dives. You can then tier your assessments in a way that makes more sense than SIG Core vs. SIG Lite. Some welcomed disruption is coming soon and building the foundation for scaling assessments that actually provide value to both parties. Watch this space! A funny note: TPRM is checking compliance worst than compliance themselves in order to stay compliant with their own compliance requirements... lol #GRCEngineering

121

49 Comments

As a managed Continuous Exposure Assessment and Validation provider at NST Cyber - Your Trusted Enterprise CTEM Partner we uncover millions of end user and other credential exposures daily, validating them against applications and endpoints to identify risks such as initial access and account takeovers. Despite advancements in AI-driven endpoint detection and network security, these incidents persist, underscoring the threat posed by infostealers. These advanced malware strains steal credentials, financial data, and other sensitive information using sophisticated techniques to bypass traditional and modern detection systems. Infostealers now use advanced tactics to evade detection, exposing the limitations of traditional defenses. ⚫️Why Traditional Defenses Fail: 1. Stealthy Operations • Fileless Attacks: Using tools like PowerShell to evade file-based detection. • Dynamic Payloads: Malware such as Vidar and RedLine build payloads on the fly, defeating static signatures. • Obfuscation: Raccoon Stealer employs polymorphism, constantly changing its code to avoid detection. 2. Advanced Evasion Techniques • Domain Generation Algorithms (DGAs): Generate new domains to bypass blacklists. • Fast Flux DNS: Use rapidly rotating IPs to maintain C2 connectivity. • Living-off-the-Land (LOTL): Abuse legitimate tools to blend into normal operations. 3. Static Defense Limitations • Reliance on historical data leaves systems vulnerable to zero-day exploits and small code changes. 🔴Innovations in Infostealer Detection: Combating infostealers requires moving beyond static rules to AI-driven and adaptive strategies. 1. Behavioral Intelligence • Detect unusual C2 activity, anomalous data exfiltration, and suspicious tool usage. 2. Adaptive Machine Learning • Identify behavioral anomalies, irregular data patterns, and correlate compromise indicators. 3. Proactive Threat Hunting • Use YARA/Sigma rules and real-time threat intelligence to stop emerging threats. 4. In-Memory Detection • Monitor runtime activity to detect fileless malware and abnormal processes. 5. AI-Powered Adaptation • Leverage predictive models and dynamic thresholds to reduce false positives. 🟣Preparing for Future Infostealer Threats: 1. Evolving Evasion: Infostealers will integrate smarter techniques to outpace detection. 2. Intelligent Defenses: AI, behavioral analytics, and threat intelligence are essential to combat them. Infostealers epitomize the rapidly evolving threat landscape, where static defenses are no longer enough. To stay ahead, organizations must adopt dynamic, AI-driven strategies that prioritize adaptability and vigilance. #infostealers #cybersecurity #endpointsecurity

37

1 Comment

Tomorrow is the #NISDUC conference on NIS2, and we would like to share how the Vulnerability-Lookup software can support NIS2 requirements and best practices. https://lnkd.in/e4kGBySt Vulnerability-Lookup is an open-source platform developed to help organizations identify, track, and manage software vulnerabilities. It aggregates data from multiple trusted sources, allows collaborative input, and supports processes aligned with vulnerability disclosure standards. The NIS2 Directive (Directive (EU) 2022/2555) establishes a high common level of cybersecurity across the EU. This document outlines how Vulnerability-Lookup helps stakeholders meet the directive’s key requirements, especially Articles 11, 12, 21, and 29. The following paragraphs analyse these articles and contextualise Vulnerability-Lookup’s feature support capabilities. #nis2 #cybersecurity #vulnerabilitymanagement #vulnerability CIRCL (Computer Incident Response Center Luxembourg)

111