🛡️SHIELDS-UP: In the wake of yesterday’s U.S. military action against Iranian nuclear targets, U.S. critical infrastructure owners & operators should be vigilant for malicious cyber activity. While it’s unclear whether its cyber capabilities were at all impacted by recent Israeli strikes, Iran has a track record of retaliatory cyber operations targeting civilian infrastructure, including: water systems; financial institutions; energy pipelines; government networks; and more. (https://lnkd.in/eaiK7mUC)

U.S. critical infrastructure owners and operators—both at home & abroad—should be #ShieldsUp and prepared for malicious cyber activity, including:
⚠️ Credential theft & phishing campaigns
⚠️ Wipers disguised as ransomware
⚠️ Hacktivist fronts and false-flag ops
⚠️ Targeting of ICS/OT systems

The playbook is known. So is the response, and it’s not rocket science:
✅ Enforce MFA across all cloud, IT, and OT systems
✅ Patch every Internet-facing asset
✅ Segment networks & elevate detection on OT traffic
✅ Conduct tabletop cybersecurity drills, in particular with ICS scenarios
✅ Subscribe to ISAC alerts for real-time intelligence (ICYMI: Recent statement from IT-ISAC & Ag-ISAC: https://lnkd.in/ePZdWPzr)
✅ Report suspicious activity immediately to the Cybersecurity and Infrastructure Security Agency or the Federal Bureau of Investigation (FBI)

In cyberspace, proximity doesn’t matter—intent, capability, and access do. And Iran checks all three boxes. 🚨 Stay Vigilant.
Threat Intelligence Insights
-
Cyber Performance Goals (CPGs): What are they? Why should we care? 🤷♂️

Every organisation, regardless of industry or location, faces unique cyber threats. Traditional frameworks like #CIS, #ISO, and #NIST are a good starting point for security guidance, but they often lack clear connections between real threats, adversary attack techniques, and the associated mitigations. This is where Cyber Performance Goals come in. CPGs bridge that gap through traceability and practical application by starting with a good security outcome, linking this to a valid risk or TTP, and providing the recommended action to address the key risk(s).

In CISA's words, “The CPGs are voluntary practices with high-impact security actions that outline the highest-priority baseline that measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats.”

⚡ Enhanced Cyber Performance Goals (eCPGs)
CPGs alone are an excellent resource for understanding how to achieve secure outcomes, but using them in isolation won’t do much without the necessary business context. Here are my insights when working with CPGs in real-world engagements:

💡 Use Threat Events (as defined in NIST 800-31r1)
- Sector-Specific Scenarios: Identify realistic threats and attack vectors relevant to your industry/organisation.
  - E.g. Threat = "Steal valid customer account information/online banking credentials". (Financial Services)
- Threat Modeling: Identify and map potential attack paths and initial access vectors within your high-value assets and hosting environments.
- Risk Prioritisation: Focus on high-impact, high-likelihood scenarios first.

💡 Vulnerability and Weakness Mapping (CVEs / CWEs)
Before an attack can be successful, there must be a vulnerability or weakness. This part is crucial for validating any downstream attack TTPs and mitigating controls.
- Example: Threat = "Steal valid customer account information/online banking credentials".
  ➡️ Weakness = "CWE-306: Missing Authentication for Critical Function", “CWE-308: Use of Single-factor Authentication".

💡 Link To Cyber Performance Goals (CPGs)
- Leverage existing CPGs as adequate mitigating controls.
- MITRE ATT&CK Alignment: CPGs already map ATT&CK TTPs to recommendations for threat-informed risk mitigation.
- NIST CSF Compliance: Helps ensure control standards alignment for organisations that use NIST.

💡 Bringing it all together
This might seem like a lot of effort, but in practice, it’s very straightforward once you understand the threats and weaknesses facing a target organisation. Using these CPGs with this approach gives your impact assessments and control recommendations a lot more credibility when they come from reputable and threat-informed sources, not just you.

Check out the complete list of CPGs here: https://lnkd.in/gdTQ_n_W

#cybersecurity #performance #goals #cpgs #threatintelligence #CISA #NIST #mitreattack
-
What Does Good Cyber Threat Intelligence Look Like? 👀

I've spent the last 15+ years on almost every side of Cyber Threat Intelligence (CTI) - DoD, USIC, contractor, supporting the DIB, working with CISA, being a Fed, and now in the private sector at a FAANG company.

Let me be clear: Good CTI drives decisions and reduces risk. 👍 That's it. That's the post. 🔥

If a report exists just to talk about "cool threat actor stuff" without any clear tie to defensive action? That's not intelligence, that's marketing. And yes, I get it, marketing has its place. Some CTI is marketing, and some marketing masquerades as CTI. But can we please leave threat actor statues and at the door? 🚪

When I was supporting any number of teams or decision makers, here's what mattered to us:
- A clear BLUF (Bottom Line Up Front) - Why should I read this? What's the risk? What's the so what?
- Indicators & Observables - STIX, YARA, Sigma, CSVs of IOCs - whatever is needed to drop into the security stack right now.
- Recommendations that are actionable - Tell me what to block, hunt, patch, or mitigate.
- A format that respects my time - Tactical reports should be short, clear, and immediately usable. (Save the novel-length reports for deep-dive strategic studies.)

Empathy Matters. 💜 If you’re writing CTI and haven’t thought deeply about who is going to read it, and how they’ll use it, you’re doing it wrong. Defenders don’t need a cool story. They need help. They need clarity. They need data that plugs into their tools. They need you to make their job easier, not harder.

Final Thought: 🧠 Good CTI reduces uncertainty. It helps defenders act faster and leaders make better decisions. If your report doesn’t do that? It's just noise.
-
The Dubai Financial Services Authority (DFSA) published the report "Cyber and Artificial Intelligence Risk in Financial Services: Strengthening Oversight Through International Dialogue". The publication follows the DFSA’s inaugural Cyber and AI Risk Regulatory College, held in May 2025, which brought together 70 senior representatives from 18 financial authorities across the Middle East, North America, Europe, Africa, and Asia. It analyzes overall #cyber-risk, with focus on #quantum and #AI.

On quantum, it concludes:
👉 Quantum computing poses a direct threat to current public-key cryptography, which underpins secure communications across the financial sector.
👉 Without a timely and coordinated transition to PQC, financial stability could face significant risks within the next decade.
👉 Proactive steps toward PQC adoption should begin well ahead of widespread global standardisation and cross-industry implementation efforts.

According to the report, a pathway toward #PQC could involve:
📌 raising awareness of quantum-vulnerable cryptographic systems and building a cryptographic inventory;
📌 completing a risk assessment – including implications of ‘harvest now, decrypt later’ tactics, where encrypted data is collected now with the intention of decrypting it once CRQCs emerge;
📌 developing a quantum resilience roadmap, including a hybrid scheme during the transition while classical and PQC would coexist; and
📌 piloting PQC solutions for high-risk infrastructure and monitoring industry developments.

It highlights that the transition represents not only a technical shift, but also a strategic transformation spanning risk, compliance, operations, and a long-term data management programme.

My take: Regulatory and supervisory focus keeps growing in the financial sector, transforming the transition on a topic expanding from cybersecurity into risk and compliance teams.

https://lnkd.in/dpxZ-7TE
-
🌍International Guidance for Enhanced Cybersecurity: Best Practices for Event Logging and Threat Detection🌍

The Australian Government's Australian Cyber Security Centre (ACSC), in collaboration with global partners like the #NSA, #CISA, the UK's #NCSC, and agencies from Canada, New Zealand, Japan, South Korea, Singapore, and the Netherlands, has released a comprehensive report on best practices for event logging and threat detection.

🚀The report defines a baseline for event logging best practices and emphasizes the importance of robust event logging to enhance security and resilience in the face of evolving cyber threats.

Why Event Logging Matters: Event logging isn't just about keeping records—it's about empowering organizations to detect, respond to, and mitigate cyber threats more effectively. The guidance provided in this report aims to bolster an organization’s resilience by enhancing network visibility and enabling timely detection of malicious activities.

🔍 Key Highlights:
🔹Enterprise-Approved Event Logging Policy: Develop and implement a consistent logging policy across all environments to enhance the detection of malicious activities and support incident response.
🔹Centralized Log Collection and Correlation: Utilize a centralized logging facility to aggregate logs, making detecting anomalies and potential security breaches easier.
🔹Secure Storage and Event Log Integrity: Implement secure mechanisms for storing and transporting event logs to prevent unauthorized access, modification, or deletion.
🔹Detection Strategy for Relevant Threats: Leverage behavioral analytics and SIEM tools to detect advanced threats, including "Living off the Land" (LOTL) techniques used by sophisticated threat actors.

📊 Use Case: Detecting "Living Off the Land" Techniques: One highlighted use case involves detecting LOTL techniques, where attackers use legitimate tools available in the environment to carry out malicious activities. The report showcases how the Volt Typhoon group leveraged LOTL techniques, such as using PowerShell and other native tools on compromised Windows systems, to evade detection and conduct espionage. Effective event logging, including process creation events and command-line auditing, was crucial in identifying these activities as abnormal compared to regular operations.

Couple this report with the CISA Zero Trust Maturity Model (ZTMM): The report's best practices align with CISA's ZTMM's Visibility and Analytics capability. By following these publications, organizations can progress along their maturity path toward optimal dynamic monitoring and advanced analysis. (Full disclosure: I was co-author of CISA's ZTMM)

💪Implementing these best practices from the Australian Signals Directorate & others is critical to achieving comprehensive visibility and security, aligning with global cybersecurity frameworks.

#cybersecurity #zerotrust #digitaltransformation #technology #cloudcomputing #informationsecurity
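The LOTL use case above turns on two things the guidance asks for: process-creation events with command-line auditing enabled, and a notion of what "regular operations" look like so the abnormal stands out. The following is an added example written for this page, not code from the ASD/CISA report or the post. It runs over a handful of constructed process-creation records in the shape of a Sysmon Event ID 1 (or Windows 4688 with command-line logging), flags a few high-signal native-tool command lines, and separately flags parent/child pairs that never appeared in an assumed known-good baseline. The tool list, regexes and baseline are illustrative assumptions.

```python
"""Living-off-the-land detection over process-creation telemetry.

Added example; not from the ASD/CISA guidance or the post above. Events are
constructed inline in the shape of a Sysmon Event ID 1 / Windows 4688 record
with command-line auditing enabled. NATIVE_TOOLS, RISKY_PARENTS, LOTL_PATTERNS
and BASELINE_PAIRS are assumptions to replace with your own environment's data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str    # parent image name, lower-case
    image: str     # created image name, lower-case
    cmdline: str   # full command line; only present if CLI auditing is on


# Native Windows tools commonly repurposed by intruders (assumed list).
NATIVE_TOOLS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "wmic.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "ntdsutil.exe", "netsh.exe", "bitsadmin.exe",
}

# Parents that should almost never spawn a native tool (assumption).
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}

# High-signal command-line shapes (assumed regexes; tune to your fleet).
LOTL_PATTERNS = {
    "powershell_encoded": re.compile(
        r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.I),
    "powershell_download": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "wmic_remote_exec": re.compile(r"wmic(\.exe)?\s.*process\s+call\s+create", re.I),
    "ntdsutil_ifm_dump": re.compile(r"ntdsutil(\.exe)?\s.*\bifm\b", re.I),
    "netsh_portproxy": re.compile(r"netsh(\.exe)?\s.*portproxy\s+add", re.I),
}

# (parent, child) pairs observed during a known-good baseline window
# (assumption). Anything outside it is "abnormal compared to regular operations".
BASELINE_PAIRS = {
    ("explorer.exe", "powershell.exe"),
    ("explorer.exe", "cmd.exe"),
    ("services.exe", "svchost.exe"),
    ("cmd.exe", "ipconfig.exe"),
}


def classify(event):
    """Return the list of findings for one event (empty list = nothing to see)."""
    findings = [name for name, rx in LOTL_PATTERNS.items() if rx.search(event.cmdline)]
    if event.image in NATIVE_TOOLS:
        if event.parent in RISKY_PARENTS:
            findings.append(f"native_tool_from_{event.parent}")
        if (event.parent, event.image) not in BASELINE_PAIRS:
            findings.append("unbaselined_parent_child")
    return findings


def hunt(events):
    """Map host -> [(image, findings), ...] for every event that produced a finding."""
    hits = {}
    for ev in events:
        f = classify(ev)
        if f:
            hits.setdefault(ev.host, []).append((ev.image, f))
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcEvent("ws01", "explorer.exe", "powershell.exe",
              "powershell.exe -NoProfile Get-ChildItem C:\\Users"),
    ProcEvent("ws01", "services.exe", "svchost.exe",
              "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ProcEvent("ws02", "winword.exe", "powershell.exe",
              "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcEvent("srv03", "cmd.exe", "wmic.exe",
              'wmic /node:10.0.0.7 process call create "cmd /c whoami > c:\\t.txt"'),
    ProcEvent("dc01", "cmd.exe", "ntdsutil.exe",
              'ntdsutil "ac i ntds" ifm "create full C:\\temp" q q'),
]

if __name__ == "__main__":
    for host, items in hunt(SAMPLE_EVENTS).items():
        for image, findings in items:
            print(f"{host}: {image} -> {', '.join(findings)}")
```

The two checks are deliberately independent: the regexes catch known shapes (encoded PowerShell, remote WMIC execution, an `ntdsutil` IFM dump, a `netsh portproxy` pivot), while the baseline comparison catches a native tool launched from an unusual parent even when the command line itself looks innocuous. Neither works without command-line auditing switched on, which is the report's point.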
-
India's financial sector is a powerhouse driving economic growth. However, a report by RBI raises a concerning trend: a surge in cyberattacks targeting these institutions. With over 13 lakh attacks reported last year, it's clear that robust defenses and proactive management of cyber risks are critical.

So, what makes Indian banks vulnerable?
❗ Rapid technological adoption: While embracing innovation is great, the rush to implement new technologies, like cloud computing, can create security gaps in traditional systems.
❗ Increased attack sophistication: Cybercriminals are constantly evolving. Gone are the days of simple denial-of-service attacks. Today's threats involve sophisticated ransomware, exploiting software vulnerabilities and even AI-powered attacks.
❗ Interconnectedness: Banks rely heavily on third-party vendors and APIs. These connections can become weak points if not properly secured.

How can finance companies build stronger defenses?
1. Have Multi-Layered Security Approach
2. Have Continuous Threat Intelligence
3. Conduct Security Awareness Training
4. Secure the Supply Chain
5. Invest in Advanced Solutions
6. Integrate Security by Design
7. Implement Risk Management Framework
8. Board Level Engagement

Boardroom Involvement Matters. Why? Effective cybersecurity starts at the top. Boards of directors play a crucial role in setting the strategic direction for cyber risk management. Their active involvement is essential for:
🔵 Understanding Cyber Threats: Boards need to be educated on the evolving cyber threat landscape, including the potential impact on the institution's financial stability and reputation.
🔵 Allocating Resources: Cybersecurity requires ongoing investment. Boards need to approve adequate budgets for security technologies, employee training and incident response plans.
🔵 Oversight and Accountability: Boards should establish clear expectations for cybersecurity performance and hold management accountable for implementing effective controls.

For finance professionals, building cybersecurity skills is no longer optional. Here are a few ways to stay ahead of the curve:
✅ Take online courses or attend workshops: Numerous resources are available to learn about cyber threats and best practices.
✅ Stay informed on the latest attack trends: Subscribe to cybersecurity news and reports to stay vigilant.
✅ Practice good cyber hygiene: Use strong passwords, be cautious with email attachments and report suspicious activity immediately.

Security is a shared responsibility. By working together, financial institutions, professionals and regulators can create a more secure financial ecosystem for everyone.

#bfsi #cybersecurity #cyberawareness #securitymatters #cyberattacks
-
As a SOC Analyst, it's tempting to rely on VirusTotal as the Ultimate Solution for spotting threats, but attackers know how to stay ahead. Here's a real-world example that demonstrates why behavioral detection matters more than static signatures:

When analyzing binaries like Mimikatz, you might spot a string like "mimikatz_doLocal" being flagged as Malicious. However, attackers can easily evade this detection by tweaking the source code:
1- Changing strings: Replace "mimikatz_doLocal" with "anythingkatz_doLocal".
2- Renaming commands: Instead of "sekurlsa::logonpasswords," attackers use "securelsa::loginpasswordz."
3- Renaming prompts and executables: Change "mimikatz.exe" to "mimidogz.exe" and alter the application's interface to say "mimidogz."

After recompiling, these small changes can bypass the AV and VirusTotal checks. Even if one part of the binary is flagged (like an error string), attackers will iterate until it’s clean.

What Should SOC Analysts Do?
- Focus on Behaviors: Tools like Mimikatz perform specific malicious actions (e.g., dumping LSASS memory). Behavioral detection makes it harder for attackers to evade.
- Use Advanced Tools: Rely on EDR/XDR solutions that analyze patterns like process injection, suspicious memory reads, or credential dumping.
- Contextualize Threats: Don't stop at VirusTotal scores. Investigate anomalies in logs, traffic patterns, and system behaviors.
- Proactive Threat Hunting: Regularly hunt for renamed binaries, odd command usage, and unusual process trees in your environment.
- Train Your Mindset: Always ask, "What is this file trying to achieve?" rather than, "What is its VirusTotal score?"

Remember, attackers evolve their tactics to exploit over-reliance on static detections. To truly defend your organization, think like an attacker and hunt for what they do, not just the tools they use.

#SOCAnalyst #ThreatHunting #DetectionTips #CyberSecurity
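The behavioral alternative the post argues for can be made concrete with the one thing every renamed Mimikatz build still has to do: open `lsass.exe` with memory-read rights. The following is an added example written for this page, not code from the post. It scores constructed Sysmon Event ID 10 (ProcessAccess) records on the `GrantedAccess` mask and `CallTrace` field rather than on the source image's name or hash, so `mimikatz.exe` and the recompiled `mimidogz.exe` produce the identical finding. The allowlist, the access masks treated as interesting, and the sample records are assumptions.

```python
"""Behavior-based detection of LSASS credential access.

Added example, not code from the post above. It keys on what a process does
(opening lsass.exe with memory-read or injection rights, as recorded in a
Sysmon Event ID 10 ProcessAccess event) rather than on its name or hash.
Records are constructed inline; ALLOWLIST and the rights considered
suspicious are assumptions to tune for your environment.
"""
from dataclasses import dataclass

# Win32 process access rights, as they appear in the Sysmon GrantedAccess mask.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Binaries with a legitimate reason to open LSASS (assumption). Match on full
# lower-cased path; in production also verify the signature, since an attacker
# can name a binary anything.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


@dataclass(frozen=True)
class ProcessAccess:
    source_image: str     # SourceImage
    target_image: str     # TargetImage
    granted_access: int   # GrantedAccess mask
    call_trace: str       # CallTrace: module chain of the caller


def evaluate(ev):
    """Return the reasons this access is suspicious; empty list = not flagged."""
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return []
    if ev.source_image.lower() in ALLOWLIST:
        return []
    reasons = []
    if ev.granted_access & PROCESS_VM_READ:
        reasons.append("lsass_memory_read")      # the right a credential dumper needs
    if ev.granted_access & INJECT_RIGHTS:
        reasons.append("lsass_inject_rights")    # write/thread rights: code injection
    if ev.granted_access & PROCESS_DUP_HANDLE:
        reasons.append("handle_duplication")     # handle-stealing variants
    if "UNKNOWN" in ev.call_trace:
        reasons.append("unbacked_caller")        # call from memory not backed by a module
    return reasons


LSASS = r"C:\Windows\system32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4"

# Constructed sample events (not real telemetry).
SAMPLES = [
    ProcessAccess(r"C:\Users\a\mimikatz.exe", LSASS, 0x1010, NTDLL + r"|C:\Users\a\mimikatz.exe+2b7c"),
    ProcessAccess(r"C:\Users\a\mimidogz.exe", LSASS, 0x1010, NTDLL + r"|C:\Users\a\mimidogz.exe+2b7c"),
    ProcessAccess(r"C:\Program Files\Windows Defender\MsMpEng.exe", LSASS, 0x1FFFFF, NTDLL),
    ProcessAccess(r"C:\Windows\system32\Taskmgr.exe", LSASS, 0x1000, NTDLL),  # QUERY_LIMITED_INFORMATION only
    ProcessAccess(r"C:\Windows\system32\rundll32.exe", LSASS, 0x1438, NTDLL + "|UNKNOWN(00000209A1B3C4D5)"),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        name = ev.source_image.rsplit("\\", 1)[-1]
        print(f"{name:<14} 0x{ev.granted_access:06x} -> {evaluate(ev) or 'ok'}")
```

Note what the renamed binary changes and what it cannot: the image name, the strings and the hash all differ between the first two records, yet the `GrantedAccess` of `0x1010` (`PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ`) is the same, because reading LSASS memory is the tool's purpose. The allowlist is where the risk now sits, which is why it should be matched on path and signature rather than on a file name.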
-
Ignoring cybersecurity just cost a major bank $250M in a single breach. Here's the harsh reality about cyber risk in finance:

Implement continuous monitoring systems that detect suspicious activities in real-time, flagging unusual transactions and access patterns before they escalate into major security incidents.

Deploy multi-layered authentication protocols across all financial systems, combining biometrics, hardware tokens, and behavioral analytics to create an impenetrable defense against unauthorized access.

Establish automated backup systems that maintain encrypted copies of critical financial data, ensuring business continuity even if primary systems are compromised by ransomware or malicious attacks.

Create dedicated incident response teams trained specifically for financial cyber threats, capable of containing breaches within minutes instead of hours and minimizing potential losses.

Integrate AI-powered threat intelligence tools that predict and prevent emerging cyber threats, analyzing global attack patterns to strengthen financial security measures before vulnerabilities are exposed.

Protection isn't expensive. Recovery is.
-
Traditional cybersecurity strategies like firewalls and antivirus are no longer enough to protect against today's evolving threats. It’s time for a new approach. Here’s why:

→ The Perimeter is Gone
Remote work and advanced persistent threats (APTs) have blurred the lines between inside and outside the network. Traditional perimeter defenses can’t keep up.

→ Non-Malware Attacks are on the Rise
Cybercriminals are using social engineering and phishing to infiltrate systems, bypassing traditional defenses. We need smarter, more proactive detection.

→ Zero Trust is the Future
"Never trust, always verify." Zero Trust models continuously authenticate users, limit access, and reduce internal breaches.

→ AI & Machine Learning: The Game Changers
AI and ML enhance threat detection, automate responses, and analyze user behavior to uncover hidden risks before they escalate.

→ SASE for Modern Workforces
With Secure Access Service Edge (SASE), security and networking come together in the cloud, ensuring consistent protection across all environments.

The landscape of cyber threats is changing fast—your defense strategies need to change with it. How is your organization evolving its cybersecurity playbook? Let’s discuss. 🔐
-
Hunting tip of the day: Keep an eye on legitimate Windows binaries that should not be talking to the Internet. In a recent hunt, we filtered network telemetry for outbound connections where the initiating process was regsvcs.exe, wscript.exe or even attrib.exe. None of these normally reach out to public IPs in a healthy / strictly controlled environment, yet multiple hosts showed external communication from them. Every confirmed case turned out to be part of a staged infection chain, where the initial dropper cleaned up after itself and left only the LOLBins to fetch second-stage payloads. This technique is especially useful when the filesystem has been wiped or the malicious PE never touched disk at all. The process name can lie, hashes can be different, and files can be gone, but network telemetry is harder to erase. If you’re threat hunting this week, treat unusual outbound traffic from Windows script hosts or service binaries as a high-signal indicator. It’s a small pivot that can expose a lot. #ThreatHunting #ThreatIntel #DFIR #DetectionEngineering #BlueTeam #MalwareAnalysis
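The pivot the post describes is a three-field filter: the initiating process, the direction of the connection, and whether the destination is actually on the Internet. The following is an added example written for this page, not code from the post. It runs that filter over constructed network-connection records in the shape of a Sysmon Event ID 3 (image, `Initiated`, destination IP and port), uses `ipaddress.is_global` so RFC 1918, loopback, link-local and other non-routable ranges never trigger, and takes an optional list of allowed networks for an organisation's own public address space. The watchlist, the allowed ranges and the sample records are assumptions.

```python
"""Hunt for Windows LOLBins initiating outbound connections to public IPs.

Added example, not code from the post above. Records are constructed inline in
the shape of a Sysmon Event ID 3 (NetworkConnect) event. WATCHLIST and the
allowed networks are assumptions; build both from your own baseline.
"""
import ipaddress
from dataclasses import dataclass

# Native binaries that have no business reaching the Internet on their own
# (assumed watchlist; the post names regsvcs.exe, wscript.exe and attrib.exe).
WATCHLIST = {
    "regsvcs.exe", "regasm.exe", "wscript.exe", "cscript.exe", "attrib.exe",
    "mshta.exe", "certutil.exe", "installutil.exe", "msbuild.exe",
}


@dataclass(frozen=True)
class NetEvent:
    host: str
    image: str          # full image path
    initiated: bool     # True = the process opened the connection (outbound)
    dest_ip: str
    dest_port: int


def is_public(ip, allowed_nets):
    """True if the address is globally routable and not in an allowed range."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:            # RFC 1918, loopback, link-local, CGNAT, test nets, ...
        return False
    return not any(addr in net for net in allowed_nets)


def find_lolbin_egress(events, allowed_nets=()):
    """Return events where a watchlisted binary opened a connection to a public IP."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for ev in events:
        name = ev.image.rsplit("\\", 1)[-1].lower()
        if name in WATCHLIST and ev.initiated and is_public(ev.dest_ip, nets):
            hits.append(ev)
    return hits


def by_host(hits):
    """host -> sorted list of offending binaries, for triage."""
    out = {}
    for ev in hits:
        out.setdefault(ev.host, set()).add(ev.image.rsplit("\\", 1)[-1].lower())
    return {h: sorted(v) for h, v in out.items()}


# Constructed sample telemetry; the public addresses are arbitrary routable ones.
SAMPLE = [
    NetEvent("ws01", r"C:\Windows\System32\wscript.exe", True, "93.184.216.34", 443),
    NetEvent("ws01", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe", True, "10.0.0.25", 445),
    NetEvent("ws02", r"C:\Windows\System32\attrib.exe", True, "93.184.216.34", 80),
    NetEvent("ws02", r"C:\Program Files\Google\Chrome\Application\chrome.exe", True, "93.184.216.34", 443),
    NetEvent("ws03", r"C:\Windows\System32\wscript.exe", False, "93.184.216.34", 49152),
    NetEvent("ws03", r"C:\Windows\System32\cscript.exe", True, "2606:4700::1111", 443),
    NetEvent("ws04", r"C:\Windows\System32\mshta.exe", True, "198.18.0.9", 8080),
]

if __name__ == "__main__":
    for host, images in by_host(find_lolbin_egress(SAMPLE)).items():
        print(f"{host}: {', '.join(images)}")
```

Two of the constructed records are there to show what the filter should ignore: the `RegSvcs.exe` connection to an internal 10.0.0.0/8 address, and the `wscript.exe` record with `Initiated` false, which is a listener accepting a connection rather than a script host calling out. Passing `allowed_nets=["93.184.216.0/24"]` models a corporate public range and leaves only the IPv6 hit, which is the kind of tuning that keeps this a high-signal query rather than a noisy one.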