Federico Smith: A Global Program Manager, Cyber Security and Threat Intelligence

Federico Smith works in the cybersecurity industry in a consulting company, as a specialist against cybercrime activities, combining his transversal expertise in cyberspace. He covers global security, compliance, risk assessments, and legal aspects across various topics.


As a Global Program Manager and Expert Leader, how do you ensure consistent and effective threat intelligence practices across different regions and diverse teams?

For my part, I start from an observation based on practice and accumulated experience in various sectors of the economy, in which I have been able to operate.

Knowledge in an organization is often fragmented or even stifled (the effect of internal taboo).

We must therefore try to coordinate and drain knowledge in the best conditions concerning trends and approaches to malicious phenomena in all spheres of the company.

There is also the transposition of phenomena to all sectors of the economy. Immunity is obtained collectively, and sharing is a favorable crucible for maintaining valid and equitable knowledge for all.

As the “crashers” or “crackers” mention, a perimeter hack test, if it proves effective, can be transposed and perhaps extended in a mass manner.

For a simple reason: we have the vast majority of the same tools, and therefore also similar flaws. Sometimes, we can encounter actors internal to the organization who assume that “misfortunes only happen to others.”

Piracy engineering is based on the principle of “one step ahead.”

Piracy has become considerably professionalized and industrialized in recent years, making it a legal and economically viable sector of activity.

Their survival is at stake because competition in the piracy environment is extremely strong.

This is why groups specializing in niche malicious acts are keen to maintain the monopoly established by the distribution of ever more advanced and structured kits.

They also invest in the development of processes or the innovation of approaches, as well as in the principle of affiliation of new members to deploy the kits, and thus increase the success of their operations.

Success is measured by the economic aspects of data resale or hold-up organized and communicated under the vector.

They have the habit of observing their targets in the medium to long term, and they do not hesitate to strike again those who have fallen into their clutches beforehand.

They assume that the organization will enhance its defensive capabilities only over a short period: by the time the crisis fades, everyone has quickly forgotten.

In my experience, the appetite for monitoring differs depending on the culture of the organization and its structure.

No one has complete knowledge or “absolute truth.” However, we can try to constitute a form of “truth” based on the global knowledge distributed among all planetary actors.

For example, when we observe a wave of acts carried out against state or private data centers in around ten countries from Asia to Europe in less than three weeks, we can admit and think that this is a wave of attacks structured by a few specialized groups or state agencies, which have real technical know-how, which will spread much more quickly than expected.

For them, it is the continuity and economic survival of these groups, hence the need to maintain themselves.

In this sense, the American CISA publishes very precise notes on the phenomena observed.

The CSIRTs in the United States, Europe, and Asia allow us to observe consistent elements which suggest current trends and even innovations in piracy.

It is undeniable that global geopolitics and the stakes of economic warfare are also drivers to justify attacks or “innovation” in these environments.

The investment made by the pirates turns out to be quite low and extremely profitable, compared to the results obtained in the end.

Being curious and open-minded implies being interested in world news, and therefore documenting and reading as much information as possible in this regard.

It is necessary to have various sources to group together, complete, and attempt to analyze all these elements to establish the most complete scope.

I believe in the fusion of knowledge and expertise. In an increasingly connected world, the potential and effectiveness of cyberattacks are all the more increased in terms of their potential realization and the impacts that can result.

I discovered and developed an ability to think like pirates, at least I tried. Sometimes I present facts or scenarios, which may seem difficult to grasp.

Tenacity and will are two elements very present in the world of hacking in general.

I like to use a motto that sums up this observation well, which comes from my country of origin (Argentina): the impossible only takes a little longer.

Personally, I consider that this lends itself perfectly to cybernetic reality. Obviously, this only concerns me.

Here are some key points that can serve as a basis for reflection:

  1. Information is real power, in my humble opinion.
  2. Identify and note the most recent phenomena, which sometimes go unnoticed by some.
  3. Bring together knowledge and alert elements from state or private actors in global cybersecurity.
  4. Harmonizing practices within the organization by implementing international standards such as ISO is an area that can prove very effective.
  5. Driving a culture of change is not easy. That said, it remains vital.
  6. The difficulty of agreeing at the global level on international treaties that are in the direction and interests of businesses.
  7. The collateral damage suffered by companies is correlated with international issues of international politics and tensions between countries.
  8. Preventing and detecting remain key elements in accustoming reflexes in the company to unexpected or barely perceptible events. If we don’t train, we have difficulty responding to the reality that may arise.
  9. Change your mindset and try to think like a pirate.
  10. The major difficulty may be found in our practices. “Bring your own device” (BYOD) is a practical reality, which can be devastating for the organization concerned. This is often a headache for security teams.
  11. Crisis management and the organization’s image of trust can be altered in a very short time, hence the need to evolve in communication. For example, attackers do not hesitate to use laws or regulations against their targets. These same groups can contact control bodies to focus their attention on their targets and create a situation of increased stress. The fear of penalties in the context of personal data is now undeniable. It is also a proven means of pressure to encourage payment for ransomware operations by organizations targeted by hackers.
  12. Investing in security within the organization (people, infrastructure, and training of all staff) may be seen as a waste in the first place, however, it has been shown to significantly reduce costs and impacts on the organization in the event of an attack.

Can you share a detailed example of a global cyber threat that you managed, including the coordination efforts and key challenges faced during the incident response?

I experienced a case of ransomware in the past for an international company whose name I will not mention. The organization initially judged my warnings to be excessive.

Then reality caught up with us like an unpleasant kiss. The biggest challenge was to maintain a certain calm in the company because the panic had completely impacted the perception of what was happening, especially among the leaders.

We followed all the procedures we had in place. The following points were key elements in the resilience of the organization:

  1. Aligned with business needs
  2. Broke down initial silos
  3. Evolved and matured our metrics
  4. Practiced extensively
    • Prepared the company through various training courses closest to reality
    • Carried out internal challenges to put them in realistic situations
  5. Tested and evolved our architecture to be more resilient
  6. Remained vigilant and alert: before, during, and after the attack
  7. Shared our reality with service providers: shared responsibilities to better respond to the phenomenon

What allowed us to emerge from this crisis without much damage was my knowledge of piracy sites on the dark web, where I was able to recover a decryption key. We were able to get out quickly.

I remember a significant event that still resonates with me. I was contracted to fill this role, but no one said thank you. It’s something that had a profound impact on me, and while it may not be politically correct, it’s possible. That said, this is what I kept in mind from this experience.

What are the most critical components of a successful global threat intelligence center of excellence, and how do you maintain its high standards and performance?

  • Good Resources
  • Experienced Analysts
  • Productive Processes
  • Tactical
  • Operational
  • Strategic
  • Data
    • Variety, volume, and velocity of the data
    • Including new sources of data not typically used for threat intelligence, such as system data, configuration data, policies, user behavior, and others
    • Proper context for the data and patterns

How do you integrate threat intelligence insights into the broader cybersecurity strategy of your organization, and what impact has this integration had on your overall security posture?

Internal:

  • Data from your network
  • Firewall logs
  • DNS logs
  • Past security events

External:

  • Open-source intelligence (blogs, news reports)
  • Government intelligence
  • Vendors of intelligence software
  • Corporate sharing groups
  • Threat intelligence exchanges

Evaluate Coverage

Assess Quality and Relevance

Make Sure Your Threat Intelligence Leverages AI

What innovative approaches or technologies are you currently exploring to advance your global threat intelligence capabilities, and how do you foresee these impacting the future of cyber threat management?

From my perspective, it’s a combination of topics and KPIs as described below:

  1. Integrating AI for Enhanced Threat Detection and Response
  2. Conducting Cybersecurity Readiness Assessments
  3. Penetration Testing for Software Cybersecurity Threats
  4. Educating and Training Employees
  5. Finding the Right Cybersecurity Partners
  6. Assessment Methods
  7. Countermeasures
  8. Risk-Level Parameters
  9. Website-Appearance Parameters
