Why IR capabilities need to be stronger than ever | Issue #10
Welcome to issue #10 of the ThreatReady!
ThreatReady is your source of actionable truth based on the latest industry news. It offers a people-centric perspective that connects deeply with the challenges and triumphs of leading security teams and strategy.
If the cybersecurity landscape were a chessboard, the ThreatReady newsletter would be your strategic guide to staying three moves ahead of bad actors.
Your team’s IR capabilities need to be stronger than ever🛡️
Several regulatory bodies around the world have published draft regulations or enacted laws with new, stricter incident reporting requirements.
These include:
These regulations and standards implement much tighter reporting deadlines than the laws we had previously.
With the exception of certain industries or types of data, breach reporting was largely optional.
Now, some EU companies need to report security incidents to regulators within 24 hours of discovery.
In addition to ushering in a new era of breach transparency, these regulations also require an organization to have certain incident response capabilities in place.
Companies now need to be able to identify, triage, and contain incidents rapidly. This ensures:
Defensive teams get less training time than their offensive counterparts
To help businesses assess their preparedness for cyber threats, Hack The Box has released its "Cyber Attack Readiness Report 2024" for another consecutive year.
The report analyzes data from 943 security teams and 4,944 professionals worldwide who participated in this year’s Business CTF, a global competition for corporate teams.
Additionally, it includes survey insights from 699 active cybersecurity professionals within the Hack The Box community.
An interesting find from this year’s survey was the significant disparity in training frequency between red and blue teams.
Red team specialists engage in more frequent training, with nearly half completing weekly training—compared to less than one-third of blue team specialists training on a weekly basis.
It’s an imbalance that could lead to potential vulnerabilities, as defensive teams may not be as up-to-date with emerging threats and attack techniques.
The lower training frequency for blue team specialists is particularly concerning. They are often the first line of defense against attacks.
Force integration between red & blue for enterprise security
When we think of red teaming, we aren’t just thinking about one team.
In fact, it’s best utilized when the entire security team is in the room.
It's synonymous with a military term called "Force Integration."
It refers to the coordination and unification of different branches, units, or forces to achieve a common mission.
Each force—whether it’s infantry, artillery, air support, or intelligence—brings unique capabilities to the table.
When integrated properly, these capabilities amplify each other’s strengths to create a more effective and cohesive operation.
Where red teaming becomes a true asset for companies is when they have applied it as a joint learning process for collaboration and improvement.
Earlier this year, we spoke to a company who was doing just that.
Easi’s security team has been using joint operations not only to strengthen individual skills, but also to create a 360-degree approach to its cyber workforce development process.
A purple team approach starts with the dedication to build teams that replicate a threat inside the enterprise, and then brings those teams together to find their roles in developing advanced training.
“What we’ve noticed is our red team is a little more advanced than our blue team. I believe that, at the moment, a lot of teams are at this stage—and it is very hard for them to train without having these dedicated environments.”
HTB makes it easier than ever to bring these important functions together for advanced training.
All scenarios are automatically available to corporate teams and organizations within the Professional Labs offering on HTB Enterprise Platform. It includes business-exclusive features such as MITRE ATT&CK mapping, Restore Point, official write-ups, CPE credits, and much more.
Exploring the Snowflake breach (Attack Anatomy)
The 2024 AT&T breach was one of the most significant security incidents in recent history. Attackers accessed the call metadata of nearly all of the company’s customers from March 1 through October 31, 2022.
Due to the potential national security implications of the breach, the U.S. Securities and Exchange Commission (SEC) even provided a nearly three-month extension on its usual four-day notification rule (the breach was identified on April 19 but was publicly disclosed on July 12).
Who was responsible?
The ShinyHunters threat group.
They gained access to the companies’ Snowflake accounts via credential stuffing and a supply chain breach of EPAM Systems.
Once inside, ShinyHunters accessed and exfiltrated sensitive data from these cloud storage locations. Then, they demanded ransoms ranging from $300,000 to $5 million in exchange for deleting the data.
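The credential-stuffing pattern described above has a recognizable shape in authentication logs: one source address cycling through many distinct accounts, mostly failing, until one attempt succeeds. The following is an added example (not code from the newsletter, Hack The Box, or Snowflake) showing a simple detector a blue team could run over such logs; the log format, field names, sample lines and thresholds are all constructed for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not from the ThreatReady newsletter. A single source IP
attempting logins against many distinct accounts, with a high failure
ratio, is the classic signature of credential stuffing. The log format
and the sample lines below are constructed for this illustration.
"""
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <source_ip> <user> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2024-04-10T09:00:01Z 203.0.113.7 alice LOGIN_FAIL
2024-04-10T09:00:02Z 203.0.113.7 bob LOGIN_FAIL
2024-04-10T09:00:03Z 203.0.113.7 carol LOGIN_FAIL
2024-04-10T09:00:04Z 203.0.113.7 dave LOGIN_FAIL
2024-04-10T09:00:05Z 203.0.113.7 erin LOGIN_FAIL
2024-04-10T09:00:06Z 203.0.113.7 frank LOGIN_OK
2024-04-10T09:05:00Z 198.51.100.9 alice LOGIN_FAIL
2024-04-10T09:05:20Z 198.51.100.9 alice LOGIN_OK
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        ts, ip, user, result = parts
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "LOGIN_OK"})
    return events


def find_credential_stuffing(events, min_accounts=5, min_fail_ratio=0.6):
    """Return {source_ip: summary} for IPs whose attempts span at least
    `min_accounts` distinct usernames with a failure ratio >= `min_fail_ratio`.

    The summary lists accounts that logged in successfully from that IP, which
    is the triage list: those are the accounts to contain first (reset, revoke
    sessions, enforce MFA) under a tight reporting deadline.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    findings = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        fails = sum(1 for e in evs if not e["ok"])
        ratio = fails / len(evs)
        if len(users) >= min_accounts and ratio >= min_fail_ratio:
            findings[ip] = {
                "distinct_accounts": len(users),
                "attempts": len(evs),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(e["user"] for e in evs if e["ok"]),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the constructed sample, only 203.0.113.7 is flagged (six distinct accounts, five failures, one success on `frank`); the second address retrying a single account is a normal user mistyping a password and stays below the distinct-account threshold. The thresholds are placeholders: tune `min_accounts` and `min_fail_ratio` against your own baseline, and treat the `compromised` list as the containment queue.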
We deep dive into the Snowflake attack in our latest Attack Anatomy series. Through the lens of the MITRE ATT&CK framework, we explain the techniques attackers used in the AT&T breach.
For each technique, we point to HTB resources that can provide hands-on training about how the technique works—and how to defend against it.
👉 Share your win with the community
Your expertise and insights are invaluable. And we’re eager to share them with our vast audience of over 3 million members.
We’d be honored to feature your top "win" of the month related to your team, department, or security program in the next edition of ThreatReady.
A “win” could be:
The top wins will be shared in the next month’s edition of ThreatReady (and if it’s really good, may get some additional love on social media). Want to share your win?
Drop a comment below telling us what it is👇
Security Analyst @ Wizard Cyber | HTB CDSA | CMPen | AZ-500 | SC-200 | SC-300
I couldn't agree more. Forcing integration between red and blue teams must be implemented in every cybersecurity firm.