Why IR capabilities need to be stronger than ever | Issue #10

Welcome to issue #10 of ThreatReady!

ThreatReady is your source of actionable truth based on the latest industry news. It offers a people-centric perspective that connects deeply with the challenges and triumphs of leading security teams and strategy.

If the cybersecurity landscape were a chessboard, the ThreatReady newsletter would be your strategic guide to staying three moves ahead of bad actors.


Your team’s IR capabilities need to be stronger than ever🛡️ 

Several regulatory bodies around the world have published draft regulations or enacted laws with new, stricter incident reporting requirements.

These include:

  • Securities and Exchange Commission (SEC) Rules: Under new SEC rules, public companies in the U.S. must report “material” cybersecurity incidents within four days of determining their materiality.
  • Cybersecurity and Infrastructure Security Agency (CISA): The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) mandates that companies report substantial cybersecurity incidents within 72 hours and ransom payments within 24 hours.
  • NIS2 Directive: The EU’s NIS2 Directive requires an early warning of significant incidents within 24 hours of discovery, followed by an intermediate warning at 72 hours, and a final report within a month.
  • Federal Trade Commission (FTC) Safeguards Rule: The FTC Safeguards Rule mandates reporting incidents affecting over 500 customers within 30 days.

These regulations and standards implement much tighter reporting deadlines than the laws we had previously. 

With the exception of certain industries or types of data, breach reporting was largely optional. 

Now, some EU companies need to report security incidents to regulators within 24 hours of discovery.

In addition to ushering in a new era of breach transparency, these regulations also require an organization to have certain incident response capabilities in place. 

Companies now need to be able to identify, triage, and contain incidents rapidly. This ensures: 

  1. They have the information needed to promptly make required reports.
  2. That a previously non-reportable incident doesn’t grow into one that is “material” or “significant”. (This also involves the ability to accurately assess “materiality” or “significance” in the absence of clear direction from regulators.)
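As an added example (not from the newsletter or from HTB), a small Python deadline tracker for the reporting clocks listed above: it takes the windows exactly as stated here, simplifies them to wall-clock time (no business-day or holiday handling, an assumption), treats "a month" as 30 days (also an assumption), and the sample timestamps are constructed.

```python
from datetime import datetime, timedelta

# Reporting clocks as stated in the newsletter, simplified to wall-clock time.
# Each obligation is (label, trigger event, time allowed after that trigger).
REGIMES = {
    "SEC":    [("material incident report", "determination", timedelta(days=4))],
    "CIRCIA": [("substantial incident report", "discovery", timedelta(hours=72)),
               ("ransom payment report", "ransom_payment", timedelta(hours=24))],
    "NIS2":   [("early warning", "discovery", timedelta(hours=24)),
               ("intermediate notification", "discovery", timedelta(hours=72)),
               ("final report", "discovery", timedelta(days=30))],  # "a month" taken as 30 days (assumption)
    "FTC":    [("Safeguards Rule notice", "discovery", timedelta(days=30))],
}

# Constructed sample timeline for an incident; not from the page.
SAMPLE_EVENTS = {
    "discovery": datetime(2024, 6, 1, 9, 0),
    "determination": datetime(2024, 6, 5, 14, 0),  # day materiality was decided
}


def reporting_schedule(regime, events, customers_affected=None):
    """Return [(label, due_at)] for every obligation whose trigger has occurred.

    events maps a trigger name ("discovery", "determination", "ransom_payment")
    to the datetime it happened. The FTC obligation applies only when more
    than 500 customers are affected, as the newsletter states.
    """
    if regime == "FTC" and (customers_affected is None or customers_affected <= 500):
        return []
    return [(label, events[trigger] + window)
            for label, trigger, window in REGIMES[regime]
            if trigger in events]


def overdue(schedule, now):
    """Labels whose deadline has already passed at `now`."""
    return [label for label, due_at in schedule if now > due_at]


def next_deadline(schedule, now):
    """The (label, due_at) falling due soonest that is not yet past, or None."""
    pending = [item for item in schedule if item[1] >= now]
    return min(pending, key=lambda item: item[1]) if pending else None


if __name__ == "__main__":
    for regime in REGIMES:
        for label, due_at in reporting_schedule(regime, SAMPLE_EVENTS, customers_affected=1200):
            print(f"{regime:7} {label:30} due {due_at:%Y-%m-%d %H:%M}")
```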

👉 Learn more about key IR capabilities for swifter incident reporting.


Defensive teams get less training time than their offensive counterparts

To help businesses assess their preparedness for cyber threats, Hack The Box has released its "Cyber Attack Readiness Report 2024", the latest edition in its annual series.

The report analyzes data from 943 security teams and 4,944 professionals worldwide who participated in this year’s Business CTF, a global competition for corporate teams. 

Additionally, it includes survey insights from 699 active cybersecurity professionals within the Hack The Box community.

An interesting find from this year’s survey was the significant disparity in training frequency between red and blue teams. 

Red team specialists engage in more frequent training, with nearly half completing weekly training—compared to less than one-third of blue team specialists training on a weekly basis. 

It’s an imbalance that could open gaps in defenses, as defensive teams may not be as up to date with emerging threats and attack techniques.

The lower training frequency for blue team specialists is particularly concerning. They are often the first line of defense against attacks. 

👉 Read the full Cyber Attack Readiness Report.


Force integration between red & blue for enterprise security 

When we think of red teaming, we aren’t just thinking about one team. 

In fact, it’s most effective when the entire security team is in the room.

It's synonymous with the military term "Force Integration".

It refers to the coordination and unification of different branches, units, or forces to achieve a common mission. 

Each force—whether it’s infantry, artillery, air support, or intelligence—brings unique capabilities to the table. 

When integrated properly, these capabilities amplify each other’s strengths to create a more effective and cohesive operation.

Red teaming becomes a true asset for companies when it is applied as a joint learning process for collaboration and improvement.

Earlier this year, we spoke to a company that was doing just that.

Easi’s security team has been using joint operations not only to strengthen individual skills, but to create a 360-degree approach to its cyber workforce development process.

A purple team approach starts with the commitment to build teams that replicate a threat inside the enterprise, then brings those teams together to define their roles in developing advanced training.

“What we’ve noticed is our red team is a little more advanced than our blue team. I believe that, at the moment, a lot of teams are at this stage—and it is very hard for them to train without having these dedicated environments.” 

HTB makes it easier than ever to bring these important functions together for advanced training. 

All scenarios are automatically available to corporate teams and organizations within the Professional Labs offering on HTB Enterprise Platform. It includes business-exclusive features such as MITRE ATT&CK mapping, Restore Point, official write-ups, CPE credits, and much more.

👉 Demo the HTB Enterprise platform


Exploring the Snowflake breach (Attack Anatomy) 

The 2024 AT&T breach was one of the most significant security incidents in recent history. Attackers accessed the call metadata of nearly all of the company’s customers from March 1 through October 31, 2022. 

Due to the potential national security implications of the breach, the American Securities and Exchange Commission (SEC) even granted a nearly three-month extension on its usual four-day notification rule (the breach was identified on April 19 but was publicly disclosed on July 12).

Who was responsible? 

The ShinyHunters threat group.

They gained access to the companies’ Snowflake accounts via credential stuffing and a supply chain breach of EPAM Systems.

Once inside, ShinyHunters accessed and exfiltrated sensitive data from these cloud storage locations. Then, they demanded ransoms ranging from $300,000 to $5 million in exchange for deleting the data.

We take a deep dive into the Snowflake attack in our latest Attack Anatomy series. Through the lens of the MITRE ATT&CK framework, we explain the techniques attackers used in the AT&T breach.

For each technique, we point to HTB resources that can provide hands-on training about how the technique works—and how to defend against it.

👉 Read the breakdown


👉 Share your win with the community

Your expertise and insights are invaluable. And we’re eager to share them with our vast audience of over 3 million members.

We’d be honored to feature your top "win" of the month related to your team, department, or security program in the next edition of ThreatReady.

A “win” could be:

  • Achieving compliance or industry standards.
  • Successfully onboarding new team members.
  • Celebrating your team’s performance.

The top wins will be shared in the next month’s edition of ThreatReady (and if it’s really good, may get some additional love on social media). Want to share your win?

Drop a comment below telling us what it is👇


Mahmoud Elfawair

Security Analyst @ Wizard Cyber | HTB CDSA | CMPen | AZ-500 | SC-200 | SC-300

1mo

I couldn't agree more. Forcing integration between red and blue teams must be implemented in every cybersecurity firm
