Judge: Opposing Lawyers Get Consultants' Forensic Breach Report; Highly Customized Spear Phishing Attacks; Open Source Supply Chain Attack; DHS Cyber Essentials Toolkit

Subsequent to a breach, first hire experienced and competent legal counsel; let them hire and supervise the investigators. Any report of the investigators should be "attorney work product," so labeled, and arguably privileged. While transparency is desirable, litigation may increase transparency, and courts are entitled to all evidence, one does not want one's legitimate efforts used against one.

William Hugh Murray

Understanding data protection and disclosure restrictions, particularly around security audits, assessments, and reports is key before the engagement begins. When taking legal action, be certain that the case, for or against, doesn't depend on disclosing the very documents you wish to keep private. Sometimes a redacted document can be offered as a compromise, particularly when protecting information with regulatory driven or mandatory protections such as PII, HIPAA, and CUI; even so, your legal and information management teams should validate your assumptions up front.

Lee Neely

This attack leverages multiple techniques to avoid detection and analysis, including a deliberate PowerShell script "error" as well as downloading components from legitimate Internet sites. Segmentation or isolation is an important mitigation for control systems. Direct internet access, inbound our outbound, should not be available by default. Also make sure that credentials are unique for your control system so that credentials captured elsewhere are ineffective.

Lee Neely

All industrial control systems connected to the public networks must employ strong authentication to resist fraudulent reuse of compromised credentials.

William Hugh Murray

Kudos to GitHub for being so open with this incident and for sharing their report. It is through sharing that we as an industry can learn how to improve our processes and responses.

Brian Honan

As a new or seasoned CISO, this reference provides an easy to read list of essential actions and supporting resources which will aid getting a handle on your current cyber readiness and starting to assess your corresponding risks. Future toolkits will focus on awareness, protection, access controls, backups, and business continuity.

Lee Neely

The new modus operandi for ransomware is to extensively compromise systems and exfiltrate information well before encrypting the data. Also, ransomware operators are starting to include brute force attacks, reducing reliance on social engineering. Knowing where your data is housed and the value of those repositories is essential to assessing the impact of exposure and to using a risk-based approach to application of security protections.

Lee Neely

A reminder that under GDPR a ransomware attack can be considered a data breach as, in effect, you have lost control of that personal data entrusted to your organization. If GDPR applies to your organization, review your Incident Response processes for ransomware attacks to ensure they include an assessment of what personal data has been affected and whether you need to report the breach to your Supervisory Authority.

Brian Honan

Due to code reuse across products, the vulnerability had to be corrected in multiple places and while the severity rating has not yet been published, timely deployment of the updates is warranted. Note that this fix also closes the vulnerability used by the Unc0ver jailbreak.

Lee Neely

Timely disabling of accounts and changing of shared credentials is key when staff separates, particularly system and network administrators. Monitoring use of disabled accounts as well as privileged accounts, including those with domain or device administration rights, is important in detecting this type of threat. Also, make sure that remote administration of network and boundary control devices require the use of a secure entry point - not only to prevent unauthorized user modification, but also to protect devices from direct exploitation of vulnerabilities.

Lee Neely