
My incident detection & response approach

A business-aligned and adaptive Cyber Defence capability, enabled by clear knowledge of the internal context and by Cyber Threat Intelligence, is the target to move towards in order to counter new, challenging and dynamic cyber threats. In an asymmetric scenario such as a cyber security issue, trusted and skilled people who perform processes and use technologies are the key factor in developing, implementing and handling cyber defence activities and projects. The definition of a Cyber Defence maturity model allows measuring the effectiveness and efficiency of this new approach, following an ad hoc roadmap tailored to the business sector, the regulations, the risk analysis, and the pre-assessed skills and capabilities in IT operations.
In implementing security controls and technologies, my posture always keeps in mind the business, the customers, and the users: it is mandatory that all security policies are usable by all players in your organization, otherwise you will fail.
Train for a marathon, not for a sprint: it is a relay race, not a lonely escape. This is a looping challenge, like a never-ending story.

Know yourself, then you will know your enemy

Knowledge of the cyber threat landscape and of the technologies in place in your large and distributed organization (e.g. partners, supply chain, multiple clouds), such as their patching policies and change management, is good literature and a target to achieve, but in an existing organization it can be a nightmare, especially during the digital transition and in an Industry 4.0 scenario. New and old technologies live together in a hybrid manner with multi-cloud providers and different, divergent needs, and each vendor has the right solution to drive us into the new era... as usual. The "divide et impera" approach is a useful and actionable strategy for prioritizing processes and technology in order to rapidly achieve minimum detection capabilities with your own resources, making the transition sustainable and following a well-made plan shared with all the actors involved. However, my favorite approach is based on zero trust: access to a company's IT services or systems by employees, customers, consultants and their devices, whether internal or external to the organization's network, must be possible only after authentication and constant verification.

A.I. and machine learning? Please consider first whether "all the little things" are all right

As a data scientist oriented to discovering attack patterns in the hybrid domain of cyber and physical security in a large organization, I think it is possibly misleading to consider "big data" and "A.I." a must-have, a trend to follow. Pay attention: all logs should be carefully evaluated with a specific process to ensure the best value from the collection in detecting and understanding attack patterns: quality before quantity, to mitigate noise and false positives, and only then automate and apply A.I. Build a solid and honest baseline without false perspectives, and follow your goal, not the trend and the automagical tech solution. Be aware!


Cyber Threat Intelligence

In my opinion, cyber threat intelligence is the ability of a cross-functional team to follow processes, intuition and creativity, using and developing technology to process data from the internal and external perimeter of an organization in order to deliver actionable information to decision and policy makers. I think that CTI has to inspire SOC analysts and incident responders to create a mindset that deprecates the product-driven approach and migrates to an intelligence-analyst-guided approach. Technology is only a tool used by an analyst: if I can use a product, a solution, or a service, I am a good user but not a cyber threat intelligence analyst. Lateral thinking and unusual, unpredicted tactics and techniques are added value in detecting and understanding cyber threats. Link analysis, visual analytics, and A.I. algorithms are some features of the car in which you are the driver. I have successfully experienced that involving software developers in the cyber security group to implement further technological solutions, complementary to the commercial ones in production, is a key value for improving detection and analysis capabilities: a different approach and a different point of view, to be independent of a single provider and technological solution. Engaging in open source projects to stay active in the international community, also producing IoCs and sharing them with peers, is in my opinion a must-have.

Keep in mind that "prêt-à-porter" cyber threat intelligence does not exist

An automagical TIP that performs every operation is another utopia. If you want to keep your data and IT infrastructure under your own control, first put in place a skilled and trusted team, and then processes, technologies and threat intelligence services. A consultant or partner is a friend, but threat intelligence operations deliver information to the decision maker, and in the final step you are the only one responsible for that choice: never share the ownership of choices about issues. I prefer to decide following my own evidence, not only instrumental or third-party information.

Too much information makes a decision difficult. Too little information makes a bad decision.

Tailoring the feed of information about cyber threats, like log collection, to specific technologies, countries, and business sectors is a more important and often undervalued activity. It seems that more information to process, IoCs for example, by automatic detection and response software assures more protection: certainly that is our perception. Consuming IoCs or other kinds of threat feeds without a policy and a strategy will be unsustainable, considering retention, the performance of the IT systems, and the cost, also from an environmental point of view.
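The curation posture described above, as an added example that is not part of the original page nor of any product mentioned on it: a small Python filter that scores each indicator against an organization profile (technologies, countries, sectors), applies a retention cut-off, and de-duplicates before anything reaches detection tooling. The organization profile, the feed entries, the `RETENTION_DAYS` and `MIN_SCORE` thresholds and the tag vocabulary are all constructed assumptions for illustration; a real TIP exposes its own schema.

```python
"""
Added example (not from the original page): a minimal threat-feed curation
filter. Profile, feed entries and thresholds below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed organization profile: what we actually run and where we operate.
ORG_PROFILE = {
    "technologies": {"windows", "office365", "fortinet"},
    "countries": {"IT", "DE"},
    "sectors": {"manufacturing"},
}

RETENTION_DAYS = 90   # assumption: indicators older than this are not loaded
MIN_SCORE = 2         # assumption: minimum profile overlap to keep an indicator


@dataclass
class Indicator:
    value: str
    kind: str                               # e.g. "ipv4", "domain", "sha256"
    first_seen: datetime
    tags: set = field(default_factory=set)  # technology / country / sector tags
    source: str = "constructed"


def relevance_score(ind, profile):
    """Count how many profile dimensions the indicator's tags overlap with.
    Each dimension contributes at most 1, so a noisy feed cannot inflate the
    score by piling up many tags of a single kind."""
    score = 0
    for dimension, wanted in profile.items():
        if ind.tags & wanted:
            score += 1
    return score


def curate(feed, profile, now, retention_days=RETENTION_DAYS, min_score=MIN_SCORE):
    """Return (kept, dropped): indicators worth loading into detection tooling,
    and a per-indicator reason for each one discarded."""
    cutoff = now - timedelta(days=retention_days)
    kept, dropped = [], {}
    seen = set()
    for ind in feed:
        key = (ind.kind, ind.value)
        if key in seen:                      # same indicator from another source
            dropped[ind.value] = "duplicate"
            continue
        seen.add(key)
        if ind.first_seen < cutoff:          # retention policy
            dropped[ind.value] = "expired"
            continue
        score = relevance_score(ind, profile)
        if score < min_score:                # not our stack, country or sector
            dropped[ind.value] = f"low relevance ({score})"
            continue
        kept.append(ind)
    return kept, dropped


NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)

# Constructed sample feed using documentation-reserved addresses and names.
SAMPLE_FEED = [
    Indicator("198.51.100.7", "ipv4", NOW - timedelta(days=3),
              {"fortinet", "IT", "manufacturing"}),
    Indicator("198.51.100.7", "ipv4", NOW - timedelta(days=3),
              {"fortinet", "IT"}),                    # duplicate of the one above
    Indicator("bad.example", "domain", NOW - timedelta(days=200),
              {"windows", "DE", "manufacturing"}),    # relevant but stale
    Indicator("203.0.113.9", "ipv4", NOW - timedelta(days=1),
              {"macos", "BR", "finance"}),            # not our profile at all
    Indicator("a" * 64, "sha256", NOW - timedelta(days=10),
              {"office365", "IT"}),
]

if __name__ == "__main__":
    kept, dropped = curate(SAMPLE_FEED, ORG_PROFILE, NOW)
    for ind in kept:
        print("keep", ind.kind, ind.value)
    for value, reason in dropped.items():
        print("drop", value, reason)
```

The point of the per-indicator `dropped` reasons is auditability: when a feed provider asks why only a fraction of their indicators were loaded, the policy decision (expired, duplicate, outside the profile) is recorded rather than implicit.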


Information forensics

Computer science related to discovering and restoring, in a forensically sound manner, evidence held in digital memory has undergone a paradigm shift. Mobile devices, cloud computing, cryptocurrencies, the dark web, deepfakes, and so on are now new and challenging domains where forensics is experiencing different approaches and technologies. The mantra of replicable operations on the device and post-mortem analysis is declining. The information, the digital evidence, is still the focus of analysis, but it is distributed, fragmented, and strictly correlated with other evidence in multiple IT systems. To reveal a pattern and to discover coherent information, it is necessary to evaluate other sources to mitigate false positives and mistakes: confirmation bias is our enemy. Reliable sources, checking the configuration and the raw origin of the data, and keeping in mind the motivation and the scenario are a good posture for producing a comprehensive and genuine analysis corroborated by a set of evidence, not by a single point of view or a piece of fragmented information.
In my experience computer forensics, like cyber threat intelligence, has grown a lot in the last decade; but one thing has stayed the same since the typewriter era: the writing tool used to report the analysis. So I have developed a web-based framework and mobile app that is able to suggest templates for each kind of report, referencing attachments with metadata, the chain of custody, the acquisition method (importing data from devices) and link analysis, and including paragraph structures, tables, images and infographic elements to summarize certain kinds of results, and so on. My idea is to reduce mistakes, adding value to the analysis by supporting the last phase of the investigation: reporting.

From computer forensics to information forensics

The digital transformation and the pervasiveness of social media, gaming, and instant messaging engage the forensic analyst more and more frequently in retrieving and validating this kind of information. Cryptography, security features and privacy, but also regulations, often prevent access to the raw data, and only third-party products and services are able to access some of this data. In these cases, further verification of the evidence and of the right acquisition method is mandatory. Never base a technical evaluation only on the result of a single instrument. Information forensics should be a posture whenever digital evidence is managed: refer to raw data as far as possible, corroborate results with other sources using inference, and also follow divergent patterns to mitigate bias and discover "how deep the rabbit hole goes".

Pay attention to the report

All investigations performed via technical operations using software or third-party services must be documented in a report. Often technicians are not so enthusiastic about writing up their analysis results, the method used, the goal achieved, and so on: too many steps are taken for granted. The methodology of the investigation strategies, the scope of the analysis, and the tools used are a set of necessary elements to include in the report to avoid misinterpretations or misunderstandings. In my experience, the review of the report's draft is the responsibility of the head of the office who signs the document. It is good practice to maintain the connection with the team, to stay up to date with technology, and to better evaluate critical issues and areas of improvement, considering the audience and verifying the evidence attached.


Cyber Security Awareness

To put in place a cyber security awareness program that is not a meteor or a one-off initiative, first of all I review all the previous training and campaigns, then check whether there is a platform to deliver content and possibly some updated surveys. Risk analysis, cyber threat intelligence, and cybersecurity incidents are the drivers of the cybersecurity awareness program for finding gaps and improvement areas. According to the NIST framework, cyber security awareness is a key factor in preventing and mitigating cyber risks. In this scenario "what" is well defined, but "how" is the challenge in creating an efficient, sustainable, and ROI-oriented cyber security awareness program. In my experience, I have created multiple contents and use cases for an engaging cyber security awareness training course oriented to social engineering in the cyber attack pattern related to the cyber kill chain model: the reconnaissance and delivery attack phases. Most cyber attack risks are triggered by exploiting the human factor: the most difficult system to keep up to date!

Gamification

Introducing gamification and a different, divergent approach to teaching, by sharing tricks and tips and producing user-generated video clips telling of experiences with cybersecurity-related issues, is one of my methods.
Anonymized mistakes in museums, comic strips, and tests before and after the training, done in an unusual manner, are part of my teaching strategy.

Engaging people

To improve the dissemination of cyber security awareness content, I develop and use an ad hoc web portal, integrated with the organization's intranet ecosystem, to deliver informative and entertaining digital content related to cyber and information security issues. Digital signage is placed in the hall, near and inside the elevators, in the meeting areas, and so on. Notifications through the mobile app can be used to deliver content. Displaying a message on the laptop lock screen or using other enterprise applications can be a pervasive method of engaging people: for example, before downloading a paycheck or a welfare bonus or ticket.
My teaching posture is to share information that is really and practically actionable, not only in the organization's context but also in life outside the organization, to catch interest and obtain attention and collaboration.

© Antonio Rossi 2022. All Rights Reserved.
