Countering the cyber threatOllie Whitehouse, Technical Director, NCC Group

Before we begin… What is NCC Group?

• £110 million revenue FTSE company• Cyber Security Assurance Practice• 180 UK technical assurance consultants

o applied research o technical security assessmentso cyber forensics incident responseo 50 UK risk/audit consultantso 90 US technical assurance consultants

• Escrow & Software Assurance = sister business units

Before we begin…

Offence v Defense

Offence: demonstrating exposure

Defense:defense in depth

Defense

Defense: Training

• Executive

• Risk & Security Teams

• Technical Teams

• General Staff Population

Defense: Governance

• Accountability

• Visibility

• Validation

All within the organisations Cyber & Information security framework

Defense: Risk Management

• Business

• Technology

• Compliance

Defense: Compliance

• Ethical

• Regulatory

• Legal

• Other…

Defense: Counter Measures & Controls

Defense: Monitoring & Incident Response

• It will happen

• Have processes & procedures in place

• Have ability to detect and investigate

• Have the skill sets and capability

• Perform fire drilling

Offence

Offense: Penetration Testing

• Reconnaissance

• Mapping

• Identity vulnerabilities (VA)

• Exploit (Penetrate)

• Trust relationships (Lateral)

Offense: Social Engineering

• Appear legitimate

• Goalso Gain somethingo Instruct or convince

• Examples:o Credentialso Building entry

Offence: Phishing Simulation• Example of social engineering

o Click this linko Click this link & supply credentialso Open this attachmento Supply this information

• Can be used too Gain informationo Exploit computer systems

Offence: Open Source Intelligence Profiling

• Company or people

• Direct information

• Information to facilitate other attacks

• Documents, technologies, hobbies, conferences, attendees

Offence: Red Teaming

• Blended attacks• Physical, Social & Cyber

• Emulates motivated external threat actor

• Does not emulate motivated internalemployee

Offence: APT Simulation• Blended attacks

• Social and Cyber

• Emulates organised crime & nation state threat actors• Inbound attacks & staff training• Lateral movement & exfiltration• Persistence

• Assess defences, detection & response

There is always more…

Standards

• Cyber Essentials

• Cyber Essentials+

• ISO:27001

• Etc…

More…

• Supply chain security

• Security Development Life-Cycle

• Home infection leading to corporate compromise

Summary..• Cyber security is a complex problem

• It’s a business, human & technology problem

• Visibility & understanding at the executive level has historically been weak

• It should always be proportional

Final thought

EuropeManchester - Head Office

Cheltenham

Edinburgh

Leatherhead

London

Milton Keynes

Amsterdam

Copenhagen

Munich

Zurich

North AmericaAtlanta

Austin

Chicago

Mountain View

New York

San Francisco

Seattle

AustraliaSydney

ThanksAny Questions?

Ollie Whitehouseollie.whitehouse@nccgroup.com