5 Key Metrics to Enhance Cybersecurity Posture

In cybersecurity, the right metrics help assess and improve an organization’s security posture. These five are especially effective at distinguishing strong programs from those at risk:

  1. Mean Time to Respond/Recover (MTTR). Speed matters. Top teams reduce MTTR through automation and regular incident response drills. The faster a threat is contained, the less damage it causes.
  2. Vulnerability Resolution Rate. The question is not how many vulnerabilities you fix — it is whether you are addressing the right ones. Smart security leaders prioritize based on business impact, not just severity scores.
  3. Security Awareness Engagement. When security becomes part of your culture, the metrics shift from “completion rates” to active participation. I have seen organizations transform their security posture when they started tracking how often employees report suspicious activities rather than just training attendance.
  4. Phishing Resilience. The most revealing metric is not your click rate — it is how that rate changes as your simulations become increasingly sophisticated. Organizations making real progress show declining click rates even as attacks grow more convincing.
  5. Patch Management Efficiency. Strong teams balance rapid patching with system stability, achieving high compliance without disrupting operations.

These metrics offer a clearer lens into actual security posture. What key indicators are driving your strategic decisions, and what innovative methods are you using to measure what truly safeguards your organization? I would love to hear your experiences.

The Diamond Model of Intrusion Analysis

In the world of cyber security, effectively processing data and turning it into actionable intelligence is crucial. While the Cyber Kill Chain® and the MITRE ATT&CK Framework are the commonly used methodologies, there is a perhaps lesser-known alternative called the Diamond Model of Intrusion Analysis. Developed in 2013 by the renowned cyber security professionals Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, this model is an indispensable resource for cyber security professionals. It offers a simple yet powerful way to analyze and document intrusion incidents.

The Diamond Model is composed of four core features: adversary, infrastructure, capability, and victim. The adversary represents the individuals, groups, or organizations that exploit vulnerabilities to achieve their goals. Capability encompasses the tools, techniques, and methods used by adversaries, while infrastructure refers to the communication systems, such as IP addresses and domain names, that connect them to their targets. Victims can be individuals, organizations, or specific assets such as targeted email addresses. In addition, the model defines supplementary meta-features that support higher-level constructs, and it incorporates measurement, testability, and repeatability to give analysis a more rigorous scientific grounding.

Despite its unassuming appearance, the Diamond Model possesses the ability to swiftly navigate intricate and multifaceted details. The dynamics of a threat actor exist in a perpetual state of flux, as attackers continuously modify their infrastructure and capabilities. Moreover, when integrated with the Cyber Kill Chain® and other frameworks, it contributes to the establishment of a comprehensive cyber security framework. This integration facilitates a deeper understanding of threats and strengthens incident response capabilities, empowering a more proactive defense posture.
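The following is an added illustration, not code from the original post or from the model's authors: it encodes intrusion events as diamonds (the four core features plus a timestamp meta-feature) and performs the pivoting the text alludes to, linking events that share infrastructure or capability into activity groups and propagating a known adversary across each group. The event records, adversary label, domain, and IP addresses are constructed sample values, not real indicators.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: str       # "unknown" until pivoting attributes it
    infrastructure: str  # C2 domain or IP the adversary used
    capability: str      # malware family, tool or technique
    victim: str          # organization or asset
    timestamp: str       # meta-feature supporting the activity timeline

def pivot(events, feature, value):
    """One Diamond pivot: every event sharing a feature value."""
    return [e for e in events if getattr(e, feature) == value]

def activity_groups(events, pivot_on=("infrastructure", "capability")):
    """Repeated pivoting via union-find: events sharing any pivot_on value, transitively, form one group."""
    parent = {e.event_id: e.event_id for e in events}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    first_seen = {}  # (feature, value) -> first event id that carried it
    for e in events:
        for f in pivot_on:
            key = (f, getattr(e, f))
            if key in first_seen:
                parent[find(e.event_id)] = find(first_seen[key])
            else:
                first_seen[key] = e.event_id
    groups = {}
    for e in events:
        groups.setdefault(find(e.event_id), []).append(e.event_id)
    return sorted(sorted(g) for g in groups.values())

def attribute(events, groups):
    """Propagate a single known adversary across its activity group."""
    labels, by_id = {}, {e.event_id: e for e in events}
    for g in groups:
        known = {by_id[i].adversary for i in g} - {"unknown"}
        label = known.pop() if len(known) == 1 else ("unknown" if not known else "conflict")
        labels.update({i: label for i in g})
    return labels

# Constructed sample events (documentation-range IPs, example domain), not real IoCs.
EVENTS = [
    DiamondEvent("e1", "unknown", "c2.example.net", "loader-A", "victim-corp", "2023-01-05"),
    DiamondEvent("e2", "unknown", "c2.example.net", "backdoor-B", "victim-corp", "2023-01-06"),
    DiamondEvent("e3", "GROUP-X", "203.0.113.10", "backdoor-B", "other-org", "2023-02-01"),
    DiamondEvent("e4", "unknown", "198.51.100.7", "miner-C", "third-org", "2023-02-10"),
]
```

Running `attribute(EVENTS, activity_groups(EVENTS))` shows how a single attributed event (e3) labels the two earlier events that reach it through shared infrastructure and then shared capability, while the unrelated e4 stays unknown.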

An example of using the Diamond Model in practice is found here.

Essential Skills for Effective Threat Hunting

In today’s cyber security landscape, where cyber threats continue to evolve in sophistication, organizations must adopt proactive approaches to safeguard their networks and sensitive data. Threat hunting, a human-driven and iterative process, has emerged as a crucial aspect of cyber security. This article aims to highlight the essential skill set required to become a successful threat hunter.

Threat hunting tends to operate under the assumption that adversaries have already breached an organization’s defenses and are hiding within the corporate network. Unlike traditional security measures that tend to rely solely on automated detection tools and known indicators of compromise (IoCs), threat hunting leverages human analytical capabilities to identify subtle signs of intrusion that automated systems may miss.

A successful threat hunter requires a diverse skill set to navigate the complexities of modern cyber threats effectively. Here are some essential skills for aspiring threat hunters:

  • Cyber threat intelligence. Understanding cyber threat intelligence is foundational for any threat hunter. It involves gathering, analyzing, and interpreting information about potential threats and threat actors. This knowledge provides valuable insights into advanced persistent threats, various malware types, and the motivations driving threat actors.
  • Cyber security frameworks. Familiarity with frameworks like the Cyber Kill Chain and ATT&CK is invaluable for threat hunters. The Cyber Kill Chain outlines the stages of a cyber attack, from initial reconnaissance to the exfiltration of data, helping hunters identify and disrupt attack vectors. ATT&CK provides a comprehensive knowledge base of adversary tactics and techniques, aiding in the understanding of attackers’ behavior and their methods.
  • Network architecture and forensics. A strong grasp of network architecture and forensic investigation is crucial for analyzing network activity, identifying anomalous behavior, and tracing the root cause of security incidents. Additionally, threat hunters must be comfortable working with extensive log data and extracting meaningful insights from it.
  • Coding and scripting. Proficiency in coding and scripting languages, such as Python, PowerShell, or Bash, can be highly beneficial for threat hunters. These skills allow them to automate repetitive tasks, conduct custom analysis, and develop tools to aid in their investigations.
  • Data science. Threat hunting often involves dealing with vast amounts of data. Data science skills enable hunters to develop algorithms, create statistical models, and perform behavioral analysis, significantly enhancing their ability to detect and respond to threats effectively.
  • Organizational systems. Each organization operates differently, and threat hunters need to be well-versed in their organization’s systems, tools, and incident response procedures. This knowledge allows them to discern deviations from normal activity, leading to quicker response times and more accurate threat assessments.
  • Collaboration and communication. Threat hunters often work in teams and collaborate with other cybersecurity professionals. Strong communication skills are essential for sharing findings, coordinating responses, and effectively conveying complex technical information to non-technical stakeholders.

Threat hunting is not a one-size-fits-all approach, but a personalized, data-driven, and iterative process tailored to an organization’s unique risk profile. Cultivating a skilled team and proactive culture bolsters defenses against dynamic cyber threats. Staying informed, collaborating, and embracing technology ensures success in securing organizations from advanced adversaries.

Understanding Cyber Warfare Through Frameworks

Cyber warfare is a rapidly evolving field, and various frameworks have been developed to better understand and defend against cyber attacks. Several cyber kill chains have been developed to explain what an attacker might do. The most commonly used at present are the Lockheed Martin Cyber Kill Chain and the MITRE ATT&CK framework.

The Lockheed Martin Cyber Kill Chain is a seven-stage framework that describes the steps an attacker might take in a cyber attack. It includes stages for reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. 

The MITRE ATT&CK framework is a comprehensive database of tactics, techniques, and procedures used by attackers that is organized into several categories such as initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, and exfiltration.

The Unified Kill Chain is a framework that combines elements from the Lockheed Martin Cyber Kill Chain, the MITRE ATT&CK framework, and other frameworks to provide a more comprehensive view of cyber attacks. It includes eighteen attack phases, which are the steps a cyberattack may progress through.

Overall, cyber warfare is highly complex and requires extensive knowledge and understanding of the different frameworks and best practices for defending against attacks. By familiarizing ourselves with these frameworks, we can better prepare ourselves for the challenges ahead and ensure our networks remain secure.

Exploring the Interdependencies between AI and Cybersecurity

With the increasing prevalence of AI technology in our lives, it is important to understand the relationship between AI and cybersecurity. This relationship is complex, with a range of interdependencies between AI and cybersecurity. From the cybersecurity of AI systems to the use of AI in bolstering cyber defenses, and even the malicious use of AI, there are a number of different dimensions to explore.

  • Protecting AI Systems from Cyber Threats: As AI is increasingly used in a variety of applications, the security of the AI technology and its systems is paramount. This includes the implementation of measures such as data encryption, authentication protocols, and access control to ensure the safety and integrity of AI systems.
  • Using AI to Support Cybersecurity: AI-based technologies are being used to detect cyber threats and anomalies that may not be detected by traditional security tools. AI-powered security tools are being developed to analyze data and detect malicious activities, such as malware and phishing attacks.
  • AI-Facilitated Cybercrime: AI-powered tools can be used in malicious ways, from deepfakes used to spread misinformation to botnets used to launch DDoS attacks. The potential for malicious use of AI is a major concern for cybersecurity professionals.

In conclusion, AI and cybersecurity have a multi-dimensional relationship with a number of interdependencies. AI is being used to bolster cybersecurity, while at the same time it is being used for malicious activities. Cybersecurity professionals must be aware of the potential for malicious use of AI and ensure that the security of AI systems is maintained.

Threat Modeling: Some of the Best Methods

Threat modeling methods are a set of general principles and practices for identifying cyber threats to computer systems and software. These methods can be applied during the design phase of new systems or when assessing existing security controls against new threats. There are several threat modeling methodologies in use today, ranging from informal processes to formalized models that can be captured within software tools. A summary of some of the most popular threat modeling methods is provided below:

• Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE)

• Process for Attack Simulation and Threat Analysis (PASTA)

• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

• Trike

• Visual, Agile, and Simple Threat Modeling (VAST)

• Common Vulnerability Scoring System (CVSS)

• Attack Trees

• Persona non Grata (PnG)

• Security Cards

• Hybrid Threat Modelling Method (hTMM)

• Quantitative Threat Modelling Method (QTMM)

• Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of Information, Unawareness, and Non-compliance (LINDDUN)

All of the above methods are designed to detect potential threats, except for CVSS. The number and types of threats will vary considerably between the different methods, as well as the quality and consistency of the methods. Which one is your favorite threat modeling method? Are you interested in using some of the methods above for your company or research project?

The Ultimate OSINT Collection

For threat agents, reconnaissance (scouting) and gathering intelligence are vital. The aim is to get as much information about a potential target as possible. With that information, they can exploit any weaknesses in a system or an individual, which will allow them to gain access to a system. One type of data that is often overlooked by victims and hackers alike is publicly available data. The collection and analysis of data acquired from open sources (overt and publicly available sources) is known as open-source intelligence (OSINT). Some examples of OSINT sources are social media, forums, news, blogs, public data and reports, and other publicly available materials.

Red or blue, OSINT can effectively assist threat agents and researchers alike in discovering dark places that they may be unaware of. It allows them to create attack scenarios for red teams or hypotheses for threat hunting. Most cybersecurity initiatives, in my opinion, should include OSINT, a service that is often overlooked. A fantastic one-stop shop for the best OSINT content is compiled by @hatless1der and is available at the website: https://start.me/p/DPYPMz/the-ultimate-osint-collection.

Investigative tools/resources collection from Hatless1der OSINT collection.

Please remember to get in touch if you want to learn more about cyber security research and OSINT.

Lecture about IoT Security

On Tuesday, September 28th, I delivered an online lecture to Bachelor’s students at Lund University in Sweden. In the lecture I covered the topic of IoT security, especially in relation to consumer IoT systems.

One of the slides that I discussed in my lecture is shown below. Mirai malware is seen as a watershed moment in the threat landscape, demonstrating that IoT botnets can be deployed in distributed denial-of-service (DDoS) attacks and do substantial damage.

Recognizing the significance of addressing IoT security, especially as more and more things become connected to the Internet, European Commission President Ursula von der Leyen unveiled a Cyber Resilience Act on September 15, 2021. This Act lays out a common European approach to cyber security by establishing common cybersecurity standards for connected devices.

If you have any queries about information security or would like to collaborate with me, please contact me.

A Research Proposal about Poisoning Attacks

On Tuesday, 29th June, I did my last presentation before taking my Summer vacation. In the presentation, I talked about a potential research proposal concentrated on data poisoning attacks. Specifically, I discussed how this attack class could target an IoT-based system, such as a smart building, resulting in potentially severe consequences to a business. While poisoning attacks have been researched for a bit, they are relatively understudied, especially in contexts involving online learning and interactive learning.

Here is a link to a redacted version of my presentation:

In case you want to know more about cyber security, especially its application to IoT and Machine Learning based systems, you are welcome to drop me a message.

Investigating Privacy Threats in Smart Homes

On Tuesday, I gave a presentation at PerCom 2020. This was the first time the conference was held completely online (due to the global pandemic of COVID-19), and speakers were asked to deliver their presentations remotely over Zoom.

In my case, I gave two live presentations in the Work In Progress (WiP) session chaired by Diane Cook. During this time, I discussed how smart connected homes can be formally modeled so that privacy threats can be systematically identified and analyzed. Take a look at my short teaser clip below.

In case you are interested in the accompanying poster for my presentation, you can access it either from my Presentations menu tab or otherwise by clicking here. Also, I have uploaded the slides for the video, which you can access here.

As always, please feel free to contact me in case you want to know more about this paper, and about security and privacy in general. Finally, I want to remind and encourage you to submit to PerCom or its workshops. You can get some high-quality feedback on your work that can help you improve it and more.