The digital age has brought with it many benefits, but it has also made us vulnerable to malicious actors. One of the most dangerous threats we face today is ransomware. But, just as there is a problem, there is also a solution. By working together and implementing legislation that criminalizes ransomware attacks, we can fight back. This book is a guide to help organizations protect themselves from ransomware attacks based on best practices and industry standards from ENISA to NIST, CMMC to CISA. It covers everything from conducting Ransomware Readiness Assessments to managing assets and incident response. By taking proactive measures, businesses can significantly reduce their susceptibility to ransomware attacks. This book is not only informative but also empowering. It will give you the tools and knowledge you need to take control of your cybersecurity and protect your organization from the damaging effects of ransomware. With this book as your guide, you'll be able to turn the tide against ransomware threats and protect your organization from the damage they can cause. Although not exhaustive, given the rapid evolution of ransomware capabilities, the assessment covers the following areas:
- Application Integrity
- Asset Management
- Incident Response
- Network Perimeter Monitoring
- Patch and Update Management
- Phishing Prevention and Awareness
- Risk Management
- Data Backup
- User and Access Management
- Web Browser Management and DNS Filtering
One of the major reasons that website outages occur is issues with the Secure Sockets Layer (SSL) protocol. A key piece of this is that many organizations now outsource their websites and often never try to reach their own site from outside the organization on a day-to-day basis. The most common example is when organizations forget to renew SSL certificates or the automatic renewal fails. SSL can also be left insecure by misconfiguration. The following is a foundational example of how to integrate real-world failures into test, training and exercise events.
Case Study: Service Outage Due to Mis-configured SSL Certificate
BACKGROUND:
Active Cyber Defence in the OT environment remains a challenge to industry professionals based on our inability to focus more on the nuanced commonalities and instead focus on what we consider major differences. My first example to hopefully explain what I mean is the understanding of the original CIA, where we would work to ensure systems maintained confidentiality, integrity, and availability. We often prioritised the systems in the same way based on prioritisation or MAC level. Within essential services we still have the CIA prioritisation consideration; the difference is that there is often a coupling of Availability & Integrity prior to Confidentiality. (Simple Example: Water Flow from a dam). With 90% of Critical Infrastructure service providers having been impacted by at least one successful cyber attack, the key security enhancements can no longer be slow rolled. We need to obtain actionable visibility in the OT environment. In addition, implementing the suggestions below will help your organisation meet regulatory
Detection & Analysis in the (OT) Environment – To Meet Regulatory Compliance

Detecting an incident early is important to minimising the impact of a potential threat. Early detection is especially important in the delivery of essential services, as it will limit and potentially prevent damage to the underlying ICS. Detection in an "always on" OT environment requires continuous monitoring for anomalies, prioritisation of event correlation, and implementation of a log collection and analysis strategy for the environment.
The requirement for a collaborative effort to achieve a common set of security standards for use by entities that process, store or transport voter data. More than 350,000 voting machines are used in the United States today in over 42 States (VerifiedVoting 2017). The rise in the use of electronic mediums has posed great concern for those voting and those running for office. In 2016, the State of Florida reported targeted attempts by Russian hackers to infiltrate and manipulate electronic voting in as many as 67 elections offices. Additional sources reported voter database compromises across as many as 21 states, and forensics discovered attempts by hackers to infiltrate the networks of voting equipment vendors, local election boards, political parties, and the email and social media accounts of candidates. The industry and cyber security community has not discovered a process to protect the most democratic process in the world to date – Voting remains a target held at risk. 2018 Elections are critical to moving the U.S. forward to recovery - Feel free to reach out if you need support or have any additional questions.
To minimize the chances of getting A.S.S, one needs to have strong morals and beliefs to attenuate Stockholm Syndrome. In the case of being an assessor, be prepared. Always work with organizations ahead of time to ease fears and tension by providing clear guidance, from the strategic to the hands-on methods that will be employed during the assessment. Working together beforehand will minimize the excuses, violations, and need to bond – Allowing you to HELP organizations mature their cybersecurity posture. Don't get attached!
Working in Cyberspace Operations from multiple aspects has led me to question the multiple methods and frameworks used to defend enterprises. This has also led to an effort of integrating military operational frameworks whose focus remains on small, yet focused, synchronized, integrated teams. This is unfortunately a new concept for cyberspace teams. It has led to some heated discussions among my colleagues because we all know all frameworks are wrong, but some are useful, and further every analytical operator has internal prejudices. I seek to present F3EAD as a framework for DCO-RA & possible Offensive Cyber Operations.
As we continue to develop capabilities within organizations providing Defensive Cyber Operations, it is critical to develop organizational maturity. Current methodologies, although effective, are unsustainable due to the rapid evolution of cyber threats.
An organizational-level approach can be made by adopting some of the following objectives:
1. Increase the pay scale for “qualified” CND Analysts - CIRT staff are often the lowest paid tier of Incident Response personnel.
2. Hire “Analytical” people – A Great Sys Admin does not a Great System Defender Guarantee. “Better analytical capability makes up for a lot of memorized technical knowledge. Having both makes you a god.”
3. Function Rotation – Although specialization is a critical capability, functional rotations assist in creating analytical thought by adding perspective and insight to all aspects of DCO.
4. Teach analysts how to communicate - share your best business practices, what's worked and what hasn't. Not only with internal teams, but with colleagues in industry. It is terrible to have great analysts that nobody wants to work with.
5. Hire passionate team players - I can send you to all the certification training in infosec the world has to offer but if you aren't doing this because you live it.... We are both wasting our time.
6. Employ - “better leadership to foster Passion”
7. Start utilizing the sensors and systems in place to their capacity/capability - Too many times systems are not employed fully, whether through lack of system training or misunderstood vendor support agreements. Garbage in, garbage out. Nothing in, nothing out.
8. Require training and certification - Ensure a common baseline for both the technical and communication side (GCIH, CISM, Project Management, MBCI). The management piece is to ensure analysts can write and follow from beginning to end and understand the operational impact of incidents. Although this seems obvious, take a look around.
9. Exercise your capabilities - through xnet or similar means to make teams operate together.
10. Audit and assess - internally often, (show me, tell me, provide me documentation) to ensure organizational maturity. The team will have a vested interest.
Proactive efforts to accomplish specific steps will assist in maturing the DCO craft.
A passion for this work helps people dig for root cause, and gets people looking for the needles in needle stacks, fixing what is broken, and documenting processes to help build the whole team rather than oneself.

Key Questions:
- What is the Cyber Kill Chain Process?
- What can we do to mitigate attacks sooner?
- How do we improve Incident Response?
Recently, the view of Cyberspace as an Ecosystem has become a subject of increasing interest to professionals in multiple ICT disciplines. Much of the interest has been stimulated by the growing problems within the environment, and the emergence and/or reemergence of viruses, malware and growth in Advanced Persistent Threats worldwide. The Miasmatic Theory originated in the 19th century and was based on the belief that "diseases" were caused by the presence of a poisoned fog/mist in the ecosystem, which contained infected matter (miasmata). The Miasmatic position was that the spread of diseases was the product of environmental factors including contaminated water, air, soil and overall poor hygienic conditions. Key to the theory is that infections were not passed between individuals but rather affected individuals who resided within the particular location. Second, infected & contaminated space was identifiable. The creation of Top Level Domains such as .RU for Russian and .CN for Chinese domains, as well as geolocated IP addressing for countries, has created a similar environment for locales. These locales require direction and coordination to provide leadership on establishing norms, policy institution, technical support, and monitoring and assessing health trends. Protecting the cyberspace ecosystem is a shared responsibility and required to provide a collective defense against the miasmatic threat. Joey Hernandez CISM, CISSP
"In today’s information-driven business environment, enterprise systems and processes capture an ever-increasing amount of data. To derive meaningful and actionable information from this data, businesses are compelled to commit significant resources to perform the necessary analysis. While all business areas are impacted to varying degrees, few face a greater challenge than the information security department. To support its mission to protect critical information assets, the information security department must maintain an ongoing process to capture, analyze and subsequently act on log and alert information collected from a wide array of systems across the enterprise.
Typically, these data must be analyzed and actionable.... Joey Hernandez worked as a SME Reviewer for this ISACA effort"
"Elevated age in cyber warfare
Malware has become focused
SCADA Systems (Stuxnet)
Malware performs Operational Preparation of the Environment (OPE)
Conficker (Millions still infected)
Ransomware
Data is being held hostage
The advanced capability of the threat has increased the risk.
Understanding the risk allows employment of defensive measures to mitigate the risk – “Risk will always be present”"
"Similar Squatting
Targets BRAND NAME domains
Relies on typographical errors made by direct input URLs
Often involved with illegal activity
Also used for FINANCIAL gain
According to Brandjacking Index, the risk of brand misuse worldwide is the highest in US, Germany and UK.
59%+ all websites using brand names for illegal purposes originate from these three countries.
Organization Focused on defeating these efforts: Alias Encore
Hacker groups: Anonymous, R00tbeer, Dark.Team
Joey Hernandez for more information"
The first release of Dealing with the Cyber Advanced Persistent Threat with contributions from Cyber Security Professionals from around the globe.
A CARVER assessment is the first step in helping organizations obtain insight into their critical assets as systems which process, store, and transmit information critical to business operations. Foundationally, the approach leverages an often overlooked adversarial perspective with subjective, function-focused critical asset identification. Increased measures to protect, detect and defend against threats will reduce attack surfaces and require future evaluation to identify gaps and validate input.
Background/ Explanation of Issues: Joint Publication 1-02 states deterrence “prevents adversary action through the presentation of a credible threat of unacceptable counteraction and belief that the cost of the action outweighs the perceived benefit” (Joint Publication 1-02, 2015 p.67). Deterrence has long been a part of our military doctrine and can be implemented in various aspects of joint operations to include the range of military operations. Today, we see deterrence used in the form of strategic messaging with the end goal of persuading a population towards a particular national strategic objective. In the past, the threat of military force and nuclear warfare were enough of a deterrent to obtain national objectives. As we approach the age of cyberwarfare, social media has become a major platform for deterrence messaging. Our adversaries understand this and have designed overt and covert measures to disrupt military and civilian operations. This is political warfare through a cyber-domain (Giannetti, 2017).
Recent accusations of Russian meddling in the 2016 United States (U.S.) elections have ignited the debate regarding the use of strategic communication and deterrence messaging. Once relics of the Cold War, deterrence messaging and propaganda were employed by both the U.S. and the former Soviet Union as a way to indirectly wage war against one another, specifically within Third World countries.

Keywords:  Deterrence, Joint Publication, Russia, Elections, Cyber, China, Russia, North Korea, Iran, and Transnational Threat Actors, Clinton, Trump, COA, DINFOS, DOTMLP, Weighted Sum, NGO, IOC
This article was presented at the European Cyber Security Summit 2016 in Prague, Czech Republic. The focus was on the following points:
- Fundamentals of Cyber Intelligence
- Strategic To Tactical Approach
- Understanding The Cyber Kill Chain - and STAR
- A Little Bit About Targeting In Cyberspace
- Where You Should Be Today
- What You Need To Do To Mature Your Cyber Intelligence Capability