Tracey Jones, Senior Analyst at the Bank of England; Gian Andrea Padovani, Senior Manager in the PRA’s Cyber-Resilience team; and Chris Ensor, Deputy Director for Cyber Growth at the NCSC. Their discussion turns a spotlight on an issue that rarely makes headlines yet shapes every breach report we read: professional standards.

The Credibility Gap

Finance lives on confidence. When penetration testers walk into a systemic bank or when threat-intelligence teams map criminal campaigns, boards and regulators must trust the people, not just the tools. That trust now depends on well-defined accreditation schemes—CBEST in the UK finance sector is one example—where only practitioners holding the highest recognised certifications can touch live systems. Ensor argues that, without such benchmarks, even the best framework slides into “guesswork hiring” and inconsistent risk judgements.

Enter the UK Cyber Security Council

Ensor outlines a three-part mandate for the fledgling Council: spell out what “good” looks like for each specialism, audit the bodies that award qualifications, and maintain a public register of professionals who meet four ascending levels of competence. It is a model borrowed from medicine and law, adjusted for a discipline whose job titles still vary wildly between companies.

More Than Tech Skills

Jones and Padovani insist that the next generation must pair deep technical insight with something harder to teach: translation. Cyber threats are now boardroom risks, so packet captures and CVE lists have to be recast as business narratives. The mythical “unicorn”—the engineer who codes exploits at night and briefs CEOs at dawn—may remain rare, but multi-disciplinary teams can cover the gap if each member’s specialism is clear.

How Finance Is Leading

Within the Bank of England, cross-market groups such as CMORG convene CISOs to trade playbooks on issues like AI governance and software-supply-chain security. These sessions turn regulator guidance (for instance, the NCSC’s recent software-security principles) into practical checklists, then recycle lessons back into sector-wide guidance. The loop works only because participants share a baseline language of standards and certifications; without it, meetings would stall in definitional debates.

Bridging the Skills Shortage

All three guests converge on one plea: industry must take ownership of entry-level experience. Certifications prove knowledge, not judgement under pressure. Much as law firms nurture trainee solicitors, security consultancies and in-house teams have to invest in apprenticeships and rotations, or the UK skills gap will persist no matter how tidy the standards framework becomes.

Reasons for Optimism

Jones sees hope in culture: cybersecurity has moved from “IT problem” to board-level priority. Padovani welcomes growing recognition of cyber roles by both government and private sector. Ensor bets on the Council to provide the cohesion the field lacks—and urges companies and regulators alike to require its standards so that demand, as well as supply, drives professionalisation.

Bottom line: if boards want fewer nasty surprises and practitioners want clearer career maps, backing a single, transparent set of professional standards is the fastest lever both groups can pull.

At its core, TLPT helps organizations understand how their critical systems, people, and processes hold up against modern, targeted cyber threats.

Who Needs Threat Led Pentesting?

TLPT is not just for big banks anymore. While financial services organizations—such as banks, insurers, and payment providers—are required to conduct TLPT under frameworks like TIBER-EU, CBEST, and DORA, its value extends to:

• Critical infrastructure providers (energy, transportation, healthcare)
• Large enterprises managing sensitive data or operations
• Technology companies supporting national or regional infrastructure
• Any business with board-level concern about cyber resilience

If your organization handles high-value data, provides essential services, or faces persistent threats from well-resourced adversaries, TLPT is an essential tool in your security arsenal.

What Drives the Demand for TLPT?

The demand for threat led penetration testing is growing fast, driven by several key factors:

• Regulatory compliance: Laws like DORA, NIS2, and sector frameworks like TIBER-EU and CBEST mandate TLPT for financial services and critical sectors. Failure to conduct regular TLPT can lead to penalties or loss of trust.
• Realistic risk assessment: TLPT maps cybersecurity gaps to actual business risk, helping boards and leadership teams make informed decisions.
• Detection and response validation: Classic pentests check if you’re vulnerable; TLPT checks if you can stop an attack in progress. It validates both technology and human readiness.
• Rising threat sophistication: Cybercriminals, nation-state actors, and organized groups are more capable than ever. TLPT ensures your defenses evolve to match.

How to Choose the Right TLPT Provider

Selecting the right threat led pentesting provider is crucial. Here’s what to look for:

Threat Intelligence Capability

Your provider must have access to, or partner with, a qualified threat intelligence team that can profile the adversaries most relevant to your business, sector, and geography. In regulated TLPT (e.g., under TIBER-EU), the threat intelligence function is typically independent.

Red Team Proficiency

The provider must demonstrate experience in red team operations, with proven ability to emulate advanced persistent threats (APTs), conduct lateral movement, and operate undetected.

Compliance Alignment

If you’re subject to TIBER-EU, CBEST, or DORA, your provider should have credentials, references, or certifications showing compliance with those standards.

Clear Process and Transparency

Look for providers who offer structured, transparent TLPT delivery—covering scoping, intelligence gathering, red teaming, purple team workshops, and remediation support.

Industry Experience

A provider that understands the threat landscape and business environment of your sector will deliver better results. A TLPT for a bank differs significantly from one for a utility.

TLPT vs Red Teaming vs Classic Penetration Testing

TLPT combines elements of red teaming with threat intelligence and business risk focus, offering the most comprehensive view of your resilience against targeted cyberattacks.

What Is the Value of TLPT?

The value of threat led penetration testing (TLPT) includes:

• Real-world simulation of the most likely threats your organization faces
• Complete testing of technology, people, and processes
• Validation of your detection and response capabilities
• Clear evidence for board-level risk management and security investment
• Fulfillment of regulatory requirements such as DORA and TIBER-EU
• Improved knowledge and skills through collaborative purple team exercises

Why TLPT Matters for Modern Organizations

As cyberattacks become more sophisticated and targeted, threat led pentesting provides confidence that your security program can handle real adversaries. It helps organizations:

• Prepare for credible attack scenarios based on current threat intelligence
• Identify weaknesses beyond what traditional pentests find
• Strengthen detection, alerting, and incident response
• Align cybersecurity priorities with real business risks

Conclusion

Threat led penetration testing (TLPT) is the evolution of security testing. It combines intelligence, technical expertise, and business focus to help organizations build true cyber resilience. Whether required by regulation or adopted as a best practice, TLPT is a vital part of defending against today’s most dangerous threats.

Ready to strengthen your defenses with threat led penetration testing? Explore our penetration testing services for a comprehensive assessment of your systems, or discover how our application security approaches help secure your critical software from real-world threats. Let BSG help you build resilience through targeted, intelligence-driven testing.

Though some viewed it as a reaction to MITRE’s instability, the EUVD was long in the making. Its creation was mandated under the NIS2 Directive (Articles 62–63), adopted in 2022, which required ENISA to develop a vulnerability database serving the EU digital ecosystem.

Why EUVD Exists

The goal is both operational and political: build cybersecurity sovereignty and improve vulnerability visibility across EU infrastructure. Existing national databases, like the U.S. CVE and China’s CNNVD, have been criticized for selective disclosure—with some U.S. agencies delaying reports of zero-days for strategic reasons.

With the EUVD, Brussels is asserting control over vulnerability intelligence, subject to transparency and accountability rules that mirror EU values.

In ENISA’s words, the EUVD is a “central hub” for software and hardware vulnerability data, helping national CSIRTs, critical infrastructure providers, and software developers act faster on disclosed flaws (ENISA announcement).

How EUVD Works

The EUVD portal currently functions as an aggregator of known vulnerabilities. It assigns its own IDs but also mirrors CVEs. Notably, ENISA is an authorized CVE Numbering Authority (CNA)—but it’s also developing a parallel identification system, which could lead to some friction or confusion.

In the long term, this dual-ID model may enable the EU to spot omissions, lags, or discrepancies in U.S. or Chinese databases, bolstering resilience across the continent.

Powered by Law: NIS2 + Cyber Resilience Act

Two key regulations will give EUVD real teeth:

1. NIS2 requires large providers to report vulnerabilities.
2. The Cyber Resilience Act (effective September 2025) mandates vendors to report actively exploited bugs—which will feed directly into EUVD.

This legal backbone could transform EUVD from a passive aggregator into a leading vulnerability disclosure system in Europe.

What It Means for Security Teams

For cybersecurity vendors and defenders, EUVD brings:

• A redundant, independent source of vulnerability data.
• Faster alignment with EU-specific compliance regimes.
• A chance to cross-check disclosures across CVE and EUVD listings.

While still in early stages, EUVD is Europe’s bid to ensure vulnerability intelligence is not dependent on foreign actors—a strategic move in an era of digital autonomy.

Conclusion

The EUVD is more than just a database—it’s a political and regulatory instrument aimed at reshaping how vulnerability management works in Europe. It won’t replace CVE overnight, but it signals a shift toward a multipolar vulnerability landscape, where no single country controls the global flow of bug disclosures.

With enforcement of NIS2 and the Cyber Resilience Act on the horizon, expect the EUVD to play an increasingly central role in vulnerability response across Europe.

Though originally designed for public sector entities, this guide provides a concise, actionable framework that small and medium-sized businesses (SMBs) can adapt to strengthen their cyber incident response capabilities and recovery planning.

Why Small Businesses Need a Cyber Incident Response Plan

The frequency of cyberattacks on SMBs is rising, but many still lack formal response plans. A structured cyber incident response plan helps minimize downtime, reduce data loss, and prevent reputational damage. Drawing from the UK’s experience, small businesses can take proactive steps to build resilience.

1. Prepare a Hardcopy Cyber Incident Response Kit

When systems go down, digital playbooks may become inaccessible. The Grab Bag emphasizes the importance of a printed cyber incident response plan with contact lists, escalation paths, and business-critical functions. SMBs should prepare physical copies of:

• Key personnel and vendor contacts
• System recovery checklists
• Incident reporting and containment steps

Having this kit accessible ensures that response efforts continue even if digital infrastructure is compromised.

2. Map and Prioritize Critical Business Systems

The guide urges local governments to document their digital services. Similarly, SMBs should maintain an up-to-date inventory of:

• Essential business systems (e.g., accounting, CRM, POS)
• Data dependencies (e.g., customer records, invoices, backups)
• Recovery time objectives (RTOs)

Clear system mapping enables swift triage during a cyber incident response.

3. Define Roles for Cyber Incident Management

During a cyber crisis, confusion is costly. The Grab Bag recommends pre-assigning roles like incident coordinator, communications lead, and IT recovery manager. For small businesses, even a basic role matrix can:

• Speed up decision-making
• Clarify who talks to customers or regulators
• Avoid duplicated efforts

Defined roles make your cyber incident response plan more actionable and accountable.

4. Practice Cyber Incident Scenarios

UK councils are encouraged to run tabletop exercises simulating cyber incidents. SMBs can adopt this practice by rehearsing:

• What happens if the main server is encrypted
• How staff communicate during an outage
• Who handles media, customers, or regulators

Simulating attacks reveals weaknesses and builds team confidence in cyber incident response procedures.

5. Coordinate External Support in Advance

The Grab Bag stresses relationships with national incident response bodies and IT providers. For SMBs, this translates to:

• Knowing who to call (e.g., MSSPs, lawyers, insurers)
• Ensuring vendor SLAs cover cyber incident response
• Preparing backup communication channels (like a separate phone tree or alternate email system)

Establishing these contacts before an attack helps avoid costly delays during incident response.

6. Document and Review Each Cyber Incident

Post-incident reviews are vital. After any incident:

• Record what happened and what actions were taken
• Identify delays or failures in response
• Update your cyber incident response plan accordingly

Continuous improvement ensures stronger outcomes in future incidents.

Final Thought: Be Ready, Not Reactive

Cyber resilience isn’t just a concern for governments or big corporations. The “Cyber Incident Grab Bag” serves as a powerful reminder that preparation matters. By borrowing and tailoring its core principles, small businesses can build cost-effective, practical cyber incident response capabilities. When a breach happens—and it likely will—your ability to restore operations quickly will depend not on your size, but on your readiness.

What Is CVE and Why Is It So Important?

CVE, or Common Vulnerabilities and Exposures, is a standardized system for identifying and cataloging publicly known cybersecurity vulnerabilities. Each CVE entry provides a unique ID for a specific vulnerability, along with basic descriptive information and references. This system enables consistent, cross-vendor communication about security issues.

For example, when a new vulnerability is discovered in a product, assigning it a CVE ID allows organizations, vendors, and threat intelligence tools to refer to it uniformly. CVEs are embedded in:

• Vulnerability scanners (like Nessus, Qualys, and NeXpose)
• Security advisories from vendors (like Microsoft, Cisco)
• Patch management systems
• SIEMs and SOAR tools
• Threat intelligence platforms

Without CVEs, the industry would lack a shared language for tracking threats, leading to inefficiencies and confusion across the entire cyber security domain.

What Is the CVE Database, NVD, and How Do They Work Together?

The CVE database, often referred to as the CVE List, is the official catalog of all CVE identifiers. While CVEs themselves only contain basic information, they act as the anchor point for a broader vulnerability ecosystem.

The National Vulnerability Database (NVD)—maintained by NIST—extends CVE data by providing severity metrics (such as CVSS scores), impact vectors, fix references, and exploitation details. Many security products consume NVD data to enrich alerts and drive prioritization.

Together, CVE and NVD form the backbone of vulnerability management globally. Their data feeds into thousands of cybersecurity systems, shaping decisions from patch prioritization to security budgeting.

What Role Does MITRE Play in the CVE Program?

MITRE is a nonprofit organization that has operated the CVE program since its creation in 1999. Under a contract with the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA), MITRE manages:

• The CVE List
• A global network of CVE Numbering Authorities (CNAs)—including major software vendors and security firms
• Coordination of the CVE Board, which governs policies and procedures
• Related taxonomies like the Common Weakness Enumeration (CWE) and the ATT&CK framework

MITRE’s role has been instrumental in keeping the CVE program transparent, neutral, and reliable.

Why Is the CVE Program Now Under Threat?

On April 16, 2025, MITRE’s federal contract to operate the CVE program expired. While MITRE had been expecting a renewal or extension, the funding was delayed or canceled due to broader budget decisions made by the current U.S. administration.

Security journalists and industry analysts have linked the funding lapse to cost-cutting measures and reorganization within the federal cybersecurity strategy. The consequences of this disruption are severe:

• Risk of delayed CVE assignments
• Inconsistent vulnerability reporting across vendors
• Erosion of trust in public vulnerability databases
• Disruption of tools and workflows that depend on CVE IDs

A temporary extension was granted at the last minute by CISA, but it only postpones the underlying issue. The future of the CVE program now hangs in the balance.

How Is the Cybersecurity Community Responding?

Recognizing the danger of allowing CVE operations to be dictated by short-term politics, members of the CVE Board and cybersecurity leaders are taking action:

• A new CVE Foundation has been launched to ensure long-term governance, independence, and funding of the CVE program
• The open-source and security research communities are advocating for a more decentralized, resilient infrastructure for vulnerability tracking
• Vendors and security platforms are preparing fallback mechanisms in case CVE publishing is interrupted

This response mirrors what many experts have called for over the years: a globally distributed model for vulnerability management that doesn’t rely on a single point of failure.

What’s Next? Stay Tuned

At BSG, we understand the foundational role that CVEs play in red teaming, threat modeling, incident response, and security automation. Whether you’re a security researcher or a CISO, your daily decisions rely on trusted, standardized vulnerability data.

We’re closely monitoring the CVE situation and will:

• Update clients and partners about any major changes to CVE access or structure
• Ensure our tools and services remain compatible with future formats like CVE JSON 5.0
• Continue to advocate for transparent, community-driven vulnerability disclosure processes

Stay secure. Stay updated.

Update (April 16, 2025): Shortly after public concern mounted, CISA confirmed a short-term extension of MITRE’s contract to operate the CVE program, temporarily averting a shutdown. The extension, executed as an option period on the existing agreement, ensures continued publication and maintenance of CVE records—for now. While this move buys the cybersecurity community some time, the future of the program remains uncertain, and long-term funding or structural reforms have yet to be announced. We will continue to monitor developments and update this post as the situation evolves.

Some are complicated, buried deep in obscure logic, or made possible by bleeding-edge exploit techniques. Others—well, others are glaringly obvious. These are the ones that make security professionals shake their heads and ask: How did this ever make it to production?

In a recent post, the UK’s National Cyber Security Centre (NCSC) offered a new way to think about security flaws: classify them as forgivable or unforgivable. This simple distinction challenges developers and product owners to reflect not just on what the vulnerability is, but why it happened—and what that says about their software development practices.

This isn’t a new concept. In 2007, Steve Christey of MITRE coined the term “unforgivable vulnerabilities” in a paper that remains remarkably relevant today. He also proposed a model—Vulnerability Assessment Assurance Levels (VAAL)—to measure the depth, complexity, and preventability of a vulnerability.

In this blog post, we explore what makes a vulnerability unforgivable, why it matters for your software security posture, and how this mindset can change the way your team handles vulnerability management.

What Are Unforgivable Software Vulnerabilities?

Christey’s concept of unforgivable software vulnerabilities is not about severity alone—it’s about obviousness, laziness, and negligence.

A software vulnerability is unforgivable when it:

• Has been widely known and well-documented for years
• Can be easily discovered with simple manual testing
• Uses canonical, low-effort attack techniques
• Is present in the most frequently used parts of an application
• Could be spotted in minutes by a security-aware developer or tester

Examples of Unforgivable Vulnerabilities:

• SQL Injection via login forms or user ID parameters
• XSS (Cross-site Scripting) using basic <script> tags in web input fields
• Remote File Inclusion using unsanitized GET/POST variables
• Directory Traversal with ../.. in file names
• Hard-coded admin passwords in production builds
• World-writable system executables or configuration files
• Authentication bypass using obvious tricks like authenticated=true

These aren’t rare edge cases. They’re foundational flaws that have been addressed in secure coding guides, university lectures, and OWASP Top 10 lists for over a decade. Their presence in modern software reveals a serious gap in secure development awareness.

VAAL: A Framework for Maturity in Software Vulnerability Management

To formalize this thinking, Christey proposed the Vulnerability Assessment Assurance Levels (VAAL)—a framework that looks beyond CVSS scores to assess a vulnerability’s broader context.

VAAL includes dimensions such as:

• Access constraints: Can an unauthenticated user exploit it?
• Feature frequency: Is the vulnerable code path commonly used?
• Novelty: Is the vulnerability a known class, or something new?
• Manipulation complexity: How easy is the exploit to craft?
• Effort to discover: Could it be found in five minutes with basic tools?
• Severity & ubiquity: Does it affect all installations, or just edge cases?

Unforgivable software vulnerabilities score low across these metrics—meaning they’re easy to find, easy to exploit, and hard to justify.

NCSC’s Take: Context and Culture Matter

The NCSC’s approach adds an ethical and cultural dimension to the technical framework. They encourage analysts and developers to ask:

“Given the maturity of the product, team, and context—should this vulnerability still be happening?”

It’s a subtle but powerful shift in thinking. A critical vulnerability might be forgivable if it’s highly complex or the result of a novel exploit. Conversely, a low-severity bug might be unforgivable if it’s the result of blind trust in user input, lack of validation, or copy-pasted insecure code.

This perspective invites software development teams to reflect not just on their software vulnerabilities, but on their processes, culture, and learning.

Why This Matters in 2025

Despite decades of secure coding education, unforgivable vulnerabilities are still rampant. At BSG, we regularly uncover issues during penetration testing that indicate not just individual mistakes—but fundamental development failures:

• Login forms vulnerable to SQL injection
• Client-side security checks with no server validation
• Open directories or world-writable configuration files
• Hardcoded backdoors “left in for testing”

These flaws aren’t just risky—they’re reputational liabilities.

In a world where software supply chain attacks and zero-day exploits dominate headlines, no organization can afford to ship code that breaks on page one of the security playbook.

How to Apply This Thinking

You don’t need to overhaul your entire SDLC to start identifying and preventing unforgivable software vulnerabilities. Start with these steps:

1. Make a checklist: Use Christey’s “Lucky 13” as a baseline during code reviews.
2. Shift-left with purpose: Train developers to spot “Found in Five” issues early.
3. Use smarter metrics: Don’t just track CVSS—track VAAL-like maturity signals.
4. Measure progress: Are you seeing fewer obvious bugs over time?
5. Assess third-party software: Demand secure-by-design practices from your vendors.

TL;DR: Forgive the Novel, Condemn the Negligent

The takeaway is simple: not all software vulnerabilities are forgivable. Some are signs of innovation. Others are signs of negligence.

If your product—or a product you’re relying on—still has unauthenticated RCE due to a hardcoded password, the issue isn’t just technical. It’s cultural.

By adopting a mindset that distinguishes between forgivable and unforgivable flaws, you improve not just your security posture, but your entire engineering discipline.

Want help reviewing your software for unforgivable vulnerabilities?

We specialize in secure development assessments, penetration testing, and risk-based remediation strategies. Let’s make sure your code reflects your commitment to security.

Contact us today

Attack Breakdown

Bybit employed cold wallets secured by hardware wallets (Ledger devices) and a multi-signature approval process requiring several key personnel to authorize transactions. Despite these precautions, attackers successfully compromised the exchange by:

1. Infecting Staff Devices: The attackers deployed malware on the computers of multiple Bybit employees, including its CEO. This malware enabled them to manipulate the multi-signature transaction approval process.
2. Fake UI for Multi-Signature Approval: Attackers created a fraudulent user interface that mimicked Bybit’s legitimate multi-signature process. This deceived employees into approving what appeared to be normal transactions, but in reality, these signed away control of the exchange’s cold wallet.
3. Blind Signing Exploitation: Bybit’s team used Ledger hardware wallets that displayed transaction details for verification. However, due to the complexity of multi-signature smart contract transactions, the wallets displayed opaque hexadecimal data rather than clear recipient information. Employees were likely conditioned to approve transactions without understanding the full details, making them susceptible to manipulation.
4. Deployment of a Malicious Smart Contract: The attackers pre-deployed a smart contract that mimicked the legitimate transaction approval function but instead transferred ownership of Bybit’s cold wallet to them.
5. Execution of Fraudulent Transactions: By obtaining legitimate multi-signature approvals, the attackers gained full control of Bybit’s cold wallet and transferred the funds into their own accounts.

Techniques Used by Attackers

The attack leveraged a combination of sophisticated cyber intrusion tactics and behavioral exploitation. Key techniques included:

• Social Engineering & UI Manipulation: Convincing staff to approve transactions without verifying them properly.
• Malware Deployment: Infecting key personnel’s systems to manipulate transaction approvals.
• Blind Signing Exploitation: Taking advantage of the lack of readable transaction details on hardware wallets.
• Smart Contract Proxy Attack: Deploying a malicious contract to impersonate legitimate transaction execution.
• Credential Theft & Persistence: Gaining persistent access to Bybit’s infrastructure for extended operational control.

Lessons for the Crypto Industry

This attack underscores the importance of robust operational security and strict procedural controls in managing high-value cryptocurrency transactions. Key takeaways include:

1. Independent Transaction Verification: Always verify transaction details on hardware wallets instead of relying on UI confirmations.
2. Dedicated Secure Devices: Conduct high-value crypto transactions only on isolated, single-purpose devices that are not used for regular browsing or email.
3. Behavioral Security Training: Staff should be trained to recognize and challenge unusual transaction requests, even if they appear routine.
4. Stronger Multi-Sig Controls: Consider requiring additional, independent verification outside of the compromised system before authorizing large transactions.
5. Regular Security Audits: Perform white-box penetration testing to identify software and process vulnerabilities before hackers do.
6. Continuous Monitoring: Regularly audit transaction history and blockchain interactions for anomalies.

Conclusion

The Bybit hack serves as a stark reminder that even sophisticated security measures can be undermined by human and procedural weaknesses. North Korean attackers successfully bypassed Bybit’s multi-signature protections through social engineering, malware, and smart contract exploitation. The crypto industry must learn from this breach and implement stronger operational controls to prevent similar attacks in the future.

Why the Cyber Kill Chain and ATT&CK Framework Matter for Cyber Defense

Cybercriminals continuously evolve their tactics, techniques, and procedures (TTPs), making it essential for organizations to stay ahead. The Cyber Kill Chain and MITRE ATT&CK Framework provide structured methodologies to:

• Identify attack patterns and predict attacker behavior.
• Improve threat detection by recognizing indicators of compromise (IOCs).
• Strengthen incident response with a clear understanding of adversary tactics.
• Optimize security controls by mapping real-world attacks to known techniques.

By leveraging these frameworks, cybersecurity teams can proactively disrupt attacks and enhance their security postures.

The Cyber Kill Chain: A Game-Changer in Cybersecurity

Introduced by Lockheed Martin in 2011, the Cyber Kill Chain applies a military-based strategy to cyber defense. This model breaks down cyberattacks into seven distinct phases:

1. Reconnaissance – Attackers gather intelligence on the target.
2. Weaponization – Malicious payloads are created.
3. Delivery – Malware is transmitted to the victim.
4. Exploitation – Vulnerabilities are exploited to gain access.
5. Installation – Malicious software is installed.
6. Command & Control (C2) – Attackers establish control over the compromised system.
7. Actions on Objectives – Attackers achieve their end goals, such as data exfiltration or system destruction.

This model transformed cybersecurity by emphasizing proactive defense. By disrupting attacks at any phase, security teams can prevent full-scale breaches.

MITRE’s Research: The Foundation of ATT&CK

MITRE’s Fort Meade Experiment (FMX) in 2013 laid the groundwork for ATT&CK by analyzing adversary behaviors in controlled environments. By tracking real-world cyber incidents, researchers built a comprehensive knowledge base of attack techniques, leading to the development of the MITRE ATT&CK Framework.

MITRE ATT&CK: A Universal Taxonomy of Cyber Threats

The MITRE ATT&CK Framework provides an extensive matrix of attacker TTPs across multiple domains, including Windows, macOS, Linux, mobile, and cloud environments. The framework is structured into three main components:

• Tactics: The why behind an attack (e.g., persistence, privilege escalation, data exfiltration).
• Techniques: The how attackers execute their tactics (e.g., credential dumping, phishing, DLL sideloading).
• Procedures: Variations in how techniques are applied in real-world attacks.

Security teams use ATT&CK to map threats, enhance detection rules, and simulate attacks using adversary emulation techniques.

The Importance of Cyber Threat Intelligence Sharing

Cyber threats impact organizations globally, making intelligence sharing critical for proactive defense. ATT&CK facilitates collaboration by:

• Providing a common language to describe and share threat intelligence.
• Enabling cross-sector collaboration between government, private sector, and research institutions.
• Supporting faster response times to emerging threats.
• Helping with threat attribution by linking attack techniques to known threat actors.

Organizations that adopt threat intelligence sharing platforms like MISP (Malware Information Sharing Platform) and MITRE CTI strengthen their overall security defenses.

Conclusion: Strengthening Cyber Defense with ATT&CK and Kill Chain

Both the Cyber Kill Chain and MITRE ATT&CK Framework have redefined how cybersecurity professionals understand and counter cyber threats. By implementing these frameworks, organizations can:

• Improve threat detection by identifying attack patterns.
• Optimize incident response through structured attack analysis.
• Enhance proactive security measures by disrupting adversaries early.
• Foster collaboration in cybersecurity through intelligence sharing.

For businesses looking to stay ahead of cyber threats, leveraging these frameworks is essential. If you need expert guidance in implementing advanced cybersecurity strategies, our team at BSG can help. Contact us today to strengthen your security posture and stay resilient against evolving cyber threats.

Two-factor authentication (2FA) helps by adding another layer of security, but it’s not perfect either. It can be inconvenient, especially if you lose your 2FA device. And some methods, like SMS-based codes, are vulnerable to SIM-swapping attacks where hackers hijack your phone number.

So, what’s the solution? Enter passkeys.

What Are Passkeys?

Passkeys are a new, secure way to log in without needing passwords. They use something called public key cryptography, along with your device’s built-in biometrics, like a fingerprint or face scan.

Here’s how they work:

• When you set up a passkey, your device creates two keys: a private one that stays on your device and a public one shared with the website or app.
• When you log in, the site sends a challenge to your device.
• Your device signs the challenge with the private key and verifies your identity using your biometrics.
• The site checks the signature using the public key, and you’re in—no passwords needed.

Major platforms like Apple, Google, and Microsoft already support passkeys, and they work seamlessly across devices through cloud backups.

Why Passkeys Are More Secure

Passkeys solve many of the security problems that come with passwords and 2FA:

• No Phishing: Since you don’t type anything, scammers can’t trick you into revealing your login details.
• No Credential Stuffing: Hackers can’t reuse stolen credentials from one site on another.
• No Keylogging: Passkeys don’t involve typing, so malware that records keystrokes won’t work.
• No Man-in-the-Middle Attacks: Passkeys rely on cryptographic exchanges, making interception pointless.

Challenges to Keep in Mind

While passkeys are a big improvement, they’re not perfect yet. Here are some things to consider:

• Limited Support: Not every service offers passkey logins yet, so you’ll still need passwords for some sites.
• Device Issues: If you lose the device with your passkeys, you’ll need to rely on cloud backups or recovery methods.
• Education: Many people don’t know about passkeys yet, so there’s a learning curve.
• Privacy Concerns: Some users worry about how their biometric data is handled, but it’s important to note this data is stored locally on your device, not shared.

Move Towards a Password-Free Future

Passkeys offer a simpler, more secure way to log in. If a service you use supports passkeys, try enabling them. They’re easier to use, safer from cyberattacks, and eliminate the frustration of remembering passwords.

If you run a business, now’s the time to start offering passkey support to protect your users and stay ahead of the curve. Together, we can make passwords a thing of the past and create a safer online world—one passkey at a time.

1. China’s Salt Typhoon Telecom Breaches

The Chinese cyber espionage group Salt Typhoon gained unauthorized access to U.S. telecom companies, including Verizon and AT&T. The group exploited vulnerabilities in network defenses to geolocate individuals and eavesdrop on private phone calls. Notably, the attackers targeted fewer than 150 individuals, such as those under U.S. wiretap orders, state department officials, and presidential campaign members.

What Went Wrong

• Weak segmentation of telecom infrastructure allowed attackers to access sensitive systems.
• Insufficient monitoring failed to detect prolonged unauthorized access.

Recommended Countermeasures

• Network Segmentation: Isolate sensitive systems to prevent lateral movement within networks.
• Advanced Threat Detection: Deploy AI-powered tools to identify anomalies and stop unauthorized access in real time.
• Zero-Trust Security Model: Assume all network traffic is hostile until proven otherwise and verify every access request.

2. Snowflake Customer Breaches

Attackers breached Snowflake’s client accounts using stolen passwords, affecting organizations such as Ticketmaster, Santander Bank, and Neiman Marcus. They accessed sensitive customer data and communications. AT&T admitted that nearly all customer communications from a seven-month period in 2022 had been compromised, highlighting the magnitude of the breach.

What Went Wrong

• Lack of mandatory multi-factor authentication (MFA) for user accounts.
• Reliance on weak password policies, making accounts vulnerable to credential-stuffing attacks.

Recommended Countermeasures

• Enforce MFA: Require all users to implement two-factor authentication for account access.
• Educate Users on Security Best Practices: Promote strong password creation and secure credential management.

• Zero-Trust Authentication: Continuously verify user identities even after login.

3. Change Healthcare Ransomware Attack

In February, the ALPHV/BlackCat ransomware group targeted Change Healthcare, affecting over 100 million individuals. The attack disrupted healthcare services nationwide and resulted in the exfiltration of personal and medical data.

What Went Wrong

• Lack of proactive ransomware detection tools.
• Insufficient offline backups of critical data, leaving the organization vulnerable to ransom demands.

Recommended Countermeasures

• Endpoint Protection: Deploy endpoint detection and response (EDR) solutions to identify ransomware before it spreads.
• Regular Backups: Store encrypted backups offline or in a secure, isolated environment.
• Incident Response Plans: Prepare and regularly test response plans for ransomware scenarios.

4. Russia’s Midnight Blizzard Attack on Microsoft

Midnight Blizzard, a Russian SVR-linked hacking group, exploited a legacy test account to breach Microsoft’s executive email systems. The attack revealed the risks of legacy accounts with elevated privileges and poor monitoring.

What Went Wrong

• Historic test accounts were not decommissioned or secured, providing a backdoor for attackers.
• Weak access controls enabled misuse of privileged accounts.

Recommended Countermeasures

• Regular Account Audits: Identify and disable unused accounts, especially those with elevated privileges.
• Principle of Least Privilege: Ensure all accounts have the minimum permissions required for their roles.
• Multi-Factor Authentication (MFA): Apply MFA to all accounts, especially for privileged access.

5. National Public Data Breach

The National Public Data breach exposed the personal information of 1.3 million individuals, including Social Security numbers, financial data, and contact details. The incident highlighted the consequences of poor encryption practices and delayed breach detection.

What Went Wrong

• Sensitive data was stored without adequate encryption, making it easy to exfiltrate.
• Lack of real-time intrusion detection allowed attackers to remain undetected for weeks.

Recommended Countermeasures

• Encrypt Data at Rest and in Transit: Use industry-standard encryption to protect sensitive information.
• Intrusion Detection Systems (IDS): Deploy IDS to detect unauthorized activity and breaches in real time.
• Incident Response Training: Train staff on breach detection and immediate response protocols.

6. North Korean Cryptocurrency Thefts

North Korean hackers escalated their activities in 2024, stealing $1.34 billion in cryptocurrency across 47 incidents. This accounted for 61% of global cryptocurrency thefts during the year. The attackers exploited weak platform security and user practices, targeting exchanges, wallets, and DeFi platforms.

What Went Wrong

• Vulnerabilities in cryptocurrency exchanges and wallets were exploited.
• Poor user security practices, such as the lack of multi-factor authentication, left accounts exposed.

Recommended Countermeasures

• Harden Exchange Security: Implement stricter security protocols for cryptocurrency platforms, including mandatory MFA and hardware wallet integration.
• User Education: Train users to adopt secure practices, such as using hardware wallets and enabling MFA.
• Global Cybercrime Cooperation: Strengthen international partnerships to track and prosecute crypto-related crimes.

Key Lessons Learned from 2024

The major breaches of 2024 highlight recurring themes in cybersecurity: insufficient network segmentation, inadequate authentication measures, weak encryption, and a lack of proactive monitoring. Organizations can and must adopt stronger cybersecurity measures to safeguard themselves against increasingly sophisticated attacks.

Top Recommendations

1. Zero-Trust Architecture: Verify all access requests, even from within the network.
2. Multi-Factor Authentication: Enforce MFA for all accounts, especially those with elevated privileges.
3. Proactive Monitoring: Leverage AI-powered threat detection tools to identify and mitigate threats in real time.
4. Regular Security Audits: Conduct audits to identify and address vulnerabilities before they are exploited.
5. Cybersecurity Awareness Training: Equip employees and users with the knowledge to recognize and prevent cyber threats.

By analyzing and learning from the failures of 2024, we can move toward a more secure digital environment in 2025 and beyond. The time to act is now.