In the mindset of a threat actor



Cyber attacks are increasing, and new regulations like NIS2 are coming into effect. That's why it is crucial to have effective crisis management and resilience plans in place. In this webinar, we will pit a cyber criminal gang against a crisis management team, placing you into the mindset of a threat actor.

You will gain insight into the processes a threat actor goes through during an attack on your organization, and understand what key actions you can take now to ensure your crisis management teams are well placed to respond to a potential cyber attack.


What you will learn – Effective Crisis Management Throughout the Lifecycle of a Cyber Attack

In the first two thirds of 2023, we saw more ransomware attacks globally than in the whole of 2022. Regulators recognize these increasing threats and are implementing regulations such as NIS2, DORA and UK FCA/PRA Operational Resilience to ensure organizations are resilient and ready to respond. That's why it has never been more vital to have effective crisis management and resilience arrangements in place.

In this webinar, Secura’s Senior Crisis Consultant, Luke Fletcher and Direct Line Group’s Red Team Lead, Daniel Maine will walk through the life cycle of a cyber attack from the perspective of a threat actor whilst showcasing how best practice crisis management and resilience arrangements can set you up for success.

With years of experience in understanding how threat actors operate, performing red teaming assignments and responding to cyber attacks, Daniel will take on the role of the threat actor, demonstrating how they would target their victims and the latest tactics they use when performing attacks.

Luke will play the role of the unfortunate victim’s crisis management team, showcasing the difference effective resilience and crisis management procedures can make when responding to each stage of a cyber attack.

Targeted audience:

  • Crisis Management, Business Continuity, Risk & Resilience Professionals
  • Chief Information Security Officers and cyber professionals responsible for cyber resilience and response
  • Senior Managers involved in crisis response.


Please find below the questions that were asked during the webinar.

1. I guess there is no "Tripadvisor" for Ransomware agents - how likely are you to have your data restored if you were to pay?

The answer to this is it depends really. It is within the interest of the threat actor to help you recover once you have paid the ransom, to build their own credibility for future attacks. There are many examples of organisations being able to successfully recover post payment. That said, the decryptor tool provided may not work or be trustworthy, and you may encounter your own issues in the recovery process.

2. In your experience, have you found that a lot of organizations indeed have actionable Incident Response Plans that are simulated and then actually followed in the event of a severe incident; or is it more a case of the Incident Response Plan exists to satisfy compliance requirements but they aren't actionable/practiced and organisations rather reach out to incident response experts?

This is a great question. Unfortunately, in our opinion it does tend to be the case that they are developed to satisfy compliance. In our experience, the most valuable aspect of these plans is in their development, where you get key stakeholders to actually discuss their response and collaborate. They become more effective with simulations and actual live incidents when lessons learned are implemented. Adaptability is key as indeed, each incident is unique but not having a process at all is detrimental.

3. I'm concerned with single sign-on as it can give threat actors easy access to multiple systems once breached. If those systems are OT related it is a real concern. Would you advise SSO for OT related systems? I'm not convinced on the benefits vs risk, especially if users are low, less than 5.

The answer to this may be dependent on who you speak to; however, I am inclined to agree with your statement that SSO, especially on OT and critical systems, can be a significant risk. From an attacker's perspective, if I can compromise an internal asset and find an application inside the environment that automatically authenticates through SSO, then I am free to move around the environment with ease. Often in defensive security we talk about "Privilege Separation"; my view is that, especially in critical systems, the separation of privileges should be enforced even from trusted internal assets.

4. Can you touch upon incident response for a large multilayer organisation and how to handle crisis management on different levels (for example: global steering from HQ to operational tasks at local sites)?

Hopefully the explanation given during the webinar helped answer your question on this, but to expand a little further: for larger organisations, having a crisis framework that details how your operational local teams will work together with your strategic teams is going to be key. You should seek to clarify roles and responsibilities at each level and identify the best ways for these groups to interact. This can be done through effective briefings, situation reports and ultimately practicing this in simulations etc.

5. Are there any specifics to take into account for Cyber incident response for the OT environment?

There certainly are. As referenced in the webinar, threat actors could potentially manipulate OT systems to cause more physical damage, or at least threaten to in an attempt to apply pressure. They could also halt or slow down production. There are a number of specific risks related to the OT environment, with some more information on our website in case this may be helpful here -

6. Given the entry point of weak passwords into ABC/CBA, how much of an improvement would MFA be?

MFA always provides a significant improvement in preventing compromise, especially with common initial access vectors focussing on credentials. However, during Red Team engagements we still commonly see organisations not implementing it thoroughly across their estate, allowing for areas that can be targeted by attackers. It should also be noted that there are publicly available tools that allow for capture of the MFA token during phishing campaigns (such as evilginx2), which can allow an attacker to compromise accounts regardless. The key to identifying this from an incident response perspective is to ensure that logins are set to log location-based MFA access attempts, to identify "out of the norm" login attempts.
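To make the last point concrete, here is an added example (not code from the webinar or from Secura) of the kind of check a SOC can run over location-tagged MFA login events: it flags a login from a country never seen before for that user, and "impossible travel" where two successful logins are too far apart for the time elapsed. The event format, the sample data and the 900 km/h threshold are constructed assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample MFA login events (not real data): user, UTC timestamp,
# source country, approximate lat/lon of the source IP, and MFA outcome.
EVENTS = [
    {"user": "alice", "ts": "2024-03-01T08:00:00", "country": "NL", "lat": 52.37, "lon": 4.90, "mfa": "success"},
    {"user": "alice", "ts": "2024-03-01T12:30:00", "country": "NL", "lat": 52.09, "lon": 5.12, "mfa": "success"},
    {"user": "alice", "ts": "2024-03-01T12:45:00", "country": "BR", "lat": -23.55, "lon": -46.63, "mfa": "success"},
    {"user": "bob",   "ts": "2024-03-01T09:00:00", "country": "GB", "lat": 51.51, "lon": -0.13, "mfa": "success"},
    {"user": "bob",   "ts": "2024-03-02T09:05:00", "country": "GB", "lat": 51.51, "lon": -0.13, "mfa": "denied"},
]

# Assumed threshold: faster than a commercial flight is physically implausible.
MAX_SPEED_KMH = 900


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def find_anomalies(events):
    """Return (user, timestamp, reason) tuples for out-of-the-norm MFA logins."""
    alerts = []
    seen_countries = defaultdict(set)   # per-user baseline built from the stream itself
    last_success = {}                   # per-user most recent successful login
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        # Any attempt (success or denied) from a country not in the user's baseline.
        if seen_countries[user] and ev["country"] not in seen_countries[user]:
            alerts.append((user, ev["ts"], f"new country {ev['country']}"))
        seen_countries[user].add(ev["country"])
        if ev["mfa"] != "success":
            continue
        # Impossible travel: compare with the previous successful login.
        if user in last_success:
            prev = last_success[user]
            hours = (ts - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = distance_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append((user, ev["ts"], f"impossible travel {km:.0f} km in {hours:.2f} h"))
        last_success[user] = ev
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(EVENTS):
        print(alert)
```

In practice the per-user country baseline would come from historical logs rather than the same batch, and alerts would be forwarded to the SIEM rather than printed.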

7. Are there known cases where blob storage from a big tech company has been compromised and encrypted (so no hosted file servers but actual cloud storage)? Like Google Drive...

Attacks against blob/cloud storage are less common but still performed. S3 was a significant factor in the Capital One breach a few years back. Often these breaches are down to misconfigurations which could have been avoided. Whilst ransomware could still impact these storage solutions, the likelihood is reduced, primarily due to the ability to configure immutability of files and the range of flexible recovery options. The way that your blob/cloud storage solutions would be impacted is when they are being synced with local and on-premise solutions (similar to OneDrive and DropBox): should the local copy become encrypted, it can sync back and change the cloud-stored copies to the encrypted variant. More often than not, threat actors who do not have access to the local storage would likely exfiltrate and extort without encryption, which we have seen in more cases recently.

8. When looking at the framework in stage 4, where do you place the specific disaster recovery plans per team in the framework?

In the framework, at the operational layer, I would expect a technical representative to be on the team advising on recovery plans and pulling together a plan for recovery around the specifics of the incident. Then at the tactical layer, I would expect a senior member of the IT team to be able to report on this more holistically to the wider business, providing estimated timeframes and costs and obtaining the business view on recovery prioritisation.

9. What's your advice to increase protection for admin and domain admin accounts?

The most common issue I see when conducting engagements is the sheer number of administrative accounts. The first suggestion would be to limit the number of high privileged accounts to those who really need them. Further to that, a user who requires domain administrative access should not be able to directly log in at this level of access. A way to combat that is to implement a "2nd admin" policy, where the user's standard account is low privileged and, to conduct their administrative activities, they would need to log in again with the higher privileged account. All administrative accounts should also have a significantly tougher password policy to reduce the potential of attackers cracking extracted hashes. As a final belt and braces approach, adding user behaviour analytics tools to spot irregularities in account usage will help provide an early warning.

10. Can you tell me a little bit more about how to detect and stop an attack in an early stage? We are trying to do this with the cyber kill chain in mind.

From a Cyber Kill Chain perspective, you will almost never spot anything in the reconnaissance phase, nor the weaponisation. Therefore delivery is the first time you will be able to definitively spot an attacker. Strong controls on email security, perimeter security and, most importantly, user education will allow for early prevention against a breach of the external perimeter. However, it is still necessary to think about internal threats and existing connections (e.g. business to business). This is where I like to take the metaphor of epidemiology. In the spread of a pandemic, people are infected and often unaware until symptoms arise. We have vaccinations to help limit infections. You can view tools such as EDR/AV as vaccinations: whilst they help, they do not entirely prevent infection. Therefore we need scientists and doctors to identify early symptoms and help the public understand how to spot those symptoms. Taking that back to Cyber Security, a robust logging/monitoring solution that feeds through to a SIEM with specific and tailored rule bases will allow your SOC to act as the doctors and warn of early symptoms of infection. Combine that with an informative user education programme that allows your staff to act as the aware public, who can take action to notify and on occasion prevent further spread of an infection.

About the Presenters

Luke Fletcher, Senior Crisis Consultant at Secura

Luke Fletcher is a Senior Crisis Consultant at Secura with over 10 years of international experience in crisis management and operational resilience. Luke holds a BSc (Hons) First Class in Disaster Management & Emergency Planning and has operated within the Finance, Energy and Higher Education sectors. He is a passionate professional and has built crisis management capabilities internally, coordinated the response to major crises and delivered numerous crisis and resilience projects to clients, including the design and delivery of cyber crisis exercises.

Daniel Maine, Red Team Lead at Direct Line Group

Daniel Maine is the Red Team Lead at Direct Line Group with 15 years in Cyber Security roles, including Analyst, Incident Response and Offensive Security. Daniel has worked in various fields including Legal, Oil & Gas and Insurance. Daniel is passionate about mentorship and education of both offensive and defensive security.


Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.