#NSBCS.060 - Different Hats, Same Mission: Reflections on a Cybersecurity Journey

Source: NSB Cyber


Different Hats, Same Mission: Reflections on My Cybersecurity Journey

Cybersecurity is a field defined by constant evolution, not just in threats and technologies but also in the roles we play. My journey from working with a Managed Service Provider (MSP) to a cyber insurance company and now to Digital Forensics and Incident Response (DFIR) has been a path of continuous learning. Each role came with unique challenges, shaping how I view security, risk, and ultimately the response. Here are the key lessons I've learned along the way.

The MSP Grind: Learning to Build Security from the Ground Up

In an MSP, the goal is to manage and secure multiple client environments simultaneously, which can often feel like trying to juggle several balls at once. However, what was more challenging was joining an MSP in its early startup phase with a diverse portfolio of startup clients, each with its own set of security needs, gaps, and limited resources. This experience was a crash course in security strategy but with the added complexity of helping a young business grow. Some key takeaways were:

  • Identifying Security Gaps Early: Many startup clients were still building out their infrastructures and had limited awareness of potential vulnerabilities. So, the job was to secure their systems and help them understand where the gaps were and how to fill them efficiently.

  • Standardisation vs. Customisation: One of the primary challenges in an MSP is balancing standardised solutions with each client's requirements. While standardising processes and tools helps streamline security management, each client may have unique needs that require custom solutions. This can create tension between implementing efficient, unified strategies and offering personalised security measures.

  • Building Security in a Growing Business: At a startup, resources were tight, and security had to be integrated from day one. I learnt how to build security frameworks in environments that were still being shaped, creating systems that could scale as the business and its clients grew.

  • Time Management Under Pressure: I developed the ability to prioritise tasks effectively in this role. Often, handling multiple clients meant juggling priorities and learning to triage effectively.

Lesson Learned: Security isn't just about managing what you have; it's about proactively building robust foundations while growing a business.

Cyber Insurance: Seeing Security Through a Risk Lens

Transitioning to a cyber insurance company shifted my focus from a prevention mindset to risk assessment and incident impact. Here, the narrative changed:

  • Understanding Business Impact: Cyber incidents are not just technical failures; they can cripple entire businesses. A breach or data loss doesn't just result in lost data—it can result in lost revenue, damaged client relationships, and a tarnished brand.

  • The Cost of Complacency: Witnessing the aftermath of breaches highlighted how expensive poor security practices can be. Clients often failed to implement basic cybersecurity measures, and the fallout from breaches was costly. I saw firsthand how failure to act proactively could lead to massive financial losses—not just from the breach itself but also from regulatory fines, loss of business, legal fees and any costs associated with containing, responding to and recovering from the incident.

  • Policy vs. Reality: Policies look good on paper, but real-world incidents often expose gaps in coverage and preparedness. Many businesses would assume they were fully protected against any form of cyber incident, only to realise that their coverage was insufficient or didn’t extend to certain types of attacks.

Lesson Learned: Security isn't just technical—it's financial, reputational, and legal. Risk management is as critical as threat detection.

DFIR: Where Every Detail Tells a Story

Now, in DFIR, I'm dissecting incidents to understand the who, what, when, and how. DFIR has taught me that incident response is as much about the story behind the data as it is about technical analysis. Here are some takeaways from my journey so far:

  • The Devil Is in the Details: A single overlooked log entry can be the key to unravelling an entire breach. In DFIR, every small detail can tell a significant part of the story. Thoroughness and attention to detail are paramount in this line of work.

  • Thinking Like an Attacker: To understand how a breach occurred, you must first think like the attacker. This means understanding their methods, tactics, and strategies. Understanding adversary behaviour helps anticipate their moves and improve defences.

  • The Human Element: In DFIR, many breaches are not just the result of sophisticated hacking techniques. Every breach has a human story—mistakes made, vulnerabilities exploited, and lessons to learn.

Lesson Learned: Incident response isn't just technical analysis; it's storytelling with data, piecing together events to uncover the truth.

Reflections on the Journey

Whilst each role felt like wearing a different hat, the mission remained the same: protecting people, data, and businesses from cyber threats. The MSP taught me to be proactive, cyber insurance taught me to think about risk holistically, and DFIR taught me the value of digging deep to find answers. Cybersecurity isn't a one-size-fits-all field. Whether you're managing networks, assessing risk, or responding to incidents, every role contributes to a more extensive security ecosystem. And with every hat you wear, you gain a new perspective on what it truly means to defend in the digital age and take #NoStepsBackwards.

What we read this week

  • Suspected Hacker of UN, US and Spain Military Agencies Arrested - The suspected hacker behind multiple breaches of government and international agencies has been arrested by Spanish authorities. In 2024, the individual breached over 12 high-profile organisations, including the Ministry of Defence, the United Nations, NATO, and US Army databases. Compromised data included personal details and sensitive documents. Using three pseudonyms, the hacker sold or published the stolen data on BreachForums, a hacking forum. Authorities are still investigating whether the hacker had any associates involved in these activities.

  • Critical Veeam Updater vulnerability allows MitM attacks (CVE-2025-23114) - A vulnerability in the Veeam Updater component allows a Man-in-the-Middle attacker to execute arbitrary code with root-level permissions on affected instances. It has been assigned a CVSS v3.1 score of 9.0. The issue stems from a failure to properly validate TLS certificates, so an attacker positioned on the path to the update server can present their own certificate and be accepted. There is currently no evidence of exploitation in the wild, and no Proof-of-Concept is available. Organisations using Veeam Updater should assess their exposure, update to an unaffected version, and implement appropriate security controls such as allow-listing, network segmentation and firewalls, and security configuration hardening.

  • Education Sector Targeted in Microsoft ADFS Phishing Campaign - A phishing campaign has targeted over 150 organisations, mainly within the education sector, using fake Microsoft Active Directory Federation Services (ADFS) login pages. The threat actors then launch Man-in-the-Middle attacks, capturing user credentials entered into the fraudulent login forms. Post-compromise activity includes reconnaissance, interception of communications, and further lateral phishing across the organisation. Organisations still using the legacy system have been urged to transition to more secure platforms, such as Microsoft Entra ID, to better protect against these evolving threats.

  • No Patch coming for Zyxel CPE vulnerabilities - Zyxel announced this week that zero-day vulnerabilities, including CVE-2024-40891, CVE-2024-40890, and CVE-2025-0890, will not receive patches. This decision stems from the devices being at End-of-Life, with the recommendation to replace legacy products with newer-generation equipment. Despite being out of support, thousands of these devices remain exposed online. The combination of default credentials and command injection vulnerabilities makes them prime targets, underscoring the risks of insecure default configurations and lack of vulnerability transparency. Organisations are urged to isolate affected devices and prioritise replacing all End-of-Life products.

  • Gemini AI leveraged in state-sponsored cyber operations - Google's Threat Intelligence Group revealed that over 40 state-sponsored APT groups from countries such as Iran, China, North Korea, and Russia have used its Gemini AI tools in their cyber operations. The Gemini large language model (LLM) facilitated various attack stages, from reconnaissance to malware development and post-compromise activities. While the AI supported threat actors' productivity, it didn't enable novel capabilities. Iranian APTs were the most prolific users, employing Gemini for hacking and influence operations. This highlights the growing use of AI tools in malicious operations, raising concerns over their potential in cyber warfare.
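The Veeam Updater item above comes down to a client that did not validate the TLS certificate of the server it fetched updates from. As an added example (not Veeam's code, and not code from NSB Cyber), the Python below builds the two client configurations an update client might use, the weak one that accepts any certificate and the hardened one, and an audit function that flags the weak settings so the check can be run against any SSLContext a third-party component hands you. It also shows the independent control a well-designed updater keeps: checking the downloaded bundle against a digest assumed to come from a separately signed manifest (a hypothetical control, not something the advisory describes). The sample bundle and its digest are constructed inline.

```python
# Added example (not Veeam's or NSB Cyber's code): weak vs. hardened TLS
# client configuration for an update client, an audit that flags the weak
# settings, and an independent digest check on the downloaded bundle.
import hashlib
import hmac
import ssl


def updater_context(verify_peer: bool) -> ssl.SSLContext:
    """Return the client-side TLS context a hypothetical updater would use.

    verify_peer=False reproduces the 'accept any certificate' shortcut that
    lets an on-path attacker impersonate the update server; True is the
    hardened form: system CA store, hostname check, TLS 1.2 or newer.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_peer:
        # Weak configuration. Python insists check_hostname is cleared before
        # verify_mode is relaxed, which is why both lines appear together in
        # code that "fixes" a certificate error the quick way.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings for a client SSLContext; [] means it is sound."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a certificate for any other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS 1.1 or older")
    return findings


# Constructed sample: a stand-in update bundle and the digest that a signed
# manifest (assumed to exist and to be verified separately) would carry for it.
SAMPLE_BUNDLE = b"example-update-bundle-v0.0.0"
SAMPLE_MANIFEST_DIGEST = hashlib.sha256(SAMPLE_BUNDLE).hexdigest()


def verify_update_digest(bundle: bytes, expected_hex: str) -> bool:
    """Second line of defence: even if the TLS channel were intercepted, a
    bundle whose SHA-256 does not match the manifest is refused. The
    constant-time comparison avoids leaking how many leading bytes matched."""
    actual = hashlib.sha256(bundle).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


if __name__ == "__main__":
    for label, ctx in (("weak", updater_context(False)), ("hardened", updater_context(True))):
        print(label, audit_tls_context(ctx) or "OK")
    print("bundle accepted:", verify_update_digest(SAMPLE_BUNDLE, SAMPLE_MANIFEST_DIGEST))
    print("tampered accepted:", verify_update_digest(SAMPLE_BUNDLE + b"x", SAMPLE_MANIFEST_DIGEST))
```

The audit deliberately reports the three settings separately: an updater that keeps `verify_mode` at `CERT_REQUIRED` but turns off `check_hostname` still accepts any certificate a public CA has issued to the attacker for some other name, which is enough for an on-path attacker with a domain of their own.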

