Defence Cyber Strategy


Future conflict will involve sophisticated cyber warfare. Nations across the globe have recognised the strategic value and asymmetric advantage of investment in offensive cyber capabilities. They continue to evolve and advance their capabilities, contributing to an evolving strategic environment. In this context, cyber security is now one of our most critical tools to defend our people, capabilities, and ultimately, our nation.

On 31 August 2022, the Assistant Minister for Defence and Assistant Minister for Veterans’ Affairs, the Hon Matt Thistlethwaite released the Defence Cyber Security Strategy, outlining how Defence will strengthen its cyber security posture over the next ten years.

The Strategy details how Defence will combat cyber threats and ensure its capabilities are secure against attacks from adversaries. It presents the path to a cyber resilient Defence and the principles to maintain a strong cyber security posture in a shifting strategic environment.

Ultimately, the Strategy will contribute to a high-performing One Defence enterprise that can continue to deliver on its mission of defending Australia and its national interests.

The Strategy was released alongside the complementary 2022 Defence Information and Communications Technology Strategy.

Patagonia evades Climate Change?


Aussie company Patagonia is donating its profits to fight climate change. You’ll see that splashed across the news.

However, could the real story be tax evasion?

You heard about Patagonia and their big donation? Interested in another perspective?

The Patagonia headline is “Billionaire Gives Away Company to Fight Climate Change”.

Wow that’s awesome right⁉️🔥

However, there’s more to it than most realize.

Yes 98% of the company is now owned by a non-profit that will leverage the $100M in profits to fight the environmental crisis.

BUT Yvon Chouinard and family save $700 MILLION in taxes.

He moved all of the family's voting stock, approximately 2% of the company's total shares, to an entity called the Patagonia Purpose Trust. This entity can now make unlimited political donations in the U.S.

The deal is designed for the ultra-wealthy to use non-profits to exert political influence long past their lifetime.

He won’t have to pay $700M in capital gains taxes for selling a $3 Billion company.

He avoids paying a 40% estate and gift tax when transferring large fortunes to heirs.

When asked for comment on the tax implications… crickets. 🦗😶

I’ll share the Bloomberg article here and in the comments.


I love the idea of positively impacting the planet. But “battling climate change” can mean a lot of things.

What do you think about all this⁉️😲👇🏾

Insights for Good


The illusion of insights

Data Breaches 2022 in Australia


University of Western Australia – August 2022

Uber – July 2022

Perth Festival, Black Swan State Theatre Company – July 2022

Victorian Government – July 2022

Woolworths – July 2022

Marriott – July 2022

Mangatoon – July 2022

China Police – July 2022

Deakin University – July 2022

AMD – July 2022

OpenSea – July 2022

iCare – June 2022

Department of Home Affairs – May 2022

NDIS – May 2022

Spirit Super – May 2022

APAC – May 2022

Facebook – May 2022

South Australian Government – May 2022

National Tertiary Education Union – May 2022

Transport for NSW – May 2022

Coca-Cola – April 2022

Top Data Breaches and Cyber Attacks of 2022

Panasonic – April 2022

Block (ASX:SQ2) – April 2022

Warrnambool Council – March 2022

OKTA – March 2022

Microsoft – March 2022

Ubisoft – March 2022

Nvidia – March 2022

Samsung – March 2022

Australian Data Breaches Report

Toyota Motor – March 2022

OAIC Report – February 2022

NSW Government – February 2022

News Corp – February 2022

CFMMEUR – February 2022

Red Cross Australia – January 2022

TfNSW (Accellion) – January 2022

FlexBooker – January 2022

Bunnings – January 2022

MITRE ATT&CK Framework


MITRE ATT&CK® stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). The MITRE ATT&CK framework is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target. The tactics and techniques abstraction in the model provides a common taxonomy of individual adversary actions that is understood by both the offensive and defensive sides of cybersecurity. It also provides an appropriate level of categorization for adversary actions and for the specific ways of defending against them.

The behavioral model presented by ATT&CK contains the following core components:

  • Tactics denoting short-term, tactical adversary goals during an attack (the columns);
  • Techniques describing the means by which adversaries achieve tactical goals (the individual cells); and
  • Documented adversary usage of techniques and other metadata (linked to techniques).

MITRE ATT&CK was created in 2013 as a result of MITRE’s Fort Meade Experiment (FMX) where researchers emulated both adversary and defender behavior in an effort to improve post-compromise detection of threats through telemetry sensing and behavioral analysis. The key question for the researchers was “How well are we doing at detecting documented adversary behavior?” To answer that question, the researchers developed ATT&CK, which was used as a tool to categorize adversary behavior.

What is in the MITRE ATT&CK Matrix?

The MITRE ATT&CK matrix contains a set of techniques used by adversaries to accomplish a specific objective. Those objectives are categorized as tactics in the ATT&CK Matrix. The objectives are presented linearly from the point of reconnaissance to the final goal of exfiltration or “impact”. Looking at the broadest version of ATT&CK for Enterprise, which includes Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network, and Containers, the following adversary tactics are categorized:

  1. Reconnaissance: gathering information to plan future adversary operations, e.g., information about the target organization
  2. Resource Development: establishing resources to support operations, e.g., setting up command and control infrastructure
  3. Initial Access: trying to get into your network, e.g., spear phishing
  4. Execution: trying to run malicious code, e.g., running a remote access tool
  5. Persistence: trying to maintain their foothold, e.g., changing configurations
  6. Privilege Escalation: trying to gain higher-level permissions, e.g., leveraging a vulnerability to elevate access
  7. Defense Evasion: trying to avoid being detected, e.g., using trusted processes to hide malware
  8. Credential Access: stealing account names and passwords, e.g., keylogging
  9. Discovery: trying to figure out your environment, e.g., exploring what they can control
  10. Lateral Movement: moving through your environment, e.g., using legitimate credentials to pivot through multiple systems
  11. Collection: gathering data of interest to the adversary’s goal, e.g., accessing data in cloud storage
  12. Command and Control: communicating with compromised systems to control them, e.g., mimicking normal web traffic to communicate with a victim network
  13. Exfiltration: stealing data, e.g., transferring data to a cloud account
  14. Impact: manipulating, interrupting, or destroying systems and data, e.g., encrypting data with ransomware

Within each tactic of the MITRE ATT&CK matrix there are adversary techniques, which describe the actual activity carried out by the adversary. Some techniques have sub-techniques that explain how an adversary carries out a specific technique in greater detail. The full ATT&CK Matrix for Enterprise from the MITRE ATT&CK navigator is represented at https://attack.mitre.org
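The practical use of the tactic/technique taxonomy on the defensive side is measuring detection coverage: tag each detection rule with the technique IDs it observes, then roll that up per tactic column to find gaps. The script below is an added example (not MITRE's code); the technique table is a small constructed subset of the Enterprise matrix, and the detection inventory is hypothetical. A production version would load the full knowledge base published at https://attack.mitre.org instead of the inline dict.

```python
"""Roll up detection rules tagged with ATT&CK technique IDs into per-tactic
coverage, and emit a simplified Navigator-style layer to view the gaps."""
from collections import defaultdict

# The 14 Enterprise tactics, in the order the matrix presents them.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Constructed subset of the Enterprise matrix: technique ID -> (name, tactics).
# A technique can sit under several tactics, so coverage is counted per cell.
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1078": ("Valid Accounts", ["Defense Evasion", "Persistence",
                                 "Privilege Escalation", "Initial Access"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
}

# Hypothetical detection inventory: rule name -> technique IDs it covers.
DETECTIONS = {
    "mail-attachment-sandbox": ["T1566"],
    "powershell-scriptblock-logging": ["T1059"],
    "lsass-access-alert": ["T1003"],
    "ransomware-canary-files": ["T1486"],
}

def _covered_ids(detections):
    return {tid for tids in detections.values() for tid in tids}

def coverage_by_tactic(detections, techniques=TECHNIQUES):
    """Return {tactic: (covered_cells, total_cells)} for every tactic column."""
    total, covered = defaultdict(int), defaultdict(int)
    covered_ids = _covered_ids(detections)
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            total[tactic] += 1
            if tid in covered_ids:
                covered[tactic] += 1
    return {t: (covered[t], total[t]) for t in TACTICS}

def uncovered_techniques(detections, techniques=TECHNIQUES):
    """Technique IDs with no detection at all, sorted for a gap report."""
    covered_ids = _covered_ids(detections)
    return sorted(tid for tid in techniques if tid not in covered_ids)

def navigator_layer(detections, name="Detection coverage"):
    """Build a simplified ATT&CK Navigator-style layer: only the fields needed
    to score covered cells (score 1) versus uncovered cells (score 0)."""
    covered_ids = _covered_ids(detections)
    entries = [{"techniqueID": tid, "score": 1 if tid in covered_ids else 0}
               for tid in sorted(TECHNIQUES)]
    return {"name": name, "domain": "enterprise-attack", "techniques": entries}

if __name__ == "__main__":
    for tactic, (c, n) in coverage_by_tactic(DETECTIONS).items():
        print(f"{tactic:22} {c}/{n}")
    print("no detection:", uncovered_techniques(DETECTIONS))
```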

Securing M365


Securing M365 is important to many organisations that use Microsoft at the core of their business. Microsoft is making a serious bid to dominate the enterprise with a combination of M365 productivity suite, Power Platform, Azure and Dynamics.

Securing M365 is foundational to ensure the organisation is well-integrated, and secure.

Some quick steps to achieve this are:

  1. Establish an M365 cybersecurity task force focused on addressing known concerns with Microsoft 365: a specialised team or vendor that supports the business on Microsoft 365 cybersecurity.
  2. Review the Microsoft documentation, an extensive library that documents security vulnerabilities and configuration issues. The task force should review the library regularly.
  3. Enable and use DMARC, SPF and DKIM to reduce the risk of spoofing and phishing. Use Microsoft Exchange as your email service provider in this configuration.
  4. Enable multifactor authentication (MFA) by default, at the very least for administrator accounts and, ideally, for all accounts. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) report noted that MFA for administrator accounts isn’t enabled by default, yet Azure Active Directory (AD) global administrators in a Microsoft 365 environment have the highest level of administrator privileges at the tenant level. This is an essential step to ensuring security.
  5. Determine if password sync is required. By default, Azure AD Connect integrates on-premises environments with Azure AD when customers migrate to Microsoft 365. In this scenario, the on-premises password overwrites the password in Azure AD. Therefore, if the on-premises AD identity is compromised, an attacker could move laterally to the cloud when the sync occurs. If password sync is required, the team should carefully think through the implications of a premises-based attack on cloud systems, or vice versa.
  6. Avoid legacy protocols. Several protocols, including Post Office Protocol 3 and Internet Mail Access Protocol 4, don’t effectively support authentication methods such as MFA. CISA recommended moving away from all legacy protocols.
  7. Upgrade all software and OSes prior to migration. Earlier versions of Microsoft software, such as Office 2007, have known security vulnerabilities and weaker protection thresholds. Upgrade all software to current versions prior to migrating to Microsoft 365.
  8. Test all third-party integrations into Microsoft 365. If you are using Microsoft 365 in conjunction with third-party applications — developed in-house or by outside companies — be sure you conduct solid cybersecurity testing before integrating them with Microsoft 365.
  9. Develop and implement a backup and business continuity plan. Although Microsoft 365 is cloud-based, it uses replication rather than traditional data backup methods. Microsoft can’t guarantee an organisation’s files will remain available if files are compromised through ransomware or accidental deletion.
  10. Implement cloud-based single sign-on (SSO). Known vulnerabilities in Microsoft 365’s security protocols involve using cross-domain authentication to bypass federated domains.
  11. Assess your Microsoft Secure Score and Compliance Score. Microsoft has developed two registries for Microsoft 365: Secure Score and Compliance Score.
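The DMARC/SPF item above is easy to tick off with a record that exists but does nothing (SPF ending in `~all`, DMARC with `p=none`). The checker below is an added example, not Microsoft's or the page author's code: it parses SPF and DMARC TXT records and flags weak settings. The records are constructed for the hypothetical domain `example.com`, with a weak and a hardened configuration side by side; a real check would fetch the TXT records through a DNS resolver instead of the inline dict. DKIM is not checked here because its selector records are tenant-specific.

```python
"""Assess the SPF and DMARC TXT records a tenant publishes and report weak
settings. Records are constructed; substitute a DNS lookup for real use."""

# Constructed TXT records: a weak configuration and a hardened one.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                           "rua=mailto:dmarc@example.com; adkim=s; aspf=s"),
}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(txt):
    """Return a list of weaknesses in an SPF record (empty means fine)."""
    findings = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    if "+all" in terms or "all" in terms:
        findings.append("SPF '+all' allows any host to send as this domain")
    elif "~all" in terms:
        findings.append("SPF '~all' (softfail) only marks spoofed mail, it does not reject it")
    elif "-all" not in terms:
        findings.append("SPF record has no 'all' mechanism")
    # Exchange Online senders are authorised through this include.
    if "include:spf.protection.outlook.com" not in terms:
        findings.append("SPF does not include spf.protection.outlook.com for Exchange Online")
    return findings

def dmarc_findings(txt):
    """Return a list of weaknesses in a DMARC record (empty means fine)."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none monitors only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine; move to p=reject once reports are clean")
    if tags.get("pct", "100") != "100":
        findings.append("DMARC pct<100 applies the policy to only a sample of mail")
    if "rua" not in tags:
        findings.append("No rua= address: aggregate reports will not be received")
    return findings

def assess_domain(domain, records):
    """Combine SPF and DMARC findings for a domain from a TXT lookup table."""
    spf = records.get(domain, "")
    dmarc = records.get("_dmarc." + domain, "")
    return spf_findings(spf) + dmarc_findings(dmarc)

if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, assess_domain("example.com", recs) or ["no findings"])
```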


Understanding the ISM


The Information Security Manual (ISM), published by the Australian Signals Directorate, provides strategic guidance on how organisations can safeguard their systems and data from cyber attacks. It consists of 1700+ considerations for providing a secure environment in which agencies and platforms can operate.

Who are the Australian Signals Directorate or ASD?

The Australian Signals Directorate (ASD) is a leading member of Australia’s national security community, working across all of the operations required of contemporary signals intelligence and security agencies: intelligence, cyber security and offensive operations in support of the Australian Government and Australian Defence Force (ADF).

What is the Information Security Manual (ISM)?

The purpose of the Australian Government Information Security Manual (ISM) is to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and data from cyber threats. 

Who is the ISM intended for?

The ISM is intended for Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), cyber security professionals and information technology managers.

The ISM consists of cybersecurity principles and cybersecurity guidelines:

Cybersecurity principles: these principles provide strategic guidance on how organisations can protect their systems and data from cyber attacks and threats. The principles are divided into four key activities: govern, protect, detect and respond. To comply with the ISM, organisations must demonstrate that they are adhering to these principles.

Cybersecurity guidelines: there are 1700+ practical guidelines that an organisation can apply to safeguard its systems and data from cyber attacks and threats. These guidelines cover governance, physical security, personnel security, and information and communications technology security matters. Organisations should consider the guidelines that are relevant to each of the systems they operate.

Cybersecurity Principles

The ISM’s cybersecurity principles are grouped into four categories: govern, protect, detect and respond. Govern covers identifying and managing security risks. Protect covers implementing security controls to reduce security risks. Detect covers detecting and understanding cyber security events. Respond covers responding to and recovering from cyber security incidents.

Below is a list of each of the principles under each respective category:

Govern Principles

G1: A Chief Information Security Officer provides leadership and oversight of cyber security.

G2: The identity and value of systems, applications and data is determined and documented.

G3: The confidentiality, integrity and availability requirements of systems, applications and data is determined and documented.

G4: Security risk management processes are embedded into organisational risk management frameworks.

G5: Security risks are identified, documented, managed and accepted both before systems and applications are authorised for use, and continuously throughout their operational life.

Protect Principles 

P1: Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements.

P2: Systems and applications are delivered and supported by trusted suppliers.

P3: Systems and applications are configured to reduce their attack surface.

P4: Systems and applications are administered in a secure, accountable and auditable manner.

P5: Security vulnerabilities in systems and applications are identified and mitigated in a timely manner.

P6: Only trusted and supported operating systems, applications and computer code can execute on systems.

P7: Data is encrypted at rest and in transit between different systems.

P8: Data communicated between different systems is controlled, inspectable and auditable.

P9: Data, applications and configuration settings are backed up in a secure and proven manner on a regular basis.

P10: Only trusted and vetted personnel are granted access to systems, applications and data repositories.

P11: Personnel are granted the minimum access to systems, applications and data repositories required for their duties.

P12: Multiple methods are used to identify and authenticate personnel to systems, applications and data repositories.

P13: Personnel are provided with ongoing cyber security awareness training.

P14: Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel.

Detect Principle 

D1: Cyber security events and anomalous activities are detected, collected, correlated and analysed in a timely manner.

Respond Principle

R1: Cyber security incidents are identified and reported both internally and externally to relevant bodies in a timely manner.

R2: Cyber security incidents are contained, eradicated and recovered from in a timely manner.

R3: Business continuity and disaster recovery plans are enacted when required.

REDSPICE

REDSPICE is the most significant single investment in the Australian Signals Directorate’s 75 years. It responds to the deteriorating strategic circumstances in our region, characterised by rapid military expansion, growing coercive behaviour and increased cyber attacks.

Through REDSPICE, ASD will deliver forward-looking capabilities essential to maintaining Australia’s strategic advantage and capability edge over the coming decade and beyond.

Through REDSPICE, we will expand the range and sophistication of our intelligence, offensive and defensive cyber capabilities, and build on our already-strong enabling foundations.

  • 3x current offensive cyber capability
  • 2x persistent cyber-hunt activities
  • Advanced AI, machine learning and cloud technology
  • 4x global footprint
  • 1900 new analyst, technologist, corporate and enabling roles across Australia and the world
  • 40% of staff located outside Canberra

Read more: https://www.asd.gov.au/about/redspice

The Future of IRAP


The Infosec Registered Assessors Program (IRAP) is a program run by the Australian Signals Directorate (ASD) to ensure organisations can access high-quality, independent security assessment services. The Australian government benefits from having access to sovereign and independent assurance and audit services.

IRAP services include providing advice for and assessments of:

  • Risk mitigation activities
  • Cloud services
  • Gateways
  • Information systems, and
  • System documentation

The IRAP program has been through a few iterations, and is maturing.

E8 Maturity Level One


The focus of this maturity level is adversaries who are content to simply leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, systems. For example, adversaries opportunistically using a publicly-available exploit for a security vulnerability in an internet-facing service which had not been patched, or authenticating to an internet-facing service using credentials that were stolen, reused, brute forced or guessed.

Generally, adversaries are looking for any victim rather than a specific victim and will opportunistically seek common weaknesses in many targets rather than investing heavily in gaining access to a specific target. Adversaries will employ common social engineering techniques to trick users into weakening the security of a system and launch malicious applications, for example via Microsoft Office macros. If the account that an adversary compromises has special privileges they will seek to exploit it. Depending on their intent, adversaries may also destroy data (including backups).

The Essential 8

Mitigation Strategy: Application control
  • The execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is prevented on workstations from within standard user profiles and temporary folders used by the operating system, web browsers and email clients.

Mitigation Strategy: Patch applications
  • Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.
  • A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services.
  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
  • Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

Mitigation Strategy: Configure Microsoft Office macro settings
  • Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
  • Microsoft Office macros in files originating from the internet are blocked.
  • Microsoft Office macro antivirus scanning is enabled.
  • Microsoft Office macro security settings cannot be changed by users.

Mitigation Strategy: User application hardening
  • Web browsers do not process Java from the internet.
  • Web browsers do not process web advertisements from the internet.
  • Internet Explorer 11 does not process content from the internet.
  • Web browser security settings cannot be changed by users.

Mitigation Strategy: Restrict administrative privileges
  • Requests for privileged access to systems and applications are validated when first requested.
  • Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
  • Privileged users use separate privileged and unprivileged operating environments.
  • Unprivileged accounts cannot logon to privileged operating environments.
  • Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.

Mitigation Strategy: Patch operating systems
  • Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release.
  • A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
  • Operating systems that are no longer supported by vendors are replaced.

Mitigation Strategy: Multi-factor authentication
  • Multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services.
  • Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s sensitive data.
  • Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s non-sensitive data.
  • Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.

Mitigation Strategy: Regular backups
  • Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.
  • Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.
  • Unprivileged accounts can only access their own backups.
  • Unprivileged accounts are prevented from modifying or deleting backups.
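The patching rows above are the ones most often failed in practice, because the 48-hour window for an internet-facing service with a known exploit is easy to miss while the two-week window is met. The script below is an added example (not ASD's code) that checks constructed patch records against the Maturity Level One timeframes: two weeks for internet-facing services, 48 hours when an exploit exists, and one month (taken here as 30 days, an assumption) for office productivity suites, browsers, email clients, PDF software and security products. The asset names and dates are hypothetical; in practice the records would come from the vulnerability scanner the table requires.

```python
"""Check patch records against the Essential Eight Maturity Level One
patching timeframes and list the assets that are past their deadline."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class PatchRecord:
    asset: str
    category: str               # "internet_facing" or "productivity" (constructed labels)
    released: datetime          # when the vendor released the patch
    applied: Optional[datetime] # None if not yet applied
    exploit_exists: bool = False

def deadline(rec: PatchRecord) -> datetime:
    """Return the ML1 deadline for applying this patch."""
    if rec.category == "internet_facing":
        window = timedelta(hours=48) if rec.exploit_exists else timedelta(weeks=2)
    elif rec.category == "productivity":
        window = timedelta(days=30)  # "within one month", taken as 30 days (assumption)
    else:
        raise ValueError(f"unknown category {rec.category!r}")
    return rec.released + window

def is_compliant(rec: PatchRecord, now: datetime) -> bool:
    """Compliant if applied by the deadline, or not yet applied but still in the window."""
    due = deadline(rec)
    if rec.applied is not None:
        return rec.applied <= due
    return now <= due

def overdue(records, now):
    """Assets whose patches missed the ML1 deadline, with whole days overdue.
    For an unpatched asset the overrun is measured up to 'now'."""
    out = []
    for rec in records:
        if not is_compliant(rec, now):
            reference = rec.applied or now
            out.append((rec.asset, (reference - deadline(rec)).days))
    return out

# Constructed sample, with "now" fixed so the result is reproducible.
NOW = datetime(2022, 9, 1)
SAMPLE = [
    PatchRecord("vpn-gw-01", "internet_facing", datetime(2022, 8, 1),
                datetime(2022, 8, 10)),                       # 9 days: within two weeks
    PatchRecord("mail-gw-01", "internet_facing", datetime(2022, 8, 1),
                datetime(2022, 8, 10), exploit_exists=True),  # exploit: 48-hour window missed
    PatchRecord("wks-office", "productivity", datetime(2022, 8, 15), None),  # still in window
    PatchRecord("wks-browser", "productivity", datetime(2022, 7, 1), None),  # unpatched, overdue
]

if __name__ == "__main__":
    for asset, days in overdue(SAMPLE, NOW):
        print(f"{asset}: {days} days past the ML1 deadline")
```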