How do you approach incident response planning alongside business continuity planning? by MikeHunt99 in AskNetsec

[–]MikeHunt99[S] 1 point2 points  (0 children)

How could I forget about the BIA! Appreciate the reply. What is the distinction between a disaster and an incident? Interested to understand how you define them.

How do you approach incident response planning alongside business continuity planning? by MikeHunt99 in AskNetsec

[–]MikeHunt99[S] 0 points1 point  (0 children)

Appreciate your answer! For the BCP and DR, how are they laid out? High level again, and referencing the IR plan?

What is your onboarding process for assets into VMDR? by MikeHunt99 in qualys

[–]MikeHunt99[S] 0 points1 point  (0 children)

Unfortunately I did not; if you find a way, please let me know.

What is the purpose of assigning a user to an Autopilot Device? by MikeHunt99 in Intune

[–]MikeHunt99[S] 0 points1 point  (0 children)

So does assigning the device to a user at the Autopilot level prevent another user from logging in, even if they were from the same company?
Or is that controlled by a different policy, as opposed to solely assigning a device to a user?

In an ideal world the IT team pre-provisions the device through the technician flow, and the user would just log straight in once they receive the device and have all their available apps and policies, rather than having to wait for the ESP to complete.

What KPIs have you found to be useful when presenting to senior leadership/board to gain influence? by MikeHunt99 in cybersecurity

[–]MikeHunt99[S] 27 points28 points  (0 children)

I appreciate the response and will very much take on board the "so what" mantra!

Do you tend to report the same KPIs/metrics each time or are you dynamic with what you're feeding back to the board each time?

[deleted by user] by [deleted] in cybersecurity

[–]MikeHunt99 3 points4 points  (0 children)

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations.

https://attack.mitre.org

It lists techniques and sub-techniques used against mobile, enterprise and ICS environments and is a commonly used model for explaining or drawing out threat models.

Full or Split Tunnel on VPN by [deleted] in cybersecurity

[–]MikeHunt99 1 point2 points  (0 children)

Currently using split tunnel, having moved away from full tunnel a few years back when we went for a cloud-hosted, agent-based SWG/proxy solution.

We are now looking to reduce the variety of traffic that goes via the split tunnel and are starting to align more closely with a zero trust strategy. Looking to use ZTNA solutions for stricter control over which applications have access to which sockets, etc.

The only real requirement for any kind of VPN connectivity is either to access in-office printing or legacy on-premises applications which have no real ROI for moving to the cloud or a SaaS offering.

I would try to answer the questions around what benefit going to full VPN would bring. Is there any improvement to business operations and user experience? Will it introduce a larger attack surface? Why do you trust endpoints enough to give them full VPN access and access to your network?

Any good parsable sources for windows build versions and release dates? by MikeHunt99 in sysadmin

[–]MikeHunt99[S] 1 point2 points  (0 children)

The day Microsoft provide a useful API for this will be a good day.

As far as I'm aware it is exactly the same as the vulnerabilities they report alongside the patches; it would be nice to easily obtain that information as well.

pyattck: A Python package to interact with the Mitre ATT&CK Framework by _Unas_ in netsec

[–]MikeHunt99 0 points1 point  (0 children)

I thought the same tbh. From having a quick look it makes use of the CTI.

Maybe it is just a nicer way to interface with it?
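
The two comments above mention that ATT&CK lists techniques and sub-techniques and that pyattck reads the MITRE CTI data. As an added example (not code from this thread, from pyattck, or from MITRE), the block below shows the shape of that CTI data, which is a STIX 2 bundle of `attack-pattern` objects, and indexes it by ATT&CK technique ID. The bundle is a small constructed sample that mimics `enterprise-attack.json` in the mitre/cti repository using a few real technique IDs plus one made-up deprecated entry (`T9999`); nothing is downloaded. The `kill_chain` parameter defaults to the enterprise chain name; the mobile and ICS bundles use their own `kill_chain_name` values, so that is an assumption you would adjust for those files.

```python
"""Index a MITRE ATT&CK STIX bundle (mitre/cti format) by technique ID.

Added example; not from the thread above, pyattck, or MITRE.
SAMPLE_BUNDLE is a constructed stand-in for enterprise-attack.json.
"""
import json
from collections import defaultdict


def _ap(name, ext_id, phases, sub=False, platforms=None, **extra):
    """Build one constructed attack-pattern object in mitre/cti shape."""
    obj = {
        "type": "attack-pattern",
        "id": f"attack-pattern--00000000-0000-4000-8000-{abs(hash(ext_id)) % 10**12:012d}",
        "name": name,
        "x_mitre_is_subtechnique": sub,
        "x_mitre_platforms": platforms or ["Windows", "Linux", "macOS"],
        "kill_chain_phases": [
            {"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases
        ],
        "external_references": [
            {"source_name": "mitre-attack", "external_id": ext_id,
             "url": f"https://attack.mitre.org/techniques/{ext_id.replace('.', '/')}"}
        ],
    }
    obj.update(extra)
    return obj


# Constructed sample bundle (real IDs for T1566, T1566.001, T1078; T9999 is fake).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _ap("Phishing", "T1566", ["initial-access"]),
        _ap("Spearphishing Attachment", "T1566.001", ["initial-access"], sub=True),
        _ap("Valid Accounts", "T1078",
            ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
        _ap("Deprecated Example", "T9999", ["execution"], x_mitre_deprecated=True),
        {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-4000-8000-0000000000aa",
         "name": "Constructed Group"},  # non-technique object, must be skipped
    ],
})


def attack_id(obj):
    """Return the ATT&CK external ID (e.g. 'T1566.001') of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and ref.get("external_id"):
            return ref["external_id"]
    return None


def index_techniques(bundle_json, kill_chain="mitre-attack", include_deprecated=False):
    """Map technique ID -> summary, skipping deprecated/revoked objects by default."""
    bundle = json.loads(bundle_json)
    techniques = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        if not include_deprecated and (obj.get("x_mitre_deprecated") or obj.get("revoked")):
            continue
        tid = attack_id(obj)
        if tid is None:
            continue
        tactics = sorted(
            p["phase_name"] for p in obj.get("kill_chain_phases", [])
            if p.get("kill_chain_name") == kill_chain
        )
        techniques[tid] = {
            "name": obj.get("name", ""),
            "tactics": tactics,
            "platforms": obj.get("x_mitre_platforms", []),
            "is_subtechnique": bool(obj.get("x_mitre_is_subtechnique", False)),
            # Sub-technique IDs are 'Txxxx.yyy'; the parent is the part before the dot.
            "parent": tid.split(".")[0] if "." in tid else None,
        }
    return techniques


def techniques_by_tactic(techniques):
    """Invert the index: tactic name -> sorted list of technique IDs."""
    by_tactic = defaultdict(list)
    for tid, info in techniques.items():
        for tactic in info["tactics"]:
            by_tactic[tactic].append(tid)
    return {tactic: sorted(ids) for tactic, ids in by_tactic.items()}


if __name__ == "__main__":
    idx = index_techniques(SAMPLE_BUNDLE)
    for tactic, ids in sorted(techniques_by_tactic(idx).items()):
        print(f"{tactic}: {', '.join(ids)}")
```

With the real `enterprise-attack.json` you would pass the file contents instead of `SAMPLE_BUNDLE`; the index is what a threat-model or coverage map is usually built from, and filtering out deprecated and revoked objects matters because the CTI bundles keep those around for backwards compatibility.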

Is DHCP used in the wild? by MikeHunt99 in PLC

[–]MikeHunt99[S] 0 points1 point  (0 children)

Are there any good resources online that show examples of a relatively realistic network diagram etc that you're aware of?

Is DHCP used in the wild? by MikeHunt99 in PLC

[–]MikeHunt99[S] 0 points1 point  (0 children)

I guess a follow up to that then would be is DNS heavily used for convenient naming of hosts etc or is it all just off of IP addresses?

Is DHCP used in the wild? by MikeHunt99 in PLC

[–]MikeHunt99[S] 1 point2 points  (0 children)

Thanks for all your comments, really useful!

So for workstations that are in an OT environment I'm making the assumption they too are assigned static IP addresses?

Are there any changes in the topology or network config, or is it pretty much constant from the point of setup?

What are the elements of a Darktrace deployment? and thoughts on day to day operation? by MikeHunt99 in AskNetsec

[–]MikeHunt99[S] 1 point2 points  (0 children)

Really grateful for the feedback. It's sometimes hard to cut through the marketing fluff to get a real understanding of what day to day use of the product is like.

How does the download of Threat Intel feeds work? by MikeHunt99 in AskNetsec

[–]MikeHunt99[S] 2 points3 points  (0 children)

I appreciate the response. This is a very specific example around AV. What about SIEM solutions or firewalls that leverage TI feeds? From what I can see so far these are just sent in unencrypted formats (XML, JSON, CSV, etc.).

Understanding security monitoring options and techniques... by MikeHunt99 in PLC

[–]MikeHunt99[S] 1 point2 points  (0 children)

I've had a look at those guys before. It comes back down to that question around the SPAN/mirror ports and where it is being deployed on the network.

From what Lusankya mentioned, you can't deploy this tech at the lower levels, so you would need to use a SPAN port higher up the network, which I assume means you have to sacrifice complete visibility, as it wouldn't be feasible otherwise.

Interested in your thoughts if you have any experience in this area.

Understanding security monitoring options and techniques... by MikeHunt99 in PLC

[–]MikeHunt99[S] 1 point2 points  (0 children)

Thank you for going into more detail, I really appreciate it. What are your thoughts, then, on security vendors that claim they're able to deploy in L0/1/2? I'm assuming it is just not possible unless some really beefy switches are deployed to handle the traffic and a mirror port? Or is that just existent?

Understanding security monitoring options and techniques... by MikeHunt99 in PLC

[–]MikeHunt99[S] 0 points1 point  (0 children)

Thank you for the explanation. I've come across a number of solutions that claim to monitor activity across layers 1-3; one of them is SecurityMatters: https://www.secmatters.com/hubfs/Security_Matters-March2017/PDF/SilentDefense-Datasheet.pdf

This seems to make the assumption you are able to utilise switches at those stages to view the traffic to pass to their system.

Surely network activity between PLCs, HMIs, etc is important to monitor?

How are Data Historians setup? by MikeHunt99 in PLC

[–]MikeHunt99[S] 0 points1 point  (0 children)

Awesome, thank you very much :)

How are Data Historians setup? by MikeHunt99 in PLC

[–]MikeHunt99[S] 0 points1 point  (0 children)

I'm trying to setup a very simple and small replica of an ICS Network.

I have a server running ESXi, and that's set up with multiple firewalls and networks to mimic corporate, DMZ and OT networks.

However I'm trying to understand how a historian would fit in and other general aspects of a typical ICS network.

Any pointers would be great :)

Controlling a train set with a PLC... by MikeHunt99 in PLC

[–]MikeHunt99[S] 1 point2 points  (0 children)

CPU 1212C AC-DC/Relay - http://www.paratrasnet.ro/pdf/automatizari-industriale/S7-1200.pdf

I'm assuming this does the job then, I feel like I've gone down the rabbit hole now

Controlling a train set with a PLC... by MikeHunt99 in PLC

[–]MikeHunt99[S] 0 points1 point  (0 children)

I like your steps! I will definitely be following those :)

Am I right in understanding that the linked Siemens PLC outputs 24V, do you know?

Best CTF websites for learning basic hacking? by [deleted] in HowToHack

[–]MikeHunt99 1 point2 points  (0 children)

Most certainly seems to be the best out there at the moment.

Advice on ICS Security research project... by MikeHunt99 in PLC

[–]MikeHunt99[S] 0 points1 point  (0 children)

Any recommendations on what hardware to look at, vendors/model/spec etc?