The document discusses unconventional approaches to cybersecurity threats. It notes that conventional testing methods only find known vulnerabilities but cannot discover unknown exposures ("unknown unknowns") that can enable compromises. It provides examples where unknown unknowns were discovered, including a bank with compromised servers and a government agency with an insecure configuration. The document argues that people are often a weak link ("wet targets") that are ignored. It advocates threat modeling like attackers to identify potential vulnerabilities through open source intelligence and dark web monitoring before threats go public. The approach seeks to emulate "minority reporting" styles to discover unknown risks and assume systems are already compromised.

1. Conventional Defence to Unconventional Threats
[AKA‘ConvertingH20 to Bits& By[i]tes’]
WhiteHat– London– 06/03/15
ProfessorJohnWalker

2. The Majority have already been Hacked
The Minority are aware they have been Hacked
There are many suffering on-going Compromise of their Systems
Some know they are suffering Compromise
Some don’t
Accept the FACTS

3. Lets Talk - Proven Capabilities – [EUROPOL Q/1/15]
To date OSINT technology has achieved a 100% success rate with identification of Security Vulnerabilities and Exposures on
deployments which had been utilising the conventional methods of applying security by testing the known knowns, as
opposed to the new age methodologies of locating the unknown unknowns, which can, and do expose Corporate assets
to support an attack and/or compromise. The following are some examples of discoveries of what were unknown unknowns
which hosting threats, or which had already suffered compromise by external actors:
Compromised Bank Network: Identification of a major breach in which .com.cn Chinese Servers had attached to the core
switch of the Bank with remote login capabilities.
Exposed Government Agency: An International Sensitive Government Intelligence Agency who was suffering internal
Compromise at a Third Party site through a flawed and insecure DNS configuration.
PCI-DSS Exposed: The secure PCI-DSS Bank who were not aware of the deployment of an Insecure SAMBA Share, or an
insecure Cloud Service which exposed PCI-DSS Client and Account Data.
Local Authority: In this case a Local Authority were considered to be secure post multiple sessions of Penetration
Testing, yet were exposing 29 Servers to the Internet which were unknown and vulnerable.
MI5 Data Exposed: Government Agency who released information under FOI – without realising its implicated associations
with the Security Services [thus making other parties a potential Wet Target for Terrorists].

4. The Threat
We now accept that the Cyber Risk against companies is significant, the impact of which is evidenced by the attacks,
breaches, and security compromises against some of the biggest brands on the planet.
This is not scaremongering but fact!
Whilst conventional security delivers what is meant to be technological, and procedural security defences to safeguard
assets from attack, it falls short of underpinning the capabilities to discover the unknown unknowns which may [and do]
expose Deployments, Third Parties, Associates, or Assets to the potential of exploitation and compromise.
It is in this capacity where Pre Event, and Post Attack Cyber Intelligence can be of significant benefit to:
Identify the Unknown Unknowns of risks
Discover Data Leakage
Locate opportunities of exposure to Social Engineering
Find technical exposures at the unknown perimeter of the organisation
Brand Protection
Provision granular Alert & Reporting capabilities
Support Post Attack CSIRT Operations
Perform Social Media Brand Monitoring

5. Welcome to the Madcap World of off-the-wall ideas which
can [and do] sometimes work!
NLP [Neuro-Linguistic Programming] – Its time to change!
However – NLP can have both Positive & Negative outcomes
NLP may extend into what I call subliminal NVP [Neuro-Visual-Programming]
Converting H20 to Bits & By[i]tes – Turning Water into Data [Intelligence]
People Power – It’s the ONLY Way

6. Mind Manipulation – Its Everywhere

7. Unpatched People - Conversion of H20 into Bits & By[i]tes
The homosapien is made up of between 55-60% of water, and these represent the Wet Target which can be the
weakest link in the Security Lifecycle – I know, I have exploited them – and they can be easy targets!
Furthermore, whilst a lot of effort goes into patching applications, systems, and hardware, this landscape of vulnerable and
Intelligent targets are forgotten, and so are an ideal target-layer to support circumvention of any deployed security posture.
And the emergence of High Grade threats is continuous – e.g. ROVNIX & its updated Twin VAWTRAK
See SC Magazine News – 26/02/15:
http://www.scmagazineuk.com/banking-trojan-vawtrak-spotted-in-the-wild/article/400317/
And - See SC Magazine News – 5/03/15

8. Get it into Perspective
No matter the Firewalls, IPS, IDS, DLP, and the Security Infrastructure – which is proven to be failing – add to this Complexity,
Acquisitions, and High Technological Dependency, and you can start to appreciate the problem [or benefit] depending –
on your objective.
Big Data Credit Reference Agency based in Nottingham: Complex Firewalling made it impossible to identify all cable
Start, and Termination points!
Houses of Parliament: Comment on the BBC week commencing 23/02/14 – Can’t terminate cabling as it could be an MP
talking to the Kremlin!
Government Department: GSi link connected into a Hostile Region.
NHS Migration of Data Access: No comment!

9. Unconventional Hacker Thinking
Consider the element of H2O, and the tension at the Presentation Layer.

10. Robust Mitigation
One of the current challenges facing organisations today with engagement of the Cyber Threat is that they are applying the
conventional rules of yesterday to protect against the unconventional vectors of attack in 2015 and onward. In this area
multiples of successful Cyber Attacks and Incursions have been identified as a major component in the compromise.
To counter the threats we need to go beyond [and compliment] Penetration Testing and consider:
Identifying the unknown unknowns by applying multiple specialist applications, techniques, and streaming to support both
Proactive [before the event], and Reactive [where a Security Incident has occurred] to both defend and mitigate the exposure
of Corporate and Sensitive Assets.
Monitor for indications and threats through leverage of Cyber Intelligence to for purpose of Brand Protection – again by
applying a methodology of seeking out the unknown unknowns and turning them into Defensive Collateral.
Have an assured Computer Security Incident Response Team [CSIRT] First Responder Capability to engage Cyber Attacks, and
Security Breaches.
Assume you ARE Compromised/Hacked – You know it makes sense 

11. We Need ‘Minority Reporting’
Effective Cyber Intelligence capabilities which must
try to emulate a style of Minority Reporting

12. The Approach
DarkWeb applies the same rules as would a potential attacker and run multiples bespoke tools, applications, and Cyber
Intelligence Methodologies to identify what we refer to as OoII [Objects of Intelligence Interest].

13. Exploit the DarkWeb
The DarkWeb can be leveraged to for purpose of Cyber Monitoring Capabilities to enable users to understand the most
current threats before they go public.
25/03/15

14. Be Offensive – Have Bad Thoughts
The New Age of Unconventional Cyber Threats do dictate that we view security from an obtuse perspective of the Offensive:
SECURITY
Have Bad Thoughts – Think like Bad People – Apply Their Rules NOT Yours – Throw Convention to the WIND

15. i + e + v = c