Full Report
RSA is always a good opportunity to reconnect with industry friends, and 2025 was no exception. Beneath the marketing avalanche of AI-enabled everything, one theme stuck out in conversations with CISOs and defensive leaders: the mounting time and energy spent on cyber audits, reporting, and remediation.

These Enterprise Risk Management (ERM) and Governance, Risk, and Compliance (GRC) efforts are especially demanding in regulated industries. But with mandates like NIS2 and DORA taking effect in Europe, and domestic frameworks like SOX, SOC 2, and CMMC still in play, security leaders are spending more time with audit committees than ever before.

Compliance Theater: Starring the Risk Register

In enterprises, defensive resource allocations are often adjudicated by committees and measured by audit progress and the almighty risk register. This means most of the attention (and budget) aligns with avoiding one specific risk impact: legal or compliance failure (LCF). It's no surprise that CISOs are often left with a single 15-minute slot each year to brief the board on the other four cyber risk impacts. That's a missed opportunity.

[Image: board presentation produced by ChatGPT 4o.]

Boards need to better understand cyber risk beyond compliance. The state of rizz (resilience) depends on more than audit checklists. Point-in-time audits work well for demonstrating regulatory due diligence: if something goes wrong but the virtual paperwork shows that policies were followed and corrections made, enforcement actions can often be minimized or avoided.

That's not true for the other four risk impacts: operational disruption, financial fraud, brand impairment, and competitive disadvantage. Even after clean audits, residual risk across these domains remains. Boards need to grasp this difference, and CISOs must keep translating technical risk into business language that supports resilience conversations.

Measuring Rizz: Easier Said Than Sustained

Communicating rizz is momentary. Measuring it is constant.
Organizations spend heavily to prevent all five impacts, but security investments tied to the non-compliance impacts often receive less scrutiny of their return on security investment (ROSI). That's where control validation comes in.

[Image: Sankey diagram depicting threat categories leading to multiple possible risk impacts. Code produced with ChatGPT o3 and Claude 3.7 Sonnet.]

Looking ahead (meaning, likely six months from now), AI agents will monitor and challenge other AI agents in continuous loops of control testing and remediation, especially as adversary TTPs evolve daily.

The Automation Angle: Purple Teams and Silver Bullets

Until then, automation in purple teaming, breach and attack simulation (BAS), and exposure validation is the best way to scale defenses without burning out staff. A growing number of vendors (like Picus) offer automated testing platforms with user-friendly workflows. These platforms aren't silver bullets, but they help CISOs tell a better executive story.

[Image: a silver bullet produced by ChatGPT 4o.]

Consider Business Email Compromise (BEC). GRC will enforce controls like phishing simulations and financial separation of duties to satisfy the requirements that keep LCF (legal or compliance failure) at bay. But if the CISO is also emulating attacks and testing the actual tech stack (email gateways, MFA, IAM policies), the story becomes richer. It shows intentional, tested resilience against financial fraud risk, not just paper compliance. It's far more compelling than: "We have an EDR, as prescribed in our compliance framework."

Real Rizz Moves: How Live Threat Emulation Beats Paper Promises

To make this real, draw from live TTPs observed in the wild.
For example, within the past 90 days (as of May 14, 2025), Recorded Future's AI Insights flagged dozens of events that could be used as fuel for BAS automation:

* GitHub user winsecurity published AMSI-Bypass-HWBP, a lightweight debugger tool in Rust designed to evade Windows Antimalware Scan Interface (AMSI) detection.
* ANY.RUN detailed a new information stealer called Zhong Stealer that targets the cryptocurrency and fintech sectors through social engineering tactics involving chat support systems.
* @siri_urz shared a sample of DieStealer, indicating its credential access and spyware capabilities.
* Reports from Hunt.io indicated an intrusion campaign targeting South Korean organizations using Cobalt Strike Cat, a modified Cobalt Strike build, for exploitation.
* Kalman reported on a privilege escalation technique in GCP using IAM Conditions linked to tagBindings.
* Check Point Research detailed a spearphishing campaign by APT29 utilizing GRAPELOADER malware against European diplomatic entities.
* Insikt Group noted scanning activity for CVE-2021-42013 with overlaps found from Alibaba Cloud ISPs.
* Quarkslab reported on CVE-2025-24200, an authorization bypass vulnerability in iOS and iPadOS that allowed an attacker with physical access to disable USB Restricted Mode before Apple patched it.
* Trend Micro highlighted EncryptHub's reliance on the MSC EvilTwin loader exploiting CVE-2025-26633 as part of its custom malware arsenal.
* IBM X-Force detailed a fileless lateral movement technique exploiting COM objects on Windows systems.
* @tangent65536 shared Mimikatz binaries signed with legitimate certificates online.
* Cato Networks reported the Ballista IoT botnet targeting TP-Link routers.
* Coral Jasmine presented the LethalVoid RAT, which exfiltrates data via Discord webhooks and FTP.
* ThreatFabric identified the Crocodilus Android banking trojan targeting financial institutions.
* Microsoft's Threat Intelligence Center documented Storm-2460's use of PipeMagic malware to exploit CVE-2025-29824 in ransomware operations.
* Morphisec Labs exposed new delivery techniques for ValleyRAT through phishing tactics.

Risk Registers Win Audits. Rizz Wins Crises.

If the board only sees traffic-light audit checkmarks, they're missing the real color of cyber risk. That's why rizz narratives must move beyond compliance into control validation and business risk translation, before the next threat does it for you.

[Image: the rizz game show produced by ChatGPT 4o.]
Analysis Summary
# Best Practices: Bridging Cyber Compliance, Risk Management, and Operational Resilience (Rizz)
## Overview
These practices address the common industry challenge where cybersecurity resource allocation and board reporting are overly focused on satisfying compliance mandates (avoiding Legal/Compliance Failure - LCF) at the expense of validating true operational resilience ("Rizz") against other critical risk impacts (operational disruption, fraud, brand impairment, competitive disadvantage). The goal is to shift focus from point-in-time compliance checks to continuous, threat-driven control validation.
## Key Recommendations
### Immediate Actions (Next 30 Days)
1. **Review Risk Register Prioritization:** Immediately evaluate how many current high-priority risks documented in the risk register strictly map to compliance requirements versus those mapping to operational disruption, fraud, or brand impairment.
2. **Isolate Compliance vs. Resilience Metrics:** Begin separating audit pass/fail metrics from operational resilience metrics in internal reporting to clearly illuminate residual risk areas not covered by standard compliance checks.
3. **Adopt Threat Intelligence Mapping:** Selectively map the five most recent, relevant, real-world threat actor Tactics, Techniques, and Procedures (TTPs—e.g., those noted in automated threat intelligence feeds) directly against existing control implementation status.
### Short-term Improvements (1-3 months)
1. **Implement Automated Control Validation:** Integrate Breach and Attack Simulation (BAS) or exposure validation tools to move beyond manual or scheduled checks for critical controls (e.g., MFA effectiveness, EDR deployment, email gateway efficacy).
2. **Develop a Business Risk Translation Glossary:** For the next board presentation, define and translate technical security risks into the four non-compliance impact categories (Operational, Financial Fraud, Brand, Competitive Disadvantage) to facilitate informed executive discussion.
3. **Pilot Purple Team Exercises Focusing on BEC:** Conduct a targeted, automated purple team exercise focused specifically on Business Email Compromise (BEC) resilience, testing phishing simulations in conjunction with IAM policies and financial separation controls, rather than just adherence to phishing simulation schedules.
### Long-term Strategy (3+ months)
1. **Integrate AI/Automation for Continuous Testing:** Plan for the transition to advanced continuous loops of control testing and remediation challenge, utilizing evolving AI agents (or vendor tools) to monitor and test defense effectiveness against rapidly evolving adversary TTPs.
2. **Mandate Resilience-Focused Board Briefings:** Restructure regular board/executive security updates to dedicate substantial time (e.g., at least 50%) to demonstrated resilience ("Rizz") performance, using validated control testing results rather than only audit status.
3. **Establish TTP-Driven Defense Roadmaps:** Formalize a process where observed threat intelligence (e.g., new malware strains, zero-day exploits, or lateral movement techniques) directly feeds and prioritizes the backlog for security improvements, so that defenses are driven by live adversary behavior and not only by framework requirements.
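The mapping called for in Immediate Action 3 and Long-term Strategy 3 (intel item to technique to control to validation status) fits in a small script better than in a spreadsheet. The following is an added example, not code from the report or from any vendor it names. The ATT&CK technique IDs and risk-impact assignments attached to the listed intel items are this example's assumptions, and the control inventory with its validation results is constructed sample data. The point it makes is the one the report argues: a control that is implemented (what the audit sees) is a different state from a control that has been validated against a technique (what a BAS run shows), and only the second one reduces residual risk in the four non-compliance impacts.

```python
"""Join recent threat-intel items to ATT&CK techniques and to the controls that
claim to cover them, then report where coverage exists only on paper."""
from dataclasses import dataclass, field

IMPACTS = ("legal_compliance", "operational_disruption", "financial_fraud",
           "brand_impairment", "competitive_disadvantage")

# Worst-first order used to sort the remediation backlog.
STATE_RANK = {"gap": 0, "failed": 1, "paper": 2, "validated": 3}


@dataclass
class Threat:
    source: str             # the intel item as it appeared in the feed
    techniques: frozenset   # ATT&CK technique IDs (assumed mapping for this example)
    impacts: frozenset      # which of the five risk impacts the item threatens


@dataclass
class Control:
    name: str
    techniques: frozenset                             # techniques the control claims to cover
    implemented: bool                                 # what the audit evidence says
    validation: dict = field(default_factory=dict)    # technique -> "pass"/"fail" from the last BAS run


def coverage(threats, controls):
    """Map every technique seen in the intel to one of four states:
    validated (a BAS test against it passed), failed (tested, control did not hold),
    paper (a control is implemented but was never tested against this technique),
    gap (no implemented control claims the technique)."""
    states = {}
    for tech in sorted({t for th in threats for t in th.techniques}):
        relevant = [c for c in controls if tech in c.techniques and c.implemented]
        results = {c.validation.get(tech) for c in relevant}
        if "pass" in results:
            states[tech] = "validated"
        elif "fail" in results:
            states[tech] = "failed"
        elif relevant:
            states[tech] = "paper"
        else:
            states[tech] = "gap"
    return states


def residual_by_impact(threats, controls):
    """Per risk impact, the techniques that are not validated: the residual risk
    a clean audit does not show."""
    states = coverage(threats, controls)
    residual = {impact: set() for impact in IMPACTS}
    for th in threats:
        for impact in th.impacts:
            residual[impact] |= {t for t in th.techniques if states[t] != "validated"}
    return residual


def backlog(threats, controls):
    """Test/remediation backlog, worst state first, each entry tied to the intel
    items that motivate it so the board story stays anchored to real TTPs."""
    states = coverage(threats, controls)
    rows = []
    for tech, state in states.items():
        if state == "validated":
            continue
        sources = sorted(th.source for th in threats if tech in th.techniques)
        rows.append((STATE_RANK[state], tech, state, sources))
    return [(tech, state, sources) for _, tech, state, sources in sorted(rows)]


# Constructed sample data. The intel items are those listed in the report; the
# technique IDs and impact assignments are this example's assumptions.
THREATS = [
    Threat("AMSI-Bypass-HWBP (GitHub, winsecurity)", frozenset({"T1562.001"}),
           frozenset({"operational_disruption", "brand_impairment"})),
    Threat("Zhong Stealer (ANY.RUN)", frozenset({"T1566.001", "T1555"}),
           frozenset({"financial_fraud", "brand_impairment"})),
    Threat("APT29 GRAPELOADER spearphishing (Check Point)", frozenset({"T1566.001"}),
           frozenset({"competitive_disadvantage", "brand_impairment"})),
    Threat("COM-object lateral movement (IBM X-Force)", frozenset({"T1021.003"}),
           frozenset({"operational_disruption"})),
    Threat("GCP IAM Conditions / tagBindings privesc (Kalman)", frozenset({"T1098.003"}),
           frozenset({"operational_disruption", "financial_fraud"})),
]

CONTROLS = [
    Control("Secure email gateway", frozenset({"T1566.001"}), True, {"T1566.001": "pass"}),
    Control("Phishing awareness program", frozenset({"T1566.001"}), True),
    Control("EDR with AMSI/script telemetry", frozenset({"T1562.001", "T1555"}), True,
            {"T1562.001": "fail"}),
    Control("DCOM hardening / host firewall", frozenset({"T1021.003"}), True),
]

if __name__ == "__main__":
    for impact, techs in residual_by_impact(THREATS, CONTROLS).items():
        print(f"{impact:<25} unvalidated: {sorted(techs) or 'none'}")
    for tech, state, sources in backlog(THREATS, CONTROLS):
        print(f"{state:<9} {tech:<10} <- {'; '.join(sources)}")
```

In the sample data the email gateway is the only control that has actually been exercised, so phishing-borne items show as validated, while the EDR is in the "failed" state for the AMSI bypass and the "paper" state for credential theft: it is implemented, which is all the audit asks, but nobody has run a stealer-style test against it. Replace the constructed inventory with your BAS export and the per-impact counts become the residual-risk slide the report says boards are not getting.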
## Implementation Guidance
### For Small Organizations
* **Focus on Foundational BAS:** Prioritize a user-friendly BAS platform that can immediately test core defenses like MFA bypasses and endpoint detection coverage, and link the results to the non-compliance risk impacts (fraud, disruption) rather than only to LCF risk reduction.
* **Leverage Open Source for TTPs:** Dedicate a small percentage of staff time to tracking widely published indicators (like the GitHub tools or malware reports mentioned) and manually simulating simple control effectiveness checks against those specific threats.
### For Medium Organizations
* **Vendor Selection for Automation:** Initiate the procurement and rollout process for automated testing vendors that offer streamlined workflows to scale control validation across the environment without significant staff burnout.
* **Cross-Departmental Resilience Workshops:** Facilitate workshops involving IT, Finance, and Operations to collaboratively review testing outcomes (especially fraud and disruption scenarios) to ensure resilience planning spans organizational silos.
### For Large Enterprises
* **Establish Continuous Cyber Resilience Officer Role:** Designate a specific role or dedicated function responsible for translating granular technical control validation results into executive-level narratives focused on the five risk categories.
* **Formalize Threat Emulation Pipeline:** Build out a mature automation pipeline where threat intelligence feeds (e.g., Recorded Future, vendor feeds) automatically inject validated TTP-based attack scenarios into the BAS/Purple Team testing engine daily or weekly.
* **Governance Integration:** Integrate tested resilience metrics directly into the formal Enterprise Risk Management (ERM) process, ensuring budget allocations reflect true residual risk rather than solely compliance gaps.
## Configuration Examples
While direct code is not provided, the concept mandates configuring testing tools to simulate specific, active threats:
* **Targeted Simulation Example (BEC Resilience):** Configure the BAS platform to attempt a financial transaction request post-phishing simulation, validating that the existing **financial separation of duties control** correctly stops the action, *not just* logging the initial click.
* **Targeted Simulation Example (Endpoint Security):** Configure the BAS platform to execute payloads utilizing known evasive techniques like **AMSI-Bypass-HWBP** or the mechanisms used by **Zhong Stealer** to confirm that the EDR stack provides detections and blockages beyond signature-based checks.
* **Targeted Simulation Example (Cloud Privilege):** Configure testing scripts to attempt to leverage misconfigured **GCP IAM Conditions linked to tagBindings** to validate least privilege enforcement in cloud environments.
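For the cloud privilege example, the check a practitioner actually wants first is a static screen of the project's IAM policy, not an attempt at the escalation in production. The script below is an added example, not from the report or from the referenced research. It assumes the escalation pattern is: a principal receives an elevated role through an IAM Condition that tests for a resource tag (`resource.matchTag` / `resource.hasTagKey`), and the same principal also holds a role containing `resourcemanager.tagValueBindings.create`, so they can attach the qualifying tag to a resource themselves. The set of predefined roles assumed to carry that permission, the sample policy and the custom role are constructed; a hit is a candidate to confirm by hand (the principal also needs binding rights on the specific tag value and target resource), not a proven escalation path.

```python
"""Screen a GCP project IAM policy for principals who can satisfy their own
tag-gated IAM Condition by attaching the tag themselves."""
import json
import re

# CEL functions in GCP IAM Conditions that make a grant depend on a resource tag.
TAG_CONDITION_RE = re.compile(r"resource\.(matchTag|matchTagId|hasTagKey|hasTagKeyId)\(")

# Permission needed to attach a tag value to a resource. Which predefined roles
# carry it is assumed here for the example; confirm against your role definitions.
TAG_BIND_PERMISSION = "resourcemanager.tagValueBindings.create"
PREDEFINED_ROLES_WITH_TAG_BIND = {"roles/owner", "roles/resourcemanager.tagUser"}


def roles_with_tag_bind(custom_roles=None):
    """Predefined roles assumed to carry the tag-binding permission, plus any
    custom role (name -> list of permissions) that includes it."""
    roles = set(PREDEFINED_ROLES_WITH_TAG_BIND)
    for name, perms in (custom_roles or {}).items():
        if TAG_BIND_PERMISSION in perms:
            roles.add(name)
    return roles


def find_tag_escalation_paths(policy, custom_roles=None):
    """Return (member, gated_role, expression, tag_role) for every principal who
    (a) receives gated_role only when a tag is present on the resource and
    (b) also holds tag_role, which lets them attach tags themselves."""
    bind_roles = roles_with_tag_bind(custom_roles)
    can_bind = {}    # member -> roles granting tag binding (conditional or not)
    tag_gated = []   # (member, role, expression) grants that hinge on a tag
    for binding in policy.get("bindings", []):
        role = binding["role"]
        expr = (binding.get("condition") or {}).get("expression", "")
        for member in binding.get("members", []):
            if role in bind_roles:
                can_bind.setdefault(member, set()).add(role)
            if TAG_CONDITION_RE.search(expr):
                tag_gated.append((member, role, expr))
    findings = []
    for member, role, expr in tag_gated:
        for tag_role in sorted(can_bind.get(member, ())):
            findings.append((member, role, expr, tag_role))
    return findings


# Constructed sample policy in the shape returned by `gcloud projects get-iam-policy --format=json`.
# dev@ and the CI service account can both attach tags and both get compute.admin
# when the 'env=dev' tag is present; the SRE group only has the gated grant.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/resourcemanager.tagUser", "members": ["user:dev@example.com"]},
        {"role": "roles/compute.admin",
         "members": ["user:dev@example.com", "group:sre@example.com",
                     "serviceAccount:ci@demo.iam.gserviceaccount.com"],
         "condition": {"title": "dev-only",
                       "expression": "resource.matchTag('123456789012/env', 'dev')"}},
        {"role": "roles/viewer", "members": ["group:sre@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["user:dev@example.com"],
         "condition": {"title": "business-hours",
                       "expression": "request.time.getHours('Europe/Berlin') >= 8"}},
        {"role": "projects/demo/roles/tagger",
         "members": ["serviceAccount:ci@demo.iam.gserviceaccount.com"]},
    ],
}
# Constructed custom role definition (name -> includedPermissions).
CUSTOM_ROLES = {"projects/demo/roles/tagger": ["resourcemanager.tagValueBindings.create"]}

if __name__ == "__main__":
    import sys
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for member, role, expr, tag_role in find_tag_escalation_paths(policy, CUSTOM_ROLES):
        print(f"{member} gets {role} when [{expr}] and can attach tags via {tag_role}")
```

The remediation the screen points at is separation of duties in the cloud: whoever can attach the tag a condition depends on should not be a beneficiary of that condition, so move tag-binding rights to a dedicated principal or key the condition on a tag the grantee cannot bind. The time-based condition on the storage grant is deliberately not flagged, since it does not depend on anything the principal controls.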
## Compliance Alignment
* **NIST Cybersecurity Framework (CSF):** Focus aligns heavily with **Identify (Risk Management)** and **Protect (Protective Measures)** through continuous validation, moving beyond simple documentation to functional security.
* **ISO 27001/27002:** Directly supports controls related to operational resilience and measuring the effectiveness of security controls (Annex A testing).
* **CMMC (if applicable):** CMMC assessments check that each practice is implemented and evidenced (Level 2 is assessed against NIST SP 800-171 using the SP 800-171A assessment objectives). Continuously validating controls against observed TTPs produces that evidence as a by-product, rather than assembling it once per assessment cycle.
* **NIS2/DORA (if applicable):** Directly addresses the requirements for demonstrating **Digital Operational Resilience** through validated testing and incident response preparedness, not just policy adherence.
## Common Pitfalls to Avoid
* **The Paper Audit Trap:** Believing that passing a point-in-time compliance audit guarantees protection against real-world attacks. Audits demonstrate due diligence, not necessarily resilience.
* **Reporting "Checklist Confidence":** Presenting board updates solely through standardized GRC reports (e.g., "X% of systems patched") without linking these activities to specific threat scenarios or operational impact reduction.
* **Ignoring Real-World TTPs:** Relying solely on framework-prescribed testing (e.g., only running standard phishing tests) while ignoring active, emergent threats observed in industry reports (like Cobalt Strike Cat modifications or new privilege escalations).
* **Treating Automation as a Silver Bullet:** Implementing BAS/Automation without critically analyzing the test results and translating them into actionable remediation plans that address the *root cause* of control failure.
## Resources
* **Threat Intelligence Feeds:** Utilization of platforms providing real-time, actionable adversary TTPs (e.g., Recorded Future, industry-specific ISAC/ISA feeds).
* **Breach & Attack Simulation (BAS) Vendors:** Tools offering automated validation platforms allowing iterative testing against known TTPs (mention of specific vendors like Picus highlights the category).
* **Public Threat Intelligence Sharing:** Actively monitoring reputable security researchers and community shares (e.g., GitHub users, ANY.RUN reports, vendor research blogs) for immediate TTP incorporation into testing.