Co-founder & CTO

Chris Horsley

Chris Horsley has a long background in the international CSIRT community, with over seven years of experience working in national CSIRTs, almost five years of experience consulting to CSIRTs, and five years experience as a software developer and sysadmin prior to that.

Chris Horsley

Posts by

Chris Horsley
Browse all posts
Podcast

Episode #008: Getting Started with Cyber Threat Intelligence (CTI) with Chris Horsley

Can one analyst with zero budget start a Cyber Threat Intelligence (CTI) program?Yes! In fact, you may already have started a small threat intelligence program without even realising it.In this interview with Cosive CTO and renowned CTI expert Chris Horsley we delve into the following questions on how analysts and teams can start a threat intelligence practice with limited resources.

Engineering

My Washing Machine Refreshed My Thinking on Software Effort Estimation

I recently had a saga with a washing machine that reminded me why one of the most feared and hated tasks for software developers starts with the question: “So how long will it take you to build that?”

Security Operations

SOC Maturity Assessment in Australia: Our Approach

Day-to-day firefighting in SOCs (Security Operations Centres) can make it hard to see the bigger picture. A steady drum-beat of alerts and incidents can blur your focus. That’s why it’s so important to step back, breathe, and look at the current state of your SOC with a fresh set of eyes.Whether it's via an internal SOC maturity assessment with a popular model like SIM3, or an external consultant with deep SOC expertise, a new perspective can help uncover blind spots you might have missed in the rush to keep on top of the day-to-day demands of security operations.

Threat Intelligence

Using the CTI-CMM Model to Evaluate Threat Intel Program Maturity

It’s okay to admit that you don’t know exactly what CTI means. Of course, you know it stands for Cyber Threat Intelligence, and you might have a general sense it has something to do with staying on top of threats. How, though, do you actually build a successful CTI program in an organisation? What activities should it perform? What should it produce? For who?

Threat Intelligence

Using MISP Bookmarks with Workflows for Team Coordination

Have you tried the Bookmarks feature in MISP yet? It’s much more powerful than you might think. Bookmarks are incredibly useful because within a team, we need to know what to take action on from all the new MISP events that come in over the last 24 hours. MISP bookmarks give us a way to save searches that help us isolate the signal from the noise. Paired with the Workflow features, they give us some powerful options to get our team on the same page.

Threat Intelligence

Visualising APT threat actor and tool commonalities

How can we visualise intel about tool use between threat actors using a vis.js network visualisation? Let's add a circular twist.

Company News

Announcing Leadership Changes at Cosive: Farewell to Kayne Naughton and Welcome Scott Ceely

We wanted to take a moment today to update our community of past and present customers, as well as our professional and personal networks, of recent changes to the Cosive board.

Threat Intelligence

The Opportunity Cost of Self-hosting MISP

A term with origins in macroeconomics, opportunity cost is the hidden cost of choosing one course of action over another, when both cannot be chosen at the same time. Opportunity costs are not always financial. For example, the opportunity cost of playing video games instead of going for a hike are the benefits you’d have likely gained from hiking, such as improved fitness and mental health. Security teams also incur opportunity costs whenever they pick one way to spend their time and resources over another. The opportunity cost of self-hosting and maintaining MISP is the additional time and brainpower teams could have otherwise spent gathering and leveraging usable threat intelligence and enhancing their organisation’s security posture.

Malware Analysis

The Rise in Unique Malware & How to Defend Against It

While commodity malware is designed for general use against a broad range of targets, unique malware is designed for specific, targeted attacks against an organisation, facility, or individual. Unfortunately, the use of unique malware appears to be on the rise, with the latest BlackBerry Quarterly Global Threat Intelligence Report white paper showing a 70% increase in unique malware samples associated with attacks against BlackBerry Cybersecurity customers. In this article, we’ll explore the threat of unique malware, steps organisations are taking to fight it with the help of tools like Cosive’s MalwareZoo, which is purpose-built to privately store and analyse sensitive, targeted malware.

Engineering

Just How Big Does MISP Data Get, Anyway? We Ran the Numbers

Here at Cosive, we’ve both used and written a fair number of integrations and transformers for MISP events and data. A classic problem is MISP data processing scripts which end up falling over or taking forever to run because they didn’t necessarily expect as much data as they ended up receiving. How robust do our MISP data processing scripts and pipelines need to be to handle the extremes of MISP data volumes?

Company News

Cosive Partners With Feedly for Threat Intelligence

Cosive has partnered with Feedly! In this post, we’ll talk about how Feedly for Threat Intelligence helps cyber threat intel (CTI) teams collect, prioritise, and share threat intelligence into their tools and why we like it so much here at Cosive as CTI specialists.

Threat Intelligence

Seven Great New MISP Features You May Have Missed

MISP has such a cracking pace of development that you may have missed some of its more interesting features of late. Let’s go through some of our favourite additions that you might want to consider using.

Podcast

Episode #004: How ChatGPT Could Transform the CTI Analyst Role with Chris Horsley

Cosive CTO Chris Horsley conducted early experiments using ChatGPT to help assign ATT&CK IDs to threat intelligence reports. While the tool won’t replace an experienced analyst as of today, it will likely change the way we do this kind of work.

Podcast

Episode #002: Building Production-worthy Software in SecOps Teams with Chris Horsley, CTO at Cosive

Before jointly founding Cosive with Kayne Naughton and Terry MacDonald, Chris Horsley (Cosive’s CTO) spent many years working in national CSIRTs in both Australia and Japan, as well as doing freelance secure software development for operations teams. In this interview Chris talks about the challenges of building software and writing critical automation scripts in SecOps teams.

Threat Intelligence

Establishing a Threat Intel Program: Principles for Security Leaders

One of the more frequent conversations we have with security leaders is how to establish a new threat intelligence program in their organisation. In these conversations there are a few basic principles that we cover because they’re applicable to almost everyone. We’re sharing these principles publicly so that more organisations can learn about our threat intel philosophy and avoid the most common mistakes that can lead to failed programs.

Threat Intelligence

How ChatGPT Could Transform the CTI Analyst Role

The interview in this post is taken from Episode 004 of the Cosive Podcast, where Cosive CTO Chris Horsley sat down with Tash Postolovski to talk about the implications for AI tools like ChatGPT on the future of the CTI Analyst role.

Threat Intelligence

7 MISP Best Practices: Lessons from Effective Threat Intel Teams

MISP is a powerful open source threat intelligence and sharing platform used by countless SOC teams around the world. Getting a barebones MISP instance up and running is well within the skill-set of most SOC teams. Download MISP, run it on a VM, and log in to the MISP admin console using default credentials… all within about 10 minutes. That part is easy. Now for the hard part: how do you get from a barebones MISP install to actually using MISP to solve real-world cybersecurity problems? Making that leap can be much more complex and challenging than it may seem on the surface.

Threat Intelligence

ATT&CKing with OpenAI’s ChatGPT

We try out some exciting early experiments using ChatGPT for helping us assign ATT&CK IDs to threat intelligence reports. While it’s not going to replace an experienced analyst as of today, it will likely change the way we do this kind of work.

Security Operations

Building Production-worthy Software in SecOps Teams: An Impossible Challenge?

Before jointly founding Cosive with Kayne Naughton and Terry MacDonald, Chris Horsley (Cosive’s CTO) spent many years working in national CSIRTs in both Australia and Japan, as well as doing freelance secure software development for operations teams. In this interview Chris Horsley (CTO at Cosive) talks about the challenges of building software and doing development in SecOps teams.

Anti Phishing

Automating Anti Phishing Canary Credentials at Scale

In part 1 of our mini-series on canary credentials, we talked about what canary credentials are, why to use them, and how to use them well. It’s highly recommended to read part 1 first. So, let’s assume you’ve had some early success in manually using canary credentials in limited numbers - great! Now you’re looking to take your next steps. Arguably, the most powerful way to land a blow against phishing attackers and deter future attacks is using canary credentials at scale via automation. Here’s why.

Anti Phishing

How to Disrupt Phishing with Anti Phishing Canary Credentials

The traditional response to a phishing attack is to issue a take-down request and wait for the site to (possibly) be yanked offline. Take-downs, while necessary, just don’t hit phishers where it hurts - they still harvest plenty of stolen credentials while the site is up. In light of this, security teams are looking for new, more effective ways to fight back against phishers. Rather than be reactive, we want to disrupt phishers’ operations. A strategy rapidly gaining in popularity is the use of credential poisoning techniques, utilising what are referred to as ‘canary credentials’.

Company Culture

How to Communicate Remotely

Since our last post we've been inundated with requests asking for more details on how we work remotely at Cosive. For those who don't know us, we're a specialist IT security company that has been working completely remotely since 2015. And when I say we have been working remotely, I mean we don't have offices at all. We're fully online, with staff distributed across Australia and New Zealand.

Company Culture

Cosive’s Tips for Making a Happy and Productive Remote Team

As COVID-19 spreads globally, and employees are asked to work from home for the first time, we’ve seen many people looking for tips on managing a remote team. So, we decided to distill a few lessons we’ve learned at Cosive about how to make a cohesive remote team work well.