Blog

Security guides, compliance best practices, and technical insights

Featured Insights

🤖 Leveraging AI for Threat Hunting: Lessons from ThreatGuard

Published: January 2025 | Category: AI/ML Security

Building ThreatGuard, a custom GPT for analyzing DShield honeypot data, revealed powerful insights about AI-assisted security operations. Here is what our team learned about combining human expertise with AI capabilities for effective threat hunting.

Key Takeaways:

  • AI excels at pattern recognition across large datasets but requires human context for accurate threat assessment
  • Structured output templates (like Attack Observation Template v3.0) dramatically improve AI consistency
  • Integration with SIEM platforms enables real-time threat correlation and enrichment
  • Local LLM deployment is viable for sensitive environments with proper GPU acceleration
  • Model Context Protocol (MCP) enables standardized AI-to-tool integration

Try ThreatGuard GPT →

🔐 IRS Security Six: Mandatory Controls for Tax Professionals in 2025

Published: December 2024 | Category: Compliance

The IRS Security Six are mandatory cybersecurity requirements outlined in IRS Publication 4557 that all tax professionals must implement to protect taxpayer data. These six controls form the baseline security standards for legally handling tax information.

The IRS Security Six (Mandatory):

  1. Antivirus Software: Deploy and maintain current antivirus/anti-malware on all systems
  2. Firewalls: Enable firewalls on all devices and networks
  3. Multi-Factor Authentication (MFA): Require MFA for all tax software, email, and remote access
  4. Backup Services: Implement automated backups with offsite/cloud storage
  5. Drive Encryption: Enable full-disk encryption on all computers and mobile devices
  6. Virtual Private Network (VPN): Use a VPN for all remote access and public Wi-Fi

Beyond the Security Six - Written Information Security Plan (WISP):

  • Document your security policies and procedures
  • Risk assessment: Identify threats to taxpayer data
  • Access controls: Principle of least privilege
  • Employee training: Annual security awareness training
  • Incident response: Data breach notification procedures
  • Vendor management: Third-party security requirements
  • Annual review: Update plan yearly

Common Mistakes to Avoid:

  • ❌ Storing unencrypted tax returns on local drives or email
  • ❌ Not implementing all six mandatory controls
  • ❌ Sharing passwords or using weak authentication
  • ❌ Failing to document a security plan (WISP)
  • ❌ Not testing backups regularly
  • ❌ Using public Wi-Fi without VPN
  • ❌ Not vetting cloud service providers for security compliance

Who Must Comply:

  • CPA firms and accounting practices
  • Tax preparation services
  • Enrolled agents
  • Tax attorneys
  • Payroll service providers
  • Anyone with access to taxpayer information

IRS Security Six Implementation Services →

🏦 FTC Safeguards Rule: What Financial Institutions Need to Know

Published: January 2025 | Category: Compliance

The FTC Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to develop, implement, and maintain a comprehensive Written Information Security Plan (WISP). Here is what you need to know.

Who Must Comply:

  • Financial advisors and investment firms
  • Mortgage brokers and lenders
  • Auto dealers offering financing
  • Payday lenders
  • Tax preparation services (also covered by IRS 4557)
  • Credit counseling services
  • Any business significantly engaged in financial activities

Key Requirements:

  • Qualified Individual: Designate someone to oversee the security program
  • Written Information Security Plan (WISP): Comprehensive documentation
  • Risk Assessment: Identify and assess risks to customer information
  • Access Controls: Limit access to customer information
  • Multi-Factor Authentication: Required for all access to customer information
  • Encryption: Protect customer information at rest and in transit
  • Incident Response Plan: Procedures for security events
  • Vendor Management: Oversee service providers
  • Annual Testing: Penetration testing and vulnerability assessments
  • Security Awareness Training: Regular employee training
  • Board Reporting: Annual report to board or senior management

Penalties for Non-Compliance:

  • Civil penalties up to $46,517 per violation
  • Potential criminal penalties for willful violations
  • Reputational damage and loss of customer trust
  • Increased regulatory scrutiny

FTC Safeguards Rule Compliance Services →

☁️ Cloud Security Automation: Beyond Manual Configuration Reviews

Published: November 2024 | Category: Cloud Security

Manual cloud security reviews do not scale. Here is how to implement automated security controls and compliance monitoring in AWS and Azure using infrastructure-as-code and policy-as-code approaches.

Automation Strategies:

  • Infrastructure-as-Code Security: Scan Terraform/CloudFormation for misconfigurations before deployment
  • Policy-as-Code: Use AWS Config Rules, Azure Policy, or OPA for continuous compliance
  • Automated Remediation: Lambda/Azure Functions to auto-fix common security issues
  • Security Baselines: CIS Benchmarks automated with AWS Security Hub or Azure Security Center
  • Cost Optimization: Security automation often reduces cloud costs by 15-30%

Tools & Frameworks:

  • Checkov, tfsec, Terrascan for IaC scanning
  • AWS Config, Azure Policy for runtime compliance
  • ScoutSuite, Prowler for multi-cloud security assessment
  • Open Policy Agent (OPA) for custom policy enforcement

🚨 Incident Response: The First 60 Minutes Matter Most

Published: October 2024 | Category: Incident Response

Based on real-world incident response engagements, here is what to do in the critical first hour of a security incident to minimize damage and preserve evidence.

The First 60 Minutes Checklist:

  • 0-10 min: Activate incident response team, establish communication channel
  • 10-20 min: Initial triage - identify affected systems, scope of compromise
  • 20-30 min: Containment decisions - isolate vs. monitor, preserve evidence
  • 30-45 min: Evidence collection - memory dumps, disk images, network captures
  • 45-60 min: Stakeholder notification - legal, insurance, management

Critical Mistakes to Avoid:

  • ❌ Shutting down systems before collecting volatile memory
  • ❌ Alerting attackers by changing passwords or blocking IPs prematurely
  • ❌ Failing to preserve logs and evidence
  • ❌ Not engaging legal counsel early (especially for ransomware)

Incident Response Services →

🔍 SIEM Detection Engineering: Writing Rules That Actually Work

Published: September 2024 | Category: Threat Detection

From our team's experience with the SANS Internet Storm Center and enterprise SIEM deployments, here is how to write detection rules that catch real threats without drowning your SOC in false positives.

Detection Rule Best Practices:

  • Start with MITRE ATT&CK: Map detections to specific tactics and techniques
  • Tune for Your Environment: Generic rules generate noise - customize for your baseline
  • Use Threat Intelligence: Enrich with IOCs from trusted sources
  • Test Before Deploying: Run rules against historical data to measure false positive rate
  • Document Everything: Future you will thank present you

Common Detection Gaps:

  • Living-off-the-land techniques (PowerShell, WMI, legitimate admin tools)
  • Cloud API abuse (AWS/Azure credential misuse)
  • Lateral movement via legitimate protocols (RDP, SMB, WinRM)
  • Data exfiltration via approved channels (cloud storage, email)

SIEM Monitoring Services →

Threat Intelligence Resources

🛡️ SANS Internet Storm Center

Members of the Socket23 team have served as Apprentice Threat Handlers, contributing to the SANS ISC mission of providing free cybersecurity threat analysis to the community.

Visit SANS ISC →

🎯 ThreatGuard Custom GPT

My custom GPT for threat hunting analyzes DShield honeypot data and generates detailed threat reports following standardized templates.

Try ThreatGuard →

📊 MITRE ATT&CK Framework

Essential resource for threat modeling, detection engineering, and understanding adversary tactics and techniques.

Explore ATT&CK →

🔐 NIST Cybersecurity Framework

Comprehensive framework for managing cybersecurity risk, widely adopted across industries and compliance standards.

NIST CSF →

Stay Updated

Interested in discussing threat intelligence, security challenges, or emerging technologies? Let us connect.