Scottish Cyber Awards 2017

The Scottish Cyber Awards are back!

The Scottish Cyber Awards are returning this November and it looks set to be another great night. Last year, the event was a fantastic celebration of the Cyber Security community in Scotland and we hope this year will be even more successful!


As an Information Security Consultancy operating in Scotland, the Scottish Cyber Awards are close to our hearts, as we strongly believe that there is a talented InfoSec community here. We were delighted to be part of this event, both by sponsoring an award and through our CEO, David Stubley, acting as a judge for the entries. David said:

It was difficult to pick winners in some categories because the level of competition was so high, but it is fantastic to help give the winners the recognition that they deserve.


Last year, we were thrilled to be awarded the ‘Cyber SME Defender of the Year’ award and this year we are looking forward to passing the baton on to our successor. As an SME ourselves, we know the important role that Cyber SMEs play, which is why we were delighted to sponsor this award and are looking forward to congratulating this year’s worthy winner.

The Scottish Cyber Awards are being held at the Sheraton Hotel, Edinburgh on the 22nd November 2017.

Fraud and Breach Prevention Summit

Fraud & Breach Prevention Summit: London (17th and 18th October)

7 Elements are proud to be a sponsor of this year’s Fraud & Breach Prevention Summit in London.

We believe this summit is important in bringing the topic of security breaches into the public consciousness. As an information security consultancy delivering incident response capability for our clients, we are well placed to see the rising numbers of breaches.

Breaches happen to all types of organisation, regardless of size or industry, and it is important to know how to deal with them effectively.

Our CEO, David Stubley, will be taking part in the following two panels and presenting on the topic of incident response:

  • ‘We’ve Been Breached: Now What? How to Effectively Work with Law Enforcement’
    15:20 on the 17th of October. The panel will discuss the importance of planning when it comes to incident response and working proactively with law enforcement.
  • ‘Equifax Breach: Long-term Implications. What Does It Mean for Europe?’
    16:05 on the 17th of October. The panel will discuss the long-term implications of the Equifax breach and the lessons that all organisations should learn from it.
  • In ‘Disaster Strikes: Here’s Your Incident Response Playbook’, David will discuss the five core principles all organisations should apply when responding to an incident. The talk will take place at 12:55 on the 18th of October.

Office Move and Expansion

The past few weeks have been a busy period for the team at 7 Elements. Behind the scenes, we have recently moved our Scotland office to the Oracle Campus in Linlithgow and extended our UK-wide coverage by establishing a 7E presence within London.


Our Scotland-based team will still be the primary point of contact for all engagements, and the new office details can be found here.

Our expansion into London is in partnership with Scottish Enterprise and the Scottish Government, with 7 Elements using the prestigious Scotland House as our London base. We are working on some exciting events that we will be hosting at Scotland House, so watch this space for future news and invitations.

Summer Newsletter 2017

Did you miss our latest newsletter? If so, you can get a copy here and don’t forget to sign up for future copies.

Phishing and Awareness

2017 has seen an increase in the uptake of our tailored phishing services, as organisations look to gain a deeper understanding of the threat posed.

Currently, the average exposure (the percentage of employees clicking phishing emails) is 42%, with outliers at 83%, and in many of our engagements we are able to entice end users to provide domain credentials.


This clearly shows a need for training and awareness, along with regular testing to measure the effectiveness of any interventions intended to improve how staff deal with phishing attempts.

As part of this holistic approach, 7 Elements are proud to announce that we are partnering with Advanced Engagement to deliver customised security awareness training, alongside real world phishing engagements to measure the effectiveness of such campaigns.

Advanced Engagement is a dedicated security awareness training company trusted by financial services organisations and professional bodies with the aim of positively influencing the security culture in your organisation.

If you would like to explore your organisation’s exposure to phishing, then please get in touch with our team to discuss how we can help.

7 Elements shortlisted for award

Government Places Importance on Cyber Essentials

Matt Hancock, the minister for Digital and Culture, made it clear today that the Government wishes Cyber Essentials Accreditation to become a priority for all businesses. This comes after 2016 was consistently plagued with high-profile attacks, ranging from Yahoo to the American Election. In a recent IoD Survey, it was found that whilst 95% of business leaders considered cyber security to be very/quite important to their business, 45% did not have a formal cyber security strategy in place.

Cyber Essentials is already a requirement for many Government suppliers and sub-contractors, such as in the healthcare and defence industries. However, Matt Hancock stated that the Government will be widening this Cyber Essentials criterion to include more suppliers than ever. Furthermore, a number of the UK’s biggest firms, such as Barclays, BT, Vodafone and Airbus Defence & Security, have agreed to promote Cyber Essentials accreditation to their suppliers.

7 Elements is the leading Scotland-based Cyber Essentials Certification Body. As an independent technical information assurance consultancy, we pride ourselves on being well placed to help your organisation through the process of gaining Cyber Essentials certification.

More information on Cyber Essentials can be found here, or just get in touch with the team.

Incident Response: Lessons from the Trenches

At 7 Elements, we successfully manage security incidents for our clients that cover a broad spectrum of threats. These range from highly capable advanced persistent threats through to opportunistic and untargeted attacks using commonly available exploit code. While all incidents are their own unique creations and the true nature of the incident only becomes clear during the course of the investigation, through my seventeen years of hands-on experience, I have identified four key lessons that will make the management of incidents easier and more effective.

In this blog, we will take a look at each lesson in turn.


The First Lesson. Prevention is better than cure.

There really is no excuse for being the third, fourth or even the 100th company breached using the same MO (modus operandi).

Groups conducting attacks, whether for financial gain or other motives, will frequently use the same methods of compromise. This is demonstrated in the recent attacks utilising SQL injection to compromise externally facing applications to expose sensitive data, and the on-going use of targeted phishing emails to gain access to corporate networks, amongst others. The use of similar methods by attackers means that organisations have an opportunity to identify attack approaches and vulnerabilities that could be applicable to them. Organisations should therefore look to use the experiences of others within their sector to enhance their own incident management procedures.

While the full details of an incident will not be publicly available, organisations can gain insight into the incidents of others through information sharing forums (for example the National Cyber Security Centre-led Information Sharing Partnership ‘CiSP’) and employees’ individual relationships with their counterparts in other organisations. It is likely that an organisation will be able to gain sufficient information to identify the vulnerabilities exploited by attackers and key attack vectors. Using the information available, an organisation can identify potential attack scenarios and whether they are likely to be breached as a result. Organisations can then take preventative steps to remediate exposure prior to real-life exploitation.


The Second Lesson. Not all incidents require a forensic approach.

Many people are conditioned to believe that any response to an incident automatically requires a forensic-led response. However, organisations need to remember that as long as they are making informed decisions, they can decide on the approach that fits best within the context of the incident or the required outcome. This could result in a more intelligence-led approach being undertaken, a forensic-led approach or a blend of both being utilised. This point is summarised well by Andy Settle (Senior Managing Consultant – Cyber Security & Threat Intelligence Solutions, IBM):


Any ‘incident’, by its very nature, requires a response which is founded upon timely and informed decision making. There are no luxuries, incidents bring with them the constraints of time, resources and limited and at times conflicting information. Although a ‘forensic led’ approach is commonly accepted for incident response, so too is ‘intelligence led’. What both of these approaches accept is the need for insight and understanding to underpin decisions throughout the stages of an incident. Rather than endeavouring to take an ‘intelligence’ or ‘forensic’ approach, better yet to take a ‘business led’ approach. One which returns the organisation back to business-as-usual in the most appropriate manner. Incident response is a business support function in time of adverse and hostile conditions, understanding that this will never be resolved with a prescriptive one-size-fits-all approach is the beginning of a mature and robust business-continuity strategy.


Forensic investigations by their nature are more detailed and methodical, as they are often focused on obtaining information and evidence that could be used within a court of law for the purpose of prosecution of a crime. They require suitably trained professionals and adherence to established data handling procedures. Taking a forensic approach will therefore take longer to establish the facts and is likely to result in additional incident costs. Organisations should take the decision at an early stage whether they wish to take the case to court or involve law enforcement. A key question that should be asked at the beginning of any incident is therefore:


Is there a possibility that this incident will be taken to court or involve law enforcement?


If there is any possible outcome that turns the answer to this question into a yes, then you would have no choice but to use an approach that meets the evidential handling requirements of the local legal jurisdiction of the incident. Within the UK, the foundations for this approach have been well documented by the Association of Chief Police Officers (ACPO) and serve to ensure that evidence handling, investigation practices and supporting activity are carried out legally.

If your organisation only needs to understand the facts around an incident and has no requirement to involve law enforcement, an intelligence-led approach may be more suitable.

Taking an intelligence-led approach broadens the tools and overall options available as part of an incident response. It will enable your organisation to gain a rapid understanding of the size and complexity of the event without the overheads of a forensic investigation. This can often result in the ability to contain or even stop the attack at an earlier stage, or even isolate compromised systems and therefore protect the wider environment.

Such an approach also enables the use of individuals with experience of incident work as well as wider security testing capabilities and attack-centric knowledge. Through this broader understanding and capability, it is possible to identify and understand attack vectors rapidly.

In many cases, a blended approach will be the more suitable option. In one real-life incident, a substantial fraud had been committed and law enforcement were involved from the start of the investigation. As such, a comprehensive forensic response was required to deal with the incident. However, this approach caused a delay in understanding the initial attack vector. Without this knowledge, the organisation was not in a position to react to any possible wider exposure. A more agile stream of work, undertaken in parallel to the forensic stream of work, was therefore called for.

In this example, it was possible to gain access to logs that would not form part of the forensic investigation. Through rapid analysis of these logs, utilising the knowledge of security testers, it was possible to identify the initial point of compromise. The analysis also identified the methods of compromise and established an overall timeline for the attack. This stream of work proved hugely valuable to the on-going investigation, enabling the organisation to take proactive steps to reduce exposure across the wider environment.


The Third lesson. The three C’s.

Co-ordination of a major cyber breach will require strong management of both technical teams and management teams. Therefore, organisations will require a robust approach to Command, Control and Communication. The key aspect of all of this will be to free up the technical troops to actually get on with the task. If they are joining incident calls every 30 minutes or even hourly, then the response work is just not going to get done.

In all of the incidents that we have managed, we recommend that the organisation forms two incident cells: a management-focused cell and a technical cell, with the technical response team separate from both of these.

The management cell is responsible for making any business decisions required, setting the overall direction of the incident response and handling any engagement with the media / public relations or external law enforcement. Its role is to balance what can / should be done to resolve an incident, agree priorities against wider business considerations, take any risk-based decisions and authorise technical activity and budget spend. The management cell will also need to take into account the changing nature of the incident and adjust priorities accordingly.

The technical cell is responsible for handing off tasks to the response team and for providing a buffer between the response team and the management function, allowing traction to be made.

We then have a representative from the technical team attend the management incident calls to provide co-ordination of activity and inform and advise the management team on the technical aspects of the incident.

Lastly, we advise having a nominated individual within each cell who is responsible for collating actions and maintaining an action log with named owners. This has two main benefits. Firstly, it prevents actions that are agreed verbally at 3am from being lost in the overall noise generated by an incident. Secondly, it acts as an agenda for future update calls and provides structure around those meetings.

Once an incident has been concluded, action logs provide an excellent resource for any post-incident reviews.


The Fourth Lesson. Shifting sands.

All incidents are their own creations and the true nature of the incident will only become clear during the course of the investigation. As such, what you think you are facing on day one may not be the reality later on. It is important to accept that you will have to work with limited and often constantly evolving information. However, by establishing the extent of the compromise zone at an early point, an incident response team can place a boundary around the investigation and thereby reduce potentially unnecessary effort, cutting costs and leading to more informed decisions being taken.

Technical activity that you can expect to deploy while looking to establish the compromise zone may include:

  • Log, host and traffic analysis.
  • Security assessments of compromised environments to identify potential onward points of compromise.
  • Bespoke vulnerability research.
  • Forensic analysis of compromised assets.
  • Malware analysis.
  • Security architecture review to identify potential compromise zones.
  • Intelligence-led and incident focused analysis of compromised assets.


In Summary. Know your enemy and know yourself.

As we have seen, attack methods are often known in advance and knowledge of current attacks can be used to reduce the likelihood of an incident. Where an incident has occurred, challenge the assumption that a forensic approach is the only option, and remember that establishing a strong command and control approach is vital. Lastly, understanding how an attacker exploits vulnerabilities to gain unauthorised access to systems will help you understand what is going on. Security testers are great at understanding those attack vectors and at playing the “what would I do” card.

So, as part of your incident response capability, making use of these experts and, when suitable, taking an intelligence-led approach can help in gaining a prompt understanding of the type of incident that you are facing. This enables the organisation to make informed decisions that will lead to a proportional response and ultimately to establishing the compromise zone and gaining rapid control of an incident.

7 Elements are proud to be the 2016 SME Cyber Defender of the Year. The award recognised our achievements for the delivery of incident response services.

Contact our team if you would like to find out more about how 7 Elements can work with you to avoid unnecessary incidents and, when required, effectively respond and recover.

7 Elements becomes trusted partner

We are proud to announce that 7 Elements Ltd are now listed as a ‘Trusted Partner’, with the endorsement of Police Scotland and SBRC for the delivery of Cyber Security related services. More information on the scheme can be found here.

SME Cyber Defender of the Year 2016



7 Elements are proud to be the SME Cyber Defender of the Year 2016. The award recognised our achievements for the delivery of incident response services. Contact our team if you would like to find out more about how 7 Elements can work with you to avoid unnecessary incidents and, when required, effectively respond and recover.