
The overlooked changes that two Trump executive orders could bring to cybersecurity

13 August 2025 at 15:04

Two executive orders President Donald Trump has signed in recent months could prove to have a more dramatic impact on cybersecurity than first thought, for better or for worse.

Overall, some of Trump’s executive orders have been more about sending a message than spurring lasting change, as there are limits to their powers. Specifically, some of the provisions of the two executive orders with cyber ramifications — one from March on state and local preparedness generally, and one from June explicitly on cybersecurity — are more puzzling to cyber experts than anything else, while others preserve policies of the prior administration which Trump has criticized in harsh terms. Yet others might fall short of the orders’ intentions, in practice.

But amid the flurry of personnel changes, budget cuts and other executive branch activity in the first half of 2025 under Trump, the full scope of the two cyber-related executive orders might have been somewhat overlooked. And the effects of some of those orders could soon begin coming to fruition as key top Trump cyber officials assume their posts.

The Foundation for Defense of Democracies’ Mark Montgomery said the executive orders were “more important” than he originally understood, noting that he “underestimated” the March order after examining it more closely. Some of the steps would be positive if fully implemented, such as the preparedness order’s call for the creation of a national resilience strategy, he said.

The Center for Democracy & Technology said the June order, which would unravel some elements of executive orders under presidents Joe Biden and Barack Obama, would have a negative effect on cybersecurity.

“Rolling back numerous provisions focused on improving cybersecurity and identity verification in the name of preventing fraud, waste, and abuse is like claiming we need safer roads while removing guardrails from bridges,” said the group’s president, Alexandra Reeve Givens. “The only beneficiaries of this step backward are hackers who want to break into federal systems, fraudsters who want to steal taxpayer money from insecure services, and legacy vendors who want to maintain lucrative contracts without implementing modern security protections.”

The big changes and the in-betweens

Perhaps the largest shift in either order is the deletion of a section of an executive order Biden signed in January on digital identity verification that was intended to fight cybercrime and fraud. In undoing the measures in that section, the White House asserted that it was removing mandates “that risked widespread abuse by enabling illegal immigrants to improperly access public benefits.”

One critic, speaking on condition of anonymity to discuss the changes candidly, said “there’s not a single true statement or phrase or word in” the White House’s claim. The National Security Council did not respond to requests for comment on the order.

Some, though, such as Nick Leiserson of the Institute for Security and Technology, observed that the digital identities language in the Biden order was among the “weakest” in the document, since it only talked about how agencies should “consider” ways to accept digital identities.

The biggest prospective change in the March order was a stated shift for state and local governments to handle disaster preparedness, including for cyberattacks, a notion that drew intense criticism from cyber experts at the time who said states don’t have the resources to defend themselves against Chinese hackers alone. But that shift could have bigger ripples than originally realized.

Errol Weiss, chief security officer at the Health-ISAC, an organization devoted to exchanging threat information in the health sector, said that as the Cybersecurity and Infrastructure Security Agency has scaled back the free services it offers like vulnerability scanning, states would hypothetically have to step into that gap to aid entities like the ones Weiss serves. “If that service goes away, and pieces of it probably already have, there’s going to be a gap there,” he said.

Some of the changes from the March order might only be realized now that the Senate has confirmed Sean Cairncross as national cyber director, or after the Senate takes action on Sean Plankey to lead CISA, said Jim Lewis, a fellow at the Center for European Policy Analysis.

For instance: The order directs a review of critical infrastructure policy documents, including National Security Memorandum 22, a rewrite of a decade-old directive meant to foster better threat information sharing and respond to changing threats. There are already signs the administration plans to move away from that memorandum, a development that a Union of Concerned Scientists analyst said was worrisome, but critics of the memo such as Montgomery said a do-over could be a good thing.

Most of the other biggest potential changes, however, are in the June order. This is a partial list:

  • It eliminates a requirement under the January Biden order that government vendors provide certifications about the security of their software development to CISA for review. “I just don’t think that you can play the whole, ‘We care about cyber,’ and, ‘Oh, by the way, this incredible accountability control? We rolled that back,’” said Jake Williams, director of research and development at Hunter Strategy.
  • It removes another January Biden order requirement that the National Institute of Standards and Technology develop new guidance on minimum cybersecurity practices, thought to be among that order’s “most ambitious prescriptions.”
  • It would move CISA in the direction of implementing a “no-knock” or “no-notice” approach to hunting threats within federal agencies, Leiserson noted.
  • It strikes language saying that the internet data routing rules known as Border Gateway Protocol are “vulnerable to attack and misconfiguration,” something Williams said might ease pressure on internet service providers to make improvements. “The ISPs know it’s going to cost them a ton to address the issue,” he said.
  • It erases a requirement from the Biden order, one that carried no deadline, that federal systems deploy phishing-resistant multi-factor authentication.
  • It deletes requirements for pilot projects stemming from the Defense Advanced Research Projects Agency-led Artificial Intelligence Cyber Challenge. DARPA recently completed its 2025 challenge, awarding prize money at this year’s DEF CON cybersecurity conference.
  • It says that “agencies’ policies must align investments and priorities to improve network visibility and security controls to reduce cyber risks,” a change security adviser and New York University adjunct professor Alex Sharpe praised.

On other changes, such as those touching federal agency email encryption or post-quantum cryptography, analysts reached differing conclusions about whether the June order continues or rolls back directives from the January Biden executive order.

The head-scratchers and the mysteries

Some of the moves in the June order perplexed analysts.

One was specifying that cyber sanctions must be limited, in the words of a White House fact sheet, “to foreign malicious actors, preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities.” The Congressional Research Service could find no indication that cyber sanctions had been used domestically, and said the executive order appears to match prior policy.

Another is the removal of the NIST guidance on minimum cybersecurity practices. “If you’re trying to deregulate, why kill the effort to harmonize the standards?” Sharpe asked.

Yet another is the deletion of a line from the January Biden order on the importance of open-source software. “This is a bit puzzling, as open source software does underlie almost all software, including federal systems,” Leiserson wrote (emphasis his).

Multiple sources told CyberScoop it’s unclear who wrote the June order and whom they consulted with in doing so. One source said some agency personnel complained about the lack of interagency vetting of the document. Another said Alexei Bulazel, the NSC director of cyber, appeared to have no role in it.

Another open question is how much force will be put behind implementing the June order.

It is less prescriptive than the January Biden order about how strictly agencies must carry out the directives it lays out. It gives the national cyber director a more prominent role in coordination, Leiserson said. And it gives CISA new jobs.

“Since President Trump took office — and strengthened by his Executive Order in June — CISA has taken decisive action to bolster America’s cybersecurity, focusing on critical protections against foreign cyber threats and advancing secure technology practices,” said Marci McCarthy, director of public affairs for CISA.

California Rep. Eric Swalwell, the top Democrat on the House Homeland Security Committee’s cyber subpanel, told CyberScoop he was skeptical about what the June executive order signaled about Trump’s commitment to cybersecurity.

“The President talks tough on cybersecurity, but it’s all for show,” he said in a statement. “He signed the law creating CISA and grew its budget, but also rolled back key Biden-era protections, abandoned supply chain efforts, and drove out cyber experts. CISA has lost a third of its workforce, and his FY 2026 budget slashes its funding …

“Even if his cyber and AI goals are sincere, he’s gutted the staff needed to meet them,” Swalwell continued. “He’s also made the government less secure by giving unvetted allies access to sensitive data. His actions don’t match his words.”

Montgomery said there was a contradiction between the June order giving more responsibilities to agencies like NIST while the administration was proposing around a 20% cut to that agency, and the March order shifting responsibilities to state and local governments without giving them the resources to handle it.

A WilmerHale analysis said that as the administration shapes cyber policy, the June order “signals what that approach is likely to be: removing requirements perceived as barriers to private sector growth and expansion while preserving key requirements that protect the U.S. government’s own systems against cyber threats posed by China and other hostile foreign actors.”

For all of the changes it could make, analysts agreed the June order does continue a fair number of Biden administration policies, like commitments to the Cyber Trust Mark labeling initiative, space cybersecurity policy and requirements for defense contractors to protect sensitive information.

Some of those proposals didn’t get very far before the changeover from Biden to Trump. But it might be easier for the Trump administration to achieve its goals.

“It’s hard to say the car is going in the wrong direction when they haven’t started the engine,” Lewis said. “These people don’t have the same problem, this current team, because they’re stripping stuff back. They’re saying, ‘We’re gonna do less.’ So it’s easier to do less.”

The post The overlooked changes that two Trump executive orders could bring to cybersecurity appeared first on CyberScoop.

Microsoft: An organization without a response plan will be hit harder by a security incident

8 August 2025 at 12:06

LAS VEGAS — Businesses that don’t treat security with the gravity it requires — exhibited by lackluster or nonexistent preparation, planning and exercises for a cyberattack — typically suffer longer and unnecessarily, Microsoft threat intelligence, hunting and response leaders said Thursday at Black Hat.

In the best-case scenarios in the wake of an attack, professionals across the impacted organization know their roles and responsibilities, said Aarti Borkar, corporate vice president of security customer success at Microsoft. “They know the moving parts. They know what their policies are. They know who to call in the middle of the night and wake them up, because incidents don’t happen on a Wednesday afternoon,” she said.

Microsoft’s incident response and recovery efforts are often measured in days, instead of months, when organizations have plans in place, and regularly assess and practice those procedures against challenges that might occur across the organization, Borkar said. 

Only 1 in 4 organizations have an incident response plan and have rehearsed it, said Andrew Rapp, senior director of security research at Microsoft. 

When Microsoft’s incident response team engages with a customer that has rehearsed an incident response plan, held table-top exercises and conducted proactive compromise assessment, the operation functions like a well-oiled machine, he said. “It’s sort of like sharing a central nervous system with a customer during that bad day.”

Attackers are moving faster than ever before — achieving shortened dwell times — and this accentuates the need for incident responders and organizations to prepare, said Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. 

“Attackers and threat actors think in graphs. They see the pathways that they can take to pivot around inside of a network, and all of us as defenders think in lists,” she said.

This creates an imbalance that defenders can overcome by embracing an attacker mindset, Microsoft’s security specialists said on stage. 

“Data is key,” Rapp said. “Having visibility across your network, ensuring that you’re logging everything, that you have properly configured all of the protections, and you’re using all of the features and capabilities that are in your products is table stakes.”

This advice carries weight regardless of attackers’ objectives. While Simeon Kakpovi, senior threat intelligence analyst at Microsoft, spends a lot of time studying advanced threat groups and their tradecraft, basic security control failings are what every threat actor tends to take advantage of, he said.

“They’ll do social engineering. If you’re not patching servers, they’ll take advantage of that,” Kakpovi said. “They’ll do the basics before they spend their effort doing the more advanced things.”

Organizations should consider the weaknesses attackers can target, and study and apply insights from threat intelligence on their specific industry, he added. “Usually you have to worry about a certain set of threat actors more than others, so that can give you a head start thinking about what you should worry about first.”

DeGrippo underscored the significance of security fundamentals, such as keeping software up to date and configuring it properly. “If you do experience a breach, missing logs really contribute to a nightmare scenario for both intel and incident responders,” she said. 

“Every action leaves a trace, unless logging is turned off,” DeGrippo added. “Even though you’re suffering, maybe the pain isn’t as much as it could have been.”

The post Microsoft: An organization without a response plan will be hit harder by a security incident appeared first on CyberScoop.

CrowdStrike investigated 320 North Korean IT worker cases in the past year

4 August 2025 at 03:01

North Korean operatives seeking and gaining technical jobs with foreign companies kept CrowdStrike busy, accounting for almost one incident response case or investigation per day in the past year, the company said in its annual threat hunting report released Monday.

“We saw a 220% year-over-year increase in the last 12 months of Famous Chollima activity,” Adam Meyers, senior vice president of counter adversary operations, said during a media briefing about the report.

“We see them almost every day now,” he said, referring to the state-sponsored group of North Korean technical specialists that has crept into the workforce of Fortune 500 companies and small-to-midsized organizations across the globe.

CrowdStrike’s threat-hunting team investigated more than 320 incidents involving North Korean operatives gaining remote employment as IT workers during the one-year period ending June 30. 

“It’s not just in the United States anymore,” Meyers said. The threat group escalated its operations throughout the past year, landing jobs at companies based in Europe, Latin America and elsewhere to earn salaries that are sent back to Pyongyang. 

CrowdStrike researchers found that Famous Chollima fueled that pace of activity with an assist from generative artificial intelligence tools that helped North Korean operatives navigate hiring workflows and evade detection during the hiring process.

“They use generative AI across all stages of their operation,” Meyers said. The insider threat group used generative AI to draft resumes, create false identities, build tools for job research, mask their identity during video interviews and answer questions or complete technical coding assignments, the report found.

CrowdStrike said North Korean tech workers also used generative AI on the job to help with daily tasks and manage various communications across multiple jobs — sometimes three to four — they worked simultaneously. 

Threat hunters observed other significant shifts in malicious activity during the past year, including a 27% year-over-year increase in hands-on-keyboard intrusions — 81% of which involved no malware. Cybercrime accounted for 73% of all interactive intrusions during the one-year period. 

CrowdStrike continues to find and add more threat groups and clusters of activity to its matrix of cybercriminals, nation-state attackers and hacktivists. The company identified 14 new threat groups or individuals in the past six months, Meyers said. 

“We’re up to over 265 named adversary groups that we track, and then 150 what we call malicious activity clusters,” otherwise unnamed threat groups or individuals under development, Meyers said. “This problem becomes more protracted and continues to proliferate into other countries that are looking to evolve their intelligence collection and espionage programs by adding offensive cyber operations.”

The post CrowdStrike investigated 320 North Korean IT worker cases in the past year appeared first on CyberScoop.

Questions From a Beginner Threat Hunter

By: BHIS
30 January 2025 at 10:00

Answered by Chris Brenton of Active Countermeasures | Questions compiled from the infosec community by Shelby Perry

This article was originally published in the Threat Hunting issue of our infosec […]

The post Questions From a Beginner Threat Hunter appeared first on Black Hills Information Security, Inc..
