
Insights & Blog

Research, detection engineering notes, and incident response lessons learned.

Latest


DBS Data Breach 2025: Ransomware Attack Exposes 11,000 Customers

In April 2025, the DBS data breach 2025 shocked the financial world, exposing the personal data of over 11,000 customers from DBS Bank and Bank of China (BOC) Singapore. The breach wasn’t a direct attack on the banks themselves, but rather a supply chain attack via their third-party IT vendor, Toppan Next Tech (TNT). This incident serves as a wake-up call about the vulnerabilities that come with relying on external vendors for critical services and data management.

Emerging Ransomware Threats and Securing Open-Source Email Infrastructure

Ransomware continues to evolve. While well-known groups like LockBit, Cl0p, and BlackCat dominate the headlines with high-profile attacks, a new wave of emerging ransomware groups is turning its attention to less defended systems, particularly open-source email platforms. These actors are exploiting vulnerabilities in software such as Zimbra Collaboration Suite, often with a focus on data theft, extortion, and reputation damage rather than system encryption.

The Quiet Breach: Understanding and Responding to Low-Volume Data Leak Actors

The ransomware landscape is evolving. While high-profile attacks involving system-wide encryption and operational disruption continue to dominate headlines, a quieter breed of threat actor is gaining traction. These groups do not encrypt files, deploy malware, or demand immediate ransom. Instead, they rely on simple intrusions, slow data exfiltration, and carefully timed leaks of stolen data to apply pressure.

Everest Group Alleged to have hit Kaefer

On 8 May 2025 at approximately 05:49 BST, the Everest Ransomware Group purportedly claimed responsibility for a cyber intrusion against Kaefer, one of the world’s leading industrial insulation and access specialists. According to the group’s online communiqué, stolen materials include internal correspondence, project documentation and support tickets drawn directly from Kaefer’s Freshdesk customer-service platform.

Stealth-State Actors: Silent Persistence, Slow Exfiltration, and Cloud-Based C2

In contrast to ransomware operators and high-noise cybercriminals, a growing class of state-aligned threat actors operates with quiet precision. These stealth-state actors, including groups such as Silent Ransom (Silk Typhoon), Gallium, and APT27, specialise in long-term infiltration, passive surveillance, and the gradual exfiltration of valuable information. Their methods favour persistence over disruption and rely on low-volume, low-frequency exfiltration techniques coupled with legitimate cloud services as their command and control channels.

Continuous Threat Exposure Management

Cyber threats today evolve at breakneck speed, outpacing traditional defences. In the UK, ransomware has become the most significant cyber threat to organisations and even a national security risk. The numbers paint a stark picture: over 550 UK organisations have fallen victim to ransomware attacks as tracked on ransomware leak sites. Worse, this count has doubled since 2022, indicating an aggressive upward trend. Attackers aren’t picky – businesses of all sizes and sectors are in their crosshairs. Traditional, reactive security measures (like occasional vulnerability scans or annual pen tests) can no longer cope with this “always-on” threat environment. This is where Continuous Threat Exposure Management (CTEM) steps in.

PCI DSS 4.0: Significance for Retailers and the Value of SOC-as-a-Service

Every credit card swipe or tap is a moment of trust in today’s retail environment. Customers trust their payment data is safe, and businesses rely on standards to uphold that security. PCI-DSS – the Payment Card Industry Data Security Standard – is the cornerstone of protecting cardholder information. This industry standard, governed by the major card networks, defines how organisations must secure credit and debit card data. In March 2024, PCI-DSS version 4.0 came into effect, marking the most significant overhaul of these requirements in over a decade. For retailers, PCI DSS v4.0 is more than a compliance update; it represents a shift towards continuous, robust security practices in the face of evolving cyber threats. This article explains what PCI-DSS is, why version 4.0 introduces meaningful changes that merchants must address, and how a Security Operations Centre (SOC) as a Service can help retail businesses meet v4.0 compliance, improve security monitoring, and defend against emerging threats.

DragonForce Threat Actor Profile

DragonForce is a cyber threat group that has rapidly evolved from hacktivist beginnings into a prolific ransomware operation. Active since mid-2023, it initially engaged in ideologically driven attacks but later shifted focus to financially motivated extortion. In recent months, DragonForce has made headlines by claiming responsibility for disruptive cyberattacks against major UK retailers including Marks & Spencer (M&S), the Co-op supermarket, and luxury store Harrods. The gang employs a multi-extortion model: not only do they encrypt victims’ data, but they also steal sensitive information and threaten to leak it on their dark web site if ransoms are not paid. As of May 2025, DragonForce’s leak site listed over 150 victim organisations globally, marking it as one of the most active ransomware groups of the past year.

SOC365: The Backbone of SOC as a Service

UK Cyber Defence’s SOC365 is a cutting-edge Security Information and Event Management (SIEM) service platform that forms the backbone of the company’s SOC-as-a-service offering. Designed in formal collaboration with Wazuh – a renowned open-source security platform – SOC365 combines open-source innovation with bespoke enhancements to deliver a comprehensive managed SOC solution. In essence, SOC365 leverages Wazuh as its foundation, augmenting it with Cyber Defence’s advanced components to provide round-the-clock threat monitoring, detection, and response. This article explores the evolution of SOC365 over the past year, from its open-source roots in Wazuh and other SIEM tools to the custom features UK Cyber Defence has developed, including an integrated EDR/XDR agent, a network detection appliance, and an internal AI for intelligent alert correlation. We also discuss key milestones in the platform’s development, such as dramatic reductions in incident response times and successful deployments across industries, and how SOC365 helps organisations meet strict security compliance standards like ISO 27001, NIST, DORA, and GDPR. We highlight why SOC365 has become an effective and user-friendly solution for IT leaders such as CISOs, IT managers, and security engineers seeking top-tier cyber defence.

What is SOC?

In today’s rapidly evolving cyber threat landscape, organisations in high-risk sectors – from financial services and banking to legal, logistics, and research – are increasingly asking: “What is SOC?” A Security Operations Centre (SOC) is a dedicated hub of people, processes, and technology focused on 24/7 cybersecurity monitoring and incident response. In the UK, senior decision-makers such as CISOs, IT managers, security engineers, and CTOs recognise that having a robust SOC is essential for protecting sensitive data and maintaining trust. This article provides a detailed, educational overview of what a SOC is and how it operates, tailored for a professional audience. We will explore the SOC’s definition and purpose, its history and evolution, core components and functions, the key roles on a SOC team, and the technologies they use. We’ll also discuss the business benefits of having a SOC, compare building an in-house SOC versus using an outsourced SOC-as-a-Service, and examine how UK Cyber Defence’s “Detect, Defend, Disrupt” approach sets it apart from competitors like Quorum Cyber and Arctic Wolf. Finally, we’ll look at future trends in SOC development and cyber defence, and conclude with guidance on leveraging SOC-as-a-Service to enhance your organisation’s security posture.