How Cyber Building Blocks Come Together IRL
9-29-2025 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, September 29, 2025, and we’re right at the end of the quarter and the end of the fiscal year for some (including the Federal Government here in the US), which should make for an interesting week, particularly since this week’s story wouldn’t even be a story if the staff at CISA were laid off due to a government shutdown.
But let’s back up a couple of steps before we get too far into things.
How Cyber Building Blocks Come Together IRL
Last week, CISA issued an Emergency Directive, 25-03 (only their third of the year!), ordering civilian agencies to “Identify and Mitigate Potential Compromise of Cisco Devices.” CISA asserted that the activity identified is part of a campaign by a nation-state actor known as “ArcaneDoor” - who has previously been profiled by both Cisco and Canada’s Centre for Cybersecurity.
The emergency order directs agencies to “Immediately identify all Cisco ASA platforms” and to conduct both a threat hunt and a patching exercise by the end of this week, given that exploits against these systems are now being seen in the wild.
This is where all of those basics that we talk about every week start to come into play, and if you’re ever facing a similar situation, let’s walk through how they all come together to put you in a stronger, more defensible position.
First of all, as the Directive notes, it’s critical to identify what’s in your environment. You might hear this called “Asset Inventory” - and not only does it apply to both hardware and software, it’s the fundamental and foundational control for both the NIST CSF and the CIS Controls. In short, it asks: do you know what’s on your network? This is why we keep inventories, build “allow lists” for software, and run vulnerability scans regularly, to identify new machines, or maybe old machines that got turned back on to grab a file - which happens all the time.
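To make the inventory point concrete, here is an added example (not code from the newsletter or from CISA or Cisco) that reconciles a recorded asset inventory against a fresh vulnerability-scan export and then pulls out the platforms an advisory names. The inventory rows, scan rows and the advisory platform list are constructed for illustration; in practice the first two come from your CMDB and scanner exports, and the platform list comes from the directive or vendor advisory itself.

```python
"""Reconcile an asset inventory against a scan, then list affected platforms.

Added example. All asset records below are constructed sample data, not real
hosts; the advisory platform list is an assumption standing in for the
vendor/product pairs a directive such as ED 25-03 would name.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    vendor: str
    product: str
    version: str
    last_seen: str  # ISO date (YYYY-MM-DD) from the CMDB or the scanner


# Constructed CMDB / asset inventory: what we *believe* is on the network.
INVENTORY = [
    Asset("10.0.0.1", "fw-edge-01", "Cisco", "ASA", "9.16.4", "2025-09-22"),
    Asset("10.0.0.2", "fw-edge-02", "Cisco", "ASA", "9.18.3", "2025-09-22"),
    Asset("10.0.1.10", "app-01", "Ubuntu", "Server", "22.04", "2025-09-22"),
    Asset("10.0.1.11", "app-02", "Ubuntu", "Server", "22.04", "2025-06-01"),
]

# Constructed scan export: what actually answered on the wire today.
SCAN = [
    Asset("10.0.0.1", "fw-edge-01", "Cisco", "ASA", "9.16.4", "2025-09-29"),
    Asset("10.0.0.2", "fw-edge-02", "Cisco", "ASA", "9.18.3", "2025-09-29"),
    Asset("10.0.1.10", "app-01", "Ubuntu", "Server", "22.04", "2025-09-29"),
    Asset("10.0.1.11", "app-02", "Ubuntu", "Server", "22.04", "2025-09-29"),  # back after months
    Asset("10.0.1.50", "", "Cisco", "ASA", "9.12.2", "2025-09-29"),           # never inventoried
]

# Assumed advisory scope: vendor/product pairs to identify (compared case-insensitively).
ADVISORY_PLATFORMS = {("cisco", "asa")}


def _platform(asset: Asset) -> tuple:
    return (asset.vendor.lower(), asset.product.lower())


def reconcile(inventory, scan, stale_days: int = 30) -> dict:
    """Compare inventory with scan results.

    Returns hosts the scan found that the inventory lacks ("unknown"), inventory
    hosts the scan did not find ("missing"), hosts whose last inventory sighting
    is older than stale_days ("reappeared"), and hosts whose vendor/product/version
    changed ("drift"), each as a sorted list of IPs (drift as (ip, old, new)).
    """
    inv = {a.ip: a for a in inventory}
    seen = {a.ip: a for a in scan}
    unknown = sorted(ip for ip in seen if ip not in inv)
    missing = sorted(ip for ip in inv if ip not in seen)
    reappeared, drift = [], []
    for ip in sorted(inv.keys() & seen.keys()):
        old, new = inv[ip], seen[ip]
        gap = (date.fromisoformat(new.last_seen) - date.fromisoformat(old.last_seen)).days
        if gap > stale_days:
            reappeared.append(ip)
        old_fp = (old.vendor, old.product, old.version)
        new_fp = (new.vendor, new.product, new.version)
        if old_fp != new_fp:
            drift.append((ip, old_fp, new_fp))
    return {"unknown": unknown, "missing": missing, "reappeared": reappeared, "drift": drift}


def affected(assets, platforms=ADVISORY_PLATFORMS) -> list:
    """IPs of assets whose vendor/product pair is in the advisory scope."""
    return sorted(a.ip for a in assets if _platform(a) in platforms)


def triage(inventory, scan, platforms=ADVISORY_PLATFORMS) -> dict:
    """Build the hunt-and-patch list from the scan, not from the inventory alone,
    and call out affected devices the inventory never knew about."""
    report = reconcile(inventory, scan)
    unknown_assets = [a for a in scan if a.ip in set(report["unknown"])]
    return {
        "hunt_and_patch": affected(scan, platforms),
        "affected_not_in_inventory": affected(unknown_assets, platforms),
        "reappeared": report["reappeared"],
        "missing_from_scan": report["missing"],
    }


if __name__ == "__main__":
    for key, value in triage(INVENTORY, SCAN).items():
        print(f"{key}: {value}")
```

The useful outcome is the gap between the two sources: the inventory alone would send you to patch two ASA devices, while the scan surfaces a third that nobody recorded, plus a server that had been dark for months and is answering again. Both belong on the hunt list, not just the patch list.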
Next, are you able to get these types of warnings if you don’t have CISA watching your back? You might hear this called “Threat Intelligence,” which is just a fancy term for being aware of the implications of running all the things you just identified in your inventory list. Do you get the warnings from those vendors when you need to take action? Are you subscribed to the updates from the various ISACs and other feeds (including CISA’s) to ensure you’re aware of these emerging threats?
Then, you get the alerts, and have to take action.
Fortunately, this Directive (and the team at Cisco) has provided some pretty clear next steps on how to patch these devices, but there’s still plenty of work to be done. You need to ask yourself whether you can reach out and update the machines or software that need updating. Maybe it’s fairly straightforward for a handful of edge devices like these Cisco firewalls, but what if it’s hundreds of workstations that need updates, or mission-critical IoT devices? Do you have this capability, in a way that’s practiced and defined and can be deployed quickly in an out-of-band manner? If the exploits are active, time matters, and being able to move quickly is key.
Finally, and this is an often overlooked step, there is Threat Hunting - do you have the logs you’d need to determine whether you’ve already been breached? Looking at the point of entry - and even closing it off - may not help you if persistence has already been established and the attacker has completed their initial compromise via this new channel and is now moving around your ecosystem.
This is where all of your other defensive controls (network, endpoint, etc.) come into play, as they create room to detect and disrupt the attacker’s movements. All of it matters, because these basics are what come together to make a meaningful difference in your ability to defend the realm and support the business.
If you’re not feeling confident in your ability to execute on these basics, day in and day out, and even under duress and in short order, then you’ve got to get practicing. Get tools, get policies, get some reps under your belt. There aren’t any shortcuts here, and being under the gun is the worst time to realize you should’ve prepared more.
Fundraising
From a fundraising perspective, we saw just under $9B in newly committed capital, with Ridgemont Equity Partners raising nearly $4B for its fifth fund - so congrats to that team.
From a macro perspective, some interesting assertions from the commentary class, with the CEO of Brookfield Asset Management asserting there should be “4,000 less” PE firms. Pair this with Apollo Global Management’s President Jim Zelter asserting that “There’s many, many PE funds that are out there that have raised their most recent fund and don’t realize it’s their last fund,” and you’ve got the makings for a shift in the landscape, to say the least.
Hyperbole? Prescience? I guess we’ll all just have to wait and see.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns