📄 Original Report (PDF): Download EQST Insight 2025 June →
The June 2025 edition of EQST Insight explores how detection rule frameworks can be operationalised as a core security strategy tool, analyses the Devman threat actor’s multi-ransomware approach, and delivers the second Zero Trust instalment focused on devices and endpoints.
Headline: Rule Framework — A Core Tool for Threat-Centric Security
Detection rules (Sigma, YARA, Snort/Suricata rules, and vendor-specific equivalents) are often treated as afterthoughts, created reactively after incidents. EQST argues for a rule framework methodology where detection content is developed proactively against the MITRE ATT&CK matrix, prioritised by likelihood and impact, and continuously tuned against real telemetry. The report introduces a Rule Lifecycle model: Draft → Test → Deploy → Monitor → Retire, with defined quality gates at each stage. EQST found that organisations with structured rule governance detect attacks an average of 40% faster and generate significantly fewer false positives than those without. Security engineering teams should treat detection content with the same rigour as production code.
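The lifecycle gates described above can be made concrete in code. The following added example (not from the EQST report or any vendor tooling) models the Draft → Test → Deploy → Monitor → Retire stages for a Sigma-style selection rule and enforces a gate at each transition: a draft must map to an ATT&CK technique, a rule only deploys if it fires on known-malicious telemetry while staying under a false-positive threshold, and a monitored rule that drifts above that threshold is demoted for tuning. The rule content, the process-creation telemetry and the 5% threshold are constructed for illustration.

```python
"""Constructed example of a detection-rule lifecycle with quality gates.
Rule, telemetry and thresholds are illustrative, not EQST's or any vendor's content."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

STAGES = ("draft", "test", "deploy", "monitor", "retire")
MAX_FP_RATE = 0.05  # assumed gate: at most 5% of benign events may fire the rule

Event = Dict[str, str]
Labelled = List[Tuple[Event, bool]]  # (event, is_malicious)


@dataclass
class Rule:
    name: str
    attack_techniques: List[str]      # ATT&CK technique IDs the rule claims to cover
    selection: Dict[str, str]         # Sigma-style selection: field -> required value
    stage: str = "draft"
    history: List[str] = field(default_factory=list)


def matches(rule: Rule, event: Event) -> bool:
    """Every selection field must equal the event's value (AND semantics)."""
    return all(event.get(k) == v for k, v in rule.selection.items())


def score(rule: Rule, labelled: Labelled) -> Tuple[int, int, float]:
    """Return (true positives, false positives, FP rate over benign events)."""
    tp = fp = benign = 0
    for event, is_malicious in labelled:
        benign += not is_malicious
        if matches(rule, event):
            if is_malicious:
                tp += 1
            else:
                fp += 1
    return tp, fp, (fp / benign if benign else 0.0)


def _move(rule: Rule, to: str, reason: str) -> Tuple[bool, str]:
    rule.history.append(f"{rule.stage}->{to}: {reason}")
    rule.stage = to
    return True, reason


def promote(rule: Rule, labelled: Labelled = ()) -> Tuple[bool, str]:
    """Advance one stage if that transition's quality gate passes."""
    if rule.stage in ("monitor", "retire"):
        return False, "use review()/retire() once a rule is in production"
    nxt = STAGES[STAGES.index(rule.stage) + 1]
    if nxt == "test":
        if not rule.attack_techniques:
            return False, "draft->test blocked: no ATT&CK technique mapping"
        if not rule.selection:
            return False, "draft->test blocked: empty selection"
    elif nxt == "deploy":
        tp, fp, rate = score(rule, list(labelled))
        if tp == 0:
            return False, "test->deploy blocked: never fired on known-malicious telemetry"
        if rate > MAX_FP_RATE:
            return False, f"test->deploy blocked: FP rate {rate:.1%} exceeds {MAX_FP_RATE:.0%}"
    # deploy->monitor has no gate: production telemetry simply starts flowing.
    return _move(rule, nxt, f"gate to {nxt} passed")


def review(rule: Rule, production: Labelled) -> Tuple[bool, str]:
    """Monitor gate: a rule that drifts above the FP threshold goes back to draft for tuning."""
    if rule.stage != "monitor":
        return False, "review applies only to monitored rules"
    tp, fp, rate = score(rule, production)
    if rate > MAX_FP_RATE:
        return _move(rule, "draft", f"demoted: production FP rate {rate:.1%}")
    return False, f"healthy: {tp} true hits, FP rate {rate:.1%}"


def retire(rule: Rule, reason: str) -> Tuple[bool, str]:
    """Retire gate: a recorded reason (superseded, technique obsolete) is mandatory."""
    if not reason.strip():
        return False, "retire blocked: a reason must be recorded"
    return _move(rule, "retire", reason)


# Constructed process-creation telemetry: 20 benign events, 1 malicious macro dropper.
TELEMETRY: Labelled = (
    [({"process": "chrome.exe", "parent": "explorer.exe"}, False)] * 18
    + [({"process": "wscript.exe", "parent": "explorer.exe"}, False)] * 2  # login scripts
    + [({"process": "wscript.exe", "parent": "winword.exe"}, True)]
)


def run_demo() -> Dict[str, str]:
    """Push three rules through the gates; returns each rule's final stage and last gate message."""
    broad = Rule("wscript_any", ["T1059.005"], {"process": "wscript.exe"})
    tuned = Rule("wscript_from_office", ["T1059.005"],
                 {"process": "wscript.exe", "parent": "winword.exe"})
    unmapped = Rule("no_mapping", [], {"process": "wscript.exe"})
    results = {}
    for r in (broad, tuned, unmapped):
        ok = True
        while ok and r.stage != "monitor":
            ok, msg = promote(r, TELEMETRY)
        results[r.name] = f"{r.stage}: {msg}"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:20s} {outcome}")
```

The broad rule stalls in Test because the two benign login-script events push its false-positive rate to 10%; the tuned rule with a parent-process constraint reaches Monitor; the rule without an ATT&CK mapping never leaves Draft.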
Keep Up with Ransomware: Devman — One Group, Many Ransomware Brands
EQST attribution research identified Devman, a single threat actor group operating under multiple ransomware brand names simultaneously. Rather than committing to a single RaaS platform, Devman cycles through different ransomware tools depending on target sector, geography, and law enforcement attention. This chameleon approach complicates attribution and makes it harder for defenders to block a single known encryptor family. EQST’s analysis linked Devman’s campaigns through shared infrastructure, negotiation language patterns, and cryptocurrency wallet clusters, demonstrating the value of holistic threat intelligence over indicator-only detection.
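The linking method described above, shared infrastructure, negotiation templates and wallet clusters, is a graph problem: campaigns are nodes, and any attribute two campaigns share is an edge. The following added example (not EQST's analysis or data) uses a disjoint-set structure to merge campaigns that overlap on any of those fields and contrasts the result with a brand-only view. All campaign records, host labels and wallet-cluster labels are constructed placeholders.

```python
"""Constructed example: linking ransomware campaigns run under different brand names
through shared attributes. Hosts, templates and wallet labels are placeholders."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Attribute fields on which overlap counts as a link (values are lists per campaign).
LINK_FIELDS = ("infrastructure", "negotiation_template", "wallet_cluster")


class DisjointSet:
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_campaigns(campaigns: List[dict]) -> Tuple[Dict[str, List[str]], List[tuple]]:
    """Return ({cluster_root: [campaign ids]}, [(a, b, field, value) evidence edges])."""
    index: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for c in campaigns:
        for f in LINK_FIELDS:
            for value in c.get(f, ()):
                index[(f, value)].append(c["id"])
    ds = DisjointSet()
    for c in campaigns:
        ds.find(c["id"])  # register even campaigns that share nothing
    evidence = []
    for (f, value), ids in index.items():
        for other in ids[1:]:
            ds.union(ids[0], other)
            evidence.append((ids[0], other, f, value))
    clusters: Dict[str, List[str]] = defaultdict(list)
    for c in campaigns:
        clusters[ds.find(c["id"])].append(c["id"])
    return dict(clusters), evidence


def brands_per_cluster(campaigns: List[dict], clusters: Dict[str, List[str]]) -> Dict[str, List[str]]:
    by_id = {c["id"]: c for c in campaigns}
    return {root: sorted({by_id[i]["brand"] for i in ids}) for root, ids in clusters.items()}


def indicator_only_actor_count(campaigns: List[dict]) -> int:
    """Blocking by encryptor brand alone treats every brand as a separate actor."""
    return len({c["brand"] for c in campaigns})


# Constructed campaign records; three brands share attributes pairwise, one is unrelated.
CAMPAIGNS = [
    {"id": "C1", "brand": "Brand-A", "infrastructure": ["c2-host-1"],
     "negotiation_template": ["tmpl-x"], "wallet_cluster": ["w-cluster-1"]},
    {"id": "C2", "brand": "Brand-B", "infrastructure": ["c2-host-1", "c2-host-2"],
     "negotiation_template": ["tmpl-y"], "wallet_cluster": ["w-cluster-2"]},
    {"id": "C3", "brand": "Brand-C", "infrastructure": ["c2-host-3"],
     "negotiation_template": ["tmpl-y"], "wallet_cluster": ["w-cluster-1"]},
    {"id": "C4", "brand": "Brand-D", "infrastructure": ["c2-host-9"],
     "negotiation_template": ["tmpl-z"], "wallet_cluster": ["w-cluster-7"]},
]

if __name__ == "__main__":
    clusters, evidence = cluster_campaigns(CAMPAIGNS)
    print("brand-only actors:", indicator_only_actor_count(CAMPAIGNS))
    print("linked actor clusters:", brands_per_cluster(CAMPAIGNS, clusters))
    for a, b, f, v in evidence:
        print(f"  {a} <-> {b} via {f}={v}")
```

A brand-only view counts four actors; attribute overlap collapses Brand-A, Brand-B and Brand-C into one cluster with the specific shared attributes recorded as evidence, while the unrelated campaign stays separate.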
Special Report: Zero Trust Security Strategy — Devices & Endpoints
Devices are the most common entry point for attackers. EQST’s endpoint-focused Zero Trust chapter covers device health attestation, mobile device management (MDM) enforcement, and conditional access policies that deny network access to non-compliant devices. The key recommended controls are to enforce full-disk encryption on all corporate devices, require MDM enrolment before granting access to corporate resources, implement certificate-based device authentication, and continuously assess device health (patch level, EDR status, jailbreak/root detection) as a condition for maintaining access. The report also addresses the bring-your-own-device (BYOD) challenge, recommending containerisation or virtual desktop approaches for high-risk roles.
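The controls listed above combine into a single conditional-access decision that is re-evaluated on every request. The following added example (not from the EQST report or any MDM product) encodes them as a policy function over a device posture record: certificate-based device identity, MDM enrolment, EDR status, patch age and jailbreak/root state gate access for every device, full-disk encryption is enforced for corporate-owned devices, and a compliant personal device is routed to a container or, for a high-risk role, to a virtual desktop. The 30-day patch threshold, the issuer name, the role list and the sample devices are assumptions.

```python
"""Constructed example of a Zero Trust conditional-access decision based on device posture.
Thresholds, issuer name, role list and sample devices are assumptions, not EQST's configuration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_PATCH_AGE_DAYS = 30                                  # assumed policy threshold
TRUSTED_DEVICE_CA = "Corp Device CA"                     # placeholder device-certificate issuer
HIGH_RISK_ROLES = {"finance", "domain-admin", "executive"}  # constructed list


@dataclass
class DeviceCert:
    issuer: str
    not_after: datetime


@dataclass
class DevicePosture:
    device_id: str
    corporate_owned: bool
    mdm_enrolled: bool
    disk_encrypted: bool
    edr_running: bool
    rooted_or_jailbroken: bool
    last_patch: datetime
    cert: Optional[DeviceCert]


@dataclass
class Decision:
    allow: bool
    access_mode: str          # "full", "container", "virtual_desktop" or "deny"
    reasons: List[str] = field(default_factory=list)


def evaluate_access(d: DevicePosture, role: str, now: Optional[datetime] = None) -> Decision:
    """Pure function: call it on every request so posture changes take effect immediately."""
    now = now or datetime.now(timezone.utc)
    reasons: List[str] = []
    # Device identity: certificate from the trusted issuer and still within validity.
    if d.cert is None:
        reasons.append("no device certificate presented")
    elif d.cert.issuer != TRUSTED_DEVICE_CA:
        reasons.append(f"device certificate issuer '{d.cert.issuer}' not trusted")
    elif d.cert.not_after <= now:
        reasons.append("device certificate expired")
    # Management and health checks, applied to corporate and personal devices alike.
    if not d.mdm_enrolled:
        reasons.append("device not enrolled in MDM")
    if d.rooted_or_jailbroken:
        reasons.append("jailbreak/root detected")
    if not d.edr_running:
        reasons.append("EDR agent not running")
    if now - d.last_patch > timedelta(days=MAX_PATCH_AGE_DAYS):
        reasons.append(f"patch level older than {MAX_PATCH_AGE_DAYS} days")
    # Full-disk encryption is mandated for corporate-owned devices.
    if d.corporate_owned and not d.disk_encrypted:
        reasons.append("full-disk encryption not enforced")
    if reasons:
        return Decision(False, "deny", reasons)
    if d.corporate_owned:
        return Decision(True, "full", ["compliant corporate device"])
    # BYOD: corporate data stays off the personal device; high-risk roles get a virtual desktop.
    mode = "virtual_desktop" if role in HIGH_RISK_ROLES else "container"
    return Decision(True, mode, [f"compliant personal device, role '{role}'"])


# Constructed evaluation time and sample devices.
NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)
VALID_CERT = DeviceCert(TRUSTED_DEVICE_CA, NOW + timedelta(days=365))


def _device(device_id: str, corporate: bool, **overrides) -> DevicePosture:
    base = dict(device_id=device_id, corporate_owned=corporate, mdm_enrolled=True,
                disk_encrypted=True, edr_running=True, rooted_or_jailbroken=False,
                last_patch=NOW - timedelta(days=5), cert=VALID_CERT)
    base.update(overrides)
    return DevicePosture(**base)


def sample_decisions() -> Dict[str, Decision]:
    return {
        "corp-ok": evaluate_access(_device("L-001", True), "engineer", NOW),
        "corp-stale-patch": evaluate_access(
            _device("L-002", True, last_patch=NOW - timedelta(days=45)), "engineer", NOW),
        "byod-finance": evaluate_access(_device("P-001", False, disk_encrypted=False), "finance", NOW),
        "byod-rooted": evaluate_access(_device("P-002", False, rooted_or_jailbroken=True), "sales", NOW),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:18s} {decision.access_mode:16s} {'; '.join(decision.reasons)}")
```

Every denial carries the failed checks, which is what a help-desk or self-remediation flow needs; because the function is pure, the same policy can be re-run from a continuous-assessment loop whenever the MDM or EDR reports a posture change.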
Source: SK Shieldus EQST Insight, June 2025 — skshieldus.com