Resilience Cyber Insurance Β· Internal Application Β· Andrew Bayers (hiring) Β· Hoda Hilal (recruiting)
You know the internal structure β ROC, TI team, EDGE β and how intel flows between them. You're not guessing at the org chart; you live it. No ramp time, no trust-building from scratch.
You've been on the receiving end of intel from the ROC and TI team, then adapted it for client delivery. You know precisely where the translation breaks down, which is exactly the problem the TI team needs solved.
You operate across underwriting, claims, and risk management. Most TI analysts are siloed inside security. You can frame intel in terms of financial risk and loss outcomes β a massive differentiator for a cyber insurer.
You track Mustang Panda, Russian APTs, and Iranian groups with geopolitical context β connecting diplomatic events to sector-specific targeting logic. That's strategic intelligence, not just IOC-pushing.
Only 16% of organizations have an operational CTEM program (2026). You've built and operated one, mapping active attack chains to MITRE ATT&CK and recommending packages against live threat actor activity.
Government, Aerospace, OT/ICS, Healthcare, Finance, K-12 β 150+ tabletops, 50+ enterprise clients. The breadth of sector context makes your intel more actionable than a specialist who only knows one vertical.
Frame: Start with the intelligence requirement, not the data. "I start with what the client or underwriter actually needs to decide β that drives collection, not the other way around."
Then walk your workflow: monitor active threat actors targeting that sector β map TTPs to MITRE ATT&CK β anchor to specific attack chains β translate into risk language the client team can act on. Cite your Iranian campaign work against US healthcare (DOD supply chain, Stryker) as a concrete example of geopolitical motivation β sector targeting β client briefing.
Frame: Hit the three layers β collection, context, and dissemination cadence. "Tracking an actor isn't just watching IOCs. It's understanding their mission, who funds them, what geopolitical events change their targeting, and what that means for our specific client portfolio."
Use Mustang Panda as your anchor: espionage-focused, PRC-aligned, historically diplomatic/NGO targeting. Walk them through the 2026 shift β Middle East government expansion, India banking sector divergence, MSBuild lure technique. Explain how you connect PRC foreign policy posture to targeting decisions.
Frame: "Geopolitical events are one of the most reliable leading indicators for threat actor targeting shifts. Nation-state actors don't operate in a vacuum β their tasking follows the diplomatic and military priorities of their sponsors."
Examples to deploy: (1) Iranian actors escalating against US healthcare following US foreign policy posture changes β the Stryker/DOD supply chain angle. (2) APT28 targeting Greek military and NATO Balkans members following specific geopolitical postures. (3) Mustang Panda expanding to Middle East diplomatic targets as PRC deepens Gulf engagement. Each of these is a geopolitical cause β cyber targeting effect you can articulate directly.
Frame: Use the standard phases β Direction, Collection, Processing, Analysis, Dissemination, Feedback β but make each one concrete with your Resilience experience.
Direction: RFIs from EDGE team or underwriting β "what actors are targeting manufacturing right now?" Collection: OSINT stack (Shodan, Flashpoint, DomainTools, CyberChef), SIEM telemetry, Wazuh/ELK, vendor intel (Proofpoint, Mandiant, Unit42). Processing: Normalizing, correlating, deduplicating across sources. Analysis: TTP mapping to ATT&CK, attack chain reconstruction, sector relevance assessment. Dissemination: Briefings adapted for Security Engineers to deliver to clients; executive briefings for C-suite. Feedback: Client-side signal you surface back to the TI team about what actually resonates β and this is your unique loop given your current role.
Frame: "Underwriting RFIs are time-sensitive and need to be decision-useful, not comprehensive. They need enough to price and structure a policy, not a deep-dive report."
Walk through: Understand the specific client sector and geography β identify which threat actor clusters are actively targeting that combination β pull current TTP data β translate into risk-relevant language (not "APT28 used T1078" but "credential-based access is the dominant vector for this actor against this sector, which means MFA coverage gaps are the most material risk"). Tie it to the claims context β what does an incident from this actor actually cost?
Strategic: Long-horizon, decision-maker-level. Nation-state intent, sector targeting trends, policy implications. Audience: C-suite, board, underwriting leadership. Cadence: quarterly, driven by geopolitical events. Example: "Iranian APT programs are increasingly targeting US critical infrastructure as a geopolitical lever during periods of diplomatic tension β here's what that means for our healthcare and energy portfolio."
Operational: Campaign-level. Active threat actor TTPs, specific attack chains, current targeting patterns. Audience: security teams, EDGE consulting. Cadence: ongoing, event-driven. Example: "Mustang Panda has shifted to MSBuild lures targeting diplomatic entities β here's the updated campaign profile and recommended detection logic."
Tactical: Technical artifacts. IOCs, signatures, YARA rules, CVEs actively being exploited. Audience: SOC, threat hunters, IR teams. Cadence: near-real-time. Example: "CVE-2026-50751 (Check Point VPN) is being actively exploited since May 2026 β here's the patch priority and detection recommendation."
Frame: Not as a compliance checkbox β as a living operational framework. "I use ATT&CK as a common language between threat intelligence, security engineering, and client delivery."
Specific examples: (1) Mapping Mustang Panda's current toolchain (PlugX, MQsTTang) to specific techniques β T1566 (phishing), T1059 (command interpreter), T1071 (C2 over legitimate protocols). (2) Using technique coverage to evaluate BAS package selection β "does this simulation package actually test against the techniques this actor uses against this sector?" (3) Aligning Resilience's risk signals to ATT&CK + NIST CSF 2.0 for underwriting intelligence.
Frame: This is a clarification question, not a "why are you leaving" question. Frame it as a natural progression, not an escape.
"My most valuable contributions at Resilience have come from the intelligence work β tracking actors, building briefings, connecting geopolitical context to sector risk. The EDGE role is client-facing delivery; the TI team is where that intelligence actually gets made. I've been doing the translation work for years, and I want to be closer to the source β contributing to production, not just adapting it."
Add the feedback loop angle: "I've also been a valuable signal back to the TI team about what resonates at the client level. Moving into the team formalizes that β I can help produce intel that I know will land, because I've been on the receiving end of it."
Why interviewers ask about this: Reciting six phases in order answers the surface question. Explaining why the feedback loop is the most neglected phase, why bad direction makes good collection irrelevant, and how you've personally operated across multiple phases simultaneously β that's the answer of a working TI analyst. Know the phases cold, and connect each one to a concrete Resilience example.
Print just the OSI section as a clean single-page reference card β white background, printer-friendly layout.
Or use your browser's Print (Cmd+P) to print the full page.
Mission: PRC-aligned cyberespionage. Primary targets: government, diplomatic entities, NGOs, foreign affairs ministries. Collection priority: political intelligence to support PRC foreign policy objectives.
Current Activity 2026: Now
Core TTPs: Spearphishing (T1566), PlugX RAT, MQsTTang backdoor, TONESHELL backdoor, LOLBin abuse (MSBuild), USB worm propagation, C2 over legitimate cloud services
Geopolitical driver: PRC foreign policy priorities drive targeting shifts. Watch diplomatic events β Middle East engagement, India tension, Taiwan Strait activity β as leading indicators for targeting changes.
Mission: Pre-positioning inside US critical infrastructure for potential disruption β NOT espionage. The IC assesses this is preparation for kinetic conflict scenarios (Taiwan contingency), not intelligence collection. This is the most strategically alarming Chinese actor for Resilience's portfolio clients.
Mission: Strategic telecom espionage β persistent access to US communications infrastructure to intercept calls, texts, and CALEA lawful intercept systems used by law enforcement and intelligence agencies.
Sponsor: GRU (Russian Military Intelligence). Mission: Espionage, influence operations, NATO/Ukraine targeting.
Sponsor: GRU Unit 74455. Mission: Critical infrastructure disruption, ICS/OT sabotage, destructive attacks aligned to military objectives.
Sponsor: SVR (Foreign Intelligence Service). Mission: Long-dwell strategic intelligence collection β diplomatic, government, technology targets.
Sponsor: Iranian MOIS (Ministry of Intelligence). Focus: Government, telecom, energy, financial services β Middle East primary, expanding globally.
Most active Iran-linked APTs in 2025β2026. Manufacturing and Transportation sectors most targeted.
Sponsor: RGB (Reconnaissance General Bureau) β DPRK's primary foreign intelligence service. Active since at least 2009. Responsible for Sony Pictures (2014), WannaCry (2017), Bangladesh Bank heist ($81M, 2016).
Current Focus 2026:
Mission: Financial theft β cryptocurrency heists, DeFi platform attacks, crypto exchange compromises. The DPRK's primary revenue-generation arm. Tracked jointly by FBI, CISA, and US Treasury.
Mission: Espionage β policy intelligence on nuclear affairs, sanctions, South Korea/US relations. Targets think tanks, government, academia, NGOs, journalists covering North Korea.
North Korean IT workers using false identities to obtain employment at US companies is a documented, ongoing threat β not theoretical. M-Trends 2026 reports a 122-day median dwell time for these cases, with several persisting over a year undetected.
Origin: Eastern European financially motivated cybercrime group, active since ~2013. Originally a sophisticated POS card-skimming operation targeting restaurant and hospitality chains. Has since evolved into one of the most adaptable and persistent threat actors tracked β commercially motivated, not nation-state, but with nation-state-level operational security and tooling.
Evolution arc:
Current TTPs:
Current target sectors: Financial services, manufacturing, technology, healthcare, cloud services, utilities β well beyond the original retail/hospitality focus. Any Resilience client is a plausible target.
Why it matters for Resilience: FIN7 represents the evolution of financially motivated cybercrime to near-nation-state operational maturity. Despite multiple high-profile arrests of key members (2023β2024), the group has absorbed those losses and continued operations β a hallmark of a resilient, professionally organized criminal enterprise rather than a personal crew.
Origin: English-speaking cybercrime collective β predominantly US and UK teens/young adults. Scattered Spider began as an identity and SIM-swapping crew; ShinyHunters as a data theft/extortion group. By early 2026 they have effectively merged with LAPSUS$ remnants to form the SLH (Scattered LAPSUS Hunters) alliance.
Evolution timeline:
Current TTPs β what makes them dangerous:
2026 target sectors: Technology, financial services, insurance, retail, hospitality, crypto exchanges, higher education. Any organization using Okta, Azure AD, or Google Workspace SSO with human-staffed IT help desks is in scope.
Why it matters for Resilience: SLH attacks almost always trigger cyber insurance claims β MGM was one of the largest cyber claims in insurance history. The help-desk social engineering vector is specifically relevant to underwriting: a client with robust technical controls but no help-desk social engineering training or MFA-resistant authentication (passkeys, hardware keys) has a significant control gap that technical scans won't surface.
Active groups to know β be able to name at least 6:
| CVE | Product | CVSS | Type | Status | Context |
|---|---|---|---|---|---|
| CVE-2026-50751 | Check Point VPN / Mobile Access | 9.3 | Auth bypass (IKEv1) | Exploited | Active exploitation since May 7, 2026. Unauthenticated VPN session establishment. Dozens of orgs compromised. |
| CVE-2026-20127 | Cisco Catalyst SD-WAN | 9.8 | Auth bypass (controller) | Exploited | CISA emergency directive issued Feb 2026. Remote unauthenticated admin access. FCEB patch deadline enforced. |
| CVE-2026-21509 | Microsoft Office | 8.8 | RCE (one-day exploit) | Exploited | APT28 weaponized within 24 hours of disclosure. Spearphish documents targeting Ukrainian gov and EU institutions. |
| CVE-2026-41940 | cPanel / WHM | 9.1 | Auth bypass | Exploited | ~1.5M internet-exposed cPanel instances. Exploited since at least Feb 2026 before disclosure April 28. |
| CVE-2026-41091 | Microsoft Defender | 7.8 | Security bypass | Exploited | Defender bypass allowing malicious code to run without AV detection. Confirmed wild exploitation May 2026. |
| CVE-2026-45498 | Microsoft Defender | 7.5 | DoS | Exploited | Causes Defender service disruption β used to blind endpoint protection before subsequent payload delivery. |
Vulnerability intelligence talking point: "The remediation gap is widening, not closing β 43-day median time to patch critical vulns, with only 26% of critical CVEs actually closed. From an underwriting perspective, that means the insured's patch velocity is as important as whether they have a scanner. A scanner that finds everything but patches nothing is a false control."
MITRE ATT&CK β 14 Tactics (the attack chain)
BAS packages should be selected to test the specific tactics your target actor uses against your client's sector β not just generic coverage. Impact (TA0040) is where the insurance claim originates; everything to the left is where prevention and detection can intervene.
Intelligence Lifecycle
Choose a color theme. Your preference is saved in the browser and restored on next visit.