EP01: Cyber security – the threat landscape

The cyber threat landscape can be a daunting challenge to navigate, from the role of nation states in geopolitics to the rise of organised crime profiting from cyber-attacks. The number and breadth of attack vectors is also climbing as terms such as “living-off-the-land” and “ransomware-as-a-service” become commonplace in the cyber security vernacular. In this episode, we aim to break down the latest cyber threat trends and help you identify threat intelligence that is relevant and useful to your business.

Alex Miller, Ethical Hacking Assistant Manager at Mazars, joins the conversation today to help unpick challenges in the cyber threat space. Alex is a CREST Registered Penetration Tester and red teamer of the Cyber Attack and Defence service line, working with a variety of organisations and companies to assess, enumerate and simulate cyber threats.

Joining Alex is Dr. Jamie Collier. Jamie is a Senior Threat Intelligence Advisor at Mandiant, an American cyber security firm that specialises in cyber threat intelligence. Jamie works with organisations in the EMEA region to help them understand their threat landscape and build threat intelligence capabilities. Jamie is also a fellow of the UK’s oldest and leading security think tank, RUSI.


Transcript

[music]

Alex: Today, joining me, we have Dr. Jamie Collier. Welcome, Jamie.

Jamie: Hi, Alex. Yeah, great to be here.

Alex: And Jamie is a senior threat intelligence advisor at Mandiant. And for our listeners who aren't familiar with Mandiant, they're an American based cyber security and threat intelligence firm, and Google has just announced their intent to purchase them. Is that correct?

Jamie: Yep. So, they're all going through it now, but yeah, certainly an exciting time for Mandiant at the moment.

Alex: Perfect, and you are also a fellow of the UK's oldest and leading security think tank, RUSI.

Jamie: I am. So, you're trying to really take a lot of the operational insight that we have within the likes of Mandiant, all of that intelligence, and try and explore what it means for that kind of cyber policy crowd. Because I think, you know, cybersecurity, we're very good at staying in our silos and our thought bubbles and yeah doing what I can to kind of build those bridges.

Alex: Perfect. Well, thanks for joining us today.

Jamie: Yeah, thanks.

Alex: So, welcome and let's get started then.

Jamie: Sure thing.

Alex: So, I wanted to start by sort of thinking about some of our traditional cyber threats, some more well-trodden ground. So, if we're thinking about nation states our listeners are probably familiar with the Big Four. So, we're thinking Russia, China, North Korea, Iran, and there's definitely some headlines at the moment about Russia's cyber capabilities, and as a red teamer, I certainly see a lot of the innovation of malware coming out of Russia. Is that an accurate assumption? And what's the story with nation states at the moment?

Jamie: Yeah, I mean, I think you're certainly right that, that kind of big four, if you like, are the ones that most organisations are concerned about, and I think rightly so. You know, when you've got a state, you've got significantly more funding to, you know, create the infrastructure around these sorts of cyber operations. And yes, that is partly malware, it's custom tools for instance, but it's also, also the bureaucracy. It's being able to, you know, conduct operations through multiple time zones, it's being able to work shift patterns, you know, where people have often got, you know, wives and husbands and children's birthday parties to attend on the weekends. You know, being able to get round all of that and have that operational consistency. You know, we really see that as kind of being a key feature of some of these kind of state programs, but yeah, you're absolutely right, Russia is certainly keeping us all busy at the moment.


Alex: Certainly, yeah and, and what other nation states should we be worried about at the moment?

Jamie: Well, I think, I think, first of all, I think that the Big Four are absolutely the most sophisticated, and probably for different reasons, right? If we think of North Korea, traditionally gone after the kind of finance sector and very kind of financially motivated. China, you know, got the capacity to really go after a range of different regions and sectors. I think, thinking a bit kind of further beyond that, though, is, as you say, there are some really interesting challenges for the security community, because what we're starting to see is a lot of these emerging state actors, not just, you know, non-state actors, but also state actors. I think Vietnam is a great example of what we've seen in the last few years where, you know, since kind of 2015, it's really gone and built a very kind of meaningful capability, and actually I wouldn't even necessarily call it emerging anymore, you know, it's pretty well established. We've also, you know, Mandiant recently put out some reporting around a group that we kind of associate to kind of Belarusian government, for instance. So, I think, I think there are some kind of really interesting takeaways there in the sense that I think if we, if we think further ahead in the cyber threat landscape, we're going to be dealing with a lot more complexity. There’s going to be a lot more states getting involved in this, and I think actually, interestingly, a lot of that will play out regionally because if we look at a lot of the states that are investing and building out these cyber operations, they might not necessarily want to target organisations halfway across the globe. They might be more interested, if we take Vietnam, you know, very interested in the Asia Pacific for instance. So, I think that we'll see a lot of this play out regionally as well.

Alex: And how do you think that will affect global organisations? Will they have to kind of have more tailored threat intelligence for different offices?

Jamie: Yeah, I think so. I think that's a really kind of interesting challenge for organisations, and it's really a twofold challenge I think. Because if you're if you're defending a vast and disparate space, you know, big multinational, for instance, you've probably got quite different levels of security maturity within your own organisation. And even if you've hired well and you've got that, you know, capacity internally, you're still working with kind of different levels of government maturity. You know, you're operating in different kind of ecosystems from a defensive point of view where, you know, your partners might look quite different in the U.K. to maybe elsewhere that's, that's maybe a little bit further behind in the kind of security journey if you like. But you're absolutely right, the threat landscape can vary enormously based, you know, in different regions for instance. You know, if I am, you know, an oil and gas or an energy company, my exposure is going to look very different in Ukraine or Eastern Europe right now than it might say in the Middle East. So, you've got some really big strategic issues, both of those areas, you know. So, I think having that kind of regional nuance is, is really important, being able to understand, you know, how my threats might differ from region to region.

Alex: Interesting. And I wonder, how are hackers for hire, or we're kind of seeing that termed as private sector offensive actors, how are they changing the game for, for nation states and generally the threat landscape? Because as a, as an ethical hacker in the UK, I'm bound by the Computer Misuse Act, but that’s not holding these guys back, right?

Jamie: Yeah, I think there are a few different interesting implications there. I think first of all, it's probably that speed component, right, that if I you know, we talked about those emerging states and if I've got real ambitions to ramp that up quickly, then contractors all of that kind of private sector infrastructure, that can certainly play a role there. I think what's also interesting is, you know, in the past, certainly historically we've seen a lot of the zero day exploits we've seen associated with the likes of contractors, and, and that comes at an interesting time because 2021 really smashed all previous records for the amount of zero day exploits we saw. So, I think, I think it just adds to this kind of complexity in terms of the threat landscape. You know, you've got emerging states you've got the contractors and the kind of private sector piece now. You've got, you know, cybercriminal ecosystem that's, you know, increasingly professionalising. So, with that, you know, on the one hand, there's complexity and there is a lot to worry about. But on the other hand, hopefully, if you understand kind of, you know, you've got that understanding of your threat landscape, kind of threat profile, you can also actually eliminate a lot of that in terms of just focusing on what matters and not getting distracted by, you know, what's in the news just because it kind of sounds scary, as it were.

Alex: Yeah, certainly. But it's definitely true that hackers for hire, quote unquote, are being attracted to E-crime. So, kind of financially motivated, crime as much as they are potentially by nation states now?

Jamie: Yeah, absolutely. And I think it's really interesting when we talk about, say if we, if we kind of talk about the cybercriminal ecosystem, or the E-crime ecosystem. Is that we've talked for a long time about that professionalising, and I think what people assume we mean by professionalising is one cybercriminal group becoming bigger and bigger and having the kind of the shift patterns and, you know, having that kind of bureaucratic infrastructure surrounding it, but that's not really the case, that's not really what we see. I think in general, when we're talking about the professionalisation of the cybercriminal ecosystem, we're really actually talking about a greater variety of different cybercriminal groups that are now collaborating. This is not one organisation that's becoming, you know, really big and conducting all of this themselves. It's you know, it's one group that's maybe gaining initial access to an organisation selling that on via an initial access broker.

Alex: Right.

Jamie: There might be another group that moves around in that network, if we're talking about ransomware, it might actually be another group that's, you know, developed that kind of ransomware variant. So, it certainly gives our analysts a lot of headaches as people that are interested in attribution.

Alex: Yes.

Jamie: And figuring out who's, who's behind these operations, because actually we're increasingly talking about, you know, three, four or five different entities often behind some of these kind of cybercrime operations.

Alex: Yeah. And I'm going to jump the gun a bit here in a later question, but thinking about SolarWinds, which I will pick up on later. I'm aware there was a huge number of analysts involved in that on the, on the offensive side. Was that an enormous knot to unpick?

Jamie: Yeah, I think it was. I think the, the thing I would say about that, though, is when, when we talk about something like supply chain compromise, you know, clearly a huge challenge for executives right now, and we've seen a huge kind of strategic level conversation about supply chain. Not necessarily just related to cyber security, right? It's a much bigger issue affecting risk management much more broadly. If you look at something like SolarWinds, though, it was, you know, that was essentially detected by, you know, investigating MFA (multi-factor authentication) attempts.

Alex: Yeah.

Jamie: So, I think I think there is always a tendency to you know, talk about the complexity, talk about how unique and sophisticated some of these things are, but actually often it's, it's very ordinary security controls and security practices that lead to these kind of extraordinary discoveries. So hopefully within that, there is that kind of sense that actually a lot of this, you know, it is solvable we are empowered to actually do something about it, even if that initial attack vector is, you know, potentially quite difficult to detect.

Alex: Yeah, certainly. So, you know, if I throw another threat actor into that picture, the hacktivist community. I'm looking at the, the so-called hacking group Anonymous, they've come out and said that they were responsible for the attack on Russian yachts. How are you seeing the hacktivist community responding to cyber threats and especially with kind of geopolitical events?

Jamie: It's a really interesting question Alex because I think actually around a year ago I'd get really irritated by the hacktivism kind of piece of it. I almost thought it was the kind of the, you know, the management consultants that want to talk about three things on a PowerPoint slide. So, you'd have, you kind of find that, you know, your financially motivated actors, your state actors, and then you'd have this kind of ideologically motivated piece, and that was because we kind of hadn't seen too much of a viable threat from that area. But I think you're absolutely right. If we look at what's going on with Russia, Ukraine now, you know, huge amounts of kind of civilian participation in that from a cyber perspective and, you know, really operations being conducted both ways. You know, we see kind of pro Russian and pro Ukrainian groups there. And I think sometimes what they're going to be doing is relatively unsophisticated if I’m being honest. It's, it's website defacement, it's things like denial of service where you're effectively flooding networks with, you know, packet requests, et cetera. It's not something that gets, you know, a lot of kind of technical people particularly concerned. But we've got to look at the impact here. And if you're, you know, if you're kind of undermining, if you're taking out a ton of media infrastructure, then, you know, you're potentially, you know, that's well, that's potentially really significant at a time where that information battle is, you know, the battle for perceptions, a huge part of any conflict. I think another interesting component is we're starting to see many of these much less sophisticated actors or, you know, ideologically motivated groups also start to gain access to operational technology. So those kind of systems that interact with physical processes, we can kind of think of, you know, water treatment facilities or power grids, for instance. And that's not necessarily that these groups have become really sophisticated overnight. It's just actually a lot of manuals and guidebooks on how to exploit common misconfigurations and vulnerabilities are starting to get distributed, and so I think there are some, some real concerns there around ideologically motivated threats and less sophisticated threats if you're not able to get the security basics right. Now, the flip side of that is that, you know, the solution to that is pretty well known. It's pretty kind of routine stuff. But I think it's just an important reminder that, you know, as much as we like to talk about some of the really high end stuff, actually getting the basics right, you know, just goes such a long way in, you know, protecting your kind of portfolio and your network.

Alex: Yeah, absolutely. I would 100% agree with that from a red team perspective, in some ways, shooting myself in the foot because if these get fixed, it makes my job harder. But ultimately, that's the cynical way of looking at it and not allowed to do that. So yeah, things like multi-factor authentication, it's not bullet proof, but it's a huge, huge benefit to help with phishing and things like that. And yeah, the water treatment example was really interesting because I think there’s, there was a news case in Florida a couple of years ago now, that was a lone wolf activist, right?

Jamie: Yeah, I believe so. I mean, yeah, you're testing me on the, on the specifics there but yeah, I think, I think it wasn't something that was particularly high end. It wasn't something that was kind of particularly well planned from my memory. And yeah, I just think it kind of highlights that, you know, I think operational technology's had a tough time and I think we need to be sympathetic in that, I think it's easy to think about if we think of, say, power grids, for instance, you know, we can think of these huge multinational or nationwide power providers, but actually a lot of water facilities or power providers are pretty local although pretty regional. You know, they're very small. And with that, they're not necessarily going to have that security budget of those big players, and the challenge is quite different for them, I think.

Alex: Yeah, it's the where the kind of the loss magnitude, if a threat were to occur, is so great. You know, we feel like it's difficult to kind of quantify. You think how likely is it if the magnitude is that high, you really feel like protections need to be in place?

Jamie: Yeah, absolutely.

Alex: Yeah and thinking about this hacktivist threat actor a bit more, do you feel like there's some specific sectors which are more at risk if they're becoming slightly bigger players?

Jamie: Yes, I think when it comes to ideologically motivated groups, you know, if we take Anonymous, which is, you know, a bit of a slippery group anyway, but I think you know, in terms of kind of nailing down who, who is Anonymous, who is and who isn’t. I think in general, they are going to be conducting pretty loud operations, right. So, they're going to be looking for that kind of high impact kind of, you know, achievement kind of media headline often. So, I think, I think the likes of, say, the media, that would be one really kind of clear target because, you know, you can often have quite significant impacts, especially if you kind of start interfering with websites or you know, TV and anything that's kind of read and viewed by millions of people. You know, I think, I think as well, you know, maybe the likes of kinds of government websites, all of that sort of thing. Anyone that's kind of, you know, got a high public profile is certainly going to be at risk there. And then, and then clearly there's also a conversation about the specifics around certain geopolitical developments. So, if I'm, if we think about, say, Russia, Ukraine, that is probably something that would pose a kind of outsized impact to any Western organisations that still have a presence in Russia, for instance. And, you know, see that in quite a lot of cases that that might be something that gets hacktivist attention more than groups that don't, for instance.

Alex: And are you seeing anything in the kind of environmental sphere in that case? I know some environmental groups have been hugely disruptive in a kind of physical way, but have you seen that in a kind of technological way as well?

Jamie: Not so much. I think in general, they're not maybe quite, as, you know, sophisticated or organised that, you know, of course, that, that could change. And, you know, something that we will continue to track. But I think at the moment for most organisations, I don't think that is as big a concern as other bits and pieces. What I would say, though, is, you know, if we think of, say, Anonymous, as I said, it's quite hard to pin down who they are, what they stand for. Effectively, anyone can claim to be Anonymous and act under that kind of Anonymous umbrella, if you like. So, I think it's certainly the case that we, you know, if we see the kind of the way the world's moving and an increasing concern around environmental issues, it would be, you know, very easy to imagine the people that previously, you know, had been supporting Ukraine under that Anonymous umbrella, you know, maybe shifting their attention to environmental causes in the future. But I think, I think for now at least, we can, you know, not be too concerned about that kind of area.

Alex: OK, pre-emptive but potential then, OK, wonderful. And if we take this kind of threat actor picture a little bit broader, what should business leaders be aware of, kind of for the rest of this year and looking into next year, what would be the kind of number one thing you would point out to them?

Jamie: I mean, I think it's got to be ransomware, right. I think it's probably not the most exciting answer.

Alex: Just for me maybe, but yes.

Jamie: Something we talk about a lot and I think everyone at Mandiant is probably fed up of me talking about ransomware. But I think, I think the key thing with ransomware is that if we go back to say 2015, that was an I.T. problem. It was a bit of a nuisance. It is now something you're seeing, you know, front page news of Financial Times, Wall Street Journal.

Alex: Yeah.

Jamie: It's really transformed from that I.T. problem and that nuisance to something that is now a core strategic concern for effectively any organisation, and while cybercrime in the past would typically go after banks, now, what we see with ransomware is that it is effectively sector agnostic. Ransomware can kind of pose a threat to any organisation and it's not necessarily just going after, you know, really large high revenue organisations, we’ll also see it going after a lot of local regional firms as well. So, while I think, you know, it's probably, probably something that we were talking about, you know, 12 to 18 months ago, I think it's only going to become a, you know, an even bigger concern recently. So, I think that has to be priority number one. I think the only thing else I would say is that it does, it does, you know, being the kind of typical intelligence analyst here.

Alex: Yeah.

Jamie: Saying that it depends, but, you know, in terms of those top threats it really does depend on your region and your sector. And that goes back to if you're a Middle East government, your threat landscape looks very different than, you know, UK financial services, for instance.

Alex: Sure. I did ask you the broadest question possible. So, I appreciate you giving me a narrow answer. And just to step back, a little bit for our listeners who may not be aware, ransomware is kind of malware or malicious software that encrypts your data and then holds it hostage, asking for a payment. Is that a good description?

Jamie: Yeah, exactly. I mean, I think that's exactly right, and that's what we're seeing is, I think over time that's gone from just being sent out to kind of one employee's laptop and, you know, that's where it's the nuisance because it's encrypted, you know, an employee's laptop, for instance. Now, I think what we see is actually those groups moving around within a network, spending a bit more time in those corporate networks, for instance, finding the most sensitive data, the kind of parts of the network that keep the lights on, as it were, and then they're deploying that kind of malware that you mentioned. So, so that would be the one thing, but I think the other is, is actually we increasingly talk about this as multifaceted extortion. Where, you know, ransomware, the encryption, that's probably the part that poses the most critical business risk in the sense that if your data or your systems are rendered unusable, you know, that's incredibly serious for an organisation, but we're also seeing these groups now steal data, threatening to leak that online.

Alex: Yeah.

Jamie: Which clearly poses kind of compliance, regulatory challenges there. We're seeing them contact media organisations trying to drum up press interest or even seeing them contact, you know, employees directly or notify business partners. So, I think that's, as I said, it’s moved to that strategic challenge, and I think that's largely because of that, that broader kind of extortion tactics that are being used. Where it's meant that the ransomware or the extortion threat is now very much interdisciplinary. It's not just your technical remediation. It's also, you know, what does your legal team, how does your legal team approach data theft, data leakage? You know, do your kind of communication teams have a PR and a comms strategy?

Alex: Yeah.

Jamie: If that is going to the news and media, do we have kind of plans in place to work with our partners if they've been notified et cetera? So yeah, this, it's really now spanning the entire C-suite, I think is a strategic issue.

Alex: Yeah, and thinking about the threat of publishing data who's this, what threat actors are we thinking of here? I remember there was some stuff around the US elections when there was some stuff published potentially from some legal firms, who would be the perpetrators of that?

Jamie: So, it would often be the ransomware groups themselves, those deploying ransomware in the network. What you would typically find is there'll be a group that, you know, gains access to an organisation. As I said, they're moving around and then, and then it's really up to them to decide how they leverage that access. Some will exclusively steal data and try and, you know, threaten to leak that online or do an extortion that way. Others will go down deploying ransomware. What we increasingly see is threat groups that do both, so they both steal the data and then they encrypt, and then there's this kind of double extortion threat where effectively it's all about imposing as much cost on a victim as possible, because then you can demand a higher extortion fee.

Alex: Right.

Jamie: And you're probably more likely to have a victim, you know, be willing to pay or at least see the kind of the, the upside of paying as it were.

Alex: And have you ever seen a financial gain through or that slightly be motivated through pressure from nation states? We kind of talked about hackers for hire, and they may be publishing the data to increase their revenue from the ransomware. But do you think there's ever any tangible links to nation states for publishing kind of ransomware data?

Jamie: I think it's a really interesting question. I think, I think a lot of states, if they want data or they want it to be leaked they will be able to do that or they will go and do that themselves, and I think we certainly see Russia in the past hack and leak kind of operations. Certainly, in the UK we've seen that play out in kind of elections in the past, but what I would say is that we've often discussed and the link between these ransomware groups and states has long been speculated. I think what we've seen more recently, you know, Conti, which is, is one of these kind of ransomware groups, kind of a big leak that came out after they kind of effectively announced, you know, their support of Russia during the current crisis.

Alex: Yeah.

Jamie: But that that leak was very interesting and it appeared to show some pretty kind of close links between these, these kind of cybercriminal groups and the kind of Russian FSB. So, so I think there's certainly some conversations there at the very least and potentially something, you know, more of an active and close relationship than, you know, I think in the past we kind of suspected that might be the case. We're starting to see a bit more of an evidence base around that now.

Alex: Yeah, and kind of thinking about the ransomware flavour in the Ukraine Russia situation. Am I right in thinking we're seeing kind of ransomware that isn't really ransomware, where it doesn't actually kind of hold the data hostage, it just completely destroys and wipes it? Kind of “HermeticWiper”, one of the big flavours out there right now?

Jamie: Yeah, exactly. So, you're absolutely right. So wiper is you're effectively encrypting the data, but without any kind of option to un-encrypt or restore systems. I think that is a thing that I think definitely gets that concern, at a kind of more strategic level within an organisation. If we think of NotPetya, that was one of these really well known cyber operations or cyber attacks, and that was wiper malware that spread effectively uncontrollably. So, it had this kind of propagation effect to it that meant it impacted organisations all across the world. What we've seen at least so far with the wiper malware deployed in Russia, Ukraine, is that it does look a little bit more tightly distributed.

Alex: Right.

Jamie: We're not seeing this kind of uncontrollable propagation and with it we're not seeing that kind of systemic risk of something like NotPetya, at least for the moment. In general, the wiper malware that's been deployed has been deployed kind of only after what we assume is Russian groups that have got pretty extensive access into these networks and kind of the Active Directory and things like that.

Alex: Am I right in thinking, though, that it's not, it's only a matter of time essentially before others begin to weaponize this, these new strains, and potentially then it kind of shifts from being a Ukraine problem to being a more global problem like WannaCry or NotPetya?

Jamie: Yeah. I mean, I think I think the concern is, is because I think I think actually having a kind of a wiper or encrypting, you know, encrypted kind of capability is something that a lot of ransomware or a lot of kind of wiper malware will have. So, I don't think necessarily if that capability, those, those strains that Russia have been using, if they kind of get into other people's hands, that that's necessarily the kind of the big concern in the sense that, you know, those threat groups would still have to gain access to those organisations moving within those networks. They'd be doing a lot of what they would have to do anyway, and they effectively have a lot of those, you know, different wiper or ransomware variants that they can, that are readily available now. I think maybe the thing that maybe concerns a lot of us is, is around that that possible retaliation. When if I think of the Russia Ukraine crisis or, you know, the invasion, I think probably the thing that really few people saw coming, which was just the sheer level of not only Ukrainian resolve, but also that the broader Western resolve, and I remember there were conversations before this even happened of, you know, do you think do you think they'll get chucked out of the SWIFT network? and things like that. You know, we've seen a real dramatic change there. You know, we're seeing kind of German foreign policy, you know, 100 years of kind of German foreign policy, you know, changing very radically. So, I think with that, while you'd probably expect Russia in the short term to be very preoccupied in targeting Ukraine, you know, is there going to be that broader retaliation and therefore the deployment of this wiper malware to Western organisations more broadly? And I think that could certainly come in the coming months.

Alex: Yes, certainly, because we've definitely seen that kind of hacktivist community, if I'm right in thinking, retaliate against Russia and publishing very recently some information about Russian gas pipelines. So, we were already kind of seeing the perhaps preliminary stages of that is that correct?

Jamie: Yeah. I mean, I think on the specific claims, we've always got to be careful, there's so much of this flying around right now. You know, frankly, I lose track of the latest thing, but a lot of this is harder to verify. You know, there's a lot of claims being made.

Alex: Okay.

Jamie: I'm not 100% sure on the specifics of that one. I'm sure, you know, probably likely to be true as we're seeing a lot of that sort of thing at the moment. It's probably more a point that there's just a lot of noise at the moment. I think, I think the underlying point is that we're starting to see a much more kind of chaotic landscape, different things being deployed. Yeah, absolutely.

Alex: What's the kind of latest trends and DDOS and the motivation there?

Jamie: Yeah, I mean, I think it's, it's a really interesting one because I think too often we just focus purely on the technical side, and actually when we think of denial of service, effectively, a lot of network requests, it's relatively easy to mitigate or, you know, prevent at a technical level, but actually I think we often missed that broader psychological or geopolitical piece. So, if we look relatively recently there was a campaign against the Ukrainian financial services system, where, you know, there's a lot of DDOS. These websites, these banking apps were offline and that's easy to mitigate, as I said, from a technical side, but what was interesting is that the users of those banks also received text messages saying that their bank was offline or wasn't available so then they would go and check and realise that they couldn't access their banking infrastructure.

Alex: Right.

Jamie: So, I think I think the point there is that the, the intention behind that campaign wasn't to create technical disruption for a bank. It was to create psychological concern amongst the general population. It was to undermine the integrity and confidence in the Ukrainian financial services system. So, I think I think we don't want to discount that broader psychological, the geopolitical context in which we're operating in, if we, you know, focus purely on those kind of technical areas and how we remediate them.

Alex: Perfect, and I kind of want to move on to kind of other types of malware, but actually, we're also seeing a rise of malwareless attacks or cyber attacks that actively like try not to use malware, and this is called living off the land right? So, in red team engagements, we are likely to deploy malware to control the narrative and the attack itself, but actually, if we can avoid the use of malware, potentially we might be more successful as we're not actually leaving any traces behind, there's nothing really to detect. We're just going to use the software existing within the environment. Are these actually like credible threats? Is this something you're seeing this living off the land? 

Jamie: Yeah, I think it is, and, you know, I think kind of what we talked about kind of fileless attacks, but also just going after things like PowerShell, you know, these parts of a network that provide huge access or, you know, huge opportunities for threat groups, but, you know, potentially in quite a stealthy way. I think for me it's that there's maybe two things that come out of that often it's actually a blend of the two. You might see a group using malware initially. Then they're kind of as they pivot, as they move through a network, as they try, especially as they try and gain persistence and, you know, they try and have that long term kind of stay staying power. It might be then that they start to look at some of these kind of more stealthy attacks, but I think the other thing is the you know, in the security industry, we've often looked at these malware variants and we've kind of taken the kind of the technical details of those and we've gone searching for that in networks.

Alex: Yeah.

Jamie: Think kind of indicators of compromise, things like that, and actually, I think what these sorts of attacks show us is that there are limitations to that indicator of compromise led approach. And, and actually, we also want to be looking at the sort of the behavior, behaviors, the kind of broader modus operandi of threat groups that you know, are of a concern to our organisation and start to kind of be either searching for that, you know, that kind of activity in a proactive way, inserting security controls that actually mitigate that ahead of time and kind of really present, you know, numerous hurdles to attackers. Whether it's kind of really getting detection efforts focused on those areas that we know are very prominent.

But yeah, I think I think just it does highlight the, the need to shift away from focusing exclusively on kind of well-known malware variants as it were.

Alex: Yes, absolutely. That's a good tip. Another threat I wanted to get your perspective on, particularly as a red teamer, I find that if network compromise hasn't been achieved through phishing or through open source intelligence gathering, so looking on the internet for kind of vulnerable websites, anything on the Internet that's exposed that pertains to the organisation. If that's not successful, physical social engineering is often very successful. So, visiting offices or sites of the client and trying to tailgate into the office, without kind of it, in some organisations, where there's a need for physical security and that's historic, certain sectors that's, you know, really prominent, it can be more difficult, but I would say in general, it's a really effective method of achieving network compromise. Is that something that you're seeing replicated kind of in the threat actor space?

Jamie: It's, I think in all honesty, it's not something we see come up a huge amount but, but having said that, some of the more sophisticated groups absolutely do that, right? So, we know that, you know, it's publicly documented evidence that, you know, the GRU, the Russian kind of intelligence agency, that they have that close access capability. I think you would also expect a lot of kind of opportunistic bits and pieces to emerge there where if, if an organisation is exposed there, you know, criminals are going to kind of explore what they can get there.

Alex: Yeah.

Jamie: I think, I think really it just highlights the variety of different attacker techniques out there. You know that there are multiple different things, you're either going after exposed means of access, you're phishing.

Alex: Yeah.

Jamie: Even within phishing, right? We can, you know, social engineering, we can talk about emails, we can talk about messaging via social media, which often gets around some of those email detection efforts.

Alex: Yeah.

Jamie: You know, voice phishing, calling people up, et cetera. So, I think it's just important security leaders really appreciate that full spectrum of different threat factors and actually take a pretty empirical look at, you know, which are the ones that are most prominent for our organisation. I think physical security, you know, huge. I think, I think outside of just cybersecurity as well, has that kind of broader infosec, you know, information security piece as well where you clearly don't want people sneaking into office buildings and things like that.

Alex: Yeah, definitely, and moving back to the kind of controls you were talking about there. I, I think my experience organisations can be heavily reliant on one or two controls. So, when you're looking at kind of mimicking a threat actor, you can look to kind of bypass that one in control they have, and that's really effective at gaining access. I'm thinking in particular a multifactor authentication, which disclaimer I want to say is highly effective in, you know, securing organisations. But actually, I find individuals are not aware of the need to protect their MFA token, their multi-factor authentication token. And vishing that you mention, so, calling somebody up and just asking them like hi, I'm from I.T. Support. People tend not to believe that I'm from I.T. support, but, you know, actually just saying I'm from I.T. support can, can I have your MFA token, please? More often than not, that works.

Jamie: Yeah. I mean, what I found really interesting recently, we've seen a huge uptick where you have multiple factor authentication kind of push notifications. So, you'll say, you know, you need to log in, you put your username and password in.

Alex: Yeah.

Jamie: Then you'll get this this notification saying, you know, approve you don't have to necessarily enter a token or anything. But we see a lot of threat groups when they've got those stolen credentials. Now, effectively just keep pushing those notifications to users.

And it’s amazing how many times a user will just approve that, even though they're not trying to log in themselves.

Alex: Yeah.

Jamie: And I guess that's just kind of spam, it's just, you know, harassing them until they accept it. But I think, I think there's also a broader point there where, you know, we're seeing even with multi-factor authentication that while it's, you know, excellent kind of security control, it's not that silver bullet. We're seeing, you know, big rise in the likes of supply chain compromise in the number of zero day exploits, and I think, as you say, we can't rely on one or two controls especially at that initial access point to keep our network secure. It's, it's really, I think now it's about building that defence in depth where we're presenting numerous hurdles, if, if an attacker, you know, once they've got access to that network, they’ve still got to do a lot.  And that actually presents huge opportunities, and it should be something that really empowers us as network defenders, because they're effectively playing on our kind of home turf. It's our network, and we really empowered there to insert all of these different security controls and ultimately, you know, those threat groups, they've only got to fail once. You know, we've got that kind of agency that if we're building that defence in depth, we're not relying too much on just preventing that initial access.

Alex: Yeah, it's interesting, that kind of spam point, because it reminds me of kind of traditional SOCs where, you know, security operations centres, is you have your analysts looking for cyber threats, looking for attacks. And we used the term alarm fatigue a lot where there's a lot of alarms going off, they're all for the same thing. And you just immediately close the ticket because you go oh, I know that one, that one's, you know, this niche thing that happens on this weird server. I mean, it's interesting that that's now propagated to the user, not just to the I.T. Analyst. So, some justice there maybe I don't know.

Jamie: I think the other thing there is, I think so much of what we talk about in cybersecurity is identifying threats. You know, it's about finding areas of concern. And that's absolutely a key area, it’s a key area of threat intelligence, if you like. But I think the, the, the question that I don't see asked as much is how do we eliminate some of that distraction, right? And it's more, I think any security leader, if there's one thing they really crave right now, it's focus and a huge amount of that. I mean, especially since the pandemic, we've just seen so many, you know, stories in the news. We've seen things that we're told that we should be really concerned about. Actually, if we start to take a slightly more empirical view of what's going on in the threat landscape, we find that it's not necessarily about flooding our inboxes with all of these different threats and things that we should be concerned about. It's often actually providing data to say, while this thing might be a concern in the news, it's actually not really playing out in the landscape. And, and hopefully for the, you know, the security operation centre for all of those people suffering from alert fatigue, I think, I think there needs to be that kind of real drive to actually eliminate some of that distraction rather than just pile it on.

Alex: Yeah. So maybe we've got alarm fatigue for the analyst, for the user and now for the board. So yeah.

Jamie: Yeah, exactly.

Alex: What a thought. The final threat I wanted to cover, which we've kind of briefly touched on, is that from the supply chain and we also briefly touched on SolarWinds, which is it's hard to believe was two years ago now. Just to recap for our listeners, SolarWinds was a highly sophisticated cyber attack that it leveraged a commercial piece of American software, right? American cybersecurity software and it injected the malware into the update. So, users were, you know, doing what they were told, updated and that update contained the malicious software which caused the breach. And I'll admit to a red team tip here, so it's often really handy when looking to create accounts on a network, we use suppliers names maybe with a little tweak in it. And just to the naked eye, it looks, looks normal to a security analyst and that's, that's proved effective a number of times for me. So, I wonder, Jamie, what's your take on the threat from the supply chain?

Jamie: I mean, I think it's, it's clearly a concern. We've seen a big increase in that over the last few years now and a steady, you know, increase. And I think I think that's, that's from a few different areas. I think with that increasing professionalisation around the cybercriminal ecosystem, the increasing amount of money in ransomware, we're seeing more supply chain compromise come from ransomware operations and the cybercriminal piece, it's certainly not just Russia on the state side as well. I think in terms of the prevention, I would just refer back to that previous point about that defence in depth that actually if you're if you're spending a lot of time trying to detect supply chain compromise initially, you're going to find it very difficult because if we're talking about what, what looks like legitimate updates, you know, we might, we might kind of become a bit of a crazy person if we're kind of ripping these apart and interrogating everything. 

Alex: Yeah.

Jamie: So, I think that defence in depth is really important. But again, it goes back to this point of focus. And if we look at the data, for instance, something like supply, SolarWinds is a great example because it really drove that kind of C-suite, that board level conversation because it was this kind of real headline grabber. But actually, it’s what while, while the initial malicious update impacted a lot of organisations, the amount of those targets that were actually then, you know, kind of targeted further was actually pretty narrow, and it was it was largely kind of narrowed down to kind of government and defence space. So, you had an issue there where a lot of people were concerned about, and perhaps understandably so, but it probably didn't impact their sector or their region so much. Whereas if you look at the data of, say, the last few years on supply chain compromise, a huge amount of what we're seeing is maybe the areas that people aren't talking about so much is, you know, developer environments, it's open source tools. We've seen a big increase in supply chain compromise related to mobile apps and mobile devices. So, I think that's, that's the kind of I guess that's the concern for me around supply chain compromise. Is that we focus probably a little bit too much on some very kind of isolated case, and there's probably other bits that maybe aren't quite as glamorous, but they are ones that probably going to impact most organisations. You know, if we think about developer environments where you're bringing in all these libraries. You're building apps, you want to be really innovative and leverage all of that kind of, those tools in the open source and, you know, world, if you like. But with that come clear risks and it's much easier to kind of conduct those sorts of operations from an attacker perspective. 

So, I think I think supply chain compromise is probably a worry for me in that I think the conversation probably needs to be slightly recalibrated to, to really capture the spectrum of different threats that we see there that probably aren't kind of being discussed in the way that, you know, at least I think they should be.

Alex: Yeah. It kind of goes back to that proportionality point that we've talked about throughout this of, you know, is it a relevant threat to my organisation and actually am I looking at it from the right kind of lens? Which leads really nicely onto my next kind of broad question. So, thinking about advice, what would you tell somebody responsible for cybersecurity from a threat perspective? So how should all of this information be integrated into a security function?

Jamie: Yeah, great question. And I think it really depends on the, the end user and how, how kind of far along that kind of intelligence, that threat intelligence journey they are. I think what I would say to anyone that is maybe starting out and they're maybe not quite sure about, you know, why does all of this concern around threats, how do I actually start plugging that in? Is to really focus on some of those quick wins? You know, I'm, I'm a lazy person, so I very much follow that kind of 80/20 mentality in my life. And actually, if we look at say the last year or so, you know, huge amount of different attack techniques are being used and that can feel really overwhelming because if I read all of the threat landscape, if I look at all of that, I see all of these different attacks taking place. Where do I get started, right? This is too overwhelming. But what if it was actually a very small number of those attacks that occur time and time again? What if there was five or ten really common attack techniques? And actually, if we focused on those, we inserted security controls, we got detection right around those kind of five to ten areas, then maybe we wipe out a significant amount of our attack exposure. So, I think I think that's the first thing is that there are huge, huge quick wins, this huge kind of high leverage that we can kind of benefit from by focusing on the really common stuff. And I think that's something that we've the intelligence industry talking so much about, the kind of the latest and greatest. We probably don't talk as much as we should about the really common stuff. So, I think that would be number one is focus on those really kind of quick wins the most kind of common. And you know, that's something we talk about in a kind of M-Trends report. We provide data of some of the most common attack techniques. I think then going forward, it's probably then about building that threat profile. So, it's about saying, you know, what region am I in? 

What sector am I in? And then what does the threat landscape look like for me in that area? That starts at a strategic level, you know, understanding the key threats. But then I think we can kind of drive that down if we if we understand those two key threats, we can drive that down into a slightly more operational network defence. You know, thinking about a really proactive security posture that is looking for these sorts of threats, maybe some kind of threat hunting, a slightly more kind of advanced intelligence use case, for instance, but really starting to kind of take the fight to the adversaries and, you know, expecting them, anticipating them and kind of reacting accordingly.

Alex: Perfect, and then how do we abstract that one layer further? How do we take that to the board? How do we convince the board that they should be interested in cyber threat?

Jamie: I think that's a great question. I think I think the big hook that I've seen and the thing that maybe we don't discuss enough in the industry is that link with cyber risk. And I think actually for a lot of organisations, there's maybe that perception that there's the kind of the cyber risk team and then there's the threat intelligence team and they play nice.

Alex: Yeah.

Jamie: And it's often cyber risk and risk management, and that's really where the conversation with a board or a C-suite is taking place. And threat intelligence, I think at times can seem a bit techy and a bit kind of geeky and focusing on some technical piece.

Alex: Nothing wrong with that.

Jamie: Yeah, I'm definitely one of those people. But I think actually if you look at cyber risk, a huge amount of that is threat right? And that's a huge, huge part of any kind of risk assessment is, is understanding the threat. And I think what threat intelligence does is it provides that data, it provides that kind of empirical evidence base, if you like, that really allows you to take that kind of either cyber risk or risk management more broadly allows you to take that to the next level. And that can be about something like ransomware. It could be about you know, the cyber risks of entering into China, you know or the risks around market entry or a merger and acquisition. You know, if we're going to acquire a company in a different sector, how does that change our risk as a company? Well, part of that is how does it impact the cyber risk? And part of that are the threats to that sector. So, so I think if threat intelligence can speak to those strategic areas, it gets a huge amount more buy-in, but it also makes the whole topic much more accessible.

Alex: Yeah, I totally agree. And I think cyber risk and risk management is certainly due for improvement in the industry. We do a lot of kind of ordinal scales of multiplying one number by another right and if you can inject that threat intel to at least how you're choosing those numbers, those ordinal scales, that must make a huge benefit, right?

Jamie: Yeah, I think so. I think it just makes the quality of the decisions you're making a lot higher. And I think that's ultimately what executives are all about.

Alex: Excellent. Perfect. And then you mentioned quick wins. What can we share with our business leaders today for them to take away? Maybe you suggest a few and I'll suggest a few.

Jamie: Yeah. I mean, I think I think to be honest, a lot of this is the basics, right? It's you know, I think and NCSC, the, the UK's government's kind of cybersecurity arm, they've done a great job of putting out the kind of the ten best security controls like, you know, real kind of basics. I think I think a lot of that is where I would start. It's, it's just thinking about things like security awareness, phishing, you know, multi-factor authentication-

Alex: Yeah.

Jamie: -we discussed how it wasn't perfect, but it goes a long way. I think maybe the other piece is maybe not discussed as much, but really thinking very forensically about kind of identity and access management, you know, getting into things like Active Directory.

Alex: Yeah.

Jamie: These kind of parts of the network that potentially provide, you know, huge kind of devastation and, and, you know, the, the areas of the network that provide threat groups with huge amount of opportunity to really cause kind of disruption at scale. I think, I think focusing on those areas of the network is going to be really important.

Alex: Yeah, definitely. I think over privileged access accounts is still rife and a fairly easy one to implement. It's easy for us to say, not the ones having to make the changes, but I would also go back to supplier security that we touched on. Actually, I think a lot of businesses, particularly SMEs, who you said are being more, more of a target for ransomware type threats. They have kind of sometimes, I’m generalising little understanding of who's responsible for their cyber within the business. Is it outsourced? Is that actually documented, if it's outsourced, that cyber is included in I.T? Is incident response covered? I think you can kind of quite quickly unpick quite a few big areas that you can get a lot of bang for buck in, in, supplier security. So, that’s somewhere I always point people to.

Jamie: Yeah, absolutely. And I think it's making sure that I think the cybersecurity team is in the room when those supplier conversations are taking place because it's easy to go with the cheapest supplier. And, you know, I think having that kind of risk led approach where you're thinking about, you know, what could that lead to in terms of potential vulnerabilities, that's really important because, yeah, it's such a kind of broad issue that having some kind of policies there can go a long way, I think.

Alex: Yeah, exactly. If you include it on the onboarding process, maybe you've done some kind of initial piece of work to look at your existing suppliers, but then you if you include it in onboarding, you're not going to have that pain moving forward, and you can do it proportionally. You know, there's in some businesses where it's less of an issue, but what data are they accessing? As you said, doing it kind of on a threat and actually kind of data led method of what are they accessing and therefore how much protection do I need? Definitely.

Jamie: Yeah absolutely.

Alex: Perfect. And then to finish today, I can't believe we've made it to the end. But yeah, just to wrap up for today, out of all of the things that we've discussed what would you say our business leaders should be sure to take away?

Jamie: I think for me it's the, the quick wins. It's that actually we can take all of this complexity in the threat landscape and very quickly draw some key, you know, three or four things to kind of do right away. I think that would be number one. I think, you know, I don't want to kind of bang on about ransomware, but that is the strategic concern for so many organisations. So, making sure that there is a kind of readiness plan there that that's something that really is driven from that leadership piece, I think that's really important. And I think I think with Russia, Ukraine, what I would say there is maybe while the concerns are absolutely reasonable and valid, we see huge amounts of concern-

Alex: Yeah

Jamie: -from business leaders at the moment, I think it is just making sure that they look at that in a proportional way, right? We, we want to start thinking about our sub security in response to Russian groups, but we don't necessarily want to overcorrect. And what I mean by that is neglect, things like ransomware, neglect, China or some of these emerging groups. We want to give Russia the attention it deserves, which for a lot of organisations means, you know, a growing amount of attention. But it doesn't necessarily mean it's the exclusive threat out there. And just looking at things with a more measured perspective, I think.

Alex: Thank you so much for joining us today, Jamie. That was a really, really useful session. Thanks for walking us through that.

Jamie: Yeah, anytime. Thanks, Alex. Great to be here. I really enjoyed it.

[music]

That brings this week's episode of the "Tech for Business Leaders" podcast with Mazars to a close. If you enjoyed today's show, please subscribe to the series and leave a review to help us extend our reach and keep technology at the heart of the business community. We look forward to sharing more with you in our next episode but for now, take care and thank you for listening.