Staying One Step Ahead Of The Cyber Spies

Uploaded on 2018-04-04 in NEWS-Cybersecurity News, INTELLIGENCE--International, FREE TO VIEW

If you want a job that rides the wave of the future, get hired by a firm that combats cyber-threats. Criminal and malicious hackers are endlessly inventive and every day dispatch novel viruses and other digital threats into cyber-space to wreak havoc. Getting paid to tackle these is about as cutting edge as you can get.

One emerging discipline in this field of cyber-incident response tackles the most skilled and serious of these hackers - those who work for nation-states.

The UK's GCHQ now estimates that 34 separate nations have serious, well-funded cyber-espionage teams targeting friends and foes alike.

The threat from these state-sponsored digital spies has been deemed so serious that the intelligence agency has designated five firms that victims can call on if they are caught out by these attackers.

"We get called when people have a big fire and we come along with our hoses and try to put it out," says James Allman-Talbot, head of incident response in the cybersecurity division of BAE Systems.

That captures the fact that, more often than not, the fire brigade arrives to find a building still in flames. When it comes to cyber-fires, that means the hackers are still embedded in a victim's network and are still trying to steal data or burrow more deeply. Unlike the fire service, the BAE team do not arrive in a blaze of lights and sirens. They have to be more, stealthy.

"If the attackers have access to the victim's email servers the last thing you want to do is discuss it on there," says Robin Oldham, head of the cyber-security consulting practice at BAE, who is also part of the incident response team.

Tipping off the bad guys could prompt them to delete evidence or, if they have more malicious motives, shut down key systems and destroy data, he says. Instead, responders first gather evidence to see how bad the incident is and how far the hackers have penetrated a network. It's at this point that the team use the skills picked up during earlier careers. All of the team have solid technical computer skills to which they have added particular specialities.

Prior to working at BAE, Mr Allman-Talbot did digital forensics for the Metropolitan Police and Mr Oldham has significant experience running large complex networks. The good news about most organisations is that they typically gather lots of information about their network and often it is anomalies in the logs that expose suspicious activity. But that extensive logging has a down side, says Mr Oldham.

"It can mean we have a large amount of data to work with and analyse. In some cases, that means a few hundred million lines of log files."

Once incident response teams get their hands on data from a victim they start analysing it to see what has happened. It's at this point that the allied discipline of threat intelligence comes into play. This involves knowing the typical attack tools and techniques of different hacking groups.

Good threat intelligence can mean responders hit the ground running, says Jason Hill, a researcher at security firm CyberInt.

"If you understand how they operate and deploy these tools and use them to attack the infrastructure you know what to look and how to spot the tell-tale signs."

In the past, nation state hackers have tried to bury themselves in a target network and siphon off data slowly.

"Criminal hackers have a more smash and grab mentality. They do it once and do it big," he says.

More recently, he adds, it has got harder to separate the spies from the cyber-thieves. One example was the attack on Bangladesh's central bank - widely believed to have been carried out by North Korea. It netted the rogue state about £58m ($81m).

Russian groups also span both sides of the divide. Some criminal groups have been seen working for the state and often they use the tools gained in spying for other jobs.

"The motivations of the groups have really become blurry of late," says Mr Hill.

Attribution - working out which group was behind a breach - can be difficult, says Mr Allman-Talbot, but spotting that one attack shares characteristics with several others can guide the investigators. 

One widespread attack, dubbed Cloud Hopper, sought to compromise companies selling web-based services to large businesses. Getting access to a service provider could mean that the attackers then got at all its customers.

Thoroughly investigated by BAE and others, Cloud Hopper has been blamed on one of China's state-backed hacking groups known as APT10 and Stone Panda. Knowing how they got at a victim can help free the hackers' hold on a network and reveal all the places that need cleaning up.

Even with up-to-date intelligence on attack groups and their chosen methods, there will still be unanswered questions thrown up by an investigation, says Mr Allman-Talbot. The joy of the job comes from during investigations as the team figures out how the bad guys got in, what they did and what data they got away with, he adds. He likens it to solving complex puzzles and problems using experience, good hunches, deep analysis and coding skills. It's a challenging profession that regularly bestows solid intellectual rewards.

"There are lots of eureka moments," he says.

The deep knowledge built up by the responders as they investigate and clean up a breach can also help others that might not even know they have been penetrated, says Mr Oldham.

"There are people that see the smoke alarm go off and pick up the phone and tell us that something is wrong. There's others that we go to and tell them that their house is on fire," he adds.

Mr Allman-Talbot says some of the satisfaction with the job comes from helping people and making life online safer.

"Just as with criminal cases, there's a real sense of doing good. We are investigating incidents that have badly affected these organisations."

There's little doubt that the job is only going to more important as time goes on. The cyber-spies will not stop and are only going to get better at what they do.

"It's just going to get more and more complex," says Mr Allman-Talbot. "It's the next form of warfare."

BBC:      Image: Nick Youngson

You Might Also Read:

Spy vs Spy - Cozy Bear Hackers Hacked:

Dutch Intelligence Agency Pinpoints Cyberattacks:

 

« Snowden Says Bitcoin Is Not Private
Healthcare Security Should Use More Sophisticated Tools »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

British Insurance Brokers’ Association (BIBA)

British Insurance Brokers’ Association (BIBA)

BIBA is the UK’s leading general insurance intermediary organisation. Use the ‘Find Insurance‘ section of the BIBA website to find providers of cyber risk insurance in the UK.

Australian Information Security Association (AISA)

Australian Information Security Association (AISA)

AISA champions the development of a robust information security sector by building professional capacity and advancing the cyber security of the public, business and governments in Australia.

Seric Systems

Seric Systems

Seric is a technology business specialising in security, infrastructure and data management.

Exatel

Exatel

Exatel is Poland’s leading provider of ICT security services.

GreyCortex

GreyCortex

GreyCortex uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

Bureau Veritas

Bureau Veritas

Bureau Veritas are a world leader in Testing, Inspection and Certification. We provide certification and training services in areas including cybersecurity and data protection.

PQShield

PQShield

PQShield are specialists in Post-Quantum Cryptography. We provide quantum-secure cryptographic solutions for software, software/hardware co-design and data in transit.

Network Utilities (NetUtils)

Network Utilities (NetUtils)

Network Utilities provide identity centric network and security solutions to organisations from Telecoms and ISPs to SMEs and large corporates.

ADL Consulting

ADL Consulting

ADL Consulting provide information security-related consultancy and training support to businesses across the UK. Our services include ISO27001, GDPR, Cyber Essentials and training.

Let's Encrypt

Let's Encrypt

Let’s Encrypt is a free, automated, and open digital certificate authority, run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

West Midlands Cyber Resilience Centre (WMCRC)

West Midlands Cyber Resilience Centre (WMCRC)

The East Midlands Cyber Resilience Centre supports and helps protect SMEs and supply chain businesses and third sector organisations in the region against cyber crime.

AutoSec

AutoSec

AutoSec supports the FFI program Electronics, Software and Communication by dissemination and exploitation of the results of projects related to automotive cybersecurity.

Wavenet

Wavenet

Wavenet has grown from simple beginnings to become one of the UK’s market leaders in unified communications, business telephony, and Cyber Security solutions.

Evo Security

Evo Security

Evo Security is an Identity and Access Management company focused exclusively on serving MSPs, MSSPs and their SMB and Mid-Market customers.

Blink Ops

Blink Ops

Blink helps security teams streamline everyday workflows and protect your organization better.

Fivecast

Fivecast

Fivecast is enabling a safer world. We help organizations around the world explore masses of data to uncover actionable insights.