Ian Todd: Hello and welcome to the last episode of the first series of The New Realities of Cyber Security. My name is Ian Todd, I am a data privacy and cyber security consultant here at PwC.
Today I am joined by Louise Taggart, a threat intelligence analyst. We will be discussing the changing world of threats from state sponsored attacks to the new techniques which individuals and malicious groups are adopting.
Louise, well thank you very much for joining us. I am really excited about this subject and I don’t know a huge amount about this, so I think it will be a really good learning opportunity for everyone and hopefully the people listening as well. Your background, in particular, is quite fascinating I think. I noticed that you speak six languages, straight off the bat, and I know you are involved with threat intelligence, so I guess a good starting point would be to find out a little bit more about what that is, what your background is and how you ended up at PwC in this position as well.
Louise Taggart: Yep so thank you very much for having me today. So my background is, I joined the firm about a year and a half ago and I come from a completely non-technical background, so joining a technical team here at PwC was quite a step change for me. My background as you mentioned is more in languages and linguistics. I studied Russian at university and then that spiralled into studying a few more East European languages as well and after university I worked mainly in political risk which was focused on the former Soviet Union region. I also worked for a “think tank” which focused on security and defence research matters and then transitioned to the team here at PwC that’s working on threat intelligence in particular.
Ian: Amazing, amazing and I think it’s really interesting that you haven’t come from a technical background. I straightaway thought you must have some kind of technical IT background so you’re language based and then it has kind of evolved over time into where you are now and I suppose the next part is, so what is threat intelligence? What does that involve?
Louise: So threat intelligence at a very sort of basic level is helping clients understand who is targeting them, particularly with a focus on the cyber domain obviously. So this might be looking at different threat actor groups that are out there at the minute and are particularly active. Looking at the particular methods they use, what kind of tactics and techniques they have in their skillsets and what sort of information they go after. So what sort of intellectual property or data are they going to be looking for on a particular system or network.
Ian: Incredible, is this something that just, over the last five years, popped up or is this something that has been going on for twenty years? I think from my own perspective, I haven’t heard a huge amount about it, so is this something that is growing at the moment?
Louise: Yeah, so threat intelligence is a really growing sector at the minute and has kind of evolved over the past five to ten years. I think one of the benefits of being here at PwC actually is that we are quite unique in that we have both technical specialists and also people from a non-technical background like myself who can offer more geo-political analysis to what we are seeing.
Ian: What does that mean, so you will be looking obviously from a non-systems technical point of view. Are you looking at the social environment of a certain country or are you looking at the political environment? Is that the kind of thing that you are looking at and then from there kind of setting that down into potential groups that may cause issues, or potential threats that may come from that? Is that the kind of thing that you’re doing, is that right?
Louise: Yeah, that’s it exactly. So with a background in political risk and analysis and with a knowledge of different cultures and countries I can help clients understand the geo-political context they are operating in. So that might be looking at different countries they have offices in, maybe companies that they have joint ventures with or have third party relationships with, and help them understand how that might be able to shape their particular threat profile.
Ian: And is that always moving? I suppose, I guess it is different in the UK, but we have new leaders potentially every four years, I guess the US is similar, do we see quite radical changes when new people take over in power? Is that something that affects this quite drastically?
Louise: Yeah, I think the geo-political landscape is constantly changing. I think you know if you look just at the minute, how many shifting alliances there are, not just in Western Europe but in Eastern Europe, in Asia and the Americas it is definitely something that is constantly changing and evolving.
Ian: Yeah, it must be so difficult to keep up with that constantly. I can only imagine. I imagine that there are certain parts of the world that this is happening more than others and you’ve got to keep shifting your attention so how difficult is it for you guys to kind of see the horizon and see where things are moving to, is that a difficult thing for you to do?
Louise: I think it definitely keeps us on our toes. I think there are always new trends emerging. There are always new events that you have to keep an eye on, so we tend to focus on the main countries that we see activity pertaining to. Whether that be threat actors that are based there or countries that we know that our clients particularly operate in. But it is a constantly shifting environment.
Ian: Interesting and I guess on the constantly shifting note the actual threats themselves and the techniques that these groups or whatever these states are using must be changing as well throughout time so what kind of things have you seen. How has that shift happened?
Louise: So we are definitely seeing that a number of threat actor groups are becoming much more sophisticated in the kind of techniques and tactics that they use. If you compare the landscape now to how it was maybe say ten years ago, when you would get spam emails pretending to be from a former royal family member or a long lost cousin asking for you to transfer them cash. Obviously these kinds of emails still exist, we probably still receive them, but increasingly you are seeing the more sophisticated threat actor groups put quite a lot of effort and resources into much longer term reconnaissance. So this might be targeting very specific executives, using social media platforms to research them and their activities. Knowing when they go on holiday, knowing who their personal assistants are and how to frame spear phishing emails to make them much more realistic.
Ian: And spear phishing is targeted phishing attacks, and phishing being they send you an email which tries to extract information from you, so they pretend that they are from a bank. They say, your bank account has been shut down, we need these details, we have got this so far but we need this to finish it off. Am I right in thinking that?
Louise: That’s it exactly. So phishing emails are the kind of generic ones, they tend to be sent out to large numbers of people at the same time. PayPal is one good example of a phishing email that people I think quite frequently receive when it is evidently not from that particular company. Spear phishing emails are much more tailored to a specific person or individual. Often they tend to be quite high up in an organisation or maybe have access to cash.
Ian: Interesting. I heard, I guess it is similar to this, it is not quite spear phishing but there is an organisation in China that was looking to find out information about an American firm and they falsified a profile on LinkedIn who was the CEO of this American firm and started adding who they thought were his friends and people he may be associated with, and because he didn’t have a profile, it wasn’t kind of flagged up anywhere, and they actually managed to map out the CEO’s closest friends, who he worked with, if he was in contact with other companies and these kind of things that this can relate with a reconnaissance I guess leaves people so vulnerable doesn’t it and I guess it’s what you are trying to educate organisations on and try and prevent them from falling for this kind of issue.
Louise: Exactly, I think a lot of, it’s around 75% to 80% of attacks that companies see are actually relatively low sophistication – so things like phishing emails. It’s educating users and employees about how susceptible they are to receiving these kinds of things, but as you say, there are also examples of groups that will use much more sophisticated means of gaining access to somebody’s network using social media platforms. I think as well it is important to raise awareness of how much information we do put out there, and it is not necessarily just the Executive that’s being targeted, it’s maybe their family members or their friends who put information in the cyber sphere and don’t think of the consequences that this can have on their relatives.
Ian: Yeah, absolutely. So in terms of success, how successful are these attacks? Obviously I guess you can raise awareness about the threats. Do we see 100% of spear phishing attacks become successful and are we seeing a decrease over time or is this increasing, I’m trying to get a feel for how well this is actually working for the bad guys?
Louise: It is actually really difficult to quantify. Partly because a lot of organisations don’t like to release that kind of data showing what their vulnerabilities are. But also because people who are compromised might not even realise they have been…
Ian: So this can happen where someone’s being compromised and they are lying dormant I guess in the person’s system or with their information and they can keep that for a while I guess and then use it at a different point. Is that what you mean by that?
Louise: Exactly, if it’s an employee and it’s their corporate email account that’s being compromised. If the company itself doesn’t have the right kind of network detection and monitoring in place then the company might not realise that its systems have been compromised. If it’s an individual, if it’s somebody’s Gmail or Hotmail account for example, they might not know that there is now somebody sitting, using that particular malware. They might be logging their keystrokes, stealing their passwords for on-line banking accounts, that kind of thing.
Ian: And as a person who doesn’t have a huge amount of wealth, or isn’t an Executive in an organisation, this is an issue for them as well I guess. So they can lose their personal information, I suppose fraud, things like that. Are these the kind of issues that the normal person in the street will see?
Louise: Exactly. I think the kinds of attacks that make the headlines tend to be when it’s the big corporations and organisations that are breached and maybe hundreds of thousands or millions of people’s worth of data has been leaked or stolen. But I think it is definitely something that everybody should be aware of, that you know personal information is something that can be monetised and is therefore an attractive target for a criminal.
Ian: And I guess, going back to what we were talking about a little bit earlier. Obviously in some cases there is a big state sponsorship around that, so I guess in normal language that means a country or a government of a country is providing the funding to allow this to happen. Is that what we are seeing now? Is this predominantly driven by states or is this just actors within the state who are completely independent of the government? What’s the feeling around that?
Louise: So in threat intelligence, in the team here, we tend to break down threat actors into four different groups. Obviously it is not an exact science but this is kind of the methodology we use, and that’s cyber criminals. So those who go after your bank account log in details to steal things from you.
Ian: So organised crime would that be, is that?
Louise: Yeah, organised crime. Hacktivists – so groups like Anonymous who have a particular vendetta or motive and will use cyber methods to promote their particular ideology. Saboteurs – so that might be groups that are looking to disrupt national infrastructure, for example. And state sponsored espionage. Again, it is difficult to quantify or to break down into exact percentages how cyber activity is split between those four groups, and with the state sponsored espionage, attribution is always a difficult thing to manage. So knowing exactly who has been behind a particular attack to a 100% degree of certainty is almost impossible, and this is actually where it is important to have both technical and strategic analysts, because you can use technical research – so looking at the particular infrastructure that was used in an attack, so that might be the particular websites that have been compromised or email addresses that are associated with the attack – and combining that with a strategic understanding as well can help you, to a better degree, maybe identify who has been behind a certain attack.
Ian: So I know it is quite a contentious issue, but are there examples of where you have seen state sponsored action happening?
Louise: Yeah, so there is obviously a lot of coverage of different cases at the moment in the media. One that particularly springs to mind was in 2015 when a French media company was actually the target of an attack which took down its website and some of its TV channels. At the time, a group calling itself the Cyber Caliphate posted a message online claiming it was them who had carried out the attack and was affiliating itself with Islamic State. So it was very much taken at face value that that was who had committed it. However, the French authorities and some private security companies did a bit more research into the tactics and techniques that had been used and it transpired that actually it was likely to be a Russia based group that had carried out the attack rather than this so called Cyber Caliphate.
Ian: So how did they get away with not being directly affiliated with this attack?
Louise: So it actually transpired that the group believed to have been based in Russia that was actually responsible for the attack had routed the attack through Brazil, so they had managed to hide their footprints by using infrastructure that was located in a completely different country. Sort of deflecting attention away from the apparent original source.
Ian: Interesting. So I guess one of the big things that we find in state sponsored attacks is trying to steal intellectual property from other companies or other countries, and something that we discussed in our team is that there is an organisation in China that is believed to have been state sponsored who were stealing intellectual property from Vauxhall, and it was actually, it transpired that they had stolen exactly what Vauxhall had, to the point where there were spelling mistakes in the manuals of the cars. So when they tried to say, oh it wasn’t us, I think it is quite well known that car blueprints, or however the cars are built, there’s exact models that you see in Asia that we have over in Europe, but to the point where they have actually taken intellectual property in the manual, everything was taken, so it shows you how vulnerable organisations are, and there is so much stuff available now, if you can break into a system you really can take everything from an organisation I suppose.
Louise: Yeah, I think. What is interesting from the point of view of state sponsored cyber activity is that different nations have different motivations. So for example, some countries are motivated by gaining access to intellectual property and using that for their own ends. So that might be developing their own domestic markets or manufacturing. Some countries focus more on domestic opponents to a regime or dissidents in targeting them to find out who their contacts are, what their activities are.
Louise: And some nations are more intent on sort of promoting their own national interest. So they might be much more overt activities than others.
Ian: So I suppose the question is who should care about this? Is this just a state government interest, or is this big financial sector, banking or retail or is it all of us. Who does this encompass?
Louise: It is everybody. I think the focus tends to be on implications for large organisations because it is when they are breached that attacks really make the headlines. But it really is a concern for everybody. I think on an individual level it’s not just making sure that we take sensible precautions with, say for example, two factor authentication on email, but it is also being aware of which companies have our personal data and how that’s being protected. I think for a number of high profile sectors it is obviously of key importance, so you have already mentioned the financial sector for example, and they are a target not just because of the vast assets they hold, so for example cash and personal data as well, but it is also in things like employee data and HR data. For the defence sector, it might be intellectual property, it might be confidential or top secret projects that they are developing for the government or a nation state, and at a government level it is very much a priority for securing things like critical national infrastructure, securing defence operations whether they be abroad or networks at home. So it really is something that everybody should be concerned with.
Ian: Yeah, I agree. I think from my own experience a classic thing I have seen, talking back on spear phishing, is where they will directly aim emails at the financial department and they will say hey it is Ian here, the CEO of this company, and I need you to release these funds to these guys over here, and I think historically, and you will know this better than I do, but historically it has just happened. There hasn’t been a protocol in place where people say well hang on let me double check this, are there other areas of identity that we can make sure that the person that is actually contacting us is the right person, and people kind of release funds. There are stories of millions of pounds being released through fraudulent emails in different things and obviously that is a big issue for organisations, but that can also obviously happen for you and I as well. Is it a person who is not associated with an organisation, just in your own personal life? If someone is to steal your identity, the fraud that can happen around there, take credit cards out or loans under your name, and it sounds like there are a lot of vulnerabilities, and I guess that there probably are, but it’s realistic isn’t it, these things can happen?
Louise: Exactly, as you have said, there’s been a lot of cases in the media. There’s been a number of cases reported recently of what we call business email compromise, which is exactly as you described. It’s somebody pretending to be a legitimate employee or colleague, emailing somebody in maybe the payroll department, or who has access to the accounts, and asking for a transfer to be made, and if it’s written in such a way that it, you know, really replicates the nature or the demeanour of the person who is purporting to be sending it, then there’s no reason that the recipient should necessarily be suspicious of the validity of this email.
Ian: There’s a really interesting story actually from your team, and this was all ethically allowed, for a client. They were challenged to try and find the CEO’s bank details through technical and non-technical approaches, and what they ended up actually doing was, I think this is fascinating. They found a picture of him in front of his Aston Martin I guess, a really old classic car, and they saw the tax disc and it was about to run out in a certain month. They also found his mobile number on a charity website that he was a board member of, and they called him up and said ‘eh, we’re calling from – whoever the insurance provider is – we know your insurance is about to run out next month’ and he went ‘oh yeah it is, yeah, yeah’. ‘We just need your bank details and we’ll sort it out for another year for you’, and he got all the bank details, straight over, and it’s as simple as that, and he didn’t even for a second think about this, and obviously the big thing for us was, we went in there and did a presentation and said ‘we’ve got all your stuff’ and he said ‘no it’s impossible, you could not have’. It was that simple, he thought we must have broken in through here and done this, but in actuality it was a simple phone call from a picture off Facebook, and that’s how crazy this can be isn’t it. I think people think it’s going to be these really elaborate, incredibly complex state sponsored attacks, when actually it can be a simple picture that you put on social media.
Louise: That’s it, exactly, and I think often we don’t put two and two together. The information you put out there can be manipulated and exploited to … for nefarious purposes.
Ian: Yeah, absolutely. So we talked a lot about threat intelligence, what this means, what’s happening out there and the different threats. I think everyone is terrified now, who’ll be listening to this, so I think what we need to try and decide is what PwC are doing as an organisation, what we’re trying to provide for our clients, what we’re doing for organisations out there and general education as well.
Louise: So I think we have a really unique offering in the threat intelligence space, so as I mentioned before, the team … the Threat Intelligence Team here has both technical and strategic analysts, myself being one of the strategic analysts, and that really means that we can offer clients a full understanding of what their threat landscape is. So not only on a very technical level, but also from a wider business strategy point of view as well. The wider team also incorporates incident response and network detection, and we have a very holistic relationship between the three components of the team. So on the Incident Response side, the Threat Intelligence Team is able to feed in our most up to date and actionable threat intelligence so we can offer guidance and insight into what threat actors are targeting, and what their current activities are. It also means that the Incident Response Team can feed back fresh and up to the minute data from the data breaches that they respond to. So for example, that might be the kind of infrastructure that threat actors are using at the moment, or what kind of lure documents they are using, and the team also comprises a network detection component, and that means that again the threat intelligence part of the team can feed in up to the minute and really fresh data about what kind of infrastructure threat groups are using, so that might be a fully uninitiated, it might mean particular file names that threat actors are using, and then the Network Detection Team can go out and monitor for those kinds of flags coming up on our clients’ networks.
Ian: Amazing, so it’s not just about after an incident has happened or before. It can be everything. It can be, you can plan strategically for the future and we are also there to help you guys out if something goes wrong as well.
Louise: That’s it exactly. I think we are really well placed to be able to offer a full service to our clients. Everything from really, from initiating an understanding of what your threat landscape looks like all the way through to helping you respond if or when unfortunately you might have a data breach.
Ian: And that was going to be my next kind of point. I guess the need for this will continue to grow over the next ten, twenty, thirty years because the more inter-connected we get, the more that we rely on digital data or digital information, I suppose the more vulnerabilities present themselves and the more we need to understand what is happening in the larger world around us.
Louise: That’s it exactly. I think the workplace is really undergoing a huge digitalisation process at the minute. Everything from e-commerce and on-line banking, through to bringing your own devices to work. There are only going to be more vulnerabilities opening up to companies and our clients.
Ian: I think it is interesting on the point as well about bringing your own devices to work. I think we will see a real clouding of organisation, so when you are working for your company and your personal life, I think that will be quite interesting as well because we are going to see a real amalgamation of data from everywhere. So no longer are they going to be targeting just the individual or the organisation, but I suppose they will target you as a bit of both, and you will probably show weaknesses from either side I guess as well.
Louise: I think you are completely right that it’s something that needs to be addressed both at an individual level but also at a corporate level. That there is an increased blur in things like social media. You know there’s social media that’s aligned to professional interests and social media that you use for your day to day personal life. But increasingly the lines between those are becoming blurred and that opens up both the individual and businesses to much greater risks.
Ian: Well I think it’s been fascinating. I really appreciate you coming here and talking about this. I imagine we are going to have a whole bunch of other questions for you in the future. But it is a really interesting time, I think things are really interesting, the way our world is moving right now politically. I imagine there is going to be more and more incidents coming out in the future so I really appreciate you coming here today and talking about this.
Louise: Thank you.
Ian: Thanks again for joining us for series 1 of The New Realities of Cyber Security. We have discussed a few of the challenges and opportunities that organisations are facing right now. But we would love to get your feedback, comments and suggestions on future topics. You can send them through to me on Twitter at @iantodd86 or email me direct at firstname.lastname@example.org.
Again, thanks for listening.