Abigail: Welcome to the second series of our podcast, the new realities of cyber security. I’m your host, Abigail Wilson, a consultant from our cyber security practice. Each episode we’ll be inviting one or two of our colleagues who are experts in their field to discuss what they do here and what they’re focusing on at the moment in the ever changing world of cyber security. Today’s guests joining us are Matt Wixey and Holly Rostill from our research and development team. They’re here to tell you more about the recent projects and areas they’re focusing on right now. Thanks for joining us. And Matt, welcome back. You joined us as a guest last season and you’ve been super busy since, presenting your research at conferences around the world. Could you tell us about yourself and what you do for the firm, and also tell us about what you’ve been focusing on recently?
Matt: Hi Abi. Yeah, thanks for having me. So, I lead technical security research for the cyber security business unit in the UK. I develop new research, original research that’s based on emerging threat vectors and try and develop countermeasures for those threat vectors as well. As well as doing original research myself, I supervise other people in the business unit who are doing research. So, two things I’ve been working on recently that I’m really happy to talk to you about today, the first is ROSE, remote online social engineering, which is a new threat vector, fairly recent, we’ve only seen a handful of case studies before but we think it’s going to be really important going forwards. It’s attackers doing long term social engineering over social media with the aim to eventually compromise an organisation. And the reason we’ve decided to start looking at this is because in contrast to traditional phishing attacks which many people know about, there’s lots of user awareness training in place and security controls, ROSE attempts to bypass that by being much longer term and using social media as a kind of entry point. So, we presented that research at Black Hat USA earlier this year. And the second project I’m really keen on at the moment is case linkage analysis. So this is looking at very granular attacker behaviours in an attempt to solve the attribution problem. So rather than relying on discreet identifiers like IP addresses and domain names which can be really easily spoofed…
Abigail: All the technical details.
Matt: Exactly. This is looking much more at psychology and behaviour as a way to attribute cyber attacks. So, it’s a new original approach. So that was presented at DEF CON earlier this year as well so we’re really thrilled to be able to present that at a really high profile hacking conference and it was subsequently covered in Wired magazine as well which was brilliant.
Abigail: Oh, that’s awesome. That’s great. And Holly, thanks for joining us. Could you also tell us a bit about your role with us? While Matt leads up our technical research, you’re now working on coordinating research more globally. It would be great to hear more about that.
Holly: Yeah, that’s right. So, it’s really exciting. I’m thrilled to have this new role and for me it really shows how the Firm is investing in research and development. What this role really is, it’s about actually how do we bring the whole of PwC to our clients when it comes to research? We don’t want one person in one country and in another doing the same thing and having the same research outcomes. So it’s actually how do we get people working together? How do we collaborate? And how do we think more globally? Cyber threats are now global, lots of our clients are global and we also want our research to be at a global focus.
Abigail: That’s a key point. It’s so important that research has that global mindset that you mentioned. Our clients face global problems and collaborating with other researchers around the world must be so important to overcoming these challenges? Not only faced by our clients but the cyber security industry as a whole?
Holly: Exactly. So, it’s not just about collaborating within PwC, it’s also collaborating with externals as well.
Abigail: Great. So, I’m wondering both of you, where do you see this going? What does research mean for organisations that you work with? Matt, I know you’re focusing more about the practical application of new emerging attack vectors. Could you tell me about your more recent work?
Matt: Yeah, absolutely. So, going back to the ROSE research, remote online social engineering, initially we just started with an exploratory research phase, so looking at this because it’s a new attack vector, it’s something that not a lot of organisations are aware of at the moment and as I said there are only a handful of incidents so far. So, what we did was take that exploratory research and try and expand it into a practical checklist for organisations to use. If people want to view that checklist they can have a look at the Black Hat presentation which is available online. We really wanted to do an in depth analysis of what attackers do when they’re doing this long term social engineering approach. How they’re doing it, why this particular attack vector can bypass traditional controls and traditional user awareness.
Abigail: That’s great. So you can say that real life examples was your inspiration to continue to research this particular area. Does this research reflect recent attack trends?
Matt: I think it does, yeah. So, definitely the case studies that we’ve seen have succeeded for the most part where traditional attacks may have failed. So the research was definitely inspired by seeing things happening in real life and we realised there was an opportunity there to focus on this because it is something that hadn’t really been looked at before.
Abigail: That’s great and that of course is the mission for R&D to look at things that no one else is really ooking into, to get to a proof of concept which I believe you’ve now developed.
Matt: Absolutely, yeah.
Abigail: Great. That sounds really exciting. I’m just wondering what’s next, if you can give us any hints on what you’re looking to be working on next?
Matt: Sure, so with the ROSE project, we’re looking at taking that into two particular streams. So, we have a non-technical and a technical stream so a lot of our R&D work is very technical and some of it is also non-technical, so looking at social engineering and policy as well. So on the non-technical side we’re looking at raising awareness of this as an attack vector, feeding it into our work on cyber security culture generally, and then on the technical side we’re looking at developing a solution to try and detect deception in social media profiles which feeds into a wider social issue about disinformation on the internet and fake news and that kind of thing.
Abigail: That’s great, because cyber security in general isn’t just a technical challenge. It’s great that you’re looking at the human factors aspect of research. That’s great. Holly, I’m wondering what you’re looking at researching next? Tell me more about that.
Holly: So, as well as my global role, I do my own research and the thing that I’ve been looking at over the last twelve months is around Blockchain. Blockchain has become a little bit of a buzzword in the market and I took on the task to actually go into the detail. I’m a cryptographer by background so I really wanted to fully understand it from the bottom up and actually make sure we are getting the right view and the right kind of information to our clients on this buzzword. That’s included looking at use cases so a lot of industries are looking at ways of using Blockchain and I’ve been analysing whether they are appropriate and the right ways and also looking at the security as well.
Abigail: That’s a great point. Organisations are now taking payment in cryptocurrencies and it’s now more accessible than ever. Many may not realise that this has wider security implications. I’m wondering if you can tell me about the general risks? Is this something you cover in your research?
Holly: Yes. So there’s loads of other factors to consider as well. One that some people potentially don’t always think about is the environmental impacts of cryptocurrencies.
Matt: Yeah, I think that’s a really popular point at the moment, isn’t it? I’m sure I read somewhere that in the last twelve months the amount of electricity consumed by Bitcoin activity is equivalent to that of a small country.
Holly: Yeah, I’m not surprised because actually, the way for cryptocurrencies to work you need a lot of processing power. Whether that’s through mining or just using the currency, and actually it’s something that, yeah, is really popular to think about right now.
Abigail: That’s great. It’s great the research and development we’re doing isn’t limited by our perspective of being cyber security professionals. We’re looking at the wider political and environmental aspects. That’s great.
Holly: Yeah, and that links in with working with all the wider parts of the firm as well in my other global role.
Abigail: Definitely. So, I understand that some of your research isn’t yet public. Where can our listeners go to find out more about the projects when they launch?
Matt: So, we have a dedicated area on the PwC cyber security website. Also, a lot of our conference talks are on Youtube as well.
Abigail: Great, awesome. Thanks again for coming along to speak to us. Are there any final words, anything you’d like to mention?
Holly: I guess for me, I just feel like I want to mention that research and development is really important, not just for keeping cutting edge which is something that we really want to do, but also for making sure that we’re actually building trust within society and building that secure digital society.
Matt: Yeah, I totally agree. The fact that we’re building new things, not only looking at cyber security but also wider social issues as you said is really important.
Abigail: Yeah, bringing all those different perspectives.
Abigail: That’s fantastic. Well, great, thanks again and thanks again for joining us.
Holly: Thank you.
Matt: Thank you.
Abigail: Thanks for listening. Next episode we’ll be talking about Untrusted Apps with our software assurance business and technical leads and discussing what we’ve seen to be the top three risks to application security.
Cyber Threat Operations - Manager, PwC United Kingdom
Tel: +44 (0)7841 803680