Abigail: Welcome to the second series of our podcast, The new realities of cyber security. I’m your host, Abigail Wilson, a consultant from our cyber security practice. Each episode we’re going to be inviting two of our colleagues along who are experts in their fields to discuss what they do here and what they’re focusing on at the moment in the ever changing world of cyber security. Today’s guests joining us are Louise Taggart and Rachel Mullan from our cyber threat intelligence team and they’re here to tell you more about their work and what interesting stuff they’ve been up to at the moment. Thanks for joining us. To start with, I thought it would be great if you could introduce yourselves to our listeners.
Louise: Great. Thank you Abi. My name is Louise Taggart and I’m a manager in our threat intelligence team and I have a particular focus on strategic and geopolitical analysis.
Rachel: Hi. I’m Rachel Mullan. I’m the strategic lead for our threat intelligence team. I work with some of our clients to help them build, design and develop their threat intelligence capabilities as well as, like Lou, doing some of the geopolitical analysis of the threats that we track.
Abigail: So, Rachel, it would be great if you could tell what are the key trends you’ve been looking at over the last year? What have you been observing and what’s caught your eye?
Rachel: I think for me one of the big things has been financially motivated cyber attacks. We work really closely with our incident response team and a lot of the incidents we’re being called out to deal with have a lot of a ‘going after the money’ feel to them. This includes an increasing prevalence in business email compromise where attackers try to get in between transfers of money between organisations, it could be the payment of invoices for example, and the attacks we’re seeing are ranging from tens of thousands of pounds upwards and using slightly different techniques as well. Some of them are considerably more sophisticated. We’re also seeing an increasing number of incidents from financially motivated, what we would call, threat actors. They’re targeting particularly the hospitality and retail sectors, which have had quite a number of incidents happen in the past year.
Abigail: Thanks. So, Louise, what are the key trends that you’ve been observing over the past year?
Louise: So, one of the hot topics that I think that has remained in the news over the past few months is election hacking, which is a bit of an umbrella term but broadly speaking refers to malicious cyber adversaries targeting three different aspects of democratic processes. So, that might be for example targeting the elections themselves so perhaps altering voter data. It might be the targeting of specific political parties or politicians with the intention of discrediting campaigns. Or it might be the disinformation or misinformation which is the so-called fake news which is used to manipulate voters’ opinions. This is something that has obviously been in the media quite a lot over the past few months but we’re now beginning to see increased scrutiny of the voting machines and the systems behind them as well.
Abigail: So that’s an interesting point and I guess that ties in more widely to supply chain compromises. Rachel, I’m wondering if you’d like to add to that?
Rachel: Sure. We’ve seen supply chain risks in cyber attacks for quite a while now, particularly where organisations are worried about who they are working with and how they connect between their organisations. Operation Cloud Hopper, we released over a year ago now, which was a global cyber espionage campaign targeting IT managed service providers, and we’re continuing to see a lot of targeting of the supply chain in the work that we do and the threat actors we track. So, it’s definitely something that is still out there and happening.
Abigail: Yeah, definitely. This type of threat activity definitely poses a big challenge for organisations. I’m wondering if you can, either of you, elaborate on that? Does this mean they should reengage with threat intelligence given this increase in threat behaviour?
Rachel: I think one of the interesting things about supply chain risk is that we’re seeing from the organisations that we’re dealing with that a lot of them are lacking a lot of confidence in the organisations they’re working with or at least they’re exhibiting some concern about the incidents and how they’re being dealt with if incidents are occurring. Or even an understanding of what would happen if an incident was to occur. So, we get clients come to us a lot of the time almost looking for that independent view of has an incident been dealt with appropriately? What would the supply chain risk be? How would it work? And that’s where threat intelligence can play a really interesting part because we obviously are tracking a large number of threat actors that would potentially target various industries across the globe and supply chain is really interesting and often considered a low hanging fruit as it were. So the idea is you go after the target that might be slightly easier to get into which may or may not in fact be the case.
Abigail: Definitely. And Louise, drawing back on the wider geopolitical influences on cyber attack activity, what does it mean for organisations in terms of election hacking?
Louise: Absolutely. I think it’s an important distinction to make. So, election hacking obviously specifically targets democratic processes. But actually, a lot of the techniques and tools that are used in this kind of activity are actually sector agnostic and are therefore pertinent to a variety of other organisations or sectors as well. So, for example, this might be the use of spearphishing emails for example, so targeting a specific individual, or spoofed emails. When it comes to disinformation or so-called fake news, one of the things to think about is also the bots. So, these are social media accounts for example that are actually driven by computer scripts rather than a legitimate human user, and these can be used to flood social media with specific hashtags. This is a really interesting way that actually an attacker could potentially damage the reputation of an organisation without having to do any technical hacking.
Abigail: Great. So, it sounds like the geopolitical influences on attack activity, it’s a great chance for organisations to self-reflect on their own defences and take action as they need to. I’m wondering, back to Rachel, if you have anything to add to that in terms of the level of sophistication that you’re seeing attackers using?
Rachel: I think one of the interesting points we’re seeing is the sophistication of threat actors who are financially motivated has also increased. They’re using a lot of the techniques most people would associate with the more advanced system threats or espionage style attacks. And that’s affecting a lot of organisations that might previously have not considered themselves to be a particular risk. So, for example, Financial Services organisations have long had fairly defence in depth approaches because they’re dealing with various different threat actors but we’re starting to see a bit of a shift so that obviously financially motivated crime can also target a number of other sectors and retail and consumer as well as hospitality have been sectors that have been particularly affected in the last year, and we’re seeing they’re having to put in place more controls and get a lot more visibility around what can be fairly complicated networks to get an understanding of if they are being attacked and if they are, what’s happening.
Abigail: Sounds like organisations will definitely be facing challenges ahead. Looking to the future, do you have any specific predictions for the year ahead?
Rachel: For me, I think one of the interesting things is going to be the living off the land. It’s been around for a while but it’s certainly something that’s not going away and it continues to occur. And that’s about a threat actor getting in and compromising a network but it’s not always just about the way in. Sometimes they find another, they’ve gone in through traditional methods, something like spearphishing, and then once they’re in they’re moving around like legitimate processes or legitimate tools or legitimate systems which makes it probably harder for an organisation to detect. That means organisations are having to employ much more interesting techniques in how to identify behaviour that perhaps is anomalous rather than clearly malicious so your typical traditional approaches are no longer working and that’s why you see quite a lot of talk about things like threat hunting for example.
Abigail: Interesting. So, it sounds like the attackers don’t necessarily have to use sophisticated methods to compromise an organisation. But now we’re finding that organisations have to use quite sophisticated defence measures in order to detect and respond to that. Louise, looking to your future and the work that you’re doing, do you have any predictions for the year ahead?
Louise: Yeah, I think one of the trends that we’re expecting to see become even more obvious over the next few months is the alignment between malicious cyber activity and the wider geopolitical landscape. So, this is something we are in fact already seeing but I think activity linked to things like the imposition of sanctions for example, or perhaps diplomatic tensions or trade deals is something that’s going to be coming to the fore even more in the public eye than it has done previously.
Rachel: I think, Louise, we’ve already seen some direct correlation between some of the things like sanctions on attacks that have been even identified within the media so things like attacks on cryptocurrency exchanges or some of the banking infrastructure around the world and that’s got some very clear geopolitical links and there’s quite a lot more being said more widely about things like that.
Abigail: So, today we’ve covered financially motivated attacks and the wider geopolitical influence on the activity that you guys observe in the threat intelligence team. Are there any other areas of focus that you could tell me about and anything you’re looking to write about in the next few months?
Louise: From my perspective I think one of the trends I’ll be keeping an eagle eye on is the number of connected devices that we’re seeing coming to the market. There’s been a variety of statistics thrown around about this but it’s estimated there’s going to be over twenty billion connected things by 2020. And that to my mind is frankly a fairly mind-blowing statistic. One of the concerns around this is that fairly often these connected devices are not designed with security front of mind and often the market they’re sold to, the consumers aren’t necessarily putting security at the front of their own mind. So, I think it will be interesting to see how this part of the threat landscape develops over the next few months.
Rachel: I think it’s particularly interesting Louise that countries are trying to grapple with this concept of how do they deal with a set of devices that aren’t really built with security in mind but then also trying to encourage users to also buy those same devices and that’s certainly an interesting conversation that’s been had in a number of countries.
Louise: Yeah, absolutely. I think it’s going to have to be a bit of a multi-pronged attack to addressing this kind of threat. So, whether it is through governments and their approach to regulating this kind of market. Or whether it’s about trying to improve and educate the audience and consumers as well.
Abigail: Awesome. Great points there. Thanks again guys for joining us today. It was great talking to you both. Thanks for listening to the second series of our podcast. We hope you enjoyed hearing about what our experts have been working on recently and how they view the recent challenges, as well as what they predict will be in store in the near future. If you have any questions about what we do here in cyber security, please reach out to our guests on LinkedIn or send me a message on Twitter @securityswan.