Stealth Management

Dr Adrian Nish

Head of Cyber Threat Intelligence, BAE Systems

When TalkTalk was hit by hackers, CEO Dido Harding confirmed the first external call she made was to cyber defence specialists at BAE Systems. Here, the head of the firm’s Cyber Threat Intelligence team, Dr Adrian Nish, details the key threats companies face – including ransom viruses and denial of service attacks – and how Russian-speaking criminal gangs and UK-based money launderers are amongst those behind them. Threats are now moving so fast that “what we’ve learned can be out-of-date in six months”, he warns.

As with any walk of life, technology has had a major impact on how criminals go about their business. The internet has become a way to reach a global base of victims and illicit services – and its global reach makes it very attractive. Conducting crime in cyber space as opposed to the physical world also comes with a perception of anonymity and lower risk.

BAE Systems is a multi-national defence, aerospace and security company that builds military hardware, advanced electronics and information technology for air, land and sea forces, but now increasingly focuses on the cyber domain and defending businesses. In this division of the company, we have 4,200 people spread across 30 offices around the globe who deliver cyber security and intelligence solutions for customers.

Our expertise includes Incident Response work for companies in need of extra support to investigate cyber breaches, along with running more traditional security services for organisations. TalkTalk is one of the few examples of customers we work with whose breach is public knowledge, and CEO Dido Harding is on record saying one of the first things she did was pick up the phone to us.

Across the world we are seeing cyber attack and fraud techniques spread fast, as criminals see what works and what is most profitable. The challenge is that anybody who wants to launch an attack can quite easily pick up readily available tools, and hide in dark corners of the web whilst using them. Much of what is reported is also just the tip of the iceberg. There are many attacks that people and companies are not even aware of, which is a big challenge both for victims and the security community.

Across the industries we work in, not every company is looking to protect the same thing. Many customer-facing firms will be most concerned about their customers’ personal and credit card information, while for others it may be sensitive data in email exchanges, or information that relates to well-known clients. Companies also care a great deal about preventing reputational damage to their brand, about records of upcoming mergers or acquisitions, or intellectual property, which could be of great benefit to rivals.

How and where an attack takes place can tell you a lot about who is behind it, so our approach to attributing attacks depends on what’s being targeted and who we think would be most likely to go after it.

If the attacker goes after credit cards, we would look at which gangs have a past history of stealing such data. If they are looking for sensitive information or emails of a particular individual, they might be trying to figure out what that manager (or department) is working on. If it’s a big deal that’s worth billions, then it may be competitors in another part of the world that are also interested in this. Some cyber attackers may be out to make money as quickly as possible, others will do it for some cause or political reason – and may not care about concealing their actions. However, espionage actors – whose attacks are industrial or politically driven – work hard at remaining covert. They take great care not to let you know there has been a breach in the first place and may take clever steps to complicate and misdirect attribution efforts.

The 16-year-old in the bedroom gets a lot of the headlines because they will often publicly announce what they’ve done, but their attacks are certainly not the most frequent or the most significant. Most incidents we deal with are either originating from cyber spies or well established criminal gangs.

A lot of people talk about the Russian-speaking criminal underground, and that is certainly a hotbed of cyber threat activity that we come across. Much of the more sophisticated criminal capability that has been built over the years comes from this region. There is a community that goes back over a decade with a lot of their interactions taking place within closed forums. These are groups that require vetting prior to access being granted, and the individuals who use them may never meet physically – it’s all done using aliases online.

These closed criminal groups have grown into a whole ecosystem and different actors will focus on different elements. Some focus on building malware (the malicious code that gets used in attacks), others focus on the infrastructure – the servers that get used to host and control the malware. Another segment will focus on building networks of money launderers in order to cash out the stolen funds from bank accounts. It’s just like a process of industrialisation – divvying up the tasks to different specialisations, and within those specialisations people become more proficient.

More recently, we have been seeing West African groups getting more organised and using some of the more sophisticated capabilities acquired from players in other regions. Equally, information travels quickly through the modern media. When breaches get reported in the press, we read that as the good guys thinking, “Oh, that’s how they did it,” but there are plenty of bad guys out there thinking, “I could do that and potentially make some money.”

These days it’s certainly very difficult to provide a fortress to keep everyone out. Technology and attacks have evolved in the last five or six years. Not long ago you could just put in a firewall and anti-virus software to keep most threats at bay. However, those are what are called ‘technical point solutions’ and the challenge is that the bad guy is always able to get around a specific point.

Organisations are realising that much more than just pure technical solutions are needed. What’s becoming increasingly important is how to identify anomalies on your systems, respond to them, and train your people to spot potential cyber attacks, such as suspicious emails. You can’t keep everything out, so what matters is making sure you respond effectively and mitigate the damage.

In the cyber world, different industries have been going through the same journey at a different pace. The financial industry has been very aware of the threat for many years. They track the groups behind attacks, and try to be proactive in working with law enforcement to go after the criminals wherever possible. Other industries are realising that they also face significant threats, maybe not in the same way, and are now looking at how they may invest more to improve their security.

At the moment, the vast majority of attacks we see are from commodity, semi-automated malware kits and affiliate programs.

Dridex is one that is very prevalent in the UK now. It is a banking malware, which tries to facilitate transfers from one person’s bank account to the criminal’s account. It waits until the user is logged in and then it will basically pause your banking session. You may see a timer icon, but in the background the malware is forwarding your banking session to the criminals so they can enter new payee information.
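The pattern described above, a session that stalls after login and is then used to add a new payee and immediately pay it, is the kind of anomaly a bank’s fraud team can look for in its own session logs. The following Python script is an added illustration and is not BAE Systems’ code or tooling: the log format, the event names (`login`, `new_payee`, `transfer`), the thresholds and the sample sessions are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of online-banking session events (made up for this
# example; not real customer data). Session B7 shows the pattern in the
# text: a long stall after login, then a brand-new payee and a quick
# high-value transfer to it. Session A1 is ordinary use.
SAMPLE_LOG = """\
2016-03-01T09:00:00 sess=A1 user=alice event=login
2016-03-01T09:00:20 sess=A1 user=alice event=view_balance
2016-03-01T09:01:05 sess=A1 user=alice event=transfer payee=known amount=40.00
2016-03-01T09:01:30 sess=A1 user=alice event=logout
2016-03-01T10:15:00 sess=B7 user=bob event=login
2016-03-01T10:21:40 sess=B7 user=bob event=new_payee payee=new
2016-03-01T10:22:10 sess=B7 user=bob event=transfer payee=new amount=3850.00
2016-03-01T10:22:30 sess=B7 user=bob event=logout
"""

# Assumed log layout: ISO timestamp, then space-separated key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        extra = dict(kv.split("=", 1) for kv in m.group("rest").split())
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "sess": m.group("sess"),
            "user": m.group("user"),
            "event": m.group("event"),
            **extra,
        })
    return events


def score_sessions(events, stall_seconds=300, payee_to_transfer_seconds=120,
                   large_amount=1000.0):
    """Return {session_id: [reasons]} for sessions matching the suspicious
    pattern. Thresholds are illustrative assumptions, not tuned values."""
    by_sess = {}
    for e in events:
        by_sess.setdefault(e["sess"], []).append(e)

    flagged = {}
    for sess, evs in by_sess.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []

        # 1. Stall: an unusually long gap between login and the first action,
        #    consistent with the session being held while someone else acts.
        login = next((e for e in evs if e["event"] == "login"), None)
        if login is not None:
            later = [e for e in evs if e["ts"] > login["ts"]]
            if later and (later[0]["ts"] - login["ts"]).total_seconds() >= stall_seconds:
                reasons.append("stall_after_login")

        # 2. A payee created in this session and paid within a short window.
        for i, e in enumerate(evs):
            if e["event"] != "new_payee":
                continue
            for t in evs[i + 1:]:
                if (t["event"] == "transfer" and t.get("payee") == e.get("payee")
                        and (t["ts"] - e["ts"]).total_seconds() <= payee_to_transfer_seconds):
                    reasons.append("new_payee_then_transfer")
                    if float(t.get("amount", "0")) >= large_amount:
                        reasons.append("large_amount")
                    break

        if reasons:
            flagged[sess] = reasons
    return flagged


if __name__ == "__main__":
    for sess, reasons in score_sessions(parse_events(SAMPLE_LOG)).items():
        print(sess, ", ".join(reasons))
```

None of these signals is proof of compromise on its own; a customer can legitimately step away after logging in, or pay a new payee straight away. The value is in combining them and routing matching sessions to a step-up check or manual review rather than blocking outright.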

The money is often moved to another bank account in the UK – someone we call a money mule. These are people who the criminals recruit to work as drop points for their transfers. Often they are recruited through the work-from-home type ads – the type that might say ‘Make £3,000 pounds a day, working from home.’ Sometimes that can mean working for one of these types of gangs. The ‘employees’ may believe they are facilitating international money transfers and are often recruited through fake companies.

You’d have to be a little bit naïve – or desperate – but it does look somewhat legit. You receive money into your account and you may have to transfer that into your PayPal account and from there you might have to transfer it to the criminals’ account. Or you may have to cash it out and then make an international transfer, for example using MoneyGram or Western Union. Usually the amounts are in thousands of pounds, but that takes place thousands of times, and large sums can be laundered this way.

If you fell victim to such malware, as a retail customer you’d be entitled to compensation. A small business legally doesn’t have the same protection, although the bank will often compensate because they don’t want to see small businesses going bust over things like this.

Recently we have been blogging about another class of threats which is also popular at the moment. They are pieces of malware, called ransomware, which encrypt files on your computer, then suddenly say ‘Pay £100 or you’ll never get your files back’. Usually the encryption they use is quite good, so even with expert decryption capabilities it may still be impossible to get the files back.

Extortion in general is a popular technique at the moment. Another variation is where websites are hit with DDoS attacks – distributed denial of service. Again, these may be followed by a ransom note saying: ‘Unless you pay us xxx bitcoins we are going to hit your site harder next time and knock it offline.’ It has been around for a while, but we believe the increasing popularity of anonymous payment mechanisms such as bitcoin is enabling the criminals to make such attempts.

One of the best ways to fight cyber threats is by improving the sharing of information related to their activities and how to mitigate them. This is already quite mature in the big financial services organisations, but we are starting to see that trickle down into the other sectors and smaller industries as well. We all need to share the best practices that people find useful for defending against threats as well as building up that network of support, so you have somewhere to go if you need that extra bit of expert help.

The internet brings us such a vast amount of advantages which outweigh the risks, but we need to avoid being complacent. Let’s be frank – we are not going to win the war against cybercrime. But we can do our best to have properly empowered, knowledgeable law enforcement and a security community that can shake out the most devious activity and keep our networks and information secure.