Explain IT: Season 3, Episode 4 - Cyber Espionage

In this episode we dive into the world of cyber espionage and look at how it’s impacting organisations today. Host Zac Abbott welcomes experts Adam Louca, Softcat’s chief technologist for cyber security, and Zeki Turedi, EMEA technology strategist at CrowdStrike, and together they chat about the essential ways to protect your organisation from the growing, and often hidden, threat of cyber espionage.

Pictured, from left to right: Zeki Turedi, Adam Louca, Zac Abbott

Zac Abbott, Senior Account Manager, Softcat
Adam Louca, Chief Security Technologist, Softcat
Zeki Turedi, EMEA Technology Strategist, CrowdStrike
Key takeaways
  • Cyber espionage is a specific, advanced type of threat that exceeds more basic cyber attacks.
  • Threat actors are generally looking to dig deep into an organisation’s network with the aim of stealing information to advance their own capabilities.
  • Cyber espionage can take place over a long timeframe without an organisation realising the threat actor is there. They can infiltrate deep into an infrastructure and render it totally untrustworthy, even after remediation has been carried out.
  • It is important to understand if you are likely to be targeted by cyber espionage, and if so, to ensure you have an understanding of what the threat actor’s techniques may be and have a control layer to detect it. Having a good plan is imperative.
  • E-crime is growing - the UK government is investing heavily in helping organisations protect their data from nation-state threat actors.
  • Attackers are evolving – it is becoming easier for them to learn from other threat actors and carry out similar attacks. 

What happens if your company is going to go and make a big acquisition, great technology, they have this IP that is wonderful and will harness your company to grow and grow and grow. But what happens if they've been breached already and that IP has actually been stolen and replicated behind the scenes?

Zac Abbott: Hello and welcome to Explain IT, brought to you by Softcat, the show for IT professionals by IT professionals that aims to simplify the complex and often overcomplicated bits of Enterprise IT without compromising on the detail. Welcome back to another episode of Explain IT, I'm your host Zac Abbott and over the next 30ish minutes I’ll be challenging our panel of experts to take a different area of the IT ecosystem and of course explain it. In this episode we’re going to be talking about Cyber Espionage; what it is, how it's impacting organisations and what does the future threat landscape look like? Joining me today to discuss this is Adam Louca, Softcat’s chief technologist for cybersecurity, and Zeki Turedi, the EMEA technology strategist at CrowdStrike. Zeki, Adam, welcome to the show, thank you for joining us. We have got a great show coming up but before we start I thought we’d play a little bit of Room 101, do you know the premise, familiar?

Adam Louca: I am.

Zac Abbott: Familiar Zeki?

Zeki Turedi: Yeah I love it.

Zac Abbott: Just to make sure... Anything you like in the world, well anything you don't like, something you want to get rid of, we're going to put in Room 101 for you. So I’ll hear one thing for each of you, what it would be and why, and then I will pick whose goes into Room 101. So we will start with Adam.

Adam Louca: Personally I would put in oysters into Room 101. They are basically little sea snot creatures that I don't think have any value being in anyone’s diet.

Zac Abbott: Sea snot? Nice. OK, Zeki?

Zeki Turedi: Not going to lie, I quite like oysters, so…

Adam Louca: This could be a difficult podcast for us.

Zeki Turedi: Tension already. Mine’s a bit more complex. I've been flying a lot recently and I've realised there's an uptick in games people can play in the back of the seats and just keep hitting the screen which is not great when you haven't slept in about 48 hours and you're trying to get a bit of kip. So games on airplane seats.

Zac Abbott: Ooh, tough. Yeah because if you broaden that out into more, people being annoying on public transport, then yeah I'm leaning towards Zeki on this if I'm honest.

Adam Louca: I mean at some point we’re just going to say people aren't we?!

Zac Abbott: Good! Executive decision made, Zeki wins, that sounds infuriating especially if you haven't slept for that amount of time. 

Zeki Turedi: Thank you. 

Zac Abbott: Sorry Adam oysters are going to stick around…

Adam Louca: I can't wait for that person to just crack open some oysters behind you on the plane and kick you in the back of the seat.

Zac Abbott: Thanks for playing guys, let's dive into the world of cyber espionage. So, Adam, what is cyber espionage?

Adam Louca: Cyber espionage is a specific type of threat whereby generally a sophisticated or nation-state threat actor looks to break into organisations for the purpose of stealing intellectual property.

Zac Abbott: And how does it differ from things like cyber warfare or cyber terrorism?

Adam Louca: Cyber warfare is an often thrown-around term, it's quite hyped at the moment given the geopolitical tensions across the world and the recent application of cyber weapons or cyber attacks within those campaigns. Cyber warfare is generally defined as an attack against a government or government entity that breaches into the physical world, so actually impacts the physical environment vs. just data. And lastly, cyber terrorism is kind of similar I guess, but cyber warfare is generally performed by countries, individual nation-states that we can point a finger at, who have individual ideologies and who are looking to either further or defend their ideology. So Zeki I’d be interested in your view on this, it’s getting more and more difficult to differentiate, I think, given how much of our day-to-day life is now digital, even the most basic of things requires digital systems to work, often people talk about cyber warfare requiring a kinetic element or requiring some sort of crossover into the physical world, do you think that is a definition that will last the test of time, or do we think we’ll probably come back and reflect on this in ten, twenty, thirty years and say, “well actually that was definitely the start of cyber warfare, we just didn't know about it”.

Zeki Turedi: So that's a very interesting point, the majority of the time we kind of look at it based on intentions, but the reality is what the outcome may be, may not have been the original intention. So a whole critical national infrastructure being taken down based on, this is theoretical, based on a ransomware attack, that is very much possible. We would probably class that as cyber warfare, yet the initial intention may have just been for a little bit of disruption.

Adam Louca: I guess like a lot of things, the collateral damage or the unintended targets of something potentially focused at a nation-state can often mean the lines are blurred in terms of the impact to businesses that might be associated or even just be sharing the same network segment as a target that is a piece of CPNI or a piece of government infrastructure.

Zeki Turedi: Absolutely correct.

Adam Louca: And the other part of that is also that we can't really, or history has shown us that we're not always very good at, controlling cyberattacks, so once they’re out in the wild, actually they replicate, maybe they have self-replication properties, or actually the vulnerabilities that are used, or the exploits that are used to perform a certain type of attack, get out into someone else's hands and although the first attack might have been designed for a very specific target use case, that exploit gets out into the general wild, so to speak, and actually the everyday run-of-the-mill criminal gets their hands on it and all of a sudden that thing is now being used against the average business, so we’re seeing that dropping of state-level attacks into the everyday run-of-the-mill.

Zeki Turedi: Yeah you’ve literally hit the nail on the head there. As an example, EternalBlue, we all know about this I'm sure, again this is one of those words that, probably as a listener, you're quite fed up of, but we got so much learning from it. It is something that was nation-state capabilities leaked on the internet, adopted very quickly and guess what, people are still being targeted with it today and unfortunately it's still highly effective.

Zac Abbott: Ok so we’ve spoken quite a bit about how cyber espionage can affect the public sector, but how will it impact the private sector?

Adam Louca: So the private sector will often come into contact with this in probably one of two ways in my head. It will be firstly as collateral damage, so actually they will either be in the supply chain of a government entity or alternatively a supplier to a government entity, and that would then open up that sphere of organisations that could be impacted by this. The second way is the expectation that these attacks will slowly drop down the food chain and drop out of state-sponsored into sophisticated criminal groups, and then we'll start to see those types of attacks hit private organisations. The second one also relates to certain organisations that have intellectual property and that's where we have seen this start to really move out of cyber warfare and into cyber espionage that does start to hit the individual business a little bit more frequently. Most organisations trade incredibly heavily on the data they create, maybe that’s designs, maybe that’s customer lists, maybe that’s movements of certain individuals around the world, and that information is highly valuable to a sufficiently motivated nation-state that’s looking to build or create an industry that doesn't exist in their country. Over the years we've seen large amounts of data stolen from specific manufacturing sectors allowing certain organisations to undercut prices by not having to invest in R&D and actually obtain very similar designs and only manufacture them for far cheaper.
Now one of the really challenging things we have, I guess, as a world, and this is a much bigger question, is as globalisation and the free market continue to evolve, as consumers sometimes we benefit from obtaining things cheaper because somebody didn't follow the rules, and we have to ask ourselves that question of actually do we want to pay more money to get something done properly rather than actually somebody just saying, “oh cool, I took a MacBook somewhere and took it to pieces, I copied it and then I manufactured it for half the price,” some people will say, “well actually, I’ll go and buy the half-price one,” and that becomes more of a question of, as a human race, is that acceptable behaviour and what do people want to happen?

Zeki Turedi: I think that's a very good question. I think the unfortunate thing is it's actually been happening for quite some time. Most notably when we talk about economic espionage we always refer to China. We saw the agreement in 2012 which should have seen China decrease this type of activity; the reality is today we're seeing it’s bigger, it's louder than it has ever been before. Yes it may not be coming directly from groups affiliated with the Chinese government, but it's definitely happening on behalf of the Chinese nation. Now what you've also got is the reality that a lot of other growing countries trying to be part of the economic table, who have, say, maybe not done the initial research and development, haven't got the actual initial intellectual property, wanting to become a dominant player in a number of different markets, and they've realised based off what's happening with China and other countries, that, guess what? Cyber’s a really easy methodology to utilise to learn and actually you can get hold of quite a lot of good data really quickly that can boost your capabilities, economically. So a great example is we've seen Vietnam target automotive industries across Asia to boost their own capabilities and we're starting to see lesser-known nation-state adversary groups using this as a method, or looking to build their capabilities for potentially using this method in the future.

Adam Louca: I think that becomes interesting, especially when you then consider the university sector as well. One of our largest exports in the UK is our research and the universities that perform the great research that enables us to develop new ideas and to grow the UK economy, they're traditionally or typically not the most sophisticated, or haven’t had the largest investment in cybersecurity and we’re really having to see that start to change as organisations get attacked by very sophisticated threat actors who are looking to break in and obtain PhD research and get that early mover advantage in a new area.

Zeki Turedi: Literally a few months ago we saw an adversary group that we call Wicked Panda, which we attribute back to the Chinese nation-state, targeting Hong Kong-based universities for that exact reason, because unfortunately, universities do not have security budgets, they do not have security operation teams, but guess what, they have huge amounts of funding and they're literally leading the R&D for some very interesting sectors.

Adam Louca: So just talking about, maybe not that example specifically, but maybe more generally, what would we typically see as the threat model, as the TTPs we would expect - the targets, techniques and procedures - that we would see from those typical threat actors?

Zeki Turedi: The reality is what we’re starting to see is a shift away from malware-based capabilities, what we’re seeing especially from more of the sophisticated groups, and what I mean by sophisticated groups, I'm not just saying the best nation-states, we’re also seeing a lot of good criminal organisations focusing on these kinds of techniques as well. So they want to just masquerade as the administrator. No longer can we believe, or have the trust of thinking, “hey they’ll drop some malware and guess what, we’ll know about it straight away, there'll be some signs of something weird and wonderful happening in that organisation that will tell us about the incident,” the reality is the sophisticated attacker, the nation-state, targeted attacker or the criminal actor wants to be as quiet as possible. We're seeing a huge increase of them utilising the tools that you're using every single day, your administrators are using, a huge influx of utilising legitimate credentials to gain access and then be able to move across laterally, so really the tactics, techniques and procedures being used are the same tactics, techniques and procedures that your administrator’s using, which makes it a bit hard as a defender.

Adam Louca: So living off the land and using those tools means that you can no longer go and look for a hash that is going to be bad or malicious, actually that hash is going to match actually RDP, which is meant to be there, like it's not malicious, there's not a bad version of RDP, it's just someone's inside your network, they have legitimate credentials and they're using that to move maybe around the network or to obtain access.

Zeki Turedi: So a hash, an indicator of compromise, an IOC is still really useful but the reality is if you're just using IOCs and you think that's going to tell you and stop an attack as it's happening, it's not. It's great for historical analysis, they’re really useful, they do play quite nicely into our detection pipelines and simply if we know it's bad we can block it and stop it, that's great, but the reality is we need to do a lot more to be able to investigate, understand, if we're looking to stop the type of intruder, the type of adversary that we are dealing with today, it needs to go a lot past that.

Adam Louca: Given that what we just spoke about is more organisations than ever could be facing a cyber espionage threat from a sophisticated threat actor, one of the key questions I know customers will ask me is, “well if I'm going to be a target of that level of sophistication, it really means I need to increase my investment, whether that's in technology or in people,” how would you recommend they go about trying to communicate that to a senior business leader to get them to realise the level of attacker that could potentially be inside or attempting to target that business?

Zeki Turedi: That's actually a good question on multiple levels. My example would be, my feedback would be we need to understand what the actual attacker looks like and what our threat landscape actually looks like. To do that we need to first of all understand our business in the best possible way. It sounds simple but the reality is, an organisation can be extremely multifaceted, not only from the network level, the applications they’re running, but most importantly what we are actually giving to our customers, what the organisation is providing as an output. Understanding the supply chains as well actually provides a lot of visibility into what your threat landscape could look like. That's actually quite an important piece because if you don't understand what your supply chain looks like as a consumer, but also as someone actually creating or manufacturing goods, you could have huge amounts of vulnerabilities or state actor interest but never know about it. But what that allows you to do is it allows you to go up front, so if you’re having the conversations with the board, going to have conversations with your C-level executives, you understand what your landscape looks like, you also understand what the threat looks like, and making sure you understand the threat actually allows you to put the right technologies, the right people, the right processes in place to have your best foot forward when dealing with any type of attack.

Adam Louca: I think a lot of people talk about how do we get security into the boardroom and I think exactly that methodology is how you make sure that cyber security is a relevant topic amongst any business decision, because without having visibility of potentially new acquisitions or new market areas a business might be entering, or even services, how are you meant to properly inform the board about the potential change in threat landscape and what that might mean for investment, what that might mean for cost, what that might mean for risk? Because without that information, the board’s going to look at somebody and say, “that's a really good business area to go into, we want to manufacture fighter jets for the government because they're really expensive and we can make loads of money,” but unless somebody goes in and goes, “well actually by doing that it means that x, y and z things are going to happen, we’re now going to be on this person's radar, that person's radar, and we now need to invest 100 million pounds in cybersecurity”. Now the board can factor that into their decision and decide actually is that still a valuable, profitable business area we want to enter? Or alternatively should we charge more money for the service because we have to account for the fact we need all this security, so we need to charge 200 billion pounds for this plane because we need to cover the costs of the additional risk that brings onto us.

Zeki Turedi: You also mentioned M&A, mergers and acquisitions, such an important, crucial part of a business, yet security is never usually involved. Now what happens if your company is going to go and make a big acquisition, great technology, they have this IP that is wonderful and will harness your company to grow and grow and grow, but what happens if they've been breached already and that IP has actually been stolen and replicated, but maybe behind the scenes? That’s something that's not actually part of the initial conversations, but really should be because we've seen it publicly, unfortunately it happens quite often, we may not always hear about it but that should be a crucial part of bringing the security into any core business decision. Now we don't need to say that security member needs to be part of the board, or board of directors, that may not always be necessary, but having the ability to call on security as and when you're making those decisions is extremely important.

Zac Abbott: Ok so what role would you say governments play in defending organisations against cyber espionage Adam?

Adam Louca: So I think they have a major role to play, they are here to defend the UK or the national interest of us and our allies and partners and cyber espionage is something that directly impacts the UK economy and our ability to operate at a worldwide level, so at an international level. We’ve seen a real investment from the UK Government over the past 10 to 15 years creating new organisations that were traditionally focused on military protection becoming now pushed out into more civilian applications, so specifically thinking about GCHQ creating NCSC and really investing in that and actually coming out and being very proactive with organisations, helping them to ensure they have the right base standards to defend against, maybe not the most sophisticated of cyber espionage, but actually making sure that we're not just an open door, that actually there is some level of sophistication required. And it's like most elements of risk management, you can't defend all risk, so it's about accepting who am I prepared to get broken into by and that's kind of true in life isn't it, we have an army that is so large, but fundamentally we know there’s countries that we couldn’t go up against on our own. But we're never going to be able to do that because it's just not, it doesn't make sense. Actually that's not capable for the UK, given its size.

Zeki Turedi: And I'm going to be honest, I think what the NCSC have done is an amazing job, it's definitely a hard job and they have really brought on not only vendors from the security space, partners, but we’re also getting really close to the actual organisations and the enterprises across the UK. We've seen frameworks like CBEST and the new TBEST coming out, which again is allowing people who really know what they're doing to test the frameworks, test the networks of critical infrastructure on a continuous basis, and the outputs there are really, really maturing these businesses to make sure that they are able to defend themselves against any type of adversary. But on the other side of the fence we’ve also actually seen a number of different state actors being indicted publicly, be it through the UK Government itself or working with European entities or our friends in the US, and I think that's a big change, really actually putting faces to names here, and going, “yes this is actually a problem, it's happening, and do you know what, we know about it and we’re going to publicly oust you”.

Adam Louca: And that's evolving the conversation, isn't it, at least from a geopolitical perspective it becomes politics rather than hidden shadows, and it's something that can be debated and something that's put on the table when negotiating trade deals or relations with other countries, saying, “well we've attributed actors in your country breaking into UK-owned businesses, taking intellectual property, so we're now not going to sign that aid agreement, or we’re now not going to sign that trade deal with you, or we’re going to apply the sanctions or terms with you”.

Zeki Turedi: Exactly, and we were talking before about how do we make this issue more public with the board? Well guess what, we're not keeping this secret anymore, this is not something that only the practitioner understands and can see, this is actually something we’re publicly talking about because it is important for every single individual, it's important that the board member understands what the security practitioner’s up against and guess what, we can cite public references back to the UK Government.

Zac Abbott: Let's say we've been a victim of cyber espionage. It's done, it's happened. What are the next steps after that? How do you recover from that?

Adam Louca: If you were in a scenario where you were hit by cyber espionage, the incident management process is going to be broadly similar to any standard incident management, cyber incident management process that you might already have today. First understanding the scale of the breach, then containing it, then remediating any identified issues and bringing the business back online. I guess the bit that becomes more challenging is that if you were hit by a truly complex or sophisticated threat actor then the level of intrusion by that threat actor might be far greater than what you’d anticipate from a standard criminal actor and that might mean that the level of forensics and/or level of trust that you have in your remaining platforms needs to be sufficiently lower because if a threat actor is that well ingrained in your environment, whereby they could have obtained rootkit access or they might have even got down to something in the hardware level, at the most sophisticated, you kind of reach a point where you might just have to set the whole place on fire because you really just cannot trust that platform to ever be secure again. So you have to really, at that point, engage professionals to understand exactly what's happened. Also notify any regulatory bodies, but also get in contact with GCHQ or NCSC and actually seek help from those government level organisations, because they will often have far more information than you will have about who was involved and might even, in certain circumstances, reach out to you.

Zeki Turedi: In these cases your legal team is going to be the first people you call, especially, or your outside counsel. If you don't know the processes with that, make sure you do because it’s the number one stage of incident response. Going really back into what you were saying about remediation - it's unfortunate, it's not always true, but in some cases you could have an intruder that’s been there for quite some time. Remediation is not simple. Unfortunately, at CrowdStrike what we see on quite a frequent basis is bad remediation jobs. So companies who had an incident a year ago, 2 years ago, feeling that they've resolved it correctly, had a remediation plan put in place, and then 2 years later realise that the threat actor never left. Remediation is really difficult and it's not something that happens in a week or two, it could take years and that is quite scary for some businesses, and it kind of goes down to, if we don't want to have to be dealing with remediation that takes a couple of years, we don't want to have to be rebuilding all networks because that stuff’s complex. We don't want to have to be doing coordinated kicking out of the actual adversary because if that's not done properly, guess what? They know your network just as well as you do. In some cases even better. They will come back and if that's not done in a coordinated fashion with expertise, we're going to have problems. And this is where, going back again, it's so important to actually focus on defence and detection. It’s actually easier to kick them out as it's happening than it is to kick them out a year later.

Zac Abbott: So we've been through quite a bit now about how cyber espionage can affect organisations today, what can be done in the remediation process, things like that. Zeki, where do you see the future of cyber espionage? Are we likely to see an increase in the number of high threat incidents?

Zeki Turedi: That's a really interesting question and that doesn't take away the fact that targeted attacks and espionage are very serious and it does happen to a lot of organisations, but as part of CrowdStrike we actually gather quite some interesting information on this. In 2018 we saw roughly around 75% targeted attacks, so targeted attacks being sophisticated nation-states or targeted intruders, and around 25% criminal actors, targeting organisations. Same time in 2019 we actually saw it completely change, so we saw 39% of the activity being actually targeted attacks and 61% being e-crime. Now the majority of people will probably say, “hey maybe nation-state targeted attacks have actually decreased,” well actually it's been exactly the same. So we’re seeing there’s roughly the same amount of nation-state activity as in 2018, it's just that actually e-crime has massively, massively grown and what's worrying here is this growing education of the criminal actors. They've learnt off the targeted attackers, they've learnt how they have been so effective and basically they've grown with that capability, they've learnt off the more targeted type of activities taken. So if you look at criminal actors a few years ago, they had more of that spray-and-pray methodology, they’ll target as many companies as possible in the hope that someone clicks a button and gets impacted.
They've kind of evolved this a little bit, so rather than the second you click on the email you get a ransomware note asking you to pay $100, that's not going to make a criminal organisation much money, they’ve realised that if they don't do anything, it's just maybe launching some code, and from there someone accesses the system, understands the business, looks to see what that company’s actually doing, if it’s a large company maybe they will start doing some more reconnaissance, and move across laterally, similar to a targeted attacker, be very, very quiet and stealthy, use the same tools that they use as being administrators, and roughly until they get about 80%, 90% coverage, then click the big red ransomware button because, guess what? Instead of saying $100 to get your systems back up, it's now 10,000, half a million, a couple of million dollars.

Adam Louca: And that's really where we've seen previously APT was the sort of top-level word, the advanced persistent threats, but they’re no longer advanced, they’re just persistent. We've seen that playbook drop down into the average malware authors or criminal threat actor group. And we've seen that even here at Softcat, the expectation that you now just hit a single machine is almost gone really; lateral movement is almost embedded, it’s a key part of what we'd expect to see in any average cyber threat actor now, and that taking of the playbook, and unfortunately the sad thing about this is that almost in the same way with cyber espionage, these threat actors can steal IP and then become very good without doing the hard work. Exactly the same thing is happening with our cybercriminals, they're not doing the hard work, they’re basically just trailing 6 months behind the top-level actors, and one of the great things about our industry is that we are very open and we share information, but often sometimes that does hurt us because we're sharing techniques very openly about what these threat actors are doing, we’re sharing methodologies, we’re sharing examples whereby actually if you're a budding cybercriminal all you need to now do is read Krebs online or Security News Weekly and listen to a few podcasts and you’ve pretty much got yourself a pretty good playbook of ‘this is what all the top-level guys are doing’ and maybe you’re not quite there, but even if you can imitate 50% you’d get yourself to a pretty sophisticated level without a huge amount of effort nowadays.

Zeki Turedi: Yeah exactly, so we see it on a huge basis, and any new vulnerability, if it has some kind of remote execution capability, that's going to be snapped up by the criminal organisations within less than 24 hours and we see that on a regular basis. And yes it may not be a targeted attack, but opportunistic, which then moves further into your organisation, then that's going to cause a lot of damage. I'll tell you another naming convention for Room 101, it's probably the zero day. We all, as security vendors, we talk about zero days quite frequently, but the reality is they’re not used that much. Yes we do get them occasionally, but a lot of these criminal actors and even these nation-states, they’re actually using off-the-shelf toolsets. It may be pirated or cracked versions but the reality is, it’s the exact same toolsets that are freely publicly available, they’re the same tools that, unfortunately, your red teams are using, yet they still work.

Adam Louca: And that's down to that hygiene element, isn't it, really? I see a lot of organisations who allow PowerShell to run, any PowerShell code, no restrictions anywhere, and you’re just leaving somebody a... people say PowerShell is the post-exploit kit: it's a full scripting language, it’s fully expandable, you've got all of this power inside it, yet we allow it to just run on everyone's desktop. We have all of these administrative tools that are just left out there, things like PsExec or Webeye, that allow lateral movement very simply. Leaving all of this toolset out there for attackers to use and not locking it down is really making the threat actor’s life very easy once they get inside the environment, so that they don't need exploits. Because you only need exploits when you don't have good credentials; if you have good credentials and you have tools that are already there, what do you need an exploit for?

Zeki Turedi: Exactly. It goes down to the age-old argument that for security to be effective, we have to disrupt business. But actually that's not true: we can allow the business to still do what they do, but what we have to do is put extra effort into security. We’re no longer in a situation where we can be passive and expect it to be fine, because we can't block PowerShell scripts all the time. We would love to, and the perfect network would have PowerShell blocking, but guess what? There’s a strange script that has to run on every single system at 12 o’clock in the evening that collects some information that goes into a core system that is fundamentally important to your business, and unfortunately the person who developed it 10 years ago has left and we don't know what it actually does, but it works and it needs to be there. In a lot of cases, do we even have visibility into that in the first place? Really, I think the important thing we need to do is actually realise that we can't be passive, we need to actually have visibility into this activity. We need to actually understand what it's doing, the reasons why it's there, and once we have that visibility, that hygiene, it gives us the perfect opportunity to be able to identify things that become suspect, things that don't look right in our organisations. And that's really where strong, mature enterprise networks are able to defend themselves from things like sophisticated criminal actors or sophisticated nation state actors. It’s when they're able to really... we talk about the needle in the needle stack in the factory, and that's really about understanding what each needle looks like and then being able to pick out the anomaly.

Zac Abbott: You’ve both mentioned, to some extent, that there are trends between all of the different attacks, threats and styles that you would see in cyber espionage. Adam, are you seeing trends in security technology vendors as well that would combat these?

Adam Louca: The security industry is unfortunately a bit call-and-response sometimes, so we see trends evolve in the security industry that reflect the threats that we are defending against. I would say the rise in anomaly detection has been one of the key ones: moving away from just looking at IOCs and chasing down hashes to starting to look at techniques and TTPs, going up that stack and actually saying, “what is the behaviour that I'm looking for?”. There are now so many needles that I can't have a big pile of all the bad needles, because actually the pile would be too big, so I need to work out what the characteristic is that I'm looking for. We’re starting to see that become pretty prevalent in most mature security offerings, and that's almost part of this macro shift we’re seeing away from rule-based technology, where you have to be declarative about what you want and what you don't want, into much more of a risk-based approach, whereby you have a sliding scale from zero, being everything is fine, to 100, being nothing can happen at all, and you try to choose something on there that is a reasonable setting. It's no longer a binary decision, it's neither a yes nor a no; actually ‘maybe’ becomes an answer. So that's definitely happening. The other macro element I'm starting to see as well is an increased interest in threat intelligence, as people want to communicate more effectively, both internally to their stakeholders and to the board members. They actually want to understand who my threat actors are and what threat modelling I have gone through to understand the likely mechanisms or likely ways that they might break into my organisation. So that's probably the second one. And the last one is, I really think, an increased investment in incident response and an expectation that the threat actor you might get hit by might not just be run-of-the-mill.
It's not just going to be a virus on a machine anymore; it could be something that takes down a whole segment of your business, whether that's from ransomware or alternatively through a data breach. So a maturation of the incident response process in a lot of organisations is another thing I’m probably seeing.

Zeki Turedi: Taking all those points you mentioned, attackers don't change drastically, but they do evolve, and one of the things that we do is focus on collecting the right information at the right time and storing it in a centralised location. What that allows us to do is use automated mechanisms like machine learning to go through that data, look at the behaviours, look for anomalies, and actually very quickly be able to identify how an attacker has evolved and then put preventive mechanisms back to our customers. Anomaly detection is really useful, but if we look at it within a single enterprise, or try to baseline an enterprise, we’ll never get the right answer. But if we can utilise the crowd, rather than just looking at your business, and look at thousands of other businesses and see other behaviours, we can very quickly understand if, hey, that is actually just normal administration activity, or you’ve installed a weird and wonderful piece of software that isn't very common but does do that weird PowerShell execution, and it needs to do that, versus actually this is potentially an active intrusion. I massively agree on threat intelligence. For us at CrowdStrike, threat intelligence was one of the first things we actually built up as a technology platform, because, simply, when we were building our endpoint protection capability we understood we needed to know what the threat actor looks like, what tools they’re using, how they are using them and, most importantly, what and who they are actually targeting, because that information is crucial when you put it back into the detection and defence, and mostly into the preventative functionality.

Zac Abbott: OK, so we've had a look at what cyber espionage is, how it affects organisations and what the future could look like for it, which pretty much brings us to the end. But before we do, Adam, a 10-second summary: what is cyber espionage, how can it affect organisations and what can they do to protect against it?

Adam Louca: Cyber espionage is a specific type of threat, often carried out by nation-state attackers to steal information, generally for the purpose of advancing manufacturing and other capabilities within an organisation. How does it affect organisations? Typically it's an advanced persistent threat that digs into your environment, understands the valuable data inside of it and then exfiltrates that out to the threat actor. And what can you do to protect against it? Firstly, understand what it is. Secondly, understand whether or not you're likely to be targeted by it; nobody here wants you to be chasing shadows, but do make sure that's an active decision rather than a passive decision. Third, if you are likely to be targeted by a sophisticated threat actor, ensure that you have an understanding of their techniques, an understanding of their methodologies, and ensure you have an adequate control layer, so adequate technologies to detect against that. Finally, ensure you have a good plan, should the worst happen.

Zac Abbott: Well, that's it for another episode of Explain IT. Adam, Zeki, it's been really great talking with you, thank you very much for your time. If anything in this show has piqued your interest or you would like to talk to someone at Softcat about anything we’ve talked about in the episode, please do get in touch: [email protected]. Also make sure you subscribe wherever you get your podcasts so you can stay up to date on all episodes of Explain IT. Thank you very much for listening to Explain IT from Softcat.