In Conversation with Richard Coyne, Senior Advisor for IScann Group
Many people are unaware of, or often wilfully disregard, the importance of being safe online. They think a cyber attack could never happen to them because they don’t see their own information as valuable.
In 2019, almost one-third of all cyber attacks used phishing as an entry point, and the COVID-19 pandemic has only made things worse. Since the end of February, phishing attacks have increased by 600%, with many cyber criminals looking to exploit people’s fear and uncertainty in these unprecedented times.
Richard Coyle, Senior Advisor for IScann Group, works with governments and companies to help identify the weak points and vulnerabilities in their cybersecurity defences. IScann Group’s In Conversation talks with Rich about the intricacies of phishing, touching on what makes a vulnerable company and what people can do to better protect themselves.
Q: You previously spoke to us about vulnerability and penetration exploitation that you do on companies to pressure test their cybersecurity barrier. How does phishing play a role?
Richard: There are various guises from email phishing, which people respond to reasonably well, to SMS, text phishing. You have to have a very carefully crafted approach though since people tend to have their guard down a bit more in the workplace as opposed to in personal texts. The most effective is voice phishing, however this is often the hardest to pull off.
But if you are well-researched and have some skill in it, as I do, it’s the most effective and devastating.
Q: And then that leads to hacking.
R: Yes. Well, it depends what you meant by hacking, but if you refer to hacking as the bit where you’re behind the firewall and doing all kinds of jiggery-pokery, then yes.
It might be easier to say that no-tech hacking leads to the higher tech hacking, if that helps. But it really doesn’t have to be very technical to start with. You’re just researching and then fooling some people.
A lot of them are just looking to scam or even make companies collapse.
We can look at the people doing it like a pyramid. At the bottom of that pyramid are low-grade cyber criminals. Those guys will go for a quick hook. As in, they don’t really care who they’re targeting. They don’t really care about how sensitive the data is that they might access. They just want the lowest hanging fruit. They want the easiest, greatest number of attacks that they can do in a short timeframe. And they will typically look to get in and then unleash some malware, some ransomware.
An industrialized, if you like, bunch of cybercriminals will hit multiple people a day and could run somewhere for something like $50,000 at a time. Although, if they were to do more research and understand the value of the target they’ve gone for, and most of them don’t, then they could just sit back and realistically ask for six figures instead.
Now, those guys work at scale and they work quickly, and they will generally honour the responses. So if the company pays up, they will generally give them back the keys and their data.
Q: Have you ever worked for someone who this has actually happened to?
R: Oh yeah! I worked with a law firm a couple of years ago. They’d been ransomwared and they were asking me, “look, do they know if they’ve been into all of our files? Because we have very high net worth, very high profile people’s data here.”
And I had to say: “To be honest, we can’t really tell, that’s only for you to tell. I’m sorry. You’ve got to worry about that forever. You shouldn’t have been ransomwared in the first place, but I’m sorry. That’s for you to worry about.”
Going up from the industry, the cybercriminals operate at different levels of scale and expertise.
Q: Who’s at the top of the “scale and expertise”?
R: You could be looking at the state actors at the very top of the scale, for instance governments. Some of them think they have nothing to lose, and some of them just don’t care about the attribution of the attacks. For example, the Chinese, they’re in a rare position where they’ve got the capability, the know-how, and also the manpower. The sheer number of people they will put on those tasks is mindblowing.
They also don’t care about being found.
Now somewhere below that you’ve got people with the same level of skill, but better in terms of hiding their tracks. For example, the Russians.
I’m not telling you anything that you couldn’t read elsewhere, or maybe you already know anyways, but they’re like the Chinese, they’ve got the desire to get hold of very sensitive intellectual property, whether that’s industrial or specifically military or governmental.
But they’ll do the job a little differently and they know how to target people to get the data. And again, they will because they’ve got the financial backing. They will spend years doing the research. When compared to one of my cases, where it was just me and one other person doing the job, and we had to work under time constraints on top of that, it makes a difference.
Q: Can you tell us a bit more about that case?
R: I can’t be too specific because of confidentiality. I can say though, they’re not enormous, but in their field they are a big player. They’re not particularly big outside of the UK, but their revenue is in the tens of millions. So, you know, they’ve got something to protect.
So it was just me and one other person spending a lot of time on search engines, and we were able to execute that in about half a day. Now imagine what the Russians, what the Chinese, could do with the scale of what they’ve got, the people that they have, what they’re prepared to play for, and where anything and pretty much everything is open.
Q: That sounds worryingly easy.
R: It is. And again, what I really stress is that it doesn’t have to be desperately technical. It’s not a case of smashing technical defences with your incredible technology. It’s fooling your way in, and then just trying to look around and get the data you need and remain undetected.
Q: Do you think bigger companies are more at risk than smaller companies?
R: So I would say that the bigger the company, the easier it is for the attacker. And I give you the example of my smaller accountancy company. I employ only four people there. They know each other very well. If I was pretending to be one of them, I’d have a really hard time of it.
I’d have to come up with a much more clever approach as an external provider. It could still be done, but it would be harder. Whereas if I think of some of the defence industry companies that I’ve dealt with, and their thousands of staff and people not knowing each other, it would not be that difficult.
Q: Can you give us an example of how that works?
R: I can determine that person A works in an office in Washington and person B works in Vancouver. These guys never meet, and that is, on the whole, easier for me to pretend to be someone else working for the same company and needing some information. So those companies are better funded, but there are far more people to actually attack.
I would like to put across the image of every person being a way in. And when you’ve got 4,000 members of staff, that’s at least 4,000 ways in.
Q: Can you explain a little about the whitebox and blackbox approach of hacking?.
R: The white box approach is an approach whereby I might be attempting to penetrate companies websites, but along the way, I’m talking to a guy in it saying, “Well, I found this, do you want me to go any further? Or what does this code mean?” And I’ll move along with it. The people know what I am doing.
In other words, white box attackers have been legitimately paid to come in and do some work. They are working in a fashion where they’ll have compliant access and some information from inside the company to ease the work along. There’s a comparable term, white hat attacker. It’s somebody who’s working in a sanctioned way on behalf of a company.
Whereas the job I’ve just done, very few people in the company have been told about the work that was happening, and I had no privileged information from inside. So that’s what we call a black box approach.
With the black box approach, I’m being given no insights on what’s actually inside. I need to find out everything for myself.
If I’m going to a company, I say we can do this quickly, or we can do this realistically. There’s a trade off there. Realistically, it’s going to take a lot longer, therefore, cost a lot more money. We might get the job done quite quickly if I have a compliant white box, as we say, and access to some of the stuff inside.
Q: We have talked a lot about the threats and how to penetrate cyber defences. Do you have any advice on keeping safe?
R: So this moves onto the area of defensive work and offensive work. So for example, in the UK, we’ve got things like cyber essentials, which is a government sanctioned badge that people can apply for. If they store their data in such a way, they can have this cyber security badge that states that you store your data in a certain secure way.
Therefore we think we’re pretty good and secure. That is the defender’s ways of thinking. The mantra to remember though is that attackers don’t think like defenders. For example, people who build brick walls and security doors don’t think like the kind of people who are going to break in.
So you need to have a group of people prepared to use offensive cyber methods. Bear in mind, a lot of that is not technical at all. It’s just looking for information to force their way in. So that is what I do. I force my way in and show the company where the weak points are and what they need to defend against.
My advice particularly for individuals: Do not put your faith in those cyber defence badges. And those antivirus programs that you spent a fortune on and do nothing.
In terms of advice I would give to companies specifically, they need to have offensive cyber attacks done against the kind of work that I’ve just done.
Q: Thanks a lot, Rich!
If you want more information on how to test your company’s cyber defences, contact Andrew Vasko at firstname.lastname@example.org