
Okay, welcome back. I wanted to introduce you to John Watson, who is the office manager at the RCIPS here in the Cayman Islands. He's been with the RCIPS for about 15 months and he is responsible for the cyber crime and digital forensics department, which you may not have realized that we have at the RCIPS. So I, I would like to welcome to the, to the stage John Watson, who will tell you a little bit more about what's going on with most recent attacks. John.
Morning, everybody. I'm glad you applauded then, because you might not applaud at the end. Um, so as it says up there, um, and you may not know we existed, um, I'm from the cyber crime and digital forensic unit, which is part of the RCIPS. Um, so I'm going to go through a little bit of my experience prior to coming here, just to give you an idea who I am and what I've done. So I was a police officer for 30 years, um, mostly in major crime investigations, murders, rapes. Um, I actually set up in my force the first high-tech crime unit. Um, I did want to advertise, um, for people by saying: are you a geek, please come and
see me, um, but HR wouldn't let me do that. After I left the place I became involved in teaching police officers to do open source intelligence, which is basically one of the things that, um, Ashley spoke about yesterday, about using Facebook, um, Twitter and other materials to find out about people, because, um, people just give away so much online and then sometimes it makes our jobs a little bit easier. As part of that I was actually at UC online, which means I was an undercover officer online, specifically in IRC chat rooms. I don't know if anybody is aware of the UK TV program called Catherine Tate, but I named myself Lauren and modeled myself on Lauren
and had to learn the language of a 14-year-old girl, because that's what I was. Um, my kids used to get fed up with me putting my hand up and saying "whatever" and putting "lols" at the end of all my texts. It was an interesting experience. After that I was recruited by the National Crime Agency into the National Cyber Crime Unit. I was involved in a number of investigations, and having been sat in the audience for a couple of days it's actually, um, quite amusing really, because most of the investigations that people were talking about I was actively involved in. Um, I think the first speaker mentioned WannaCry, uh, and when the splash screen
came on to the, the main screen for the ransomware I think my eyes started twitching again, for one of the longest weekends of my entire, my entire life. I was actually, um, I was also involved in, um, Mirai botnet, um, a gentleman called Daniel K who used the Mirai botnet to target Lloyds Bank and Barclays Bank, currently residing at HM Prison due to my, well, my, my team's effort. But most of my experience is based in working within the NCSC at GCHQ and the UK London headquarters. So for four years I was there, basically involved in investigating the most serious cyber attacks in the UK. Um, I know Ashley mentioned yesterday the, the case we were involved in here about
um, the, as the, the pedophile, and, um, the, I gave expert evidence that he hadn't been hacked or had RDP access into his system. Um, the barrister said to me, after gone through my qualifications, he went, "Qualifications are all very well and good, but what experience have you got?", which allowed me to say I've just spent the last four years doing this. And we then had a little poker game where I was basically going, I, I see your 20 minutes on Google and I raise you my experience of doing this. Um, I was actually, during the WannaCry investigation, I was actually in the room, um, sat next to the NSA sharpie when we discovered that it was Eternal
Blue, which if you don't know is an NSA exploit, and he just said one word, which was [ __ ]. Um, I was also actually involved in the one that we spoke about this morning, uh, the previous speaker, the Coinbase. Um, he didn't mention an email that they, that they clicked on. That email actually emanated in the UK, so we were involved in trying, it was a compromised account obviously, so we're involved in trying to bottom out where the compromised account had come from. Um, and now I'm here. So I went from a building with 5,000 people, um, to an office of four. So what brought me here? Um, well, I would like to say the sunshine,
but it was actually the, the very affordable rent, um, the reasonable cost of living and the incredible standards of driving I've seen on the island. I'll go back to the first one, which was sunshine, actually. So why am I doing this presentation? Um, I want to get the messaging out as far as possible. The, the cyber crime team itself is quite new, it's only really been formed since I've been on the island, um, and I'm not sure how many people knew we existed. So, um, I'd met with, um, a couple of people who'd introduced Mickey James, I had to meet with James, and he went, look, the best place for you to get your messaging out is here. So that's why I'm
here at the moment. Um, the RCIPS have a three-year strategic plan. Part of that strategic plan is, and this is generic to all forms of policing, but it's to understand a threat, secure the Cayman Islands and ensure safer communities. Now I'm charged with driving that as far as cyber crime is concerned as well, but that's going to be impossible without your help, and that's really why I'm here, is to tell you what we're trying to do and say to you, let's get involved, let's work together. Um, because hopefully you've seen I do bring a lot of experience. I doubt there's anybody else in the island who's studied APTs, um, hostile state actors, um, significant cyber crime groups.
Um, one of the investigations I was heavily involved in was the, um, Maksim Yakubets, known as, can't even say it, Aqua, um, and the Evil Corp group. If you don't know who they are, Google them, because if nothing else they'll tell you cyber crime pays. Google Maksim Yakubets' wedding and you'll see the most lavish wedding I've ever seen in my life. What we're trying to do is to make Cayman Islands a hostile environment for criminals. I can't do that on my own, I need to do it with you guys. Um, we do try and take a 4P approach to cybercrime, which is: prepare, mitigate the impact of serious cyber attack, exercising; protect, strengthen protection against serious
cyber attack; prevent, um, prevent people becoming involved in cyber crime, that actually gets less and less the more cyber crime moves abroad; and lastly pursue, which is this detect, disrupt and prosecute. The prosecute is always going to be difficult, because a lot of the cyber criminals are not based anywhere in the jurisdiction that is user-friendly. However, we can disrupt. Um, I put out some publicity the other day about a phishing campaign that purported to come from Sydney. In actual fact, if you clicked on that link, that site had already been blocked by the government systems, so it shows your disruption can work, and that's what I can do. So my mantra from my experience: complacency is the enemy of cyber
security, and I mean complacency as in "it will never happen to me, we're okay, we've got everything right, nobody can do anything to us", and because my experience from the UK is that that's never really true. Secure by design sounds lovely, but it's just design, application, maintenance. I think Cat spoke about it yesterday as well. You can only design if you know what the weaponization is, and that's one of the issues I've got here at the moment. Oops. You only know how much you need a system when you don't have it. Um, the attacks I've dealt with took down entire networks, um, and people just didn't realize what they were, and I'll talk more about those in a moment.
Yeah, I know it's expensive, but what happens? So this was an investigation I was involved in, Eurofins. Eurofins were the biggest supplier of, of forensics, that's wet forensics, in the UK, and they were taken out by Ryuk. Um, I love when it says it's highly sophisticated, as Ryuk is not highly sophisticated, but it completely and utterly shut down their network. And one of the reasons that the complacency is the enemy of cyber security is NCSC had given Eurofins a warning about six months before this happened, saying that we detected TrickBot in the system. If you don't know what TrickBot is, it's a thing that sits in your network, basically steals all your data, steals all your passwords in plain text, and it
had been there for six months and they did nothing about it. Then they got hit by Ryuk. As it says there, the, um, they paid a ransom fee. Nobody, they've never revealed publicly what their ransom fee is. I can't, because I learned it within the confines of a secure environment, um, but it was a lot of money. Uh, Hackney Council, another one of my investigations, cost them 10 million. That, that was the upfront cost. What's that hidden cost? This was a council that couldn't pay their employees, couldn't provide school meals, because they had no system. Redcar, another council, cost them 10.4 million. But I don't think we should really should look at this as just costs,
because, yeah, it's gonna cost you, but there's a human cost as well. Um, Masco was a number of colleges that were hit with ransomware attacks, and basically on GCS, sorry, GCSE results day they couldn't tell the pupils what the results were, because the systems were down. They were linked to another school through the same IT provider, and the admin for both ADs had the same password. Um, and it's, it's the length of time it takes to get back up and running. Um, I think you probably all know that the, one of the first thing Ryuk does is it looks for everything that could have an extension that means it's a backup, and if it can see it, it encrypts
it. So if you've got completely offline backups and you can restore, excellent, kudos. Um, my experience tells me, because I've seen companies do it, is it takes a long time. The Eurofins one was more than a year before they were back, back up and running, and they paid the ransom. Um, yeah, there is reputational damage, you just need to ask Sophos about that one. So what do assets want to do? Um, because my time is coming to an end. We want to work with the industry in the wider community to understand this threat. Um, I have heard through the grapevine, in the back door, but I can't actually bottom this out, but I'm pretty sure that
last year there was a phishing attack on a major entity on island that tried to exploit the Log4Shell. So anybody here think that would have been good information to have been shared with you? So, um, I want to work more about understanding the threat. As I said before, you only understand the weaponization, you almost understand the threat if you understand weaponization. Um, I have mooted this to James and others. Um, we are in a very vulnerable position being on an island, and, um, and I think it's Ashley said yesterday, the, um, if you're a big company and you have a major ransomware attack you're probably going to have to call in a CIR company,
simply because they've got the expertise to fully restore your networks and, more importantly, get rid of persistence. But what would happen is that would take a bit of time. If there was a major attack on some of the critical, critical infrastructure on Cayman, who would respond? So I moot the idea about people coming together to form a community, uh, cyber security incident response team to try to do that stuff. Um, so I'm putting that one out there. And encourage more reporting of incidents. Not a lot comes into us, I'll be honest. Investigated one ransomware attack last year, but the rest of it we pick up through social media ourselves or people phoning stuff in. I would encourage more people
to get involved with us. "Together we can beat crime", I'm not that naive, particularly cybercrime, I doubt that, but we can target harden, and as, and as part of that, can we work together? Let's not be complacent. Um, and that's my email address, please write it down and contact me if you've got any questions, any desires. I'm really keen to move this on, I think James is as well, um, and I know RJ's keen to get involved as well. Let's do what we can to protect the Cayman Islands from significant attacks, because hopefully I've shown how devastating they can be. Um, I wanted to have questions. If you email me in the next two weeks you're
going to get an out of office, because I'm on a flight this evening, but please don't let that stop you. Thank you very much for your time, and I'll hand over to the speaker who's on next. Thank you.