
All yours, my friend. Thank you very much. Hi everyone. We've still got people coming in, so we'll let them filter in. I'm just going to talk for the next 15-20 minutes about where the good guys are being beaten. I'm told you're all highly technical people, so hopefully I've got the level right.

Just to do some definitions: asymmetric. What we mean by asymmetric is basically what we're looking at here, saying it's one side is small and lopsided against the other. And the warfare side of it: everyone thinks it's all nation state, but actually it's people doing bad things, so I just wanted to be clear on that one as well.

This is probably a quote you've all seen before at some point, somewhere, somehow: amateurs hack systems, professionals hack people. What I mean by amateurs is they're not really amateurs; you could say they are people just looking for commercial opportunities, whereas the professionals are the nation state people, and that's the reason for what we're looking at here today.

Really, what I wanted to talk about was the kind of groups that we've got in there. I think it's been really interesting over the last year to see some of the states, lots of stuff in Russia, being hammered by the Ukrainian side as well, but they're still around. Some are there for commercial opportunity, and the reason is, as we'll see in the next slide, there's a big difference here: some of the stuff is going for critical national infrastructure, other stuff is going for commercial opportunity. But essentially the message, and we do a lot of CSO-level stuff, is that they just think you sit there in a risk committee and all they talk about is state-sponsored stuff that's going to come to that company, rather than thinking of the asymmetric side, which we think actually is the commercial opportunity guys.

So what you have here, you have things like nation states, organised crime, and you can see here the activity is the kind of low sophistication. So if you think of the big breaches, remember the TalkTalk one, lots of other things, what that was was just a guy in Northern Ireland, he was under 18. He went into a back end of a third party server and he took down a rather large telecommunications company, apparently. If you look through all the news stories, you had all the people from various government agencies saying it's a very sophisticated Russian state attack. OK, and that's the asymmetric side of it: one guy in his bedroom in Northern Ireland versus a rather large telecommunications company.

Then you can see here the perceived impact. So when you get towards the nation state, you probably would have heard of the North Korean group called Lazarus, for example: they went in, took a bank down on the Unix side, and got away with it. But the thing that we look at here is that little white bit in the middle, and that's really the kind of misunderstanding that we're getting a lot of, I think, within the cyber security industry. So a lot of what I do is sit there in the SOC, and the threat intelligence people will tell me all of this is happening, and then you go to a risk and audit committee and you sit there with the board, and you always have that really enthusiastic non-executive director who claims they're a cyber expert, who will start saying all this stuff. Then you turn up and present your stuff to the board, and they'll start talking about nation state hackers and how the world is going to end, and actually what they're not doing is getting the basics right. They're not getting the psychology, the discipline, the culture right within the business. People are still clicking on phishing emails, people are still going on hotel wi-fi, people are still doing that, and that's really, really simple stuff.

And yet the board is talking about Russians, Chinese, Vietnamese, Iranians, all that lot, all doing lots of fancy stuff as well. So if you think of what Fancy Bear is doing, it's basically malware with Russian attribution and all that stuff, and they're all going for governments, NATO, good old solid critical national infrastructure. But those are hard targets, right. A lot of the time what's happening is we're seeing opportunists who want to go for the money. So you see credit card firms, you see e-commerce retailers. For example, last year I got involved in the breach of a big PLC retailer; don't worry, it's not WHSmith, which we've all seen recently. But it was a really simple thing: it was somebody in finance clicking on an email, and the board think that because they're an e-commerce business and it hasn't happened to them, it's not going to happen to them. They were offline for eight hours, but it took four months to respond to it, and when you work out who did it, it was somebody in Hungary. So again, they made a bit of money out of it, and whatever.

So what you're seeing a lot of here is: are all the really good guys actually going after the whole threat intelligence picture? If you see here the amount of money that is being spent, and I think anyone here who runs a budget within infrastructure knows how the prices go up every year. Do you have a vendor that goes in and says, we have a solution for everything, and they try and bundle everything together? Right. And do you deal with procurement people as well? Yes. And do they tell you to go to that one and not the other one? Yeah.

They don't tell me what to do.

You don't have to say that; you're quite unique, actually, I know, yeah. So a lot of the time what we're seeing is that you'll get RFPs going out, you'll get people who are non-security people doing the procurement, and this is why all the money is being spent there. A lot of you will go to Chief Financial Officers and they will say security is just costing us, what's the return on investment you're getting on it? It's like, well, you don't really get a return on investment on security; what you get is avoidance of the cyber breach. But what they won't do is invest in the really basic stuff. Someone will go in and say we need to have everything from CrowdStrike, we need to have Microsoft E5, or we need to have, there's another one, Tenable, that's one that's kind of like my head around the bed, I'm sorry. But essentially the spend is going up, because what you see a lot of the time, especially when you do the cyber insurance, again, the losses are getting bigger and bigger and bigger, so they think, oh right, because the losses are getting bigger and bigger we need to spend more and more money in order to protect our house.

So the question for Alex was: how many of you have filled in a cyber insurance questionnaire in the last year? We've got two, great. And how many of you have gone back to the insurer and said, do you actually know what questions you're asking? How many of us have trained the insurers? Yeah, but he's not what you are, and that's the thing. And quite a lot of the time, because the losses are getting bigger and bigger, the insurers are not saying you must have the absolute minimum baseline, and that's the minimum rate, but that would help out a lot in our industry. But again what you've got is everyone pushing each other along. It's a bit like, have you ever heard of something called the South Sea Bubble, where basically something happened in the 18th century? The big problem was they just pumped more money and more money into it, and then they realised that everything they were trying to do was completely unworkable, the bubble popped and everyone lost a whole load of money. That's the whole nature of what we're seeing: the insurers are seeing bigger losses, the board is saying let's spend more money on security, so people in security are going, great, let's buy more, and what they're not doing is the basics; people are still getting hit by the basic phishing emails, the really basic stuff that has been there for ages. So I'll come to that in some of the things later.

And you can see here, what you've got here is the average data breach cost. So you can see 2020, the pandemic started; you can see 2021 and 2022, the costs going up a lot. Now, is that because everyone started working from home, everyone just got sloppy, cyber security training suddenly stopped? Ransomware shot up a lot as well. And you look in here, in 2022, you look at the losses in the US, they kind of shot up as well, and then you see a lot of it going after healthcare. So that's probably because the US has got private healthcare, and all the insurers paying out and legal costs behind it, that's what's driving those costs.

So the fine structures, I know this because I'm based out there, yeah, so the fine structures in the US have actually increased, or what's driving that cost is the legal repercussions afterwards. So your upfront costs are typically 20, 25, 30; your legal costs are now exceeding that considerably.

Because of class actions?

Yeah, not just class actions. In the financial sector the clawbacks are significantly higher, the costs associated with that. On the healthcare side it's class actions, it's other losses, and just legal costs as well are just ridiculous. And then insurance costs are obviously getting driven up. I think insurance in the US is different because they're asking more questions now, because they have had their assets handed to them in the last several years. Yeah, because they just wanted the money and didn't think about what to ask; now they're asking more questions. So my insurance, I mean for our organisation, our insurance, they tried to pull out, and then we explained to them exactly what we were doing, so then we came to an agreement.

Then also in the US the insurers pay the fine as well, so when they get the cover...

Yeah, they do, and then it comes back on the organisations.

Yeah, but there was an increase in...

Well, the other part of that, to answer that one as well, in the US, at least in state and federal, you actually have to disclose what your limits are, how much you're paying, the other things. So now what we're seeing is adversaries are going after them and basically doing ransomware for pretty much the insurance limit. So they're doing a huge amount of intelligence background pieces.

Absolutely, yeah. So essentially that's kind of your point really, yeah, that's why I put it in there. But the thing is, to go to your point, and I know you can hear from me later, right, but if the bad guys know that they've got the liability, the insurance, and they know themselves that people are going to click on the ransomware...

I will not dispute that. Yeah, we'll talk about it, yeah.

So one of the things I've certainly seen, and I didn't do that much work in the US, but smart moves. A lot of the time what I'm seeing is the good guys, the stronger kind of defences, they spend far too much time evaluating risk, not investing in it, not looking into stuff. And they're not thinking about how we react within that first hour of a cyber breach. Something will come in on the service desk, someone won't be able to retrieve it properly, something will happen. They're not tuned to that kind of paramedic-style mentality, they're not trained, right, something is happening, how quickly can we analyse the issue and shut it down. And I've seen quite a lot of breaches where people just don't respond quickly enough. They wait for a couple of hours, think, oh my God, it's an incident, I don't know, another couple of hours, and by that time the hacker has gone in and shot off with it. Yeah.

Are you going to touch on the fact that most companies have got too many tools? You're going to touch on that? I mean, yeah, I don't want to steal your thunder, but that's one of the biggest issues we're seeing as well: too many companies rely too much on the technology.

Yeah, they're not... you've got, yeah, great, someone is sitting there on a service desk, will look at three or four systems, say, I can't see anything going wrong; they won't have that technical analysis. So are we investing in the right way? It's like making sure we have the right incident response plan in place. A lot of the time I see they do a tabletop exercise, or they'll do a breach simulation, and people think, I've done a breach simulation, so we're ready. But they'll do it once a year, and the people who are non-technical go, oh, why do I have to? Why does someone from HR have to sit there and talk about it? They're not doing it continuously; there's not much fire drill type stuff happening on a continuous basis.

Also, with the response team, what I find a lot is people are too slow to declare a major incident. Let's say a ransomware, and they say, oh well, it's only hit two machines, we've isolated them, it's not spreading, it's not a problem. Communication is an absolutely key thing as well; quite a lot of the time, because there's so much noise going on, people won't have that mentality of making sure: is this something I really need to raise at the right time?

Also the collection of data: as you said, there's too much reliance on the technology. What you need is to make sure you get the right information to present to the people. What a lot of people set up for a conference bridge in an incident, everyone on there is technical, and I've seen it so many times: right, there's a big incident, we're going to have a call every two hours. So what do you do for the first hour? You talk about it. What do you do for the next hour? Work out what to say on the call in an hour's time. And that goes on. You've got to be really, really regimented in terms of the collection of data and whatever.

Also negotiation: how many times have you seen non-specialist negotiators start negotiating with a hacking group and then it all goes absolutely horribly wrong? The chances are they go, oh well, can we find some Bitcoin, pay it off and everything will be OK, and then realise it's not. They need to get better at that. And the post-incident review: a lot of people say, well, we've patched everything up, the insurance has paid out, we'll just crack on as before. But has that really changed the discipline or the culture?

So why are threat actors successful? Adversaries are getting better. I think you made a really good point about the fact that they know how much you're insured for, they know the systems, they are constantly targeting you better. So the cost of attack might have been made higher, but they're all one step ahead. A lot of the time what we're seeing is adversaries have probably got a foothold in the system and they've listened, they watch and they learn; we're not detecting them early enough. Over-reliance on technology. And also a lot of the time security teams have limited empowerment. Quite a lot of the time, certainly I've seen, a risk goes to a risk committee, an auditor says, oh yeah, can you fix this finding, and the business is basically thinking, well, if we do the risk side, the audit side and the compliance side, then we don't have a problem, because the risk is a win-win. Actually what we're looking at is constantly evolving and changing risk.

Now, to talk about the security teams, the empowerment thing, I mean that's something on us. That's because we're not talking the right language. So much of that, we go in there at a technical level but we don't go and have the conversations at a business level. We don't talk the same language the business is talking. Very rarely will you see somebody going in and having a conversation with somebody in the business who understands risk, finance, manufacturing, supply chain and all the other stuff with it. So getting that seat at the table is imperative, and unfortunately in so many cases we're not spending the time to do that.

But the flip side, and that's a really good point, because the flip side to that is that security have to understand the rest of the business. So again that's almost asymmetric in its nature: in order to get security known to the wider business, we have to speak their language, and their language is not security language, right.

So there's a massive race to the cloud. How many vendors come in saying, well, you move everything to the cloud, we can protect it all for you? I've seen quite a few companies, what they do is, well, we bought this product, they gave a service level guarantee that none of this would be an issue. But actually they think that you've transferred the risk, and you haven't, not really, not in the slightest. And also it's really about the security fundamentals, the building blocks, things like this. And the one thing I do find fascinating with that, I do find a lot of people, teenagers coming into work, they're far more security aware than people aged 40, 45 to 60, because they will know all about scams, phishing emails and all that, and then they'll expect to be much more liberal in the workplace, because that's what's happening. So I think really a lot of people think they know what a phishing email is and they think that's what security is. Maybe we need to change the way in which we educate the users: more than just looking at your email, clicking on websites, it's about what network you connect to and many other things.

So what should we be focusing on? Let's talk about the phishing thing. How many businesses really lock down USB, cloud storage and manage the web browsers? Even a lot of low maturity businesses who are big businesses, they think, oh well, locking down USBs is something we ought to do, but we're not quite sure. When they do it, everyone starts complaining, and then you start understanding actually a lot of people put confidential data on USB sticks and they'll stick it into an OT machine because that's the way they've always done it, and they think that's the most secure way of doing it. Absolutely crazy. And also managing the web browsers: a lot of places that I see, they will have their Edge, their Chrome, or they always say Firefox, but they won't manage the browsers. And many times when people click on a link, having the browser managed reduces the risk. Getting the basics right.

How many people have SMBv1 and TLS on their servers? That's always the first thing we do; it's amazing, that's scary. Lots of "if it ain't broke, don't fix it"; you'll see a lot of that in the OT space. And how many companies will pull all the findings from an ethical hacking exercise and spend their entire time going, OK, we've got a pen test, ethical hack, three months ago, probably fixable, we'll read all the vulnerabilities. But have we done all the remediation? No. Well, we'll focus on that rather than actually focusing on the day-to-day stuff as well.