The Get Cyber Resilient Show Episode #27

Gar is joined this week by Dr Francis Gaffney, Mimecast’s Director of Threat Intelligence and Response who leads the data science research teams for threat intelligence, risk and resilience, threat intelligence analysis and strategic intelligence. Francis has had a fascinating journey that began with an honours degree in chemistry and a career teaching. He then moved to a position in government providing advice on the threats domestic chemicals posed and provided guidance on information warfare (psyops), before moving into counter terrorism and finally transitioning into cyber security.

Francis brings his considerable knowledge and expertise to this conversation surrounding cyber threat intelligence, its function and value. Gar and Francis also discuss technical vs strategic threat intelligence, how to build a threat intel team, trends for cyber attacks and a big one… the value of attribution.

Click here to register for the GCR Live show 

The Get Cyber Resilient Show Episode #27 Transcript

Garrett O'Hara: [00:00:00] Hi everyone. And welcome to the show. Before we get started, a small announcement The Get Cyber Resilient site is celebrating its first birthday and to mark this milestone, we're holding a Get Cyber Resilient live show on the 18th of August at 2:00 p.m.

You can register by heading to getcyberresilient.com/gcrbirthday. At the end of the live show, we'll do an AMA. That's ask me anything where we'll open up for questions from our audience. If you can't make it to the live show, don't stress, we're going to publish the episode in the podcast feed. Again, you can register at getcyberresilient.com/gcrbirthday. Hope to see you there now on with the show.

Welcome to The Get Cyber Resilient podcast. I'm Garret O'Hora and this week, I have the great pleasure to be joined by Dr Francis Gaffney, Mimecast Director of Threat Intelligence and Response who leads the teams that do data science research for threat intelligence, risk and resilience, threat intelligence analysis and strategic intelligence. So four teams all up. I've attended some of Francis's internal and public facing talks so, I'm excited to share his perspective with you.

Francis originally got an honors degree in chemistry and became a teacher and back then he was also advising local governments and governments on the inside threat. So for example, how domestic chemicals could be used in a harmful way. This was in parallel to work he was doing on what we know today as information warfare or what was known back then as psychological ops or psych ops. He moved across into counter-terrorism and actually authored chapters on threat actors in various books.

Through the lens of counter-terrorism, he was looking at countries and regions and analyzing areas like energy, trade and security and that skillset led to a transition into cyber security. This could easily have been a two-hour episode, but we did manage to cram a lot in. Cyber threat intelligence and its function and value, technical versus strategic threat intelligence, how and when they're useful, what good looks like when threat intel is being used well, how to build a threat intel team, trends for cyber attacks even touching on what quantum computing might mean and a big one, the value of attribution which has been a bit of a debate in the industry. So there's lots here, please enjoy.

Welcome along everybody. I'm joined today by Dr Francis Gaffney and, um, a very, very interesting, uh, person within the Mimecast organization and somebody I've been looking forward to talking to for- for quite some time. Well come along Francis, how are you doing today?

Dr Francis Gaff...: [00:02:38] Yeah, not too bad. Thank you very much for having me.

Garrett O'Hara: [00:02:40] Absolute pleasure. Um, maybe... do you wanna just start by kind of describing your current role in Mimecast and then we might get into the- the sort of bio on how you got here? Because I think it's an interesting path you've had.

Dr Francis Gaff...: [00:02:51] [Laughs] Most definitely okay. So, I joined the Mimecast family and I do say family because it's a- a very very close community we have here as you know. Um, 18 months ago. So, I joined in February last year and really, it was to start developing the threat intelligence function at Mimecast. Uh, so Mimecast had a brilliant threat intelligence capability at the time but they just wanted to start going onto that next step and where they could look into different areas of study.

So, um, I have a team that leads the data science research for threat intelligence. We have the risk and resilience team. We have the threat, uh, intelligence analysis team and then we have strategic intelligence. So there's four parts to the team.

Garrett O'Hara: [00:03:34] Fantastic. And- and how you got here... and you actually started in chemistry. I know you had an honors degree in chemistry and weirdly, uh, so do I and we got them around the same time and neither of us are doing chemistry.

So, that probably says everything you need to know about how interesting that is. Um, how did you get from an honors degree in chemistry to- to where you are today? It's a fascinating path in my opinion.

Dr Francis Gaff...: [00:03:57] So, most definitely, so, for our listeners, everything I say is true. So, this isn't a- a- a fiction story but... um, so I went to chemistry and, um, as you say, there's very little you can do with a chemistry degree apart from going into that sort of vocational work in terms of research or so forth.

So I became a chemistry teacher and while I was doing the chemistry teaching, um, I was advising local government and government on the inside threats as in, you know, how, uh, the use of even just domestic chemicals could be used in a harmful way.

And this was, um, parallel to some work I was doing in what they call information warfare nowadays but back then it was called psychological operations and that's the... how one would influence. Um, and so by doing these talks on the psychology of, um, various activities for the insiders- insider threat, that's how I sort of moved across into the counter-terrorism, um, academic sphere.

So, um, you- you see, um, I have a- a number of chapters in different books on various, uh, you know, um, threat actor groups in terms of counter-terrorism. And that's how it started. And, uh, you start looking at the various, um, countries or regions and that's what I did. I just looked at different regions and I was looking at energy, trade, security. Um, I was looking at the psychology of, um, why people have this propensity to cause harm and it was things like that.

And eventually, um, the thought processes were those processes that one would identify through actors in the, you know, terrorist field, actually could apply to those in the cyber domain.

And it was like an unknown actor committing this with these sort of types of methodologies. And- and- and I think, you know, we- we... I'll be very surprised if we don't get onto it at some point but the attribution, um, the attribution of who did it wasn't actually an important thing.

It was the methodologies because that as a person, nation, state or whatever you wanna call it, that makes you more resilient if you can actually mitigate their methodologies, mitigate the threat rather than actually, you know, spending time and effort on who did it. And that's- that's really where that same ideology and thought process came from, from counter-terrorism and cyber.

Garrett O'Hara: [00:06:15] Absolutely. And so when I... You know, as you've described your time in government I, you know, immediately think kind of James Bond and I think it's hard not to but, you know, all the things you've described there the kind of, um... And some of the stuff you've- you've talked about before where you're looking at kind of the major moves by terrorist organizations and those kind of macro level, um, kind of global movements. Um, like, on a scale of tuxedos and fast cars to office cube, how is the work? Like, what does it actually look like?

Dr Francis Gaff...: [00:06:46] I am very, very definitely office cube. If we had this video, people would see definitely office cube. If I was to do any sort of special forces thing, it would be me nil, team six. It wouldn't be anything [laughs] more sinister than that. No, I- I... literally, desk analyst. That's- that's, you know, I- I read papers, I write reports.

Garrett O'Hara: [00:07:07] Absolutely.

Dr Francis Gaff...: [00:07:08] Sorry to disappoint you [laughs].

Garrett O'Hara: [00:07:10] Not at all. The work is so fascinating anyway, um, and- and really, you know, that- that idea, so threat intelligence, it's become this massively topical area. Um, it feels like more and more organizations are talking about it.

It's become, um, yeah, something that just appears to be much more in focus and part of the zeitgeist of cyber security. Can you kind of, at a broad level, um, run us through it? First of all its function but also its value as you see it?

Dr Francis Gaff...: [00:07:37] Yeah, must have been so... I think with, um, the threat intelligence team that we're [inaudible 00:07:44] up at Mimecast and what we're attempting to do at Mimecast, um, we've made it more actionable than consumable.

And what we mean there is it's written for an audience. So, instead of writing a paper for paper's sake, we're writing it with a particular audience in mind. Um- um, for example, regional. Um, the threats to South Africa, there's different methodologies used in those particular areas. So, by having that contextual, um, actionable report, it helps the customer make, you know, take some sort of action. Um, I think it helps increase their resilience.

So, we go through scenario reporting and so we'll explain how, uh, or we'll project how. And it's called the cone of plausibility where I would have a scenario and what we would just do is go out in that cone and give a left and a right or above and then say well, actually any of these scenarios along this spectrum therefore are potentially possible and then the customer will actually say, "Well, actually these are the red lines for us". And therefore they would actually, you know, try and mitigate bits of potential threats that they can mitigate.

Um, I think it also gives better content... oh sorry, context to current threats and trends. So, it supports, um, those more proactive companies or organizations in their, um, awareness training campaigns because we took on those current threats because sometimes you'll end up with, you know, threat fatigue. If I keep saying, you know, "there's a threat, there's a threat, there's a... " eventually people get fed up, whereas, if we actually, you know, target it and time it correctly... uh, you know, because the threats are always there but you've got to do that timing correct because otherwise it just becomes white noise.

Garrett O'Hara: [00:09:15] Interesting- interesting point and probably something I hadn't really thought about that much, is that, uh, the fatigue component and- and balancing the amount of information that presumably sits in the background. But, you know, picking what's- what's relevant, what's actionable, what's useful but without overwhelming people with the- the amount of noise that you- you and the team there must actually go through on a daily, monthly, weekly basis, um, must be a huge amount of data.

Dr Francis Gaff...: [00:09:41] And it comes back to that original training I had in that information warfare. It's, um... You've got to find that sweet spot. So if I'm trying to influence you to say, “Look, you need to take some sort of action here because this is a real threat". If I have already told you so many things, it's the "boy who cries wolf", whereas, if I don't get you scared enough, you know, you just say, "Well, actually, I don't see a threat there". So, it's that sweet spot where, you know, the person does want to take some action.

You also don't want to get into apathetic where they think, "Well, we're going to get attacked anyway, so you know, we might as well just start putting the investment into that, you know, BCP, you know, Business Continuity, rather than the mitigation.

And that, uh, logic, you know, uh, we equate to, you know, school nurse being employed to, you know, treat children for splinters from the desk. So, instead of sanding down the desk and varnishing it, they employ a nurse to give you plasters for the- the splinters and that... sometimes you look at that logic and think, okay [laughs].

Garrett O'Hara: [00:10:34] Yeah, that's- that's definitely the wrong way around. And- and there's different types of, uh, threat intelligence. Obviously, you know, we've- we've talked on the podcast before with folks from organizations like Recorded Future. And, you know, then we talked about the idea of technical or operational, uh, TI versus the more strategic stuff and I- I suppose the question does the value of those change with the maturity level of the organization or, even the size of the organization?

Dr Francis Gaff...: [00:11:01] Most definitely. A- a- and again, the various, uh, threat intelligence vendors, I mean, they're all absolutely brilliant. I mean, again, I'll never ever speak ill of them because the different threat intelligence vendors have not just very different targets but actually also it's you as an organization, what you take out of it. So, initial or new startups, really what they are looking at, I would suggest is, you know, the reactive. They are playing whack-a-mole.

You know, as the threat comes in, they- they mitigate it or they fix it. As a company matures, they start to expand that priority of threat monitoring and they'll start looking out for it. Um, so, again, the analogy I use, we're a castle keep. Now we're at the castle wall and that's the initial protection one would have but as you mature, you'd start going into the forest to see what the new trebuchet those, you know, those threat actors are building so that, I actually... I can make my castle wall thicker so, instead of waiting for the first time I see that, you know, um, trebuchet, I've actually already mitigated it.

You'll also start getting the maturity then of investigating the insider threat. So, do you have an insider of that castle keep who are gonna open the drawbridge for people? So, you start increasing your, you know, your threat intelligence and monitoring theirs. So, you- you'd have the perimeter you'd have inside the perimeter and then you would have outside the perimeter.

So, you start seeing that maturity build and as people grow in their understanding of the threats, they'll start linking geopolitical events to cyber activity. Now, th- this is why I keep saying focus on the- on the methodologies because the methodologies don't so much change, they just use different events to, you know, entice you to interact. So, if I play the red team at the moment, if I want you Garret, to come and, uh, you know, interact with me, I want you to click on a link.

That's really what I want you to do because I don't have to start, you know, developing that relationship with you in terms of spyware, malware, or whatever I'm going to do to you. What I'm gonna do is try and change the look and you're very savvy. So you think, oh yes, I know about these things, these phishing attempts. If I just said to you about the Australian bush fires, I'll say, "well, actually look, you know, you can claim some money because of the- the poor air quality we can give you filters for your thing. Did you know you can actually get support from government?".

You may click on that link if it sounds realistic. It could be, you know, world events. So let's look at the pandemic. As it started, people were nervous, people were vulnerable saying, "wh- what does it mean? What do I have to do?".

So, they start clicking on links to find more information and me, as a threat actor would exploit that by putting those in there. Um, as we're now starting to return to the office, I'll start saying about returning to the office, you know, you can get funding to help you la la la... you know and again, so all I'm doing is changing my look but actually, the methodology is still the same.

Garrett O'Hara: [00:13:40] Absolutely. And it is almost a... it's amazing to me how quickly they can mobilize around world events. And I know your team produced, um, I think part of your team produced the report on the domains that were being spun up.

Um, I think it was the first two weeks maybe of the kind of COVID, uh, you know, when it- it was really hitting and watching the amount of, kind of, uh, COVID lurers and domains that were being spun up that were related to, you know, free masks and testing kits and all those kinds of things. And, uh, it's quite astonishing.

Dr Francis Gaff...: [00:14:10] And that a hundred days of COVID paper we did, we tried showing week by week and it almost shows you the evolution of a, you know, a threat actor campaign. And if I now apply it... we did a first hundred days of returning back to the office, you'd start seeing the same evolutions of same people, clicking the links, because they're wanting to know about news... some of the things so you'll have those initial , you know, opportunistic, and then as it matures, it will be, you know, more clever as it were in almost every [inaudible 00:14:35] campaigns.

And if those don't work, we still have the bread and butter of the sophisticated impersonation or the sophisticated phishing. And this is where a Garret, I would... you know, if I'm looking at you as my target, um... So, I would be looking at your social media presence, be looking at what things you post, favorite restaurant you go to or, if you're a runner, these sort of things.

And I'll send you, a you know, a- a- a voucher saying 15% off here, you know, because you're such a regular customer and as we now start going back to work, please feel free to come and visit us again. You'll click on that. But I've obviously hidden behind that a file. I'm now into your home network and I would have piggyback into your work work network. So there's so many different ways [inaudible 00:15:13] that we understand it.

Garrett O'Hara: [00:15:16] And one of the things I think as humans, we're always looking for the- the shiny new thing but you're spot on in terms of quite often, it is the tried and trusted methodologies that are used to think that was reflected in Verizon's, uh, data breach report this year as well, where they call it the same thing.

You know, it's not- there's not some exotic new attack methodology that no one's ever heard of. It's the stuff that, um, has been around for- for quite some time but just changed and socially engineered in a more meaningful way.

Dr Francis Gaff...: [00:15:41] And this is the psychology of the curious, so that- that- that influence triangle, um, you know, I keep talking about how I try to influence but that influence triangle would be how I change your capability, your will, or your behavior. They're the three things I'm gonna to try and do. And so if I want to change how you behave, you know, and this, you know, again known as social engineering.

So, by me doing that pattern of life analysis on your social media footprint, I can then apply that, you know, that- that, uh, influence triangle to try and then get you to... because all I want you to do is click on a link. And- and so, it's not that hard. I'm not asking you to go to war.

I'm just asking you to click on the link. So there's those psychology of the curious and I think there's one that says, uh, you know, the human nature is such a... if you go to the back of a deep, dark cave have a button that says, "end of world". Someone will press it before the paint even dries. You know, it's that sort of... you know, we have that curious nature.

Garrett O'Hara: [00:16:37] And can you run us through that triangle? Um, the- then the three- three parts of that?

Dr Francis Gaff...: [00:16:41] The capability, will and behavior. It's easy when you have it on a- a- a, you know, PowerPoint slide, but yeah, so that's the... so I'm trying to change your capability. So how I could do it, if, uh, if I were to look at a hostile nation state, um, and I want to stop them from going to war against me, what I'd do is, um, change their capability. I could actually just blow up half their military assets and therefore, they haven't got the capability to come at me anyway.

Um, I could change their behaviors and that could be putting patrols all around them, isolating them, all these different things. And that changes their behaviors as to how they would go to war. And then they will... well, it could be that, you know, you engage with them politically and say, well this isn't a thing to do as a grown up nation. You know, we can actually talk about this.

So you change their will to want to, you know, come to you. So those- those three and that's at a military level but at a personal level, if I want you to do something, you know, so look at correcting a child. You train their behaviors, you, sort of, not take away their will because that's, um, quite- quite probably bad but yeah, their will to do naughty things and their capabilities.

So parents, how many times you can put things up out their way? If they don't have capability to put the porridge on the wall, then the porridge doesn't go on the wall. You see?

Garrett O'Hara: [00:17:53] So, maybe we should just take the computers away from all the employees around the world and then we've- we've solved- we've solved the problem.

Dr Francis Gaff...: [00:17:59] Yeah, we'll have it automated [laughs].

Garrett O'Hara: [00:18:00] Yeah, like maybe notepads and abacuses and, uh, yeah.

Dr Francis Gaff...: [00:18:05] Well, I mean, this just... I mean, that's a quite good, serious point though. You know, various reports show that, you know, well over 90% of, uh, you know, the- these- these things that happen to us are through human error but that still does say to you that about six to, you know, depends which paper you're reading, six to ten percent must be the insider threat, the- the malicious, you know, actor. So there- there- there is a story to tell there but unfortunately, over 90% of what we see is human error [laughs].

Garrett O'Hara: [00:18:35] Yeah. It's- it's- it's... I think human error has been around as long as humans have. I know, and I've certainly been guilty of it as well. And on that, um, you know, one of the things I suspect your, uh, team are seeing these days is just the sophistication level of, um, attacks just increasing dramatically.

Um, one of the ones that hit recently was the, was it Cosmic Links where they had done a, like a double-pronged impersonation and registered domains. And it sounded like there had been some good research into the targets and the victims but I'm- I'm guessing, you know, you've seen some stuff and we've moved on obviously from the- the times where we could warn people about bad grammar and, you know, the aspect ratio of images being wrong.

But you know what we're seeing today and I'm guessing the stuff that comes across through a team's desk is, is pretty hectic in terms of sophistication?

Dr Francis Gaff...: [00:19:25] Most definitely, uh, most definitely. Um, so the time it now takes to do our analysis, I would have said, um, has increased six times. So, where it would take a week to do a particular thing, is now taking six weeks. The attacks have become more hybridized. So, you know, you talk about that complexity. Uh, so yes, the methodology is still there, but what now the threat actors are doing are mixing those methodologies.

So then it's- it's layered. So where we would have a layer defense mechanism, they're actually having a layered attack mechanism. So, there's different- different layers to how they would do their attacks. And- and there's again, they've got their plethora of opportunities they could use to attack us. So, whether it be through hardware, software, people, through our partners or through our processes, there's different things they can exploit to, you know, make sure that attack is fairly successful.

And therefore we then layer our defense, so to protect our hardware, software people, processes, and partners. Um, that complexity in the attack does take us, uh, a bit longer to do but we've got such great, uh, threat mitigation teams around the globe that actually mitigate those very, very quickly.

There's also, where we talked about going up threat, so whereas we're looking for, say, an equivalent of phishing attack DNA, where we're seeing a particular phishing attack, what we actually do is go up to the root cause and actually we know it's off the phishing family, so we don't need to know that particular methodology.

We just know it's got that DNA in it and therefore, we can mitigate more threats instead of playing whack-a-mole. So yeah, we are responding. I would suggest that we be more proactive. So, uh, you know, we'll come onto it later with my concerns for the future, I'd suggest but you know, looking at the impact of quantum computing, AI and ML, Mimecast are already thinking about those things. There's no point waiting for those things to first hit us.

So, we're looking five to seven years ahead. And that's when we think quantum computing will have a realistic probability of doing things, well that's why we're now looking at how we would mitigate quantum computing attacks.

Garrett O'Hara: [00:21:27] Okay, we might park that one because I feel like, uh, there's- there's probably going to be some- some meat in that conversation. Um, before we get to that, you know, when you look at organizations, um, you've obviously got a lot of experience here.

What is it, like, what does good look like when an organization is using threat intelligence well? Like, how do they take the information that, uh, you and your team provide and apply that?

Dr Francis Gaff...: [00:21:50] So, I mean, it- it is actually a very basic answer. It's a complicated question, but it's actually a basic answer. Intelligence should be predictive. It is in its very nature. Um, whenever we used to brief, a particular senior, um, he would be slamming his hand on the desk saying, "So what? So what? So what?".

If there was no "so what?" to it, really, what you've just done is reported the news. Um, so, if I go to a company and say, "yes, we've detected 15 IOCs", you know, it indicates a compromised view. Well, that doesn't help the company. You know, they know they've got the IOCs, they're feeling the pain of it. What they want to know is, so what? What does it mean? How can they mitigate it in the future? How could they look out for it in the future?

So, these are the things I would suggest to make a good threat intelligence piece is what is the, "so what?" does it help me? You know, so, they're the bit I'm after. And that predictive element, well, again, like I was saying, I don't want to see that trebuchet for the first time coming against my castle wall.

I would have liked to have known it was coming. So, that emerging threats... you know, I'd like to know the [inaudible 00:22:52] uh, we knew had gone quiet. It was coming back. We knew that they were tooling again. One of our threat, um, threat researchers and amazing lady, she was actually already identifying that it was coming out... you know, it was actually, you know, tooling up. Militarizing and weaponizing again. And it came out a week later, but we had actually already had in place some of the mitigation so that when it did appear in our landscape, you know, last Friday week, we actually had already known it was coming in a way.

Um, but we just didn't know what it was looking like. So, it's not just getting those zero days. We're not gonna ever, you know, stop them fully but it helps us be more resilient to them.

Garrett O'Hara: [00:23:32] Incredible. I mean, the sort of the flip side of that question then is the, the promise of threat intel. Like where does it fall down and what are the... yeah, and- and maybe some misconceptions. You know, I suspect there's probably a lot of misconceptions around threat intel?

Dr Francis Gaff...: [00:23:45] Well, definitely and- and you'll find when people start looking at intelligence, they want more and more of it, you know, a- and they want more and more detail. So, you know, um, I'm saying there's a threat coming and inevitably the person wants to know how, why when, you know, all of those. Um, you know, when it will happen, how big an attack, what the impact will be and sometimes you don't know.

The fact that you're actually able to predict it is, you know, is actually a success but trying to get the- the granularity of it. And it's like trying to predict, you know, like a potential terrorist attack. You know, we know that terrorists aren't ever going to go away. So we know that there's that capability, you know, there's the amazing work that the various services do around the world in trying to mitigate those threats but inevitably, it will happen at some point and that's when you say it's intelligence failures. And it's okay then to go back through, you know, the- the data and say, well, you can see here the failure points.

But if you think about the, you know, the plethora of threats that are coming, you know, uh, there was a famous politician one time said, you know, we've got to be lucky every time. They've just got to be lucky once and that's- that's what it comes down to. So yes, there were lots of serious questions are asked quite correctly, uh, posed to an attack or an event, um, but, you know, you're not going to have to mitigate them all.

Garrett O'Hara: [00:25:05] And- and so, it feels like in some ways there may be an unfair expectation on threat intelligence solving all of the problems where it's really, it's part of a tool set to- to help.

Dr Francis Gaff...: [00:25:16] Yeah, I mean, it is part of the tool set. So, again, yeah, a bit like predicting which horse is going to win a race. You have all the data there, you have all the past form but at the end of the day, there's many things that can affect it given the running on the day.

So yes, there will be lots of failures but as long as the person accepts that it is part of that. I mean, I've talked about the influence piece. Um, and that's how the threat actor works. We, in intelligence, do not do influence at all and I mean, it's quite categoric, so part of training is to make sure that you don't influence. So, when I'm producing a paper for yourself, Garret, I would actually write it so that you, as the decision-maker, based on your risk appetite, based on your own experiences, based on your, you know, business profile, you make the decision.

I will give you a, I don't know, um, courses of action, different options that you could do but you as a decision-maker... because if I try and sway you in one way or the other, that's not intelligence, that's marketing. And then, you know, intelligence should always stay away from trying to influence the decision-maker. What they should do is present the facts but with the, you know, the- the predictions and then you, as the decision-maker, will make that choice.

So there is that element of, you know, the get out of jail card where we say, uh, it's all on you. You know, we did give you the intelligence but you used it in your own way. So, most definitely but 100% we don't influence.

Garrett O'Hara: [00:26:36] Yeah, I get you. And- and you've referenced there quite a few times, the reliance on, sort of, cold, hard data. And I know obviously, you're a doctor. Um, very, very highly qualified in this area and I also know that you've got other, uh, PhD level people in your team.

Kerry, I think is, um, somebody you might have been mentioning there. Don't know if it was Kerry but I know sh- she's pretty, uh, impressive but you have all these people working on data science and obviously there's a very clear need for those, you know, hardcore top level experts and to be in a team. When you're building at a- a team though what are the valuable skills that you're looking for, uh, for threat intelligence?

Dr Francis Gaff...: [00:27:13] So, I mean, yes, we do have academic qualifications, but that isn't, you know, necessarily... that- that's a happy coincidence. I think it shows sometimes the psychology of the person that- that- that interest in learning that curiosity. Um, you know, so we don't necessarily say you have to have a degree or 'X' or 'Y' or, you know, have these qualifications.

It's actually the experience we're after and that behavior to want to question. So yeah, as the data scientists, you know, inevitably they'll have, um, a- a list of qualifications they would have but the risk and resilience team, the intelligence analysis team, the strategic intelligence and emerging threats, there, that's where the skill sets are very, very different, you know, to each other.

The strategic intelligence, that's the person looking at those geopolitical, that's looking at that business intelligence, that's looking at those thought processes. The intelligence analysis, um, we use what they call structured analytical techniques and these are, you know, proven in academia many, many times, uh, where we would do like the assessment of competing hypotheses or, you know, PEST and SWOT analysis.

These, you know, tools that people have done. And it's applying those tools. There's not necessarily going off on a course to do PEST and SWOT. It'll actually be, can you apply the, you know, the processes to do a good PEST and SWOT analysis? So yes, the people do have, I mean, Kerry, she is amazing. Absolutely amazing qualifications but it's more the experience and the, uh, you know, the putting into practice of those.

Garrett O'Hara: [00:28:39] Fantastic. So we- we kind of touched on a little bit, um, but attribution, I kinda feel like we- we might need to talk about this one a little bit more and like, one of- one of my observations is, it sort of feels sometimes, like, we're creating a- a dystopian circus, uh, of funny animals like, um, vicious pandas and dancing bears and all that kind of stuff and it's become, I think, a debate in the industry in a couple of different ways. Like, how valuable is it? How reliable is it? Um, do you mind, from your perspective walking us through what attribution is and then your thoughts on its kind of value and its reliability?

Dr Francis Gaff...: [00:29:17] Yeah. So, I'm not a great advocate of attribution and it's from past experiences, both at, uh, national and international level but also, you know, at this level, um, because to attribute, I mean, I- I- I'll first- I'll quote an ISO standard, 27,037 and, uh, section 6.1.

So this is, like, almost off pattern. Section 6.1 is looking at the chain of custody. Now for me to identify you, definitely you, nobody else but you as being the, you know, the threat actor that I'm after, I really need to get access to the machine that you've been on.

There's so many different ways of obviously locating an attach. I can actually pretend to be a different, um, attacker. There's ways of doing proxies, there's, um, nation states that actually can behave as a- a threat actor group even. You know, they've got the technologies and capabilities so, for me to get caught up on this particular group, doing this attack, it really is... not a waste of resources but it's- it's not necessarily telling a story because, okay, Garret you're the person doing the attack, what's the "so what?". When it comes back to intelligence, what's the "so what?" mean knowing it's you?

Well, it could be that I can start working out that influence, you know, that capability [inaudible 00:30:39] if I know it's you Garret, therefore I know what your capabilities are but if I'm actually wrong, I'm going to be very, very badly wrong because it could be someone pretending to be you so therefore, your capability is not what I think it is therefore, I'm going to be wrong there.

Your willing behavior, the psychology of what you're about to do what you're going to do, that changes totally and this is where, you know, we talked about it, this is where the intelligence feelings happen where the attribution was incorrect. Where we thought it was a particular group or, we thought that group was gonna do a particular thing and then, you know, it totally blindsided us by doing a totally different thing. So, that- that part of it.

The next part of it would be, well, again what's the key part we're trying to do is mitigate that threat and give us better resilience and so the methodology I'm after, it doesn't matter who's doing that attack, I'm watching that methodology, I'm mitigating that methodology and again, if it's a nation state or a particular threat actor group, um, I don't care, I want to know more of how I'm going to stop that threat. So, an analogy could be that I've got water coming down the outside of the front of my house. It could be from rain or, it could be from a hosepipe from next door's kids.

I don't care. I'm still going to get wet when I walk outside so when I put an umbrella up, at least I'm gonna mitigate that threat. Slow time, yes I can start looking at that but you know, looking at that 27,037 standard, that's where the law enforcement agencies and that's where it becomes an important attribution. Um, I sit as a magistrate in the UK and again really to identify who is doing it, that's where someone pull the mask off and I've got DNA and even with the DNA, it's identical twins so you know, unless you're there at the time with the- the person identified, it is actually very hard to do that chain of custody, um, so, again that attribution.

And again the- the press is very full of it and academia of where attribution has been wrong even by a national government. So when I say even by a national government because I do hold them in high regard, that they've got better collection capabilities, they do know, you know better research on how these attacks can happen and even they argue about who was the... you know, who done it as it were.

So, it is very, very hard to attribute and I personally think in a time where we are looking at our resources and if there's that, uh, you know, not famine of tech but you know, people who can do this sort of research. I don't want to waste their time on telling me who did it. I want to know how I can mitigate it. That "so what?". It sounds like I just got off a soap box.

Garrett O'Hara: [00:33:13] [Laughs].

Dr Francis Gaff...: [00:33:13] It- it's just an odd thing because I always get to people, "but which group are behind it?". It doesn't really matter what it is and I'm trying to understand the customer's point and he's saying, "but what does it say what? It's told you it was this" because if it was the Russians rather than the, you know, the... in the Cold War thing, well, so what?

You know, do we go and attack Russia? What are you gonna do about it? No, you're not gonna attack Russia so, why was it so important for you to say it was the Russians, you know, that sort of thing.

Garrett O'Hara: [00:33:39] Yeah, no, get you. It needs to be actionable. It- it's a funny one. I was listening to, um... I'm currently doing some security certification training and they... uh, one of the knights luckily brought in a- a digital forensics investigator kinda guy so, I had no concept of the level that you have to go to, um, to kinda keep a d- diary of every single action of when you walked into a- a property, take photos of where the computer was. Was it turned on? Was it turned off? Was the monitor on?

Take photos of the things around it. It was incredibly detailed and so many of the "gotchas" that it wouldn't have occurred to me and, you know, no reflection on me because it's not my job but I probably would walk in with a- a disk clone or... and just kinda go, "well, yeah that's fine". Um, but he talked through how, um, to your point around change of- chain of custody.

Um, like there are, I think and you're probably gonna correct me here, but I think legal ways where you can, for example, um, analyze a computer without it being deemed as having interfered with the computer with apparently mobile devices because of how, I believe, like the memory is, um, set up on the motherboard, you sort of can't do without in a way altering the device but it's understood so that, you know, it's sort of allowable in court but I suppose the point is my mind was absolutely blown by the level of effort and work that was required to do what to me what would have seen, like a trivial attribution of, you know, a crime. Where you're walking into a property where there's a computer and- and- and even still.

Dr Francis Gaff...: [00:35:14] And this is actually what people forget. That, you know, all these different things these threat actors are doing, is crime. You know, it's, uh, in the UK, it will be the Misuse of Computer Act, Misuse of Communication Act. There's so many different acts that these people are committing an offense even if I send you an email to try and get you to click on a link and the UK has two levels. So, we've had the balance of probability and beyond reasonable doubt.

And if you or, we as a vendor, um, a cyber security vendor, do any harm to that investigation then actually, we've collapsed a trial or, you know, they call it "cracked". You've cracked a trial and therefore, now that person's gonna go away scot-free because we've actually again broken, uh, the thing by saying, "we think it's this person, this group".

Well, thank you. That hasn't happened under a court of law and therefore, you've now prejudiced my trial against my client so therefore, off he walks into the sunset so, you know, by attributing in some respects can actually and has happened just recently in the press, I think about a month ago where unfortunately a vendor did name a particular group and that, you know... then prejudiced a criminal investigation and therefore, we can't shut down those bot farms, we can't go after these people because you've already outed them and therefore you've prejudiced their trial.

And here's a trial by media come [inaudible 00:36:34] to any other crime, you know, if we had, uh, somebody, you know, accused of stealing and the press went round and started taking photos and showed this person out to be the thief when they may or may not have been, it will be very hard to bring that person to court now because they've already been outed in the media. So, that's why we stay away from it because at the end of the day, it's a crime and we don't want to prejudice crimes.

Garrett O'Hara: [00:36:57] Yeah, no, understood. So, we- we sort of parked this one. Um, but I was gonna ask you around the- the trends that you see, uh, for cyber tech and you mentioned, sorry, quantum computing and things like machine learning and, um, yeah, I'd be very keen to- to hear your kinda thoughts and where you see the cyber attacks heading and- and maybe things that we maybe haven't paid attention to?

Dr Francis Gaff...: [00:37:20] I mean, if you didn't mind, I'd actually just widen it to what concerns I see in the cyber security arena and the only reason why I just wanted to widen that one piece is legislation, if we as an industry, um, don't behave as the customers or, um, the environment dictates, legislation will come into place to make us behave.

And a classic example of that is data protection where the industry didn't respond as, you know, the growing concerns from the consumers, the customers, the- the general populace, then actually legislation's brought in and legislating for the internet is a- a very tricky area because this is where people see themselves as free and you know, free speech and various other things and by limiting their movements, it is like limiting your movements in the physical world.

So actually, sorry to just stretch it a bit but legislation is one of these things that does concern me because if we over legislate... and one of the papers I worked on was looking at, um, terrorist investigation pre September 11th and post September 11th and looking at how, not draconian but how the laws did definitely change there and this is what I'm now seeing in cyber that, you know, um, sometimes the legislation can be over prescriptive.

Um, and not saying the innocent but the people who do, do lots of work on the... in that virtual space, are limited because of the legislation now being brought in. So, it is a concern because if we don't behave as an industry, legislation will make us behave and I don't think the legislation sometimes is helpful in some respects and very helpful in others.

Um, the things that concern me for the future though would include, um, sophisticated, um, phishing attacks and this is where there is that, um, level of pattern of life analysis where people do their homework and, you know, I- I- I do say in a facetious way but you know, threat actors have to pay their mortgages too. Uh, therefore they're going to do attacks that gives them good returns. They're not going to waste time on rubbish attacks and again, if I'm coming after you Garret, I actually do spend that time, those four or five days it takes for me to get inside your life so that when I do attack you, it's actually gonna give me a good return.

Yes, there's still going to be opportunistic attacks and that's, you know, I send out a thousand emails, I'll get one or two clicks statistically so, yes, there are those but actually if I want to go for those big returns and link to that is that phantomware that is something that is, you know, been a successful form of attack and again, we've just seen it again recently with some university education.

You've seen it yourselves in- in- in, uh, Australia and ransomware has been a problem for a long time and it's been the same in the physical space. It's just moved into the virtual space because data, now is monetized. Data is valuable and if I can, um, get hold of data that is, um, able to be exploited then you're- you're gonna pay a premium for it.

So, we will see ransomware but it is linked, I would suggest to those sophisticated, um, phishing attacks to target where they think that that will be the most successful. Another one would be the sophisticated impersonation.

This is a tough time for everybody, uh, returning back to the office. Some companies haven't made it, some organizations haven't made it through. They've had to close, um, they've had to let people go. By, the, you know organizations keeping on contact with their partners, talking to their third party suppliers, that helps prevent, um, some of those sophisticated impersonation because you don't know the person you're talking to is from a company that closed three/four weeks ago and they're in administration so, you think you're talking to one of your supply chains but actually, they've closed down.

So, we're gonna see more of those I would suggest, those impersonation attacks and I do get from friends and colleagues and, you know, previous lives where they say, "ah but Francis I can't be held, uh, you know, be caught out by those phishing attacks because I don't have a social media presence". Well, actually, you're a prime target for me because you don't have a social media presence so I can impersonate you on social media.

You're never gonna know because you're not there. So, I will actually create your persona on Facebook, LinkedIn, um, Instagram and other ones are... you know, as they say, other ones are available but I can actually impersonate you and by impersonating you in- in that virtual space, you know, it's actually hard for you then to, you know, get online because I'm actually you and everyone thinks you're now the impersonator. So they're [inaudible 00:41:39] impersonation attacks are, you know, [inaudible 00:41:41] so, um... and then the last one is that- that whole ML, AI and quantum.

These are the, you know, e- evolving, uh, technologies. Yes, we've used ML and AI in very many things and there's some spectacular companies out there that do AI tracing, um, and again, how- how do we, not as in Mimecast but how do we, as an industry, look at these because you know, um, these are evolving. The quantum computing can make hashes, you know, effectively become a- a thing of the past and what we're relying on, you know, could actually just be undone in seconds with quantum computing.

And I think the realistic, and they are realistic, claims will be about seven to 10 years but we need to start thinking about them now to have processes and people in place, the training in place because if you don't have the right people, it will be hard to mitigate those threats because, you know, again it's that reactive, you know... not immature because that sounds, you know, quite patronizing but those immature companies where they- they don't think about, you know the five, 10 year plans. That's when we worry.

So, they'd be the five areas aside I'd worry about those evolving technologies, ransomware, impersonation, sophisticated phishing and legislation.

Garrett O'Hara: [00:42:52] Yeah, absolutely. Legislation's an interesting one and we're- we're sort of, kinda running out of time here but, uh, I've often thought about how if I'm a criminal, yeah, how legislation maybe sometimes helps me.

Um, you know, because the law abiding citizens, they will naturally probably do the right thing but criminals kind of sit outside of that so, when it comes to encryption, it's probably the thing I think of most often and- and in Australia, there's the... um, you're probably aware of it, the... uh, it's the [DLA 00:43:22] bill.

I can't remember what it stands for now, um, but it's the idea of kind of essentially backdooring or forcing coders to include backdoors so the government can, you know, look at communications between main points and in my mind, you know, these days it's fairly easy, if I'm a- if I'm a bad person, to use other kind of encryption methodologies.

It won't be WhatsApp. I can purely spin up something else that uses PKI and you know build my own. Um, you know, there's enough money certainly in some organizations I would assume and the expertise is there so, I don't know if you have any brief thoughts on that just given the time but, uh, given your background, I'd be keen to hear.

Dr Francis Gaff...: [00:44:02] The US Navy creating the tour network so that those people in countries that don't have that free press could still access the internet and still could make their voice heard and look how that could be used for various means.

You know, the dark web and so on so, yes there is, um, these good intentions and yes, um, we have to obey the law. The baddies don't and that's the bottom line, you know, they're talking about gun crime, you know, let's make guns legal. Well, you can but baddies will still do baddy things. They're not gonna obey the law... just because you made guns legal, doesn't mean they're not gonna get hold of guns.

So, us, you know changing our legislation as you say, it does affect the innocent in- in a way if we make a true draconian because by very nature, with what they're doing, they're committing a criminal act and when I was doing my training for Paul, it was always... we would rather let 99 guilty people get away with it than put one innocent person, you know, uh, you know, found guilty and put in prison because at the end of the day, you know, yes people get off on technicalities but that still protects the innocent and those technicalities so by... and it goes back to that attribution by attributing, if we're not 100% sure, if there's a reasonable doubt, I cannot send that person down because at the end of the day, I can't take the chance that person was innocent and I've just got an innocent man away so it- it does... you know that legislation is very, very important but the baddies are always gonna do bad things.

Garrett O'Hara: [00:45:28] Yeah, so we've pretty much ran out of time but I might just finish with one question and that's, like, what's the most important thing for the audience to know about threat intelligence?

Dr Francis Gaff...: [00:45:40] I would say awareness training. This sounds very odd but it's that awareness. You know, we talked about that tempo of that threat fatigue, you know, you need regular awareness training and that's where the threat intelligence will give you the current trends and patterns of what's going on and by being aware of it, you're less likely and therefore more resilient to clicking on those links because you're aware that this is a scam.

And you'll see these on the web, you know, where it says, "there's a scam going around. If someone calls you and ask for your credit card number, don't give it". Well, by being told about these scams, trends, patterns at a regular tempo and it usually is about once a month but again it may be different for different organizations, that's the key thing. I would definitely say it's the awareness training with, you know, the threat intelligence.

Garrett O'Hara: [00:46:22] Phenomenal. Dr Francis Gaffney. I just like saying that because you're, I think, one of the few doctors that I- I get to- to speak to. So, um, thank you so much for taking the time. It's been an absolute pleasure to get to spend some time with you.

Um, I've been lucky enough to kinda see you speak on, uh, our internal and some of the external events so it kinda feels, uh, like a luxury to get to ask- to ask you a bunch of questions. Um, but thank you thank you so much and, um, yeah, I really, really appreciate you taking the time.

Dr Francis Gaff...: [00:46:50] And Garret thank you very much for the time. It's been enjoyable. Thank you [laughs].

Garrett O'Hara: [00:46:57] Thanks again to Dr Francis Gaffney for the insights and the time. It was an absolute pleasure to speak to him and I learnt a lot as always. We'll include a link to the hundred days of COVID report that we talked about. As always, thank you for listening to The Get Cyber Resilient podcast.

Do get into that growing back catalog of episodes. There is some gold in there and take a minute to subscribe, like, share or comment. It helps us a lot. Stay safe, and I look forward to catching you on the next episode.