• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.



In a special episode focused on the cyber risks associated with the upcoming Tokyo Olympics, Gar is joined by two heavyweights from Mimecast: the Director of Threat Intelligence, Dr. Francis Gaffney, and the Head of Risk and Resilience, Carl Wearn.

In the episode we cover the risk radius of the upcoming Tokyo Olympics, the research approaches the Mimecast teams have used, and insights as to what attacks are most likely. Carl and Francis also look deep within their crystal balls to make some predictions on what they feel will be the largest threats for businesses and large events over the next 5 to 10 years.

The Get Cyber Resilient Show Episode #63 Transcript

Garrett O'Hara: Welcome to The Get Cyber Resilient podcast. I'm Gar O'Hara. Today we have a special episode and are joined by Dr. Francis Gaffney, who is our director of threat intelligence, and Carl Wearn, who's our head of risk and resilience. Francis joined us back in August 2020 for episode 27, where he talked us through the function and value of threat intel.

In the conversation today, we cover the risk radius of the upcoming Olympics, AKA Tokyo 2020, despite it being 2021. That's the world that we live in. Francis and Carl cover the research approaches their teams have used, what we can expect when it comes to the games and likely attacks, and then a little bit of crystal ball gazing.

We're gonna include images for some of what's talked about in the episode, which will help as a guide to some of the research approaches they've used. You'll find those in the show notes. Let's get over to the episode.

Welcome to The Get Cyber Resilient podcast. I'm Gar O'Hara, and today we're joined with two very special guests, Dr. Francis Gaffney and Carl Wearn. How are you guys doing today?

I am doing well. Thanks for joining us all the way from uh, the UK. Uh, great to have you here today. How's the weather over there?

Happy days.

Oh. Well, for those in Sydney, when we're recording tonight on this Friday evening, it's absolutely miserable in Sydney. So I suspect the UK is probably gonna win the- the weather battle on this one. Um, guys, look, b- before we kinda, get into it, like, really uh, important for our audience to understand who you are and the value of the conversation we're about to have.

It would be very lovely to just get a little bit of a background and bio uh, from both of you. Maybe we could start with you, Francis?

Dr. Francis Gaffney: Yeah. So uh, thank you Gar. So for me, I started this journey about uh, 20-odd years ago. Um, I started in the, what we call influence operations. It used to be called psychological operations, but that carries connotations with it, but really what it is, is how to influence, how to change people's capability, will and behaviors. So you'll be able to see, you know, the brief presentation that I give, you'll see this influence triangle.

How I would, trying to, you know, and it's used in marketing and advertising, how you change, you know, a- a- a customer's those three attributes, the capability, will, and behavior. But then uh, we moved across to uh, in my academic phase, counter-terrorism. And this is where I was studying, looking at where, you know, radicalization techniques, because this was around the time of the September 11th attacks, of how in schools, radicalization processes would occur.

And that- that started me on that journey of looking at counter-terrorism techniques. Um, and also at de-radicalization programs. When the UK government then decided that actually people who worked in this, this field actually could become very good cyber analysts um, using the similar methodologies that we, we, we employed in those, those uh, sort of, uh, investigations, a lot of us were moved across to cyber. And- and again, it is, you have an unknown actor using unknown methodologies. Okay. How do you start that process? And off we would go. So then uh, about two and a half years ago, Mimecast came knocking on the door, said, you know, "How about coming to the dark side?" And we said, "Yes, do you have cookies?"

And they- they promised me ice cream and-

Garrett O'Hara: [laughs]

Dr. Francis Gaffney: ... that I'd be looked after.

Garrett O'Hara: And happy days and, and so glad, so glad you're here. This is actually your second time on the pod. So we'll put links to the previous conversation, which was uh, it was quite lovely. I don't know how long ago that was, but yeah, definitely one that I really enjoyed. And Carl, and, and be great to hear your background as well.

Carl Wearn: Hi, Gar. Thank you. Um, I- I'm Carl Wearn. Um, previously I was a Metropolitan Police officer for 23, 24 years. Um, doing, carrying out various roles since 2014. I was part of the organized crime command or Operation Falcon you might recognize it as then commissioner's [inaudible 00:04:07] cyber and fraud related command resource it appropriately.

Um, and investigate all of those offenses. I was one of the first seven officers to join met command and was very much at the center of it, running an operational development team, which included their intelligence tasking. Um, and basically if you contacted the Metropolitan Police in the London area for any offense with over a million pounds potential loss, you would speak to me and I'd give you advice or refer you on or accept it for investigation.

Um, and that included other police services across the country. I- I was it for a couple of years. Since then I've moved on to Mimecast. Um, I've got a young son, I've realized I'm getting older and I can't swing that big red key to smash doors in as well as-

Garrett O'Hara: [laughs]

Carl Wearn: ... I used to [laughs]. And getting up at 5:00 in the morning really isn't so great. So yeah, I- I think this is a- a much better way to live.

Garrett O'Hara: Yeah, definitely get that. And you know, we, we generally don't have Mimecast folk on, you know, it's, it normally is external guests. Uh, but because of the work you guys do I think this is particularly interesting.

Um, and we're actually gonna be talking about the Olympics and like, I'm gonna make a guess here that neither of you are competing in the Olympics and it's actually gonna be a conversation much more around the uh, research on the risks um, that are associated with the risk from a cyber perspective.

And a good place to start, I think uh, with that would be to just dig into the research and getting an understanding of what that would involve.

Dr. Francis Gaffney: Uh just to, a point about not competing in the Olympics, it's only because they want to have a fair level playing field. 'Cause if we introduced ice cream eating I would be-

Garrett O'Hara: [laughs]

Dr. Francis Gaffney: ... [inaudible 00:05:50] So [crosstalk 00:05:51]

Carl Wearn: I was considering skateboarding, but I I don't think so.

Garrett O'Hara: Yeah. I- I don't know what- what I would be [laughs].

Dr. Francis Gaffney: So the with, yeah, with the Olympics, w- what we've been doing for the last few months, 'cause obviously uh, we started the project last, last January, effectively, um, as uh, we were planning on uh, the 2020, it is still Tokyo 2020 but o- obviously a year later, and we'd started doing our workup.

Because, you- you know, our customers, but also, you know, intelligence is actually not any use to anybody unless we share it. So it's not just our customers, anyone who has an interest, any, any stakeholders, and which means to say, well, actually, you know, the Olympics, if we want to get mitigations and we, you know, target [inaudible 00:06:31] and all these other things, we need to start warning people early on in the process.

So we've been doing this in- in our workup and now we're getting to that intense period where we're now, you know, really focusing on, you know, making sure the message is out there, that people are aware of campaigns that are going on. And there's a number of techniques we would use at different stages in our process.

So uh, both myself and Carl actually were involved in the UK's, you know, London 2012 Olympics in terms of this. So I worked uh, effectively on- on- on the whole process over that summer. And then the Paralympics uh, process that happened afterwards. And we see similar campaigns because, you know, the method works. You know, the, the cyber threat actors employ it. If it doesn't work, they're not gonna do it.

It doesn't get them any money. So we do see similar campaigns, but at the same time, you don't wanna be complacent because you then don't see that next new thing, that emerging threat. So we're always watching, always monitoring where we think there could be either opportunistic attacks or targeted attacks. And more latterly, and Carl will back this up, we actually are seeing very, very sophisticated targeted attacks, you know, not just this Olympics, just generally, but doesn't mean that we don't get the spray and pray, the opportunistic, still going in there because people click on links. And add this into the background, the context of COVID, that's, you know, obviously the fourth wave is transiting through Japan and Australia at the moment. Or actually the Australia uh, Australasia region. Um, that's actually a- adding another dimension because there is that added confusion, and times of confusion is absolutely brilliant for threat actors because people are concerned.

People don't know, so they're clicking on links, they're reading emails, trying to find information about whether they can go. You know, Japan's just made the decision that they're not allowing any spectators.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: So people now will be clicking on links that say, well, how do I get my money back? How do I get this?

And obviously threat actors know this because they've employed this at various other things such as pop concerts, whatever. So this is just, you know, an ideal time for them to seize these opportunities and make their, you know, make their big bucks.

Carl Wearn: Absolutely. I think the announcement yesterday that no spectators will be at the events because the state of emergency obviously increases that risk and the vulnerability because the only way you can view it is online.

So really that attempts at disruption through denial of service attacks or ransomware are gonna be key considerations at the moment, 'cause they would cause maximum disruption. Um, and that's really how we'd look at it. The team would discuss, you know, various hypotheses for events, the region, what's going on there.

And that goes outside of just cyber. It goes into all of those geopolitical events as well. Um, politics in the area and tensions, you know, and you do consider is anyone got any, has anyone got anything to gain from disrupting it? Um, and previously there have- there have been attempts to do that in previous Olympics, the 20 the, the winter games previously.

Garrett O'Hara: It- it sounds like just an incredibly confusing and dynamic set of things to be looking at and, and trying to understand, you know, given all the moving parts between people, politics, technology, like all the things that would go into the analysis and the research. I'm guessing you guys have like formal or methodologies or frameworks that you use to do the research.

Dr. Francis Gaffney: So one of the, yeah, one of the first techniques we use would be the environmental scanning. And- and this is used in business management tools. You, you see this around, so, you know, maybe you- you've seen it as PESTLE or um, [inaudible 00:09:59], those sort of things. We use STEMPLES. So it's just the same mnemonic. So what we would do there, sorry, acronym, would be, you know, we have the social, the technological, the economic, the military, political, legal, environmental, and security. So what we do effectively is put those titles down on a- a big uh, white board.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: And we just write down underneath each of those ideas, things. So what would be the social drivers for the Olympic games? And we'd look at the imp- impacts.

So that's the- the big capital letters for us, COVID for the social, but we're also looking at environmental, uh, people not happy about, you know, having the games here because of X, Y, and Z, the impact. You know, you, you actually, as Carl says, the tensions in the area. So sometimes these tensions

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ...come up as various d- diverse groups uh, you know start a- arriving on the various islands.

What are the technological? Now Carl touched again, we- we- we, this is now gonna be a virtual games. Over 60% of the IOC's revenue comes from the broadcasting rights.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: So now it's gonna be online, there's all those technological vulnerabilities that they're gonna have, 'cause people are gonna be logging on to watch things, you know, and again, this is a perfect thing for uh, you know, a D- a DDoS attack.

But if I did a DDoS attack, you know, there's more money involved to be able to, you know ... Um, in the last uh, I'm just trying to think, in the last six months we've seen ransomware DDoS. It- it's the new thing where they'll, you know, they'll do a test view show you that actually they can do this.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: You pay them money, otherwise they'll do it. And you know, we saw this only in April this year uh, [inaudible 00:11:22] um, you know, you're looking at the economic impact. You know, not just the Olympics and the area, but what are the economic impacts? So we're talking about those broadcasting rights. Military, think, well wait a minute, w- what's the military got to do with this? Well there's, you know, huge US bases in Japan and there's various tensions there.

So there's lots of different things that, you know, the, not the normal read of, you kinda go, oh, okay, didn't realize that was an issue,

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: but also the military are usually called out to help support the games. So sometimes they're used in researching of people, going to spectators going in, or use, y- you know, in a policing role. So the, the, w- what would be the impact?

So they're now being, you know, radio communications, to things dialing into the police they've never had. So again, there's that vulnerability of people not knowing communication systems that they never had in the past. So th- those sort of things and the political impact. So you know-

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ... if this is a very big thing for Japan. If it doesn't go well. Um, you know, we're looking at the legal impacts. So there are various legal considerations now that have been brought in, in terms of data laws and various other things in Japan, but also wider thing. Um, the environmental. We talked about those environmentally, so not happy about the games taking place where they are.

And then finally the security, you know, the criminal gangs, uh the, you know, cyber threat actors. So that would be the first thing we do is the STEMPLES. And once we've got that STEMPLES, that environmental scanning, we then plug it into various other techniques. I'll let Carl just talk about that early brainstorming session, because that's the first one we do before we start moving on.

Carl Wearn: Yeah, it's really, if you, it- it's quite a simple process really, but it tries to draw out all of the various factors that could impact it. Um, and that would be a discussion around what those factors might be related to all of those. Um, you- you know, the, the acronym STEMPLES, and cataloging them at the same time, you'd go into, you know, what, what would make that more likely

Garrett O'Hara: Mm-hmm [affirmative].

Carl Wearn: ...what's likely to decrease the risk or increase the risk.

Um, and- and as well as uh, once you're trying to narrow it down and you're getting to that stage where you've got your most likely events, you're looking at how you're then gonna, how that's gonna take place and how you're gonna mitigate it.

Garrett O'Hara: And so uh, like, as you're describing that I suppose a question that would come to me is how much of it is based on, like, experience and, and kinda, knowing the things to think about and how much is science like or method?

Carl Wearn: It- it's a mixture of both.

Garrett O'Hara: Mm-hmm [affirmative].

Carl Wearn: Um, obviously 'cause of our backgrounds that, that assists greatly because we're possibly aware of uh, a wider range of threats in a a better context of what's going on in the world now.

Um, just as a consequence of our previous roles as well. Um, but in addition, absolutely, you can't know everything. Um, and it does require a huge amount of reading and keeping up to date, you know, being an analyst, that's, that takes up a- an incredible amount of time. I- I don't think you should uh, underestimate that at all.

Uh, to stay up to date it takes hours of reading. Um, really I'll have a 24 hour news channel on all the time.

Dr. Francis Gaffney: Yeah.

Carl Wearn: Um, a- and I'm always reading articles by our commercial security providers, intelligence providers, and also as widely and open source as possible. Um, a- and that includes everything. Um, not just cyber events.

That's looking at politics as well. How the, uh, the pandemic is impacting, because very hugely for active behavior, that volume and those targeted attacks are influenced heavily, particularly in the last year, by the pandemic. When things get tough in one area, it'll get hit harder. Um, but we also see similar activity when things are relaxed, but changed as to which verticals are being targeted for instance.

Garrett O'Hara: Yeah.

Dr. Francis Gaffney: And I'd like to add to that, that we actually do end up looking at, you know, it is both the experience. So uh, you know, the assumptions that we have to make, because you know, again, what- what- what are potential a- avenues and methods of attack? But that, that could actually just be endless, that- that list. So we have to make some assumptions that will bring things down.

And- and one of them we do make, that we do make with uh, not to say uh, tongue in cheek 'cause it's, there's no humor in it, but you know, the actual tech they're doing is- is actively being monitored. So you know, are we actually s- monitoring the systems that we are using to detect these threats? Is the patching up to date? We're assuming it is. But [laughs] that's where the vulnerabilities really are, 'cause people don't patch. Um, you know, a- and again, these assumptions come from experience that we, you know, can make some assumptions and can't make others. And then apply it, the scientific methods, these structured [inaudible 00:15:51] techniques, you may have heard us talk about, and we apply these techniques so that there is science behind it.

So all fellow analysts should be with the same evidence that we have g- got before us should be able to come to the same assessments um, and recommendations because they're following the similar sciences.

Garrett O'Hara: And are those the things like we've talked about this stuff before uh, the bow tie, cone of plausibility, environmental scanning, the- the, it's those kinda things you're referring.


Dr. Francis Gaffney: Yeah, most definitely. So what we would do, you- you know, in terms of the, like, so for example, a bow tie, we would actually have an event that we're worried about, that would be the center part of that bow tie image. And then on the left hand side would be our threats and then how we would prevent those threats from happening so that we don't get that center event. But say that center event does then happen, it's obviously the recovery, the mitigation and consequences of that. So we would apply that tool based on that, you know, that, the- the brainstorming session we would have had, and just plug them all in and then look at the- the likelihood of them happening. And from that, we would get something called a threat matrix.

So we'll do our analytical technique, then we'll get our threat matrix, and that's when we get our highly likely, likely, 'cause then we'll start working out the probabilities and plausibility of these happening. Once we've done that stage, the, you know, the probability of and plausibility of it happening, we can then give a confidence level.

So you could say, "Well, Francis, you know, what's the probability of this happening? How confident?" Well, yeah, there's a high probability, but how confident am I? I've only seen that in one piece of media reporting.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: So therefore my confidence is not great because it's a single source, but actually I do agree. It is likely. Now do you see?

So there is lots and lots of different uh, you know, moving parts in it. But say, a- another analyst should be able to follow the science. And, you know, you said you've seen it recently. It's because a lot of our customers and also, you know, people who read our reports are saying, "Well, Francis, can we see you working? 'Cause, you know, we're interested in the art."

So, yeah, definitely, 'cause that- that helps them, you know, be more resilient, but actually they wanna see the working as well, because it helps them understand not o- our methodologies, but also what we're seeing in terms of the threats, you know, the, you know, we talk about TTPs and we at Mimecast do [inaudible 00:17:50] mapping, that's- that's the method, you know, the- the framework we've chosen to operate under. So they can then shoot the use the same, you know, science to get the same answers.

Garrett O'Hara: And I suppose it adds authenticity and sorta, veracity to, to only, kind of report when you can s- sort of show where you got your conclusions. L- like, what- what are the sorta, campaigns or the things you think we should be worrying about in terms of the Olympics, and maybe they, you kinda, refer to this in the past Olympics that you both have worked on? Uh, what sorta things are the concerns as- as we go towards, you know, Tokyo 2020?

Dr. Francis Gaffney: So there's a tool we use and I'll let Carl go into the- the- the finer detail, but I- I'll just go into the academics as it were.

Um, we would actually look at historic evidence. So this is a- a process called the cone of plausibility. And what we would do is look at the historic evidence. What are the things we've seen? What are the things we're seeing? What are the emerging threats we're seeing? And then we'll put those into these potential future outcomes.

And if you imagine that cone, the further out, as in the- the further away we get into, say, if I'm looking at Christmas, that's so far out that actually the cone is so, so wide, my plausibility, you know, my confidence levels will start dropping because

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ... it is such a now big spectrum. But if I bring that cone in, you know, I can actually make some very, very good predictions for next week, but the further out I'll get, you know, that, that starts spreading and we get, you know, at- at the center of that cone the more probably, you know, the more likely.

And then at the edges of it is the- the wild cards. And just to finish, we end up giving hopefully an assessment to the decision makers. So you as a customer or you as somebody who's a stakeholder can look at this and say, okay, what's the most likely course of action? And what's the most dangerous course of action?

So these, those are my two things I'm most worried about. Now if my most likely and my most dangerous are the same, then actually I'm in for a very, very bad scenario ahead. You know, what we try and do is the most likely, most dangerous. And then you as the decision maker, 'cause, you know, we, as you know, try not to influence you in intelligence.

If I've put any marketing into my product, or if I use any influence in my product I'm actually failing you as the decision maker, because yeah, you've got your own risk um, appetite.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: You've got your own budget. If I'm skewing that then doesn't make you make, you know, a good decision. So we stay away from the influence.

So I think I've told you in the past, when I say there's a, you know, a- a demonstration in Syria, I don't say the Syrian regime because that then has connotations. That influences you into thinking it's a, a uh, not a good thing. So we end up with our most likely and most dangerous. A- and, you know, Carl will now go into the- the detail in a way, but our most likely threat actors, we think, we'll go into one list and then our most dangerous being another list. And that's how we'll do it, but Carl will just go through what we've seen at the moment, through our landscape.

Carl Wearn: Th- this is really how you narrow it down to what, what is most likely to happen. Um,

Garrett O'Hara: Mm-hmm [affirmative].

Carl Wearn: we're all aware, if- if you just take this as, as an example, anyway, as we're working on it, the continued threat of ransomware is increasing across all systems.

Uh, we're seeing very basic forms being delivered by email, some more sophisticated via encrypted email, but really uh, the vast majority of ransomware threat actors, when you aggregate the intelligence across sources, open source and commercial and stuff that we're seeing, th- they're actually more interested in targeting exploits, particularly in relation to virtual private networks

Garrett O'Hara: Okay.

Carl Wearn: ... web servers and any vulnerabilities that become known. We- we've all, you know, the vast majority of us have worked from home considerably. Some people having not done so before, you know, they were doing this before, but now these technologies are being more widely used. Um, the various things like the, the mediumware on [inaudible 00:21:34]. Um, new vulnerabilities are becoming known 'cause these uh, technologies are yet to mature,

Garrett O'Hara: Mm-hmm [affirmative].

Carl Wearn: um, and that will carry on and they're really looking for vulnerabilities that they can exploit to get into systems and plant ransomware as a secondary infection. Um, so that's the more likely way ransomware's gonna be inserted. We're seeing a lot of Bitcoin related extortion um, and a lot of HTML redirects. Um, in the [inaudible 00:22:03] we believe efficacy of email detection across the industry is relatively high and has been for at least the last year. Um, we've detected absolutely huge volume Bitcoin extortion related campaigns in May. Um, against a couple of regions, particularly the UK and Europe.

Um, but really it's worldwide. Um, a- and that's the crux of it really. DDoS is going to be risk. And it- it really, when you focus in on the most probable, as you can see here, it is that threat to disrupt the games. Nation-state we considered unlikely when you consider that the largest state in the region wants to be known as a stable hand a- and is trying to increase its reputation. Um, so we don't believe that is, has the highest potential, but Russia unfortunately was shown to have meddled in the, the winter games, as I mentioned earlier. Um, and that may carry on. It- it may not even be, you know, we say nation-state, but it may be groups that are, are just really irritated or annoyed.

Um, that happen to be Russian, who think they should be present at the games, who decide that they should disrupt it for everyone else. So it's a multifaceted threat in that respect. Now, when you get to, Francis touched on the most likely and most dangerous, once those coincide that's when you're, you know, you've got a problem really, and really we have got a problem, or the games has a problem, in terms of that ransomware, that disruption threat is most likely and it's most dangerous.

Garrett O'Hara: Yeah. And uh, so there's a visual we have on the screen that the audience won't have, but I might take a moment just to describe it again, which is it's basically two cones. And on the left hand side is the historic evidence and the limit of evidence. And it's sort of, it's going out from a center point and the cone is kinda, getting bigger as you go to the left, and then on the right is the limit of plausibility. Um, and that is doing the same thing.

It's going from a point and then expanding as you go out to the right hand side. I'm wondering guys, and I'm guessing this might be okay, but if we could have a, maybe a redacted or cleaned up v- version, just more of the structure of this, we could, it's something we could include in the show notes?

Dr. Francis Gaffney: That's- that's absolutely no problem at all. 'Cause, I mean, [crosstalk 00:24:27] this is really what we're- what- what we're actually talking to. A- and just

Garrett O'Hara: Yeah.

Dr. Francis Gaffney: Okay. 'Cause I just want to stress this point that normally, you know, one would have the most likely, most dangerous as uh, not wild cards but, you know, at other ends of the, you know, spectrum. In this case of the games, unfortunately, the most likely actually can be ransomware.

That's what we think uh, you know, from uh, various behaviors and um, the ransomware DDoS I'm including in there because, you know, people are, you know, commoditizing data, and that is actually the most dangerous, you know, because if I did a ransomware DDoS attack now, you know, the, the games would be interrupted. If I did that during the, you know, the men's 100 meter finals, when we get the biggest spectators, that would have a massive, massive impact.

And therefore, you know, the ransomware threat, you know, it would be paid so that, you know, this wouldn't be disrupted. So the most likely, most dangerous, you know, actually are overlapping in- in some parts of the Olympics. So that's all I want to stress that Carl-

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ... touched on the most likely, most dangerous. In- in this case, they are overlapping in a number of our threats.

Garrett O'Hara: A- and you mentioned the 100 meters uh, you know, sprint. I also wonder at the skateboarding and the ice cream events, 'cause, you know, let's be honest here, I think they're gonna enjoy the big crowds too. Don't think we can under- under ... Yeah. Uh, no, absolutely. Um, what- what do you think? So when you think about the threat actors, you know, we've described what the risk is, and obviously ransomware, there's, there's clearly financial gains there, you know, and, and Carl, you mentioned the Bitcoin extortion, like, is that it, like, is that for, for the threat actors?

Is it just financial? Like what do they, what's their aim here? What's the motivation?

Dr. Francis Gaffney: I mean, a lot of it is, yeah, in terms of finances. But you know, there is the reputation a- amongst those groups, but it doesn't necessarily mean that if I have managed to get an exploit or I've managed to, you know, do this social engineering, which we haven't touched on in this case.

But if I was doing that kinda life analysis on some of my targets, and then would get that, that social engineering to get them in a position where I could exploit them, it doesn't actually necessarily have to be within this games period. Some of them are time critical.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: You know, are- are, you know, the the ransomware DDoS, that would be time critical.

I need to get it done at a time when I'm gonna make some, you know, good impact, but actually sometimes I actually could get my in now. So this way I'm targeting a a big organization, if I'm gonna get in through a sponsor or through a contractor. And because the games are going on, people are accepting, you know, emails from other people.

This is how we could start getting in early. Then I'll now spend some time doing my, uh, network surveillance and various other, you know, sniffing techniques I do on a network and maybe exploit it at the Beijing Olympics, or, uh, maybe just exploit it at a quieter time when, you know, the cybersecurity, uh, the impetus dies down, the Olympics is done. We've all survived. This, this is great. Okay. Relax everybody. Now we can relax. Well, that's when I'll do my attack, because I now know that, you know, people will be, you know, buzzing, that they've managed to get through this Olympics done very, very well. And, uh, in cybersecurity but just done very well and that's when I'll execute my attack.

So there there are ones where they don't do it necessarily straight away...

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ...that exploit could actually involve, you know, not just, uh, monetary, but it could also involve other other gains in terms of selling your data. So a- again, one of the threats of ransomware, I encrypt your data and then you pay for it to get back. But actually I don't, uh, I give it back to you, but I still got a copy of it. And now what I'm gonna do on the dark web is sell it again, all that lovely data. So you know, telephone numbers, email addresses, all these things for future exploits. So, you know, even though I've- I've let you let you get your system back up and running, I'm now going to reveal all that data anyway.

So money is usually the the key driving factor, but some people do it out of interest. I mean, there are those people who actually, you know, just do it because they can do it. Or they-

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ... think it's- it's interesting project for them. Um, yes, it's a minority. 'Cause at the end of the day, you know, they've got to pay their mortgages too. People don't think of the threat actors have these sorts of bills to pay, you know. So yeah.

Carl Wearn: I- I think he's Francis has touched on something very important there. I I think there can be a tendency if you're suffering one significant type of attack, such as a denial of service to you know, focus very much on what you're dealing with there.

And then, and I think what you have to be aware of is actually the more sophisticated threat actors could have contracted another group or could be utilizing another group to perform that denial of service attack whilst they carry out other activity, which could be long-term compromise. Um, it makes it more likely, it's ideal cover and half these systems aren't working, which could be security systems. Um, and really, you- you know, nation-states, it's a double edged sword. They may not disrupt you immediately because they've got longer term intelligence gathering aims. Uh, but they- they're gonna sit in your systems. They can interfere with them, change things. Uh, so really you need to be aware of it and that's where your more sophisticated or, you know, the more time intensive and really slow side of it comes into it, when you need to be aware of where your servers are communicating with, what hours files are exchanged, things like that, the normal patterns of behavior in your network, so that you can spot when, you know, files are being downloaded at night in, for sake of argument, in some third country that you've got no employees in. So that, you know, that's highly suspicious and indicates you've probably got a problem.

Garrett O'Hara: Interesting. Quick one on the pattern. So that's come up, uh, with a a few of the kinda guests, um, where they're using kinda end user behavior analysis and just, you know, what, what's normal. And then looking for anomalies with something like the Olympics given time zones, and I'm guessing, you know, global corporations that would be involved, like, does that start to get more difficult?

Because people are potentially, you know, for the duration of the games or maybe in the run up to the games, like, operating at different times. And just by nature of the fact that it's an international event, popping up from locations that maybe you wouldn't expect them to, like, does it, does the- the nature of the games almost make the job of security much more difficult because it isn't normal?

Dr. Francis Gaffney: If it's a c- consumer or, you know, member of public who's connecting to public facing websites and stuff, that's that's not necessarily gonna be what you're interested in.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: Really, you're gonna be interested in traffic on your internal network, for your users...

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ...and their accounts. Uh, because if somebody's in there, they're gonna be escalating privileges, utilizing your own user accounts.

So it's really your internal traffic you're- you're concerned about...

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ...um, and how it's then routed out of the network. Um, so it's not necessarily those consumers or- or those people who are browsing your website that you're gonna be really interested in. Um, it does complicate it because it's more connections, you know...

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ...it's more data to look at and that's really where this gets gutty.

Uh, you know, because it is hugely time consuming to, to understand your network in that way. There are tools and products to help you do that available on the market. But a lot of them are extremely expensive because they know it's hugely time consuming.

Garrett O'Hara: And and I'm guessing there's massive complexity on the organizational side as well.

When I think of the Olympics, I'm thinking like there's some very large organizations that would be involved, which they would then have subcontractors who would have subcontractors [laughs], you know, it's turtles all the way down, basically. Um, and yeah, I'm guessing, like, just trying to map out the supply chain and the, yeah, how data's flowing, you know, dependencies.

Dr. Francis Gaffney: Yeah. That's what a threat actor will do. [inaudible 00:31:46]

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: That's what a threat actor would do as- as part of pattern of life analysis,

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: They would actually build up those webs to start seeing who's involved in those supply chains. Who- who are those third parties? Uh, where the third party may not think that they're part of the Olympics but actually, you know, going on down the chain you find out they are and they could be operating.

And this is what happened in a- a previous, uh, campaign in the states. But you know, th- that that particular group were using a very old Windows system.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: And as a result they were able to get the in and then just move up the supply chain to the actual target. So, you know, y- you're not necessarily gonna go straight in, as you say, to that big organization, that we protected up the yin yang by various vendors.

You'd go down the- the supply chain to a very small little vendor, you know, maybe three or four employees making a a bespoke chip that goes into X. And then that's, that's that's the in. So that's what a a good cyber threat actor, but that would only be by the sophisticated ones.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: You know, 'cause we're starting to see more and more are these sophisticated uh, threat actors, but also this information is sold on the dark web.

So you can actually go to various parts of the dark web where you will find where these contractors', you know, vulnerabilities exist so that you can then exploit them because other people have done that homework and then sell that information. So, you know, the- the, it's a, it's a huge market really. Um, and it's a terrifying market when you actually start thinking that, th- these things go on in the world, but if you go back to old day crime, you know, when [laughs] Carl and myself were doing things e- early days when there wasn't this cyber, you know, people did the same sort of techniques.

But they just did it in a physical environment, you know, you- you- you get another group to go and do X, Y, and Z, you- you know, surveillance so that when you then go and commit the crime, you're not showing up in all the, you know, surveillance cameras that were there, you know, watching people getting ready to do the job, you know, so.

Carl Wearn: It it touches on there, you're saying old world crime there, Francis.

Um, it really is. It- it- it's well known in burglary, for instance, in relation to repeat victimization that the the good burglar- burglars, the really professional ones, once they've burgled you, once they know the layout of your flat, your house, wherever they've broken into, unless you change your security, they'll probably be back in six months 'cause they know your insurance will replace

Dr. Francis Gaffney: Mm-hmm [affirmative].

Carl Wearn: ...those goods. Um, and what I'm, um, concerned about is that actually, and I think it started, you- you will see these threat actors. If you do pay them off and you don't make changes to your security ecosystem, you're gonna see them come back. Uh, they've mapped your network, they know exactly what you've got...

Garrett O'Hara: Mm-hmm [affirmative].

Carl Wearn: ...they know exactly what your vulnerabilities are.

They may not have used 'em the first time 'cause they weren't aware of them, but now they are. So they'll take you ransom and they'll be back in a few months and that's happened in a couple of cases already. So you know, that repeat victimization by really, um, tenacious and dedicated threat actors, and bear in mind, these people are committing these offenses all day, they do it as a job, a career, you know, that will happen. And there's nothing to say, even if you paid a ransom, that you'll get your data back, they may [inaudible 00:34:46], uh, files get corrupted on encryption.

Garrett O'Hara: Mm-hmm [affirmative].

Carl Wearn: So it- it's better to try and prevent it. Or at the very least make sure that you've got mitigation in place for cyber resiliency, archiving, backups and backup email so that you can carry on as best business as usual as possible. And hopefully not have to pay that ransomware at all.

Garrett O'Hara: Absolutely. Uh, like it it seems so many of the conversations we've been having lately involve ransomware and sorta the closing of doors, or, you know, the... Yeah. I mean, you just literally, the- the financial implications are so huge for many organizations and it feels like we're, and I'd love to get your thoughts. 'Cause it feels like we're kinda fighting a losing battle and the problem's getting worse rather than better. And I'm just kinda keen to get your thoughts in terms of like bigger strategies, maybe even at national levels, international levels to potentially help with this.

Like, is there anything around, I don't know, regulation of crypto, you know, how crime crime fighting organizations work together? Like, what are your thoughts there?

Dr. Francis Gaffney: So this is something we were talking about uh you know-

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ... tail end of last year. You know, we we talk about not our concerns, but you know, not protections for the future, but it is a- along those lines. Uh, you know, if we as an industry don't look after ourselves, and police ourselves, legislation will be introduced. And legislation isn't always good 'cause it either has loopholes or it's not a a good piece of legislation and actually hinders the- the good, the the vendors in a way, rather than actually, you know, stops any, any, uh, offending. Th- they're appealing almost to, I'd say, the threat actors to behave, but the fact that they're breaking the law shows they're not the most, uh, honest people.

Um, and so in terms of legislation, it'll be tough because they've brought in-

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ...legislation to protect data, we're still seeing data breaches. That's the very basis

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ...of ransomware. So even though you know, the- the- the data has to be protected, yes, there is that onus on the organizations to make sure that they operate under the, you know, the- the- the CIA triad, you know, making sure it's still kept confidential, accessible, but also the integrity of it.

But the, the threat actors are always working out new ways of of breaking that.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: So this increased legislation actually will just pass on you know, additional costs to people um, who may not actually have it as their priority. They're there to make money. And, you know, when they have to pay out money on increased cyber security and that then begs the question of well, cyber insurance.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: And and again, you know, if I I- I use this analogy a lot, but you know, I've got a a very expensive SUV but I just come with the standard lock from the, you know, the company. Well, I actually wanna get that cap relock. I wanna get that special lock. And if I don't, well, when my insurance goes to pay out on it, will they say, well, you didn't have the cap three lock.

You just came with the one that was fitted, you know, are you then, you know, not complicit, but are you an unfaithful servant to that insurance company? Will they actually pay out then? There's also the thing of paying the ransom. Should insurance companies be paying the ransom because that then, you know, condones that behavior.

But at the end of the day, if people wanna get back up and running, because every day they're not getting back to that business as usual model they're- they're- they're losing money.

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: So it is a- a very, very, very challenging, difficult question I I don't think we're gonna solve easily. I'm only talking about it in this way 'cause we had the same question of terrorism. What is terrorism?

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: You know, what is terrorism to one country, y- you could be a freedom fighter, to another, you know, you're- you're a odious group. It- it's very hard, uh, to try and get a global opinion on, you know, where we should stand with ransomware when, you know, some people look at it as a- a- a legitimate m- model, uh, you know, they're- they're, you know, doing ethical hacking when actually they're not, you know, so there's, there's various arguments. Also ransomware is a service because, you know, me retired 'cause I've made lots of money.

I'm now gonna give that out to somebody else. So if I go to target a group and it comes back to this attribution, is it really Gar who's the person sitting at that computer sending that malware?

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ...or is it actually someone obfuscating, someone pretending to, you know, you know, spoof his IP address? So, you know, it is very, very challenging.

I'd suggest for law enforcement to, you know, there- there's not gonna be one easy fix, I think so. Sorry to talk for a long time there, but I think it's just a very, very hard answer.

Garrett O'Hara: I- I'm just gutted that we didn't figure it out on this podcast. I thought th- that was gonna be the scoop for the world. That between, between the two of you, you were gonna tell us how to, how to fix, uh, [laughs] this enormous gl- global problem.

Carl Wearn: I think Francis has hit on the, the, what will happen there, uh, which is, he said we we've discussed repeatedly, particularly in the last two years, is, you know, government. Um, you look at the p- the US presidential, um, announcement in relation to cyber, the, the geopolitical events that are going on.

Um, and really you've got to look at it and and assess, you know, what, what is likely to happen. Well, if it keeps on running amok, you know, is likely the preeminent threat and has been for over the last year, there there will come a time where there will be regulation, whether it's, you know, ideal or not, and really, uh, even then, you know, that could be brought out in, let's say the UK, that's one jurisdiction and this is really the crux of the problem. There's no, you know, there's no law that applied worldwide to stop these people

Garrett O'Hara: Mm-hmm [affirmative].

Carl Wearn: ...doing this. They can operate with almost, uh, impunity in some, uh, jurisdictions as Francis refers to.

Um, and that's really the crux of the problem, you you know, y- you, who are the world police? They don't exist. Um, getting hold of these people and, and pulling them in, grabbing them by the collar is is virtually impossible. And, uh, you know, all these people have got the tools, we've got VPNs, Tor, all the rest of it to obfuscate who they are.

Uh, they can pretend to be other threat actors if they're inclined to, because, uh, we publish reports with all of their TTPs on them. So I'm sure they read the stuff that we put out. I would if I was them.

Garrett O'Hara: And then pretend to be somebody else. I feel like it- it's, it's funny. So [laughs] I'm I'm laughing 'cause we, we have we have a screen share going at the moment and, uh, my, my mind went exactly where Francis' mind went in terms of world police.

And let's just say pup- puppets...

Dr. Francis Gaffney: It was intended [laughs].

Garrett O'Hara: ... [laughs] puppets, and we'll leave it there. But I'm guessing many people will know, uh, exactly what we're talking about there. Great, great movie. Um, it would be great to just, as we kinda run down, and I suspect this is probably gonna be the last, uh, question, or maybe last two questions we get to, but you know, kinda like crystal ball stuff, looking forward, you know, we've, we're, kinda, we're in the depths of what the problem is today and the complexity of that, as you kinda roll forward over the next kinda couple of years, 5 years, 10 years, w- what can we expect in the future, do you guys think?

Carl Wearn: Um, expect them to look for any and all ways to get into a network, you know, however that may be. I think ransomware really has likely come about because of the increased efficacy of scanners and AV detection, you know, we're detecting masses more than we've ever detected.

And that's definitely not down to like an increase in customers, proportionally it- it doesn't marry up. The increase is hugely out of proportion to any customer base increase. Um, and that's across the world globally. Um, you'll also see them move very quickly to exploit any global events. And really this comes to the the crux of the matter.

You know, there's no silver bullet. Um, but I would suggest that that what there is, is there's a a layered defense model we would recommend, where a key part of that is is everyone in your organization. Um, knowledge is power. The more knowledge you can give them to fight the, the threats, you know, it really is a, a a multifaceted communications threat in relation to technology now, not just email, because of exploitation of RDP vulnerabilities, zero-days. Uh, they'll try and get in any way they can. Um, and that will involve multiple techniques. We've seen it with campaigns. Um, whereas previously you might see, you know, half a dozen types of malware used in a campaign.

Now there's 20, supplemented by phishing emails at the same time, as well as, you know, mass attacks on v- specific vulnerabilities. So it's getting hugely more complex. They're putting more effort into it. And really now anyone in an organization should expect that they could be deceived, um, by communications.

Um, do not trust email. Verify everything, that that principle, zero trust,

Garrett O'Hara: Mm-hmm [affirmative].

Carl Wearn: ...where you do verify the communication has come from the person it purports to be, has to be taken seriously, and don't act on anything without verifying it. And I know we're all in a rush. We've all got busy lives. It's, that's the way it is, but just taking those few extra seconds to verify via another means could save your organization millions. It can be simple as mandate fraud, where bank account details are changed via an unsolicited email or that's pretending to be your CEO, just check, always double check.

Dr. Francis Gaffney: For for me, I think, you know, the traditional ones as Carl s- said, the, you know, the ransomware, the impersonation, the phishing, the, you know, not saying these are standard, but these are concerns of the future. Ones that are, you know, different, maybe people haven't thought about, would be the access brokerage.

This is where, you know, where I- I said, people could use the Olympics now as a- an opportunity to start doing that network scanning, network surveillance, and then sell those accesses. Whether it be an insider threat, somebody saying, "Here you go, you know, there's, uh, this open [inaudible 00:44:35] all the time. They've never patched it. They don't- don't listen to me, therefore, you know, as a disgruntled employee, I'm gonna sell the access," or it could be that people have done surveillance on the network. They don't wanna execute the campaign themselves because they don't wanna get caught with that attribution. So they'll sell that access to somebody else.

And we're seeing an increase in access brokerage. Um, the internet of things. So again,

Garrett O'Hara: Mm-hmm [affirmative].

Dr. Francis Gaffney: ... looking at all these in- in- internet enabled devices, whether it even be in hospitals. We talk about health care where doctors are walking around with enabled devices, communicating back to that central computer. We're seeing so many, many walks of life.

Um, and these internet of things is just increasing the landscape, the the, you know, access points at which these threat actors could do. Um, and then the last one I wanna talk about, 'cause it's a bit of research I'm doing at the moment, is the ethics of AI because, you know, to try and address all these new access points, who can do all of these different things.

It's actually people now are looking at AI and ML, uh, solutions. Brilliant. You know, no problems with that because, you know, one person, one analyst, team of analysts, you know, we just don't have that processing power to get through the numbers we need to, and let's save the humans for the parts we need to, but you know, the AI, uh, access has alg- algorithmic biases. You know, when we look at CVs, we're trying to make C- CVs gender neutral, because, you know, people do make these, you know, biases. A- and we've written many papers on cognitive biases, you know, where people bring biases with them. So even myself would be, let's say, looking at a particular country, are we bringing a Western b- bias when we talk about, you know, Australasia, uh, things, are we looking at it through the Europe and the UK when actually the Australasia region has got a totally different culture, threats and actually threat actors. So, you know, do you bring these cultural biases with you? And so when we put these into AI, it actually does come up. And the EU just literally, uh, recently, uh, last month, published a paper on, um, these sorts of things they're concerned about because, you know, without meaning to, if you introduce a bias into AI, you're gonna get solutions that you don't even realize actually have an inbuilt bias in them.

So it is an interesting discussion. You can say, well, e- ethics. I mean, it's its own podcast of how one would look at the ethics of AI. Uh, but it is very, very important, I would suggest, because these machines will be making decision and- and n- not necessarily knowing that there are biases inherent in that decision making process.

Garrett O'Hara: Yeah,

Carl Wearn: Absolutely. And th- these things are vulnerable to attack. The bad guys are gonna be looking to, you know, taint those models anyway, actively, uh, much like the third party software compromises we've seen recently. It's an ideal way to affect an organization.

Dr. Francis Gaffney: You talked about university students in the old days, you know, doing great campaigns and having fun, you know, doing uh, silly things rag week.

Uh, one of the rag week things they did at a place in north London, they poisoned an AI machine for a local authority. So when the computer, you know, answered you on the phone, 'cause you thought it was a person, it'd say hello, poopie face. Because that's what they assumed was-

Garrett O'Hara: [laughs]

Dr. Francis Gaffney: ...the way of [inaudible 00:47:28] it was, took 100 students, and eventually they poisoned the machine to say hello, poopie face.

And that was, that became the [laughs] the welcome voice of a particular council for north London.

Garrett O'Hara: I- I really, really wanna finish there. That's just the the- the-

Dr. Francis Gaffney: [laughs]

Garrett O'Hara: ... the absolutely perfect, [laughs] p- perfect point to finish

Dr. Francis Gaffney: Bye, poopie face.

Garrett O'Hara: ... this kinda- kinda conversation. We've hit the highs and what a, what an epic way to finish. Um, it, it's actually just a really interesting area before we do kinda, finish.

I know there's a lot of writing happening, um, at the moment around biases and, even at a human level, looking at some of the kinda decision making that happens in organizations and even in the kinda judicial system where, when you look at it, you know, the plus/minus is, is dramatic. Um, and, and things that people assume would happen consistently, whether that's kind of, you know, an analysis from an insurance perspective or whatever.

And there's just so many kinda, failings when it comes to decision making that I suppose will be replicated into AI and, and, you know, the models we use to make decisions there because we're human.

Awesome guys, look, superb, superb, superb to have you, uh, on the the pod and to get to talk about this stuff. It's really kind of an- an interesting area. Um, I'm definitely looking forward to, yeah, the, the kinda research as it evolves and the work you guys are doing in this area. But thank you so much for joining us today.

And we will talk to you again soon, I hope.

Thanks so much to you Francis and Carl for joining us. That was a cracking conversation as always. Thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalog of episodes and like, subscribe and leave us a review. For now, stay safe. And I look forward to catching you on the next episode.

