With many thanks to Ian Thornton-Trump, CISO at Cyjax, Aviva Zacks of Safety Detectives got to find out all about his company’s threat intelligence services.
Safety Detective: How has your experience in the Canadian Military and police helped shape your cybersecurity career?
Ian Thornton-Trump: It started off being in a culture of security and having the basic precepts of security drilled in. I evolved slowly in the cybersecurity realm: certainly, the basic ideas of segmentation of information, classification of information, and then forming the risk models around unauthorized disclosure of that information became important. My military career started around the time that data processing was almost a new thing. The fundamental understanding of the importance of security was ingrained in me from a very young age.
SD: What does your company do to help mitigate cyberthreats?
IT: I believe that the best cyberattack is the one that never happens to you. Working in the threat intelligence space, Cyjax.com is a world-class Cyber Threat Intelligence firm that is excellent at predicting what may happen to an organization that has exposure on the internet, what might be targeted, and what the threat actor may be going after. So, when you take all of that information, and you apply it to the threat models of an organization, you can get a pretty good idea of how to defend your organization with the intelligence products we create. This offering makes the security spend more effective by directing it against the appropriate types of threats the organization is likely to face.
SD: What verticals use your services?
IT: We currently work with organizations in the financial services vertical, pharmaceuticals, public sector, and policing in the UK.
SD: How does your company stay ahead of the competition?
IT: We look at what our customers need. We actively work with our customers to improve areas that they think have value. So, in one sense we’re very customer-driven when it comes to development and responding to what their requests are. But I think overall, we look at what is happening both in geopolitics and in the cybersphere and provide context around threat actors and threats. As a result of this broad analysis, we often anticipate cyber activity stemming from those geopolitical movements. My belief is that what happens in the physical world impacts the cyber world – sometimes significantly. The situation works both ways, too: we can see cyber activity driving results in the geopolitical arena. We certainly see the relationships between the United States, China, Iran, North Korea, and Russia as the main points of global contention and competition, which, of course, plays out in cyber almost simultaneously. Sometimes we see a major news announcement or a major shift in policy that is rapidly echoed by nation state-sponsored cyber-forces and other cybercriminals. All of the attacks and scams related to the COVID-19 pandemic are a perfect example of that.
SD: What are the worst cyberthreats out there today?
IT: The interpretation of “the worst” case is always based on what your organization “has” and what it has potentially exposed. For the majority of businesses and organizations, therefore, the most likely attack now is ransomware. Recently, ransomware with the added twist of exfiltrating data and keeping it hostage to encourage a ransom payment, so that the information that has been stolen is not publicly released, has taken this threat to a new level. But again, the definition of “the worst” is fluid, because some organizations are very brand sensitive. So, for instance, we’ve seen some law firms that have suffered massive data breaches and, as a result, had to cease operation. The data breach that is known as the “Panama Papers” is a really good example of “the worst” outcome possible in that space.
For all organizations, it is a broad spectrum of worst-case scenarios, but it tends to begin with some sort of technical attack involving entry to the organization’s systems. By and large, getting into the organization goes back to the easiest way of manipulating people – “social engineering” – to get them to click on a link or to install some compromised software on their infrastructure which provides unauthorized access. Social engineering attacks are not an exclusive scenario because some organizations suffer from what I like to call “IT sprawl”: tremendous amounts of growth in both cloud platform adoption and expansion of their own infrastructure through mergers and acquisitions. And if the partner in a merger has less than adequate security, you’ve now inherited a very risky situation indeed. Furthermore, you may not have proper visibility on what you have exposed to the internet through this partner leaving an easy point of entry through an unpatched system, or a service that has a vulnerability that’s exposed to the internet. The Marriott data breach, when two travel points programs were merged, is a classic example of this.
While a system may be secure and patched and updated today, tomorrow a serious vulnerability may be revealed by a security researcher. Within a seven-to-ten-day timeline, it is quickly adopted by the cybercriminals looking to exploit that global weakness. And because almost everything is now connected to the internet, and cybercrime respects no national borders, it is immaterial what country you may be in or what systems you may have: financially driven threat actors will look for anything that can be compromised at a global scale by leveraging whatever horrendous vulnerability has been revealed.
SD: Where is cybersecurity headed now that we’re living through this pandemic?
IT: We’ve seen two major trends: first, massive infrastructure investment is going to be required. That includes, of course, security tools and services because many businesses were not properly set up to deal with mass work from home and the challenges of a pandemic, with aging technology and bandwidth constraints for remote users’ VPNs. So there’s a huge opportunity to make the right investment to deal with the ability of your employees to collaborate and work remotely. I think that’s going to drive a lot of the investment over the next couple of years as we attempt to undo what was hastily done in order to get our businesses working remotely.
The other big trend, of course, is part of the digital transformation that we’ve been going through for the last couple of years, which has culminated in the sudden realization that perhaps we don’t have the necessary security in place to facilitate digital transformation without increased organizational risk. We’ve seen this with organizations that have migrated very enthusiastically to cloud-based email services only to discover that not having multi-factor authentication activated has exposed them to account takeovers and compromise – if the account that is compromised is a privileged user, the results can be devastating. As time goes on, we will see the response from both cybercriminals and Advanced Persistent Threat groups, backed by nation states, exploiting exposed infrastructure and conducting relentless attacks against any organization with an internet presence.
So really, one of the key areas that we’re going to need to focus on is vulnerability management. That is making sure our exposed systems are safe and secure, but also limiting access to those systems. After all, if you have a limited geographic footprint when it comes to customers and your own staff accessing your systems, why have you exposed them to the entire internet? It doesn’t seem prudent.
I think one of the other trends will be to adopt a back-to-the-basics approach where we hope to structurally rework a lot of systems as a result of seeing IT supply-chain compromises like SolarWinds Orion. We need to focus on the systems architecture level, so that we can properly accommodate remote external users and external customers, do it in a safe manner, and also apply all the necessary security controls.