An elite battalion of largely twentysomething experts are on the front line of corporate cyber defence
Cyber response team, PwC, London. From left: Kris McConkey, cyber team leader; James Rashleigh, cyber security director; Jay Choi, insider threat analyst; Chris Doman, new recruit; Dan Kelly, reverse engineering investigator
Somewhere deep within PwC’s doughnut-shaped headquarters in the shadow of London’s Tower Bridge, a projection flickers on the whitewashed wall of a meeting room. Its uniform multicoloured dots form an image that would not look out of place on one of Damien Hirst’s production lines. But this is not art; it is science.
Each lilac and rose-coloured spot represents one step of a mesmerising track on the hunt for hackers. For the members of PwC’s newest security team – a pack of cyber sleuths mostly still in their twenties – these bright lights are flares of corporate danger.
Dan Kelly, a 28-year-old former farm boy turned forensic investigator of computer code, sees clues that form what is known as threat intelligence. His team has pinpointed a one-man hack attack amid a string of dots, numbers and letters.
“This is malware that’s been tied to several campaigns, which targeted people in the western and eastern hemispheres,” says Kelly, who left school at 16 having completed all his qualifications early. Malware is shorthand for the malicious software that is the stock-in-trade of hackers worldwide. “What we’ve actually managed to do is tie the malware and the campaigns back to an individual.”
Kelly, an expert in reverse engineering – taking code apart to deduce its origin and purpose – points out that the image projected on the team’s meeting room wall is also telegraphing something personal about his prime suspect. Much like a graffiti artist, the hacker tagged his work, embedding his moniker within the malware. As the malware spread, Kelly and the other crew members could see “that malware is now being used to target human-rights activists, governments and industry. So it looks very, very much like it was state-sponsored.”
The cyber response team at PwC, the professional services firm, is part of a broadening frontier in private security. A growing number of companies are seeking protection against cyber fraud, activism and industrial espionage, perpetrated by unseen enemies who can be thousands of miles away. PwC has responded in kind, launching a hiring spree over the past two years to create an in-house battalion of more than 80 youthful experts from across the UK and abroad. They are part of a world-class team: the firm’s cross-border cyber security unit has been ranked number one globally in 2013 by Gartner, the independent information-technology research company.
The men who form its ranks are now tasked with a Sisyphean challenge: raise the barricades against business-like crime gangs, teenage hacktivists and, increasingly, nations that deploy cyber troops as a way for state-owned enterprises to compete on a global stage with the private sector.
Cyber protection has become one of PwC’s fastest-growing revenue streams, according to the firm, fed in no small part by the increasing number of such attacks and deepening sense of bewilderment and fear within private corporations over who is profiting from these secret cyber wars.
“There’s blurring of the threat and a blurring of who’s behind it,” says David Garfield, managing director of cyber security at BAE Systems Detica, which manages the cyber threat for the defence company and other clients. “There used to be a clear delineation between the bedroom hackers, hacktivists, industrial espionage and the state-sponsored stuff. Now there’s a blurring across all of these. Maybe one is recruited by the other.”
PwC’s team is part of a broadening frontier in private security
Hackers want to steal the secrets and money and damage the reputations of the companies they target. Recent research shows their persistence pays: the UK Cabinet Office estimates that the cost of cyber crime to the country’s economy alone reaches £27bn annually, while a White House white paper on cyber policy this year estimated that data theft to US businesses costs close to $1tn.
Inside the sleek glass corridors of PwC, John Berriman was one of the first in the firm to gauge the private sector’s losses from cyber crime – and recognise the market potential in fighting it. Two years ago, Berriman – a PwC lifer who looks more like the archetypal management consultant than some of his newest digital-forensics recruits – began preaching to his fellow senior partners that investing in cyber specialists could improve the firm’s bottom line. He has since been charged with doubling the integrated cyber teams’ revenues over the next couple of years. Berriman now oversees every facet of PwC’s cyber crusade, from hiring front-line analysts to solicitors who advise on data-protection laws to management consultants who are dispatched to try to explain the various threats to the country’s top executives.
Hiring the right talent has been among his biggest challenges – even for a man once responsible for PwC’s “milk round” in the 1980s, when the firm would scour the UK’s best universities and try to lure their brightest graduates. Cyber experts – some of whom try out for jobs in simulated sessions of “ethical hacking” or “penetration testing”, where they attempt to hack into replications of companies’ systems to find any vulnerabilities – are something of a breed apart for the conventional corporation, he says.
“Do we expect some of these younger tech-savvy people to adjust to our world of management consultants or do we recognise that we have to change?” Berriman ponders. “A bit of each, I’d say.”
It’s not the sophistication that the hackers employ, it’s the fact that they’re persistent
- Dan Kelly, reverse engineering investigator
Stephen Page, who advises both the UK government and PwC on the digital issues facing boards, offers a slightly more nuanced job description of what is needed in a tech detective, no matter the age. “We need people who are not only technically agile but also people who are totally trustworthy. The kind of employees at PwC are the same kind of people you see at GCHQ or the NCA,” referring respectively to the UK intelligence services’ signals and communications arm, and to the UK’s new National Crime Agency, which targets cyber crime.
Sometimes, however, even government agencies’ trust can be misplaced, no matter the rigour of their background checks – as in the case of Edward Snowden, the former US National Security Agency contractor whose actions have sparked a worldwide debate over privacy and security. PwC tries to ensure that leaks of highly sensitive and classified information will never be perpetrated by any of its recruits by submitting them to extensive interviews and background checks. Those who work on the most top-secret client information can be subject to so-called developed vetting, which includes credit and criminal-record checks, scrutiny of references and qualifications, and often requires the subject to have been resident in the UK for more than a decade.
Insider risk is all too real for the analysts within the cyber security team. For all the new technology they are faced with, many cyber-enabled frauds or attacks they review rely on old-fashioned human vulnerabilities.
“The most dangerous cases from an organisational perspective are the volunteers [insiders] who want to give information away,” explains Jay Choi, a polyglot 29-year-old who heads up the PwC cyber team’s “insider threat” analysis. “But how, from an organisational point of view, you deal with that requires a different mindset altogether.”
. . .
The poster boy of PwC’s cyber efforts is Kris McConkey, a 31-year-old who has been obsessed with computers since primary school. McConkey – whose just-so hair, designer stubble and sharp shirts dispel any notion of the hoodie-wearing geek – grew up on a family farm in a rural corner of Northern Ireland and bought his first computer at age 13.
The first thing he did, somewhat disconcertingly to his parents, was pull it apart. Luckily, the young teenager also figured out how to fit all the pieces back together. Within the year, he was learning how to dissect computer viruses and malware. By the time he left school, McConkey had set up his own software company.
“I was always trying to work out how stuff worked, and take things to bits – whether it was machinery, or radios or anything – just to figure it out. I started doing that with computers, and with computer programs as well,” he explains in a soft brogue. “I’ve pretty much done that either as a hobby or as my job for 16 years now; just trying to work out what the bad guys are up to and how to defend against it.”
The most dangerous cases from an organisational perspective are the volunteers [insiders] who want to give information away
- Jay Choi, insider threat analyst
McConkey eventually became the first forensic technology employee at PwC’s Belfast outpost. He is now the team’s elder statesman and heads up the London-headquartered cyber response team. His foot soldiers are not PwC’s typical graduate recruits. Some have gone to university. Others didn’t bother; they already had offers from the UK intelligence services. Some speak several languages. For most, only one language matters: computer code. All use social media effortlessly and for them, the internet is like oxygen; an unremarkable, unconscious part of life.
The newest member of the digital forensic team, Chris Doman, was persuaded to join PwC in February after McConkey spent days “spamming him” on Twitter and LinkedIn. “I managed to get hold of him for a coffee on a Saturday morning in Clapham, ” he says. “And I think you,” he adds, with a nod at the rangy 27-year-old, “went for an interview on the Monday or the Tuesday.”
The reason for courting Doman, a graduate of computer science at Cambridge university, so assiduously was his stand-out performance at an annual competition run by the US Department of Defense called the Digital Forensics Challenge – a global talent contest for would-be cyber investigators where they must solve replications of systems breaches. Out of 2,000 contenders from across the globe, Doman was only bested by a four-strong team from Northrop Grumman, the US defence contractor.
Naturally, Doman – polite and quietly spoken – was also wooed by others, including an antivirus software maker, a couple of boutique information-technology security firms, and another of the Big Four professional services firms.
PwC, whose starting salary for a senior associate such as Doman is more than £40,000, won him over because “threat intelligence – tracking down the bad guys – you don’t get to do that everywhere”, Doman explains. “People I met at other places, they did it as their nine-to-five job but I didn’t feel like they wanted to do it outside of work; they didn’t want to keep reading up on it.”
Above all else, it is this all-consuming passion for the work that McConkey seeks out. He wants would-be employees who “live and breathe systems”. The candidates he hunts “are the people who did it for a hobby and didn’t realise that there were career paths for them where they could just get paid for effectively doing what they enjoyed”.
He adds: “Thankfully, we got hooked into the right stream.”
Not everyone does, of course: while McConkey and his team have found PwC, teenagers with similar skills could be the latest conscripts of state-sponsored hackers or perhaps a criminal gang – or even just sit in their bedroom and do untold damage to a company’s reputation if they see fit.
. . .
Understanding which of these different sorts of actors is responsible for a particular attack is a big part of the job. To the sleuths at PwC, a seemingly random selection of letters and numbers in a code is as telling as a fingerprint left behind after a heist. Such sequences can open emails, unlock bank accounts and even – potentially – control weapons thousands of miles away.
An Advanced Persistent Threat, or APT, is the sort of dogged and well-resourced threat – which often has all the hallmarks of being state-sponsored – that their clients fear. It was an APT adversary whose work was so prettily configured on PwC’s conference-room wall, and the team is aware that, increasingly, attacks are likely to have a political dimension.
“The traditional battle space is no longer between a country and another country,” explains Choi, a former civil servant originally from South Korea, who specialises in geopolitical risk factors as a means of making sense of the digital threats identified by his teammates. “You have nation-states getting involved with non-state actors.”
There’s a blurring between hacktivists, industrial espionage and the state-sponsored stuff
- David Garfield, managing director, cyber security, BAE Systems Detica
The private sector is beginning to wake up to this threat. Clifford Chance, one of the world’s biggest law firms, has noticed that attempted attacks on its work from state-sponsored actors have spiked over the past year. There “have always been quite a high number [of attempted hacks], most of which were relatively unsophisticated”, says Paul Greenwood, the firm’s chief information officer. “What is new for us is the state-sponsored dimension, which we had never seen before.” As an example, he cites the sale of an energy business, which the firm helped advise on. There was an attempt to monitor all the organisations involved in the sale, he says. “The origin of the attempted – and unsuccessful – cyber espionage would appear to have been state-sponsored but the issue was a pure commercial one.”
This asymmetry of risk and threat was the subject of a heated US House committee hearing in March, following the publication of a controversial report by Mandiant, an American cybersecurity company. It identified an elite Shanghai-based signals unit of the People’s Liberation Army, 61398, as being responsible for a wave of cyber attacks against 141 different entities across the English-speaking world. The attacks appeared to be directed at foreign rivals within industries included on China’s 12th five-year plan, such as information technology, aerospace and energy: the sectors in which the world’s second-largest economy is putting its hopes and investment.
“The Chinese firms that compete in these industries are dominated by state-owned enterprises, which ties Communist party officials and their families to this crime against the United States,” declared Dana Rohrabacher, a Republican lawmaker who chaired the March committee. The Chinese government swiftly denied Mandiant’s findings and has claimed, instead, that it has been a victim of US-sponsored cyber attacks.
China is not alone in facing accusations of state spying on foreign companies – and the finger-pointing has threatened some usually placid diplomatic relations. Amid the revelations over the tapping of European leaders’ phones, the spectre of industrial espionage was raised by the mountain of documents allegedly leaked by Snowden. Both the US and Canada were implicated in allegations of state-sponsored industrial espionage against Brazil and one of its biggest companies. Brazil has demanded answers as to why its state-controlled oil giant, Petrobras, was seemingly being spied on by the NSA, which then shared information with its North American neighbour – despite public pledges that the Defense Department does not carry out economic espionage in any medium, including cyber, as it would be a breach of US policy. In recent weeks, the debate has spread to Europe, too. “The Americans spy on us on the commercial and industrial level as we spy on them too, because it is in the national interest to defend our businesses,” Bernard Squarcini, the former head of France’s internal intelligence service, told Le Figaro in October. “No one is fooled.”
How the information is used is contentious – commercial interests in some cases can be argued to be national interests and vice versa. State-controlled entities, be they sovereign wealth funds or national champions, are increasingly used by countries to enlarge their spheres of influence. “The line between national security and commercial security is blurring,” states Neil MacBride, who as US attorney for the Eastern District of Virginia oversaw criminal charges against Snowden. Speaking at a London conference three weeks after leaving his government job, MacBride added that the Mandiant report “certainly has the ring of truth to it”.
All this means that techniques once only found in state-sponsored cyber warfare are beginning to be deployed against corporate targets. Industrial espionage is evolving, from attempting to capture commercial secrets and intellectual property to actually controlling physical assets via hacking.
The hack that has had the largest real-world effect to date was the case of Stuxnet, the virus that destroyed 10 per cent of Iran’s nuclear capability in 2010. While no state has ever officially claimed responsibility, the US and Israel have not denied media leaks that they were responsible.
Some two years after Stuxnet was discovered, a virus called Shamoon – the Arabic version of Simon, whose tag within the code led cyber investigators to believe it was the name of the virus’s author – attacked the computers of Saudi Aramco, wiping the data on 30,000 hard drives of the state-owned company that is the world’s largest oil producer. Saudi officials later acknowledged that the attack apparently was intended to hurt production.
The same virus attacked Qatar’s Ras Gas, a massive producer of liquefied natural gas. While a group called the Cutting Sword of Justice claimed responsibility, arguing that it was revenge for “atrocities” in Syria and Bahrain, analysts have posited that both Saudi Arabia and Qatar are seen as US proxies by Iran. The attack occurred in the same month that Aramco was hit and not long after Saudi Arabia said it would increase oil production to counter any supply problems caused by sanctions placed on Iran.
“This is where the political and economic perspectives converge into one,” explains Choi, who tracks the changing nature of cyber threats for PwC’s clients. “The Aramco case is a classic example.”
More recently – and closer to home – Europol smashed a drug ring this summer that was hacking into the control systems of the Belgian port of Antwerp as a means of controlling containers to ship their narcotics, weapons and cash. The Antwerp case was also interesting because, according to Europol, the drugs cartel outsourced the technical part of the scam to hackers.
Teenagers and young adults with the requisite skills to mount, or defend against, a cyber attack are in limited supply. But the market for them – legitimate or not – is expanding. The worst global downturn in a generation may also be swelling the ranks of the so-called black hat – or nefarious – hackers globally, as legitimate job markets for young people are decimated.
In the US and UK, the market for Kelly and their like has responded to a skills shortage. The US cyber firm Semper Secure found that those with just one year’s cyber experience and an associate’s degree (a two-year undergraduate course) could command an annual salary of $91,000 (£57,000). That is more than double the US national average graduate wage, which in 2012 was $44,455, according to the National Association of Colleges and Employers.
If corporate players such as PwC have had to open their ranks to less conventional candidates, so the darker side has had to become more businesslike. Gangs often recruit from closed online forums – virtual bazaars where everything is on sale, from malware to details of previously compromised machines, and where would-be recruits can showcase their skills in shadowy versions of the test that PwC’s Doman faced in the defence challenge.
And PwC has been able to pinpoint attacks to observe that they occur during predictable timeframes. The firm has noted that such attacks increase in frequency just before the year-end, when even hackers apparently try to impress their superiors in anticipation of an annual bonus.
Garfield, the analyst at BAE Detica, points to a graph that underscores similarities in industriousness between white-hat and black-hat hackers. Sorting through hacks thought to originate in China, Garfield found that the peak activity occurs between 9am-5pm local time, with a slight drop-off during the lunch break. Another spike occurs late into the Chinese night – which coincides with working hours on the US east coast. The team was organised to be working double shifts, he concluded.
Kelly at PwC says that sort of methodical hacker strategy – round-the-clock and relentless – frightens most corporations trying to sort through a rapidly changing landscape of risk. “It’s not necessarily the sophistication that they employ, it’s the fact that they’re persistent,” he says. “[You] go into the office nine-to-five and you’re paid to do that. One day you are going to compromise your target. It may not be down to the level of sophistication but because you’re doing it all day, every day.”
Luckily for his clients, Kelly is equally persistent. He has always pulled things apart to see how they worked. Only now, he says, he could actually be doing it to keep the world safe. As a member of one of the world’s most elite corporate teams of cyber defenders, his skills are pitted daily against those of his unseen adversaries, in the virtual-world equivalent of man-to-man combat.
“The scariest thing about cyber space is that it’s completely asymmetric,” he muses. “It would only take one person to shut something down. And if that one person was able to shut a lot of things down, that could affect an entire country, or maybe even the world over. So that’s the kind of mentality I try to keep in mind when building defences.”
The Kill Chain
A methodology for corporate cyber espionage
Hackers research a target company. Board members, management, location and supply chains will all be analysed.
The hackers embed malware within a document tailored to lure employees from that company to open it – a PDF of an industry conference, for example.
Malware is introduced to attack the company’s systems, either using a bespoke scam such as spear-phishing (see terms below), or an infected USB stick or other portable device.
The virus tries to find vulnerabilities in the systems so it can start unleashing its code.
If successful, it installs itself in a computer and starts to gain entry to the systems.
Command and Control
The malware beacons out to the hackers’ command-and-control server, asking it to issue an instruction.
Exfiltration Actions on Objectives
Data is stolen, or destroyed. The hackers’ aim has been fulfilled.
Tools and terms of the trade
APT An “advanced persistent threat” to systems – that is, groups of hackers that are well resourced and form a sophisticated set-up. They take the long view in trying to penetrate a particular system’s defences. APT is sometimes shorthand for state-sponsored hacking.
Backdoors A (generally secret) way of getting in and out of a computer system without having to go through the normal security checks. This can be for a legitimate use – for IT personnel to sort out issues remotely, for instance – but often hackers will try to create a backdoor on initial recces around a system for future, surreptitious ease-of-access.
Cracker What programmers and cyber insiders call those the general media denote as “hackers” – people who break into others’ computer systems without permission. In such circles, “hacker” is not a pejorative term and refers to those who have some programming skill.
Distributed Denial of Service Attacks When a website crashes or runs slowly after a wave of requests generated by thousands of computers controlled by a botnet. These “zombie” computers in the botnet army may not know they have been compromised. A popular technique of hacktivists such as LulzSec against organisations including Sony and the CIA.
MiTB Stands for “man in the browser” malware, which is favoured particularly for financial frauds by targeting online transactions. It works by introducing a Trojan Horse virus into the user’s computer, which can not only steal passwords and intercept key strokes and browsing activity, but also can redirect the user to bogus websites.
Spear-phishing A reworking of the ubiquitous phishing email scam. In this more bespoke version, an email is sent from a seemingly familiar contact, asking the recipient to click on an attachment that either introduces malware or diverts them to a bogus website. Prior recces on the target’s job – perhaps using social media – makes this a successful technique.
Watering hole An infected website that is frequented by many potential targets, so that each time a target visits the site they pick up a virus or malware that can then go on to steal data. Used successfully in August, for example, against the website of the Dalai Lama’s Central Tibetan Administration.
We're Here to Help
GarryMichael continually monitors the regulatory landscape for federal agencies and their contractors. For questions about how your organization can adapt to the new FISMA requirements, contact us today.