Interview: Ian Mann, ECSC Group, Reflects on the Evolving Cyber-Threat Landscape

It's just five months into 2021, and there has already been an explosion of high profile cyber-attacks affecting major organizations. The year began with the fallout from the SolarWinds incident at the end of 2020, and in recent weeks we have seen ransomware attacks on the US’ largest fuel pipeline and Ireland’s healthcare system, among many others that have wreaked havoc.  

Amid this backdrop, Infosecurity recently spoke to prominent cyber-expert Ian Mann, who has held a number of prominent positions in his career, including as a consultant for the UK’s intelligence body GCHQ. He is currently CEO of cybersecurity service management firm ECSC, a company he founded back in 2000, and was therefore able to provide insights into the threat landscape over a long period of time.

Additionally, he has authored prominent social engineering books Hacking the Human, and Hacking the Human II: Adventures of a Social Engineer.

In what ways have the tactics and techniques used by cyber-criminals evolved over recent years?

You might be surprised to learn that in many ways organizations are still getting breached in similar ways to 15-20 years ago - despite technology vendors trying to persuade you otherwise.

For example, people are still opening up insecure services (such as RDP) to the internet and making basic firewall mistakes. However, what has changed is that these mistakes are often linked to cloud projects – where systems that were traditionally internal to 'secure' networks are now exposed and visible to hackers.

The number one tactic of cyber-criminals is to either:

  1. Spot a technical mistake made by IT; or
  2. Exploit a human error (such as clicking on a phishing email)

The root cause therefore is that if you make mistakes (technical or human), then you are at risk of these being exploited.

A major myth is that hackers 'target' you, based on your industry/organization. This is not supported by the facts.

How well, on the whole, are organizations currently responding to these threats?

Pretty poorly. In 20 years of incident response, I've never seen a breach that wasn't preventable. Neither have I heard of one that wasn't also preventable (once you understand the original root cause).

Although we now have plenty of qualified security people across most organizations, and lots of new technologies, there is little evidence the issue is diminishing. A problem we continually meet is that the security professionals are so busy doing so many different activities that they haven't actually fixed or corrected the important ones that cause breaches.

Good security is about doing the basics really well, and not about playing with new technology and following the latest vendor trends. For example, if you have any internet-facing logins (especially with your major cloud provider) without multi-factor authentication, then you should stop everything and fix this today. 

"Good security is about doing the basics really well, and not about playing with new technology and following the latest vendor trends"

In what ways has ECSC Group adapted its focus over the years in response to the changing threat landscape?

Whilst our emergency incident response, testing and wider consulting services evolve each year, the biggest changes have occurred within our Managed Detection & Response (MDR) division.  

Whilst some clients still want some specialist protection, such as properly configured Web Application Firewalls, the biggest growth area is 24/7/365 monitoring and detection services. People recognize that, despite new protection technologies, mistakes happen and breaches occur. When this happens, fast and effective detection and response makes the difference between a worrying event that is resolved, and a major escalating breach affecting the business and people's careers.

This is why, using funds from our late 2016 IPO, we expanded our Security Operations Centre (SOC) by opening in Australia. We firmly believe you need a true follow-the-hacker 24/7 operational capability. In our experience, you cannot recruit, retain, and keep sharp analysts and investigators with them working night shifts.

How do you see new technologies impacting the cybersecurity space over the next 10 years?

Cloud migrations will continue to cause breaches as mistakes are made and cost-cutting means that essential security protections and monitoring is often compromised.

Within the UK and Europe, GDPR will continue to focus minds with multi-million pound fines. An aspect of GDPR that isn't getting much attention yet is the direct liability of third-party providers, so I expect some large finds there.

I also expect more scrutiny of 'major' global IT providers, given the continual breaches that they both suffer themselves and cause for their clients. I think 'zero trust' should be applied to your IT outsourcing strategy, not just a label used to sell you more internal technologies with marginal benefits.

Artificial Intelligence (AI) will continue to drive new services, especially where detection based on big data is concerned.

Could you tell us about some of the current work taking place at the ECSC LABS division?

Our historic developments in our AI technologies would be more accurately described as Machine Learning. However, we also have some really interesting research projects exploring the power of neural networks. These mimic the way the human brain works, and potentially give outcomes that you either weren't expecting or even intending.

For example, we have been experimenting with having a neural network mimic the actions of the SOC Analysts to suggest areas where they might investigate further. Rather like having a supervisor suggesting further things to explore – however, in this case the supervisor is an artificial brain that has learnt from previous Analyst actions.

Don't get me wrong, anyone suggesting AI will replace humans is either lying or doesn't understand cybersecurity. However, AI is already an essential step in allowing detection of cyber breaches that would otherwise be impossible.

What’s Hot on Infosecurity Magazine?