The Cyber Security Podcast 2023 Briefing You Need to Hear

Hi there. I’m John Douglas. I’m the Technical Director and Head of Incident Response at First Response.

And you were one of the wonderful people that I met at the SuperOps SuperSummit, which was a conference in London in the UK several months ago now. And I was introduced to you after the event. And I can’t remember the exact words that someone said, but it was something along the lines of, “This guy here, John, he’s the MSSP that MSPs turn to when they have a major cybersecurity problem.” That’s just a fascinating way to be introduced to anybody.

Tell us a bit about your career, John. Before you talk about what you do now and how you help MSPs, what’s your background? How did you get into this kind of position?

That goes back a very long way. So originally I’m from New Zealand and I was studying IT at university when IBM released the very first IBM PC, the one everybody remembers with the Charlie Chaplin ads and so on. I worked on VAX-11/780s and other sort of large mainframe systems and things in New Zealand.

I moved to Japan working for Yamaha as a programmer after I finished my degree in New Zealand and I was designing computer software for designing motorcycles for Yamaha. I spent a bit of time working for a translation company in Nagoya in Japan. Then moved to Tokyo where I started working for a French investment bank doing basic IT support across the trading floor in Japanese, English and in French.

After a little while there I discovered a way of reorganizing our network that meant that we could get data into the traders two milliseconds faster than the guys down the road, which in investment banking makes a huge difference. So the architecture team in London transferred me to London on a two-year secondment 25 years ago, and I’ve kind of been here ever since.

I worked for the bank for another six years in London designing Active Directory security architectures and structures. And after a very nasty merger where it became an unpleasant place to be, I left and I started working for the Metropolitan Police as a forensic scientist. I did a master’s degree at Cranfield in forensic science and then spent the next 10 years chasing pedophiles around the internet, doing human trafficking investigations and murders, rapes, drug investigations, all kinds of stuff that involved computer forensics.

And then in 2012 with austerity and so on, I left and with some like-minded colleagues, we formed First Response, primarily to do digital forensics and litigation support for civil cases. But we very quickly got pulled sideways into doing incident response and helping companies that had been the victim of a cyber attack and how to respond to that and remediating and recover back. And that kind of brings us up to date.

What an amazing career. And I definitely want to come back onto First Response and the work that you’re doing now in cybersecurity, but I have to delve back into some of that career. So first of all, what was it like working in Japan? I’ve actually been to Japan. There are very few westerners that I know that have been to Japan. You are about the third or fourth person that I’ve spoken to. But what was it like living there and working there?

Well, to begin with, it was pretty tough. So I was working for Yamaha and the Yamaha factory is out in the middle of nowhere. It’s kind of out in the fields, miles away from Tokyo. And I spoke no Japanese whatsoever. So on day one, they took me to the factory and took me to the line and I thought, “Oh, excellent, I’m going to get a tour of the factory” ’cause I’m into bikes and I rebuilt engines and so I know my way around. And I thought, “I’m going to get a factory tour.” Anyway, they put me on a position in the line and then said, “Today, Douglas san, please put clutch in engine.” And I thought, “What? Hang on. Me putting clutches in engines? That’s not right.”

Anyway, long story short, after a quick conversation with a translator, it turns out that everybody that joins Yamaha and pretty much any of the big makers in Japan, you spend the first three months of your career regardless of whether you’re in graphics design or accountancy or whatever, you work for three months on the line, kind of like army basic training. So that was a huge interesting experience and that’s pretty much where I learned to speak Japanese in that day-to-day interaction. And that became really helpful in the time that followed.

I bet. And I bet you could also change a clutch on a motorcycle as well, which I’m sure would come in handy at some point. Let’s look at the digital forensic part of your career. So you were with the Metropolitan Police, which is the police force in London, here in the UK. I mean that must have been an insane job because we’re talking fairly recently. I think you said you left in 2012, so less than a decade ago that you left that. And I imagine that was when the internet was really evolving fast, so you must’ve been constantly trying to keep up with how criminals were hiding things from the police.

Yeah, indeed. And forensics is an arms race, very much so, a technological one. We spent probably a good 40% of our time researching technologies. And not that we were going out looking at technologies and pulling them apart to see what they could be used for, but it was more that a case would turn up on the desk where a particular organized criminal network or just an ordinary person who had decided to do something dodgy had utilized a piece of software. And one that I remember from the early days was Google Hello. The pedophile community sort of landed on that and started using Google Hello to transmit indecent material of children between each other completely under the radar. And it worked out quite effectively for them.

But we had some good connections in with Microsoft and with Google and others. And so they gave us access to diagnostic tools that allows us to reverse engineer some of the data structures so we could actually generate evidential material to take to court and give evidence.

But what was really interesting for me about the whole forensic process was more the diversity of locations where artifacts could be found. So for example, I had a case, I was working on a murder investigation and I was working with the police officer and we’d come to a really good point where I had everything that he needed and he said to me, “Oh, I wish you could help me with my other case.” And I said, “Well, what’s your other case?” He said, “Oh, it was a drugs case.

We arrested this drugs dealer in his car and just before we were able to arrest him, he ripped a lanyard, a USB stick off a lanyard around his neck and threw it into the river. I’ve been unable to recover it, and we’re pretty sure that had all the details of all of his drug deals on it.” I said, “Okay.” And he was in his car. “What car was he driving?” It turns out he was in a Bentley.

Anyway, again, long story short, I contacted Bentley. The vehicle had been impounded and with some diagnostic tools that Bentley gave us we were able to download all of the GPS data, all of the chat logs and all of the SMS messaging, call history and everything else that had transferred from his iPhone across Bluetooth and had been stored in the car. So whilst he’d got rid of a lot of the data on his mobile phone and on this USB memory stick, we were able to pull back a huge tranche of data from the car itself.

And of course, when you sort of superimpose the GPS data with the call dates and times and some of the message information in the chat logs, you’re able to immediately unravel a whole lot of coded text and start to associate that with some of the other people that he was working with.

That kind of technology and being able to think outside the box and grab stuff, keeping in mind this is 20 years ago, so it was pretty cool stuff. I mean, that’s fairly trivial to do these days because mobile phones and so on have got GPS units and everything. It’s all in one box. So if you’ve got access to that mobile phone, you’ve got everything.

Yeah. There’s a message here for criminals, which is if you’re going to do crime, then leave your phone at home and drive a 1980s car, which isn’t connected and doesn’t collect any information whatsoever.

Let’s come straight up to date then, John, and let’s look at what you’re doing within First Response. So you formed this business back in 2012, and as you said earlier, your aim was to help with litigation and forensics, but you then diverted off into this amazing cybersecurity world that we’re in here.

So what caused that shift? Was it literally demand, business turning up at the door or was there something else that caused you to go off in a different direction?

It was business turning up at the door, but came from an unexpected direction, and that was law firms that we were already working with and supporting them in civil litigation where perhaps one of their clients was suing an ex-employee for stealing data or something, taking it to a competitor. But often the law firm would get involved in say, a ransomware incident that one of their clients had suffered.

And so they would call us and say, “Hey, what can you do to assist us? We’d like to try and figure out who the attackers were.” But very quickly it became more around, “Actually we don’t care who the attackers are because they’re outside the UK, they’re outside of our jurisdiction and we’re not going to be able to do anything with them, but can you help us get the data back?”

And so we’ve been doing an awful lot of that. And certainly through the Pandemic, UK organizations, and I’m sure most of your audience will also click with this, that organizations absolutely struggled to make that transition from on-prem to working remotely.

A lot of organizations managed to make that transition, but they didn’t do so securely. And so we saw countless incidents of organizations that were publishing RDP directly to the internet, which is just a recipe for disaster, and they were getting hit with ransomware. In sort of the peak of the pandemic we were probably dealing with four or five cases of ransomware every week. It was just crazy.

And how have you seen cybersecurity change? I mean, you mentioned the pandemic, which is obviously three odd years ago now that it started. But over the last three, four, five years, how have you seen the kind of attacks change and what kind of new, I mean we all know what the new threats are, but as someone who’s actually dealing with it day to day, how have you seen it change?

I think probably it’s become more organized. Cyber threats are no longer some guy in a hoodie in his basement who’s just out for grins and giggles. This is organized criminal networks and nation state threat actors that are doing this either to obtain intelligence for economic, military, or health and academic data that they’re stealing, or in the case of organized criminal networks, it’s purely financial. They’re doing everything for financial gain.

And they’re hugely organized. I mean, ransomware attacks now, typically you’ll see a ransomware author who will be a pretty intelligent guy and experienced programmer writing in C++ who will create a very cool piece of ransomware, and he will then market that on the dark web to organized criminal networks under a franchise scheme where the original author gets 20% of whatever ransoms the organized criminal networks are able to generate, all paid in Bitcoin.

And the organized criminal networks themselves have set this up entirely as a business enterprise. They have help desks being run internally and sometimes they’re outsourced to Southeast Asia. We’ve got large groups of people sitting there waiting to answer the phone to help companies navigate the process of buying Bitcoin or decrypting their data.

If they’re having struggles to run the decryptor and decrypt the data, having paid the ransom, the help desk is there to support them. It’s a really slick professional business now. It’s not the chaotic script kiddie that probably the media is still portraying them to be.

Yeah. Which then begs the question, what do you think it’s … I mean, this is very much a crystal ball question, but you’re at the cutting edge here. What do you think is going to change in the next two to three years?

Well, everybody’s talking about AI, and I have to agree with one of the speakers at the conference that we were at in London recently, that AI is neither artificial, nor intelligent. It’s just neurological language processing. It’s nothing particularly clever. And we can see from some deeper analysis of ChatGPT that it looks pretty amazing on the surface, but when you start to dig into the detail of it, it’s actually quite inaccurate. It’s giving misleading and false reports.

Because I do malware reverse engineering as an ex-programmer myself, I’m always interested in some of the, not just hacker forums, but also some of the hacking YouTube channels and so on that describe how they’re using ChatGPT to help them write code and in some cases, code that could be used maliciously. And in every single instance they’re saying there’s huge functions and sections of code here that are either wrong or simply missing and the code will not operate as requested.

Now, it might be that either the ChatGPT is not clever enough to do it properly or that somebody’s coded it in such a way to not provide those results. I think it’s more likely to be the former than the latter.

The one thing that we can guarantee with cyber crime and with the threat online is that it will continue to evolve, that law enforcement are doing an enormous job to try and keep up with the technological change but it is definitely an arms race. And I even see it in my field of digital forensics. When we’re trying to analyze artifacts, we’re always one step behind the criminal.

So a new tool would become available on GitHub or will be released by a third party developer, and they’ll start using it for criminal purposes. We then have to take that tool, reverse engineer it using tests and test data to try and figure out what it’s doing and how it’s working in order to determine where the artifacts will lie that we can then use in our investigations. So there’s always a delay. And even the large companies that make forensic tools for law enforcement around the world struggle with exactly the same problem.

You’ve got UK government at the moment trying to put through legislation that will weaken encryption such that law enforcement is more easily able to understand what would-be terrorists and other subversive people are communicating about. But there’s a huge conversation there just on itself really. It’s not a good look either for the government or for personal privacy. But the evolution of cyber crime and the way that threats against the UK evolve will continue unabated.

We’ve already seen that with the Ukraine War almost within weeks of the UK pledging support for Ukraine in quite loud terms, that attacks went up from around 300 to 350 attacks per day to now well over 3000, almost 4,000 attacks per day in a 24-hour period. And those are all just from the territory of Russia.

In the last few days the NCSC and GCHQ, the primary intelligence gathering organizations for electronic communications in the UK and the NCSC, which is kind of a cyber advisory group as part of GCHQ, have warned that UK national critical infrastructure organizations like the power grid, national rail, gas and water suppliers and so on, that national critical infrastructure are being targeted actively by Russian threat actors and that we need to pay attention to that.

Yes, yes. I’m going to date this interview, John, because we never normally, we record these interviews quite far in advance of the podcast, but you and I are speaking towards the end of April. So whenever this is is broadcast, I just want to put that date on there because I have a feeling that cybersecurity is going to move on in just the two, three months between time of recording and broadcast.

One final question for you, and then we’ll talk about what you do with MSPs. What’s the phone call that you dread getting? What’s the piece of information that you know is going to keep you awake tonight?

There are varied and many. The biggest one is when a company calls us to say that they’ve been the victim of a ransomware attack, that all of their backups have been trashed and that they’ve got no logs. It gives us almost no scope for remediation, and it gives us very little scope for making any determination as to who’s responsible.

And I’m sure that there are many MSPs that would perhaps give a very similar answer. But we did open this interview by saying that you are the guy that MSPs call when they’re in trouble. So tell us what you do with MSPs. How do you help people? What’s a typical case for you, like a case scenario?

Again, it’s typically some kind of, it’s an incident of some sort. And it can be anything from a disgruntled employee who’s decided to sabotage the internal systems because he has some knowledge or she has some knowledge of them. It may also be the case that a sexual harassment claim has been raised to HR in a client of the MSP, and they’ve been asked to go in and have a quick look and see is there any data there that substantiates the claim.

Now, the wise and wily of the MSPs will understand that the moment you start getting involved in those kinds of investigations, you’re putting your neck on the chopping block, so to speak, evidentially, because everything that you do at that point can potentially be called to. If that process winds up at a tribunal or at court, if it becomes serious enough, then the MSP can be compelled to give evidence at court about what they did and how they did it.

And if you don’t have a forensics background and don’t understand the implications of what you’ve done, for example, just powering on a Windows PC will change 600 dates and times, so that’s 600 pieces of evidence that are now lost forever. Digital evidence is quite fragile, so knowing how to deal with it is important.

We work with a number of MSPs where in the event that they have some kind of incident that potentially could get sensitive either for internal political reasons or just because it may potentially involve some criminal action, then at that point they’ll say, “Hey, listen, can you guys have a look at this for us?” And that gives a sort of at arm’s length third party independence to the entire process, which makes life much easier. And obviously everything that we do, we handle data evidentially and we’re able to give evidence of court as expert witnesses. We’ve done that for many, many years. I’m really comfortable in that process.

Yeah, no, I can imagine. John, thank you so much for your time on the podcast today. Just finally, tell us what’s the best way to get in touch with you and what’s your website address?

Probably the easiest way is simply to go to our website, which is www.first-response.co.uk. There’s a contact form there. There’s phone number at the top, and pretty easy to find us.

For more cyber security expert news and information similar to what was discussed on this cyber security podcast, please be sure to check out our other blog posts here:https://first-response.co.uk/blog/

You may also like: https://first-response.co.uk/articles/uk-and-us-cybercrime-statistics/