Incident Response, TDR

Don’t spend more, spend better: Interview with FireEye’s Richard Turner


It's “the same but different” says Richard Turner, EMEA president of security company FireEye, characterising the company's most recent Advanced Threat Report. “I think 2015 will go down as the year with the highest number of breaches” he says. Interestingly enough, 2014 was the last year with the highest number of breaches, and 2013 before that.

Richard Turner became EMEA president of FireEye this February after nine months as EMEA vice president. Richard has spent years in cyber-security, armed with stints at an array of bleeding-edge cyber companies including Proofpoint, CertiVox and Clearswift.

FireEye's new Advanced Threat report for the EMEA region it has three principle findings. First that aerospace companies, energy companies and governments were the three most targeted types of organisation. Second, that Israel, Saudi Arabia, Spain, the UK and Germany are the most targeted countries; and finally, that it's becoming harder and harder to distinguish between the kinds of attackers that organisations do face.

“We see a blurring of threat actor groups.” he says, “it's pretty difficult for us to identify whether, of the hundreds of groups we do follow, it's a new group, or its a existing group using a different technique or it's a technique that in the past was used by a nation state is now being used by organised crime

But what are the implications of these findings? “We've seen a massive growth in the number of successful attacks as highlighted by headlines” says Richard. But: “There aren't similar headlines in newspapers about shutdowns, prosecutions, jailings and those kind of things.” There is, according to Richard, a widening gap between solving these problems  and the ability of attackers to successfully breach organisations.

We continue to see that organisations, especially in Europe, “whether they be private actors or government” are failing to recognise, “that they're spending a lot of money trying to solve this problem; what they're spending is not terribly effective.” Instead falling back on what Richard calls “historical, layered defence strategies.” There is a tendency to think that by merely upgrading their software and building up their walls, organisations are safe.

While people don't need to spend more Richard told, they do need to “spend differently, change their attitude focus on a more dynamic approach to this problem.” He added, “organisations continually need to think about how they really readjust, refocus on strategies that enable them to be resilient and recover from a cyber-attack.”

Organisations have to take, “less from these historical security models” which say “Hey, it doesn't look like anyone's climbed over the wall, so we must be secure.” Richard reminds us, “Yeah, but they might have dug under the wall.”

FireEye's Mandiant Team recently discovered SYNful knock on nearly 200 Cisco routers around the world. Previously thought only theoretical, SYNful knock presents a new kind of bug, which, as opposed to climbing over the proverbial walls, digs under them and leaves an open door into the victim's network.

The Cisco implant, “was an interesting one, because instead of subverting the technology  they actually leveraged normal security vulnerability (like a password) to come in and mount a very sophisticated cyber-attack.” The significance of this attack, Richard states, is that, “If they own the edge of the network, they can see anything that's going in or out of the business; the fundamentally own the pipe in and out of the business.”

This is quite a new development, not just because of its type but because of it's covert qualities. The Cisco attackers “were capable of deploying into the device without raising the alarm. That reflects a capability and sophistication that I don't think we've seen before.” This kind of discrete attack is on the rise. “Stealth is going up” as is attackers', “desire to remove the cyber-evidence of their attacks.”

While cyber-resilience gets ever more sophisticated, “we're failing to overcome human behaviour from a cyber point of view.” People are more than happy to post potentially revealing personal information online, which helps cyber-attackers massively. “We're seeing credential theft grow," says Richard. it's “one of the reasons mobile devices are being increasingly targeted.”

What is more is that attacks are going from the general to the specific: “We see fewer and fewer attacks that involve what you might call traditional malware.” The malware Richard does see is ever more specialised. Attackers are changing their activity to adapt to security companies' improvement at detecting traditional attacks. Now, if there's a specific asset that they want to compromise that they'll go through the time, effort and trouble to mount a stealth attack that has the least chance of detection.

If you're in the human resources department and someone sends you a job application with a CV attached, the assumption is it's safe as long as it's made its way through the old layered defence systems. People and organisations, must be continuously vigilant Richard reminds us.

“You've got to assume that nothing is really what it seems until you really know what it is.” Last month, Bitpay, a bitcoin processor lost 5,000 bitcoins when hackers managed to get into the email account of the company's CFO and requested several transfers of thousands of bitcoins from the CEO. Richard says “That whole attack could have simply been stopped by someone picking up the phone and saying, ‘Hey, got your email, just wanted to check if you really want me to send this'.”

Richard says it partly comes from the problem that people think there is some kind of invisible force field that is protecting them.

People are, trying to balance convenience and security efficacy, he says: “I think we're going through an era where convenience has been winning a little bit.”

So how to fix these problems and plug these holes? Richard offers a couple of solutions, in line with his philosophy of an agile, reactive security strategy. Organisations have to figure out who and what is most important to them, because those people and that data is most likely to be targeted.

Richard returns to his central point: Don't spend more, “spend on the things that are most valuable to you”, the things that will be most effective to getting organisations back to work after a breach rather than continuing this legacy historical approach of spending on stuff that from a human point of view makes us feel good but doesn't really address the issue of cyber-resilience.

Sharing intelligence and building "communities of trust" might be another way into future cyber-resilience. Although he hates to use the expression he says, a 'neighbourhood watch' might not be a bad way to characterise what, at least in part, is required. 

Quoting Mandiant founder, Kevin Mandia, Richard says to keep someone out you need to be lucky 1000 times, to get in you need only to be lucky once. Organisations on the leading edge of trying to become resilient, are "recognising that they can't do it themselves; they're starting to partner up: They know who they're going to call in the event of a cyber-incident; they're procuring intelligence; they're working closely with experts." Richard adds, "Not everyone's doing that, and that's why organisations continue to be vulnerable."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.