Exclusive: ‘A moving TARGET’ – Rowland Johnson, Nettitude in “The Paytech Magazine”
Nettitude was one of the earliest cyber security specialists to take a forward-looking, threat-based approach to penetration testing. Banks’ experience during the pandemic has only gone to show how right it was, says founder Rowland Johnson
Staying ahead of the proverbial curve has long been the aim of Rowland Johnson, starting in 2003 when he founded one of the first cyber security companies, Nettitude. He subsequently turned it into a world-class, threat-led cyber security service for organisations across the globe so that they, too, could stay one step ahead of criminal cyberminds.
Nettitude has grown from a small, UK-based team, into an organisation with offices in Asia, Europe and North America. In 2018, Johnson led the company through its successful acquisition by Lloyd’s Register as that organisation rises to the data-related challenges to supply chains posed by Industry 4.0. Johnson observed at the time that: “As the worlds of information technology and operating technology collide, the need to build integrated cyber security solutions will become essential.”
It’s not, then, a cyber security consultancy focussed on delivering services for organisations that simply want to tick a box for compliance purposes; it’s aimed at companies that really want to understand the risks presented to their own organisation – and others that they deal with.
“We operate internationally, through literally hundreds of offices distributed across the world, and work with some of the most sophisticated clients globally, delivering penetration (pen) testing and red-teaming services, as well as managed detection and response services,” says Johnson. And it’s constantly scanning the horizon to understand what the various threat actors operating in what he calls ‘the wild’ are doing today. “We then tailor our services to mimic those types of activities, and, because we really are operating at the forefront of the industry, compliance almost hasn’t caught up to that space.”
Bad actors are agile, quicker to respond to changing environments than legislation and regulation, which can be years behind industry developments, says Johnson. And how fast threats emerge has been demonstrated during the pandemic, when the volume and nature of online transactions changed dramatically, amplifying fraud opportunities as secure processes were put at risk of being compromised by the mass shift of staff to homeworking.
Historically, testing focussed on organisations’ defences in their offices. As a result, many organisations have been found wanting when it comes to having a playbook for testing their resilience when staff are at their corporate laptop in their kitchen, shed or living room.
“With COVID, two-thirds of the world is now working from home, yet most organisations haven’t really had any kind of assurance activity conducted to try and understand what risks are associated with that,” points out Johnson.
“Many of our clients are seeing those threats and saying ‘OK, let’s do a simulation. Let’s do a test that mimics those real-world issues we’re seeing today’. They’re the types of clients we can look at doing some really exciting work for.”
Nettitude is closely involved in delivering the TIBER-EU initiative, which was designed to do precisely what these clients demand. Jointly developed by the European Central Bank and European Union national central banks, the European framework for threat intelligence-based, ethical red-teaming was also the first EU-wide guide to how authorities, entities and threat intelligence/red-team providers should work together to test and improve the cyber-resilience of entities by carrying out controlled cyber attacks.
TIBER tests mimic the tactics, techniques and procedures of real-life attackers, based on bespoke threat intelligence for the organisation being targeted. They are tailor-made to simulate an attack on the critical functions of an entity and its underlying systems, i.e. its people, processes and technologies. The outcome isn’t a pass or fail; instead the test is simply intended to reveal the strengths and weaknesses of the subject, enabling it to reach a higher level of cyber-maturity.
But such a programme shouldn’t be seen as a magic bullet, as Johnson notes: “Even if you look at organisations that have been through a TIBER exercise, or, before that, maybe a CBEST exercise, I suspect many of those tests were done in environments that look very, very different to the mode of operating today.”
Nobody could have envisaged, 12 months ago, that most major banks would end up having the majority of their employees working from home. These banks built infrastructures over which they had significant control, including monitoring traffic into and out of their managed environments.
“Web services were typically being accessed from banks’ core data centres, or from bank branch offices, and they were coming from predictable IP address ranges. But now, in this new environment, suddenly all of those systems are being accessed by people sitting at home. How do you distinguish them from a bad actor?” says Johnson.
Now much of the emphasis is on understanding whether or not these remote users can be compromised – not least because threat actors are targeting individuals. In a recent Insights report into bank security during the pandemic, KPMG noted that ‘fraudsters have been handed a new and very tempting field of play’, with employees more vulnerable to phishing emails and other scams. Hostile home networks are a clear threat: in households where multiple family members log in on the same network and click on links and content of many different kinds, corporate devices can be exposed to malware that could then enter bank systems if the right endpoint controls are not in place.
KPMG also pointed to the huge rise in the use of video conferencing, some of which has been shown to have sub-optimal security standards, with suspected instances of uninvited parties eavesdropping or even hijacking conversations, as another new vulnerability.
“What COVID-19 has created is effectively a huge monitoring challenge,” it said. And Johnson agrees: “By targeting users at home, the threat actor might pivot from that compromised device into a corporate network in a way that was never happening previously,” he says.
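The monitoring question Johnson raises (how to tell an employee logging in from home apart from an attacker, once source addresses are no longer predictable) is in practice a baselining problem. The following Python is an added example written for this article, not Nettitude's tooling and not code from the interview: it treats corporate egress ranges as trusted, learns each user's previously accepted source addresses, and alerts on a successful login from an address not yet seen for that user, escalating when that success follows failed attempts from the same address or falls outside business hours. The address ranges, user names and authentication events are constructed sample data, chosen from documentation and benchmark ranges so they match nothing real.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed example: egress ranges a bank might have allowlisted when staff
# only ever logged in from data centres and branch offices.
CORPORATE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed sample of authentication events: (timestamp, user, source_ip, outcome).
EVENTS = [
    ("2020-03-02T08:01:00", "alice", "203.0.113.14", "success"),   # office login, corporate range
    ("2020-03-16T08:05:00", "alice", "192.0.2.77", "success"),     # first login from home: new source
    ("2020-03-17T08:03:00", "alice", "192.0.2.77", "success"),     # same home address, now baselined
    ("2020-03-17T08:04:00", "alice", "192.0.2.77", "success"),
    ("2020-03-18T02:11:00", "alice", "198.18.5.9", "failure"),     # guessing from an unknown address...
    ("2020-03-18T02:11:30", "alice", "198.18.5.9", "failure"),
    ("2020-03-18T02:12:00", "alice", "198.18.5.9", "success"),     # ...then success at 02:12
    ("2020-03-18T09:00:00", "bob", "198.51.100.20", "success"),    # branch office, corporate range
]


def is_corporate(ip, ranges=CORPORATE_RANGES):
    """True when the source address falls inside an allowlisted corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def analyse(events, failure_window=timedelta(minutes=10), business_hours=(7, 20)):
    """Return alerts for successful logins from sources not yet trusted for the user.

    A source is trusted when it is inside a corporate range or has already been
    used by the same user for a successful login. Severity is raised to 'high'
    when the success follows failed attempts from the same address within
    failure_window (a password-guessing or credential-stuffing signature) or
    falls outside business_hours (start inclusive, end exclusive, local time).
    """
    known = defaultdict(set)             # user -> addresses already accepted for that user
    recent_failures = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    alerts = []
    window_min = int(failure_window.total_seconds() // 60)

    for ts, user, ip, outcome in sorted(events):  # ISO-8601 strings sort chronologically
        t = datetime.fromisoformat(ts)
        key = (user, ip)
        if outcome == "failure":
            recent_failures[key].append(t)
            continue
        if is_corporate(ip) or ip in known[user]:
            known[user].add(ip)
            continue

        reasons = ["new source for user"]
        fails = [f for f in recent_failures[key] if t - f <= failure_window]
        if fails:
            reasons.append(f"{len(fails)} failed attempt(s) in the preceding {window_min} min")
        if not (business_hours[0] <= t.hour < business_hours[1]):
            reasons.append("outside business hours")

        alerts.append({
            "time": ts,
            "user": user,
            "ip": ip,
            "severity": "high" if len(reasons) > 1 else "low",
            "reasons": reasons,
        })
        # Baseline the address after alerting so the same home connection does not
        # re-alert daily; an analyst would revoke it on a confirmed compromise.
        known[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert["severity"].upper(), alert["time"], alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

Run stand-alone it prints two alerts: a low-severity one for alice's first home login on 16 March, and a high-severity one for the 02:12 success on 18 March that follows two failures from an unknown address. The design choice worth noting is that a new source is accepted into the baseline after a single successful login; that keeps the detector quiet for genuine home workers but means the first alert is the only chance to catch a compromise from that address, so in a real deployment it would be corroborated with device posture, ASN or geolocation signals rather than acted on alone.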
It’s these kinds of issues, which are systemically important to the financial system itself, that regulators are alert to: threats with the potential to impact not just a single bank portal, such as a new mobile app, but the heart of the institution and the others it deals with. For that reason, cyber security protection isn’t a country-specific issue and needs to be examined through the prism of whole regions, says Johnson.
Rather than focussing on banks in country X or Y, what threat actors are looking to do is ‘identify service providers that exist in one country, that might have a weakness, and leverage a foothold they may find in those entities to then target another bank, or another financial institution, in another country’ he says. Hence, one possible outcome is that some attacks will pivot through multiple institutions, multiple parts of the supply chain and multiple countries or regions. As a consequence, ‘if you only take a domestic approach to delivering assurance, you’re only looking at a fraction of the problem’, warns Johnson.
Institutions need to take off their blinkers. “Many organisations say ‘we will test the things we own, we can’t test the things we don’t own. We will test the corporate laptop, because we own it, but we can’t test home users’ networks because we don’t own those’,” he says. “The reality is that old methods are now being challenged due to the possible impact on organisations posed by home networks.”
Self-evidently, the home user network has a number of potential vulnerabilities: it is shared with devices and users the organisation neither manages nor monitors, and it sits between the corporate laptop and the internet entirely outside the bank’s control.
“If threat actors are known to be targeting home-user networks and, from there, jumping to the corporate laptop, organisations are going to have to challenge the level of assurance they have against those types of infrastructure. Instead of saying ‘we can’t ever test the home user network’, I think people will have to accept they will be,” adds Johnson.
And the threat is only increasing. As the US’ Office of the Comptroller of the Currency (OCC) recently noted in its forward look at cyber risks to banks this Autumn: “Cyber actors have become less inhibited and more sophisticated with their knowledge of the financial institution operations and vulnerabilities in bank applications or systems. In addition to exploiting susceptibilities, cyber actors continue to use popular exploitation methods, such as phishing and credential theft, to compromise bank systems. While banks overall have adequate cyber security systems, examiners continue to identify concerns in banks related to bank information technology (IT) systems, change management and information security.”
Ransomware is of particular concern, given it can lead to disruption of core business activities, operational outages, lock-out from business data and switching to manual operations. Yet, for Johnson it isn’t simply a question of ‘do this one thing, and this will improve an organisation’s security posture’.
Threat actors are moving targets who invariably hold the advantage; their very flexibility means that testing an organisation’s security robustness is a constant process which should be informed by real-world experience and not seen as a box-ticking exercise.
COVID-19 has shown that the threat today is demonstrably not the same as the threat yesterday. The pandemic is (hopefully) a once-in-a-generation occurrence, but as our finances become embedded in our lives, with our homes, our transport and even our bodies connected with financial services providers, the key is to stay one step ahead of the exponential curve in cybercrime.