Security Expert Interview Series: Colin Hardy

In this interview, we spoke with Colin Hardy, Malware Specialist and Head of Security Operations. Colin has deep security experience across a variety of areas, especially security operations, incident response, data privacy, and technical investigation. Interestingly, he co-hosts InfoSec Real, a YouTube podcast aimed at showcasing the real life of information and cyber security, where he interviews key industry high-fliers who are super-passionate about defending against the cyber threat landscape. Continue reading and discover his unique insights on data breaches and malware threats.

Security Expert Interview Series #13: Colin Hardy

1. Can you give us an introduction about yourself, Colin? How you ventured into the cyber security world?

I’m Colin Hardy aka @cybercdh. I’m the Head of Security Operations & Response at TalkTalk, an internet service provider based in the UK, and the co-host of the InfoSec Real podcast.

My passion in cyber security stems both from a fascination with investigating criminal activity and the vast landscape of opportunity that exists within the industry to grow and develop skills to be proud of. In my early career, I helped identify, detect and prevent identity fraudsters operating within the mobile phone industry. I found that with some simple technical skills it was possible to make a big impact in disrupting the activity of career-criminals and as such I was super-proud to be awarded a Commendation from the Metropolitan Police Service.

In 2012 I took a free online Computer Science course delivered through the edX platform with Harvard and this course undoubtedly changed my life. I was able to solidify my self-taught technical and coding knowledge into structured ways of thinking and learned how to solve problems with code and think more algorithmically. The course paved the way for me to significantly develop knowledge in forensics and digital investigation methods.

In 2015 I was extremely fortunate to be given an opportunity to work for Bank of America Merrill Lynch within their Global Information Security team where I was responsible for managing security incidents and helping to protect organisational assets. When I first joined, I was completely out of my depth but I was surrounded by industry experts who were so passionate about sharing knowledge and I had an amazing mentor, which meant that I developed extremely valuable technical and soft-skills at an exponential rate which I carry with me today and aim to inspire others with through my current role.

2. What soft skills do you think are most important for cyber security professionals?

Communication and relationship skills have been absolutely essential for me to progress within the industry, both in managerial and non-managerial positions. Let’s take a look at both.

Communication – I found quick success within the industry through being able to articulate complex topics into meaningful bite-size detail coupled with a risk-based lens. Oftentimes organisations are targeted with super-complex attack scenarios (e.g. SolarWinds); however, C-Suite Executives tend to focus on security risk and the potential for operational business impact versus the associated cost. Understanding the technical complexities of an attack scenario and translating that into a language senior leaders are familiar with will ensure you’re able to add value to an organisation. Next time you’re trying to explain something complex (even to your peers), try and write it in a tweet!

Within managerial positions, I’ve found communication to be essential in motivating, supporting, and developing a team, especially within the age of COVID as more teams are working remotely and balancing home/work life. Establishing how to communicate, how often, and for what purpose has been a voyage of discovery for me personally, but I’ve enjoyed the outcomes – I’ve had meetings in Virtual Reality, walking team meetings in the wind and rain, heartfelt 121s and virtual all-hands meetings where we’ve been able to really nail down an operational security-maturity strategy.

Also, being able to translate high-level strategy from C-Suite executives back through to technical audiences is a skill I continue to develop to ensure teams really understand the organisational strategy and how each person can play a significant part in that journey.

Relationships – Building relationships both within a small team and throughout the wider organisation is key to understand how security relates to the wider business strategy. Oftentimes, running a security team will simply cost the business money straight from the bottom-line and therefore understanding the various priorities around the business and how security can best interface with the plethora of tools, technologies and processes a typical business has will help ensure that you can add the most value to an organisation.

Also, in terms of personal development, I’ve found the key to building a successful relationship with mentors and peers is to focus on building your own credibility whereby you can add value to the conversation. Mentoring is great, but often I find the conversation is one-sided; the mentor delivers great insights and the mentee consumes all the information. What’s worked better for me is to focus on also delivering value back to the mentor by sharing ideas and different ways of thinking; thus helping to cement a future lasting relationship that continues to promote professional growth.

Someone once said to me that ‘you are the average of the 5 people you surround yourself with’. That really resonates with me and I aim to bolster the average of others that I share my professional circle with also.

3. As we saw from your profile you define yourself as a Malware Specialist. Please, talk to us about a day in the life of a malware specialist.

There are lots of focus areas within the cyber security industry and I really enjoy detecting, defending, and investigating malware attacks. I spent a lot of my time in Bank of America working with an amazing team who focussed on hunting for attacks, reverse-engineering nation-state grade malware and building detection mechanisms to prevent any business impact. I’ve been completely hooked ever since and whilst my role now is less hands-on, I enjoy inspiring others to develop their technical skills to help keep pace with this fast-moving landscape through my YouTube channel and podcast series.

As a malware analyst, you can expect to be engaged in incident response scenarios where the goal is to extract as many key Indicators of Attack (IOAs) and Indicators of Compromise (IOCs) as possible in order to defend against an attack and to go proactively hunting for infections. You’ll also need to keep up to date on new and emerging threat-vectors, so keeping your analysis skills up to scratch is super-important as adversaries will constantly develop their capability to defeat security controls. You may also be called upon to advise on strategic business investments which aim to strengthen security controls based on your knowledge of the threat landscape.

Having specialised knowledge with how malware operates and how you can defend against it will enable you to add serious value to any security team.

4. Could you please tell us what was the most important cyber security lesson you learned in 2020?

SolarWinds was certainly an eye-opening event in 2020 and will undoubtedly have ramifications across the industry for some time to come. The main issue I think the situation highlighted was that third-party risk is a hard problem to solve – how does one organisation truly trust the software or hardware they buy from another organisation? The reality is systems, people, software and processes can all be hacked and it’s clear that there are entities, likely nation-state backed, that have the capability to infiltrate even the most security-protected environments.

I don’t necessarily think this risk has changed because of SolarWinds though; it’s always been there, but the fact that SolarWinds has happened has really put this threat-scenario on the map with C-Suite Executives who now are able to understand more about the complexities and realities of cyber-attacks. As a result, exercising incident response processes and crisis management protocols has never before been so relevant.

The second thing I absolutely learned and continue to be reminded of is that this industry never stays still and now is an exciting time to be part of it.

5. Now let’s talk a bit about data breaches. Are data breaches unavoidable? If yes, is there a right and wrong way to deal with them when they occur?

I recall a video clip of Benjamin Netanyahu, the Israeli PM, giving a speech at the ‘Cyber Tech 2017’ conference where he talked about cybersecurity being an ever-growing problem for organisations across many industries.

“Because every system can be hacked – our airplanes, our hospitals, our cars, our banks. Actually the most important word here is our databanks, they can be hacked, and the possibilities of sabotage and worse are all there.”

To that end, one would have to say that data breaches are unavoidable, and in fact almost inevitable – either as a direct result of something that happens in your organisation or from some action in another organisation you do business with that holds your data. SolarWinds is a prime example of this, where many thousands of organisations around the globe became the victim of a system compromise by a nation-state threat actor simply by applying a software update; actions which are actually considered security best practice!

I think there are so many different ways to handle a data breach, and naturally, each response scenario will depend on the factors that apply in each case. Questions such as when to go public with a breach notification or whether to pay a ransom demand to get systems up and running again and how best to keep your customers up to date during the incident are certainly very common amongst incident response and corporate communication teams.

There is definitely a wrong way to handle a data breach in my view; not being open with your customers, not investigating an issue to the best of your capability and not investing in a security-maturity program to prevent a repeat would certainly amount to questionable behaviour. On the flip-side, there’s no real right way of handling a breach either. But above all else, communication is key – ensuring those impacted by a breach are informed and the organisation shows the steps they’ve taken to improve will go a long way to help the business recover.

6. What are some examples of how small businesses can do a better job of protecting themselves against cyber-attacks?

There is some excellent guidance from the UK’s National Cyber Security Centre (NCSC) which applies to both small businesses and larger enterprises when it comes to protecting against a myriad of cyber attack scenarios in the form of their Cyber Essentials framework.

Cyber Essentials is a self-assessment that is designed to give protection against a wide variety of the most common cyber attacks, mainly because mainstream attacks are looking for targets that do not have the Cyber Essentials technical controls in place. The guidance and controls include implementing firewalls, protecting against malware, patching against vulnerabilities, protecting emails, and controlling user account permissions.

Larger organisations that have a dedicated security team will likely also want to use a more granular framework to measure their controls maturity and will benefit from researching the likes of NIST or CIS cyber frameworks and also the ISO 27001 Information Security standard.

Two key takeaways from any framework or cyber-control assessment are that user awareness and education are fundamental to the success of any program and you cannot ignore the fact that cyber-attacks will happen.

7. Tell us about a current malware campaign that Cyber Security Directors and CISOs will want to be cognizant of.

The SolarWinds compromise has certainly gained a lot of attention across the industry, mainly due to the highly sophisticated nature of the attack and the underlying malware used and also because of the potential for complete compromise throughout an impacted environment. Some of the world’s most protected and security-focused organisations found themselves victim to this attack and indeed were the intended target, which really highlights the fact that any system is able to be hacked, either directly or vicariously.

Outside of SolarWinds there are plenty of attack-scenarios that adversaries continue to develop. Ransomware is a consistent threat that every organisation should pay attention to, as oftentimes ransomware-operators will aim to exploit victims several times, e.g. by first collecting ‘juicy’ data and extorting victims to pay a ransom to prevent a direct leak of the information, coupled with a ransom-demand to decrypt impacted systems. Ransomware therefore can be extremely costly, both in $-value and in reputational damage.

A rising threat trend is a notable increase in consent-phishing attacks. Malicious actors seek to gain unwarranted access to organisational data within cloud-based applications such as O365. Attackers are able to trick users into granting a malicious app access to sensitive data and so instead of trying to steal the user’s password, an attacker aims to gain overly-permissive authority for their malicious app which can access valuable data such as email or sensitive files.

Regardless of the attack type, organisations should ensure they pay attention to overall attack-vectors, i.e. the method through which an attack can occur. Adversaries are skilled at evading security controls, therefore internal and external defences need constant monitoring and tuning. A strong position is to first invest in asset-management – knowing what you have and where will enable a well-defined strategy for how best to protect it. All too often, adversaries are able to exploit weaknesses because organisations simply weren’t aware of the impacted asset. VPN exploits and misconfigured cloud storage definitely remain high on the agenda for adversaries too, so definitely keep patching and ensure there is visibility into your developer environments.
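The consent-phishing scenario described above (an app rather than a password being the thing the attacker wants the user to hand over) lends itself to a simple defender-side check: review consent-grant audit events and flag grants whose requested permissions are broad, whose publisher is unverified, or that were granted tenant-wide. The following is an added example written for this page, not code from Colin Hardy, TalkTalk or the Swiss Cyber Institute; the event field names, the scope list and the sample events are all constructed for illustration and are only loosely modelled on what a cloud identity provider's audit log might contain, so map them to your own log schema before use.

```python
"""Score OAuth consent-grant audit events for consent-phishing risk.

Added example: the ConsentEvent fields are an assumed, simplified schema
(not a real vendor format). The sample events below are constructed.
"""
from dataclasses import dataclass, field
from typing import List

# Delegated permissions that give an app wide reach into a user's data.
# Constructed list for illustration; tune to your own tenant's policy.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Directory.Read.All",
}


@dataclass
class ConsentEvent:
    app_display_name: str
    app_id: str
    publisher_verified: bool
    consent_type: str              # "Principal" (one user) or "AllPrincipals" (tenant-wide)
    scopes: List[str] = field(default_factory=list)
    granted_by: str = ""


@dataclass
class Finding:
    app_display_name: str
    app_id: str
    score: int
    reasons: List[str]


def assess_consent(ev: ConsentEvent) -> Finding:
    """Return a Finding with an additive risk score and human-readable reasons."""
    reasons: List[str] = []
    score = 0

    # Broad scopes: anything on the watch list, or any ".All" scope.
    risky = sorted(s for s in ev.scopes if s in HIGH_RISK_SCOPES or s.endswith(".All"))
    if risky:
        reasons.append("broad scopes requested: " + ", ".join(risky))
        score += 2 * len(risky)

    # offline_access yields a refresh token, so access outlives the user's session.
    if "offline_access" in ev.scopes:
        reasons.append("offline_access keeps access alive via refresh tokens")
        score += 2

    if not ev.publisher_verified:
        reasons.append("publisher is not verified")
        score += 3

    if ev.consent_type == "AllPrincipals":
        reasons.append("consent granted tenant-wide (AllPrincipals)")
        score += 3

    return Finding(ev.app_display_name, ev.app_id, score, reasons)


def find_risky_consents(events: List[ConsentEvent], threshold: int = 4) -> List[Finding]:
    """Assess every event and keep those at or above the review threshold."""
    return [f for f in (assess_consent(e) for e in events) if f.score >= threshold]


# Constructed sample events: one benign single-user grant, one grant that
# looks like a successful consent-phish, one tenant-wide grant by an admin.
SAMPLE_EVENTS = [
    ConsentEvent("Contoso Expense Helper", "app-0001", True, "Principal",
                 ["User.Read"], "alice@example.test"),
    ConsentEvent("Mail Backup Pro", "app-0002", False, "Principal",
                 ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"],
                 "bob@example.test"),
    ConsentEvent("Calendar Sync", "app-0003", True, "AllPrincipals",
                 ["Calendars.Read"], "admin@example.test"),
]

if __name__ == "__main__":
    for finding in find_risky_consents(SAMPLE_EVENTS):
        print(f"[score {finding.score}] {finding.app_display_name} ({finding.app_id})")
        for reason in finding.reasons:
            print("   -", reason)
```

Run stand-alone it flags only "Mail Backup Pro": an unverified publisher asking for mailbox and file write access plus a refresh token. The verified tenant-wide calendar grant scores below the threshold, which is the intended trade-off; raise or lower `threshold`, or weight `AllPrincipals` more heavily, to match how much admin-consent activity your organisation expects to see.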

8. What advice do you have for entry-level people who want to break into the field of malware intelligence?

I get asked a lot about what certificates or courses would be best for people to take in order to break into this field, and there are certainly some fantastic resources out there which we’ll cover, but personally, I’ve found getting hands-on experience with different types of malware attacks to be the most beneficial coupled with learning to articulate the risk of these attacks in business terminology. For example, learning about the infection-chain of a Trickbot attack is a complex topic that will teach you many skills about malware behavioral analysis and reverse-engineering; but coupled with articulating the risk to an organization about this particular threat will really set you apart in a job interview scenario.

I’d definitely recommend setting up a malware analysis lab and getting hands-on with some of the latest samples so you can get a feel for what organisations are up against day-to-day. For example, Excel 4.0 macros have made a big comeback lately, and they’re tricky to analyse, but being able to quickly pull Indicators of Compromise will be really important to protect an enterprise environment. Also, analysing phishing infrastructure is a good skill to learn, and understanding how best to protect your own operational security (OpSec) when approaching criminal infrastructure is well worth researching.

As for more formal training and education, firstly there are lots of great resources on YouTube which will showcase different attack scenarios and how to approach the analysis. I started by diving into the Practical Malware Analysis book, and whilst fairly old, the principles are still very relevant today in how to approach a sample.

Historically, many malware training resources centered around Windows-based malware and x86 architecture, but there should also be a focus on understanding the macOS, iOS, Android, and Linux-based operating systems as attacks often span multiple platforms. Also, your path may take you into the world of embedded systems, therefore getting to grips with qemu and other CPU architectures should definitely be on your radar.

The de facto standard course for malware analysts is the SANS FOR610 GREM authored by Lenny Zeltser, who also maintains a Linux malware analysis distribution known as REMnux. The course is simply fantastic and I’d highly recommend it, but I don’t think it should be a strict requirement for those wanting to break into this area of the industry as personally, I found it solidified lots of self-taught concepts from my earlier hands-on experimenting. It’s an amazing certificate to earn, but one to aim for following some initial hands-on experience.

Keeping pace with the industry is also what I would look for in a potential candidate. Attack-vectors are ever-changing, new exploit code is being constantly released, novel infection-chains are being observed and documented; therefore showcase how you keep up to speed with the landscape and look to follow interesting people across social-media so you can learn from others within the community.

Finally – contribute your research back to the community. Not only will you feel more confident about what you’ve learned already, but you’ll help inspire others who are looking to go down a similar path, and you’ll develop a presence online that will be visible and tangible for potential recruiters. Share your knowledge – it’s highly rewarding!

9. What policies and practices would you recommend to defend against the latest malware threats?

I’d recommend any organisation wanting to invest in a security maturity programme and to best defend their environment against a complex, ever-advancing threat landscape to invest in People, Process and Technology – in that order!

Identifying the right people that can help understand the business risk and threat profile of an organisation will cement the foundation for developing the right systems and controls. There is no one tool that will protect you from malware, and even if there was it would need the right people to configure it, drive it, monitor it, and react to it, using some form of pre-defined process. Bringing the right people together will enable your organization to develop the capability that is right for your environment.

In terms of processes, there are many cyber-frameworks out there that are very useful to benchmark your progress and maturity against and over recent years I’ve become accustomed to NIST; it’s clearly written, easy to understand, and helps bridge the gap between technical requirements and Executive understanding. Having buy-in from senior leaders to a security program is key (especially when you need funding!). Therefore using a well-known industry framework that is easy for Executives to digest will certainly go a long way to help.

And finally, Technology. Having the right people in place, and the right incident response processes developed, will enable you to make the right technology investments to protect your environment. There are so many vendors and so much amazing technology to help organisations protect against cyber-attacks that oftentimes it’s overwhelming to keep pace. Also, sometimes it takes time to roll out a solution within a large enterprise, and by the time that you finish, the market may have moved on and new, more advanced capability is being advertised. For me, this is where investing in the right people first will really help, as you will be able to focus on what’s right for your business, your threat model, and your risks versus what each vendor will want to make you think you should be spending your customers’ hard-earned cash on.

Learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.