Interview: John Fitzpatrick, MWR Infosecurity
Image credit: Nick Smith
Today, most businesses are online, which means that if you’re doing something interesting there will be hackers interested in compromising it. There are ways of keeping the bad guys out of your business, says MWR Infosecurity’s managing director John Fitzpatrick.
“There are lots of stories in the news all the time about cyber security,” says John Fitzpatrick. “It’s just that most of them aren’t pertinent to what’s going on.” He explains that newspapers will routinely publish shock-horror tales of “people’s personal details being hacked. But in the background, what you have is major Tier One banks in different countries being compromised, with huge quantities of money withdrawn from them illegally. These stories don’t really hit the press. What we’re seeing in the media is the tip of the iceberg.”
Fitzpatrick is managing director of one of a new breed of commercial organisations established to tackle such issues head-on. Headquartered in Basingstoke, MWR Infosecurity is a global cyber-security consultancy specialising in what future online compromises might look like. Sitting in the company’s London Bridge offices, close to the capital’s financial centre, Fitzpatrick elaborates by saying that these top-line stories are of the type “that might keep your PR team busy for a while explaining why your website went offline. Yet the activities that will fundamentally destroy your business are very rarely talked about.”
These are the sorts of stories where ATMs spit out money at passers-by, “but the chances are that in such cases, something more significant is going on in the background”. His perspective on the business he works in is important because despite being a youthful 32, he’s been with MWR for more than a decade and has seen a lot of changes in the market. He also worked his way up from summer intern while at university to becoming the MD.
In terms of cyber security, the starting point for Fitzpatrick is that “pretty much everything is done online today. Businesses hold a huge amount of data that is fundamental to their business. Take a bank as an example: if you can’t perform transactions, then your business is pretty much dead. Cyber security is about ensuring that businesses can sustain and continue doing what they do, regardless of threats facing them.”
However, it’s not just the world of finance that is under attack. “There’s an awful lot of espionage going on. Let’s say you’re a defence firm developing and building new technologies that are fundamental. You can’t remain competitive if they’ve been taken by some other nation state, so you need to make sure you’re protecting core critical assets and understanding what they are.” Fitzpatrick follows this up with the alarming statement that “a lot of people don’t realise what these are until after they are hit and have lost x billion pounds”.
It all comes down to this: “If you are doing something interesting, it’s very likely that someone will be interested in you.” Beyond that, you can be pretty sure there will be somebody harbouring the presumption that there’s a way of breaching your security and “stealing data in order to gain some sort of advantage, in terms of intellectual capital or financial gain”.
Where there is risk there will be organisations offering services to mitigate it, which Fitzpatrick describes as his core business. It’s essentially a game of cops and robbers, where good guys have to stay one step ahead of bad guys in order to protect their assets. So how does a company such as MWR assess risks so it can put safeguards in place? “It’s all about research. There are a lot of people who look at what is going on now, but by the time they’ve identified that problem it will have moved on, evolved and become something different.
“Building a solution for a moment in time is never going to be the right way forward. If you are too fixated on today’s problem, you’ll never solve tomorrow’s. What we’ve always done is invest a lot in researching what will happen so we can stay ahead and advise on what people can do to protect themselves in the future.”
There’s an established cultural stereotype that hackers are dysfunctional loners, sitting in darkened basements in their mother’s houses, eating takeaway pizza while trying to score a point off society by attempting to breach the Pentagon’s email system. Yet Fitzpatrick says these people aren’t the real threat.
“The reason we have this image is simply that these are the people who get caught. There are definitely people like that and they are the stuff newspapers write about. But these people lack the skills, infrastructure and experience to perform significant attacks.”
He goes on to say that the hooded hacker will get the low-hanging fruit and if you have been hit by one of these low-level opportunists “the chances are you’ve got things on your network that shouldn’t be there”.
The real threat comes from criminal gangs and nation states, says Fitzpatrick: “We’ve all heard about organisations with entire teams – in some cases tens of thousands of people – who are working in an around-the-clock way. People that don’t get caught are those working in well-funded organisations with good capability. What we are seeing is an increase in capability as people’s security posture is increasing.
“Their modus operandi isn’t so much to find a ‘best attack’ and then go and find someone to perform it on, but they do have a library of attacks they can use. Very often, they’ll start with the simplest one, because if that gets caught and detected, then they haven’t lost anything. They burn stuff that doesn’t matter. But, because that level is now leaving too many breadcrumbs around the network, criminals are starting to work at a more capable level and we will only see that increase.”
The best way to catch a criminal is to think like one, and so when I ask Fitzpatrick if that involves a strategy of getting into the outlaw mindset, he cheerfully replies in the affirmative. The problem with outlaws, of course, is that because they don’t regard themselves as restrained by law, they have potential to move faster than custodians of the law, who by definition must work within it. Yet all is not lost. As Fitzpatrick explains, there is a self-explanatory process called ‘Targeted Attack Simulation’ to which there are five steps.
“Phase Zero is all about understanding what is critical to the client’s business... the thing that would fundamentally undermine its ability to operate.” MWR will typically identify four or five goals based on this initial analysis. “If we’re dealing with a bank, we wonder whether it’s possible to take out all funds and we’ll set that as a goal. We’ll always achieve some of these goals because we’re good at what we do.”
However, says Fitzpatrick, the main objective of the phase is to identify the defence measures that need to be put in place. “It’s preferable to reflect on an attack that we’ve carried out rather than to reflect on one that somebody else has. Ideally, the time to analyse an organisation’s detection response capability is after we’ve carried out the attack and not someone else.” At this point, it needs to be stressed that such simulated attacks, when carried out with the commission and consent of the client, are perfectly legal.
After identifying areas of vulnerability, the next phase is “to get a foothold on the network we want to gain access to. There might be some common strategies we employ. Yet after that we will have significant access. We will be persistent and it will be a real mission for them to get us out at that point.”
The third step is carrying out the simulated attack. “This is what takes time, because this is where it’s all about understanding how the business works.” This phase is important as the simulation is where MWR needs to demonstrate to the client that it is capable of destroying their business. Fitzpatrick recalls an example where the objective was to disrupt a program of industrial control systems: “The guy who we were working with, his face just went white. So far as he was concerned, there was simply no way we could have obtained access to those systems.” Beyond that, had the simulated attack been acted upon, then attackers could have “dumped toxic gases into the client’s facility and killed everyone. If we can do it, a malicious attacker can, too.”
At this point “things really start, because now we have to enhance the client’s detection. Which parts of our attack did they detect, but not respond to? Which parts did they have no visibility of at all? What do they need to do to get us out of their network, bearing in mind that we are quite persistent in it? It’s a really good exercise because, for any organisation, no matter how good their security posture is, there’s always a way to get in. For some organisations, the bar will be higher. Yet there’s always a way to get into their network.”
Because cyber security experts understand what potential attacks look like, “we can help to build a robust defence. A lot of people think that this simply involves spending more money on security. But this is often not the answer.”
Phase Three is otherwise known as ‘Breach Notification’ and “this is where our cyber and AI guys work with the client”. Typically, this will involve revealing a small piece of information gleaned from the attack to trigger an investigation. “It might be an IP address. Then we’ll work with them on the investigation to see where they weren’t effective in their defence.” In other words, if this were a physical crime scene, the simulated attack deliberately leaves a footprint.
The final phase is to sit down with the client and go through what’s happened, run a few more real-life simulations, bring in management and role-play how the organisation handles the fallout at a senior level. “Crisis management, basically.”
Even though the ability to predict how hackers think lies at the heart of his business, Fitzpatrick has never been a hacker, nor does he claim any early interest in the phenomenon. “But I have always been interested in the way things work.”
He studied computer science at the University of Southampton with vague notions of becoming a software developer, “writing computer games or something like that”. Looking around for summer work with the Step internship programme, he saw two openings, one in writing software for a now defunct mobile phone developer, the other with a company called MWR Infosecurity. The latter “sounded fascinating, but I looked at their requirements and they said ‘must have knowledge of Ethereal, Wireshark’ and so on.”
Assuming there were plenty of aspiring computer scientists in the same boat but knowing these tools better, he went for the other job, “because all the awesome clever people would be going into cyber security. However, I caught up with Luke Jennings [now head of R&D] of MWR at the pub and as a result went for a placement with them the following year. That was August 2006 and I’ve been with them ever since.”
Although he signed up for a master’s degree at Southampton, he never returned to complete it “because it seemed a bit daft to go back to university to qualify myself for a job that I already had. I joined MWR as a summer intern as a developer, but I was asked if I’d like to have a stab at security testing and I thought that would be fun. On my first project, we managed to extract an entire database, including usernames and passwords, account details, credit card numbers and so on using some quite clever techniques. I think people looked at me and they must have thought I was all right at the security stuff as well.”
As a manager, one of his prime concerns is the skills shortage in the cyber-security market, so a critical part of his job is to attract, nurture and retain the best people. “There are plenty of firms that do what we do,” he says. But, he explains, a lot of the competition comes from smaller and newer firms competing in the talent-hire pool by offering marginally higher salaries. Which means that he’s big on loyalty. He thinks that the best way to run a successful team is to trust the people you work with, “and the guy who’s been with you for five minutes isn’t necessarily that guy”.