Interviews | July 7, 2017

Black Hat Europe Sponsor Interviews: NCC Group and Palo Alto Networks

Matt Lewis
Research Director
NCC Group

Q: As research director for the NCC Group you have investigated topics ranging from the security of connected cars and biometric technologies to memory scraping for credit card data. What do you see as some of the biggest emerging security threats to enterprises? How is NCC Group positioned to help organizations address these threats?

This past year as an industry, we have seen a significant rise in ransomware. This is certainly an immediate threat to most enterprises and can be catastrophic for businesses who might get hit and that do not have a recovery or backup plan. Our other core observation on threat … is the consistent theme of general poor enterprise security posture or immaturity in terms of cyber resilience. This is seen through the many data breaches publicized in mainstream media almost on a weekly basis. Most, if not all, mitigations to the threats of ransomware and data breaches are known, tried and tested, yet many organizations fail to put these controls in place. Commonly we see missing software patches, weak passwords, lack of secure SDLC, etc.

NCC Group is well positioned to help organizations address these threats through a full suite of services. With one of, if not the world's largest technical security testing teams we can assess organizational security through our penetration testing and red teaming services. Once we understand an organization's vulnerability and exposure we can then provide training services, help to implement process, policy and procedure and more broadly, help those organizations wanting to make systemic improvements and improve their overall cyber security maturity and capability. Our Cyber Defense Operations (CDO) are also available to help organizations in incident response, whether that be proactively through training and threat detection, and/or reactively, by providing on-the-ground support for when organizations face cyber attack or suffer a data breach.

Q: How has the threat landscape impacted NCC's go-to market and product/service development strategies? What's changed in the last few years?

The pervasiveness of technology, particularly as seen through IoT has seen us broaden our technical expertise in IoT and hardware. Over the last few years we have built up expert-led hardware lab facilities in Canada, the UK and the US. Creating a secure hardware product can be challenging, however, our embedded systems security specialists help manufacturers and vendors to design and test products to ensure that they meet the level of security expected. Our approved hardware and certification labs now let us test and assess a huge range of embedded systems, from low-level chip-off work up to application-layer, and everything in-between.

Our red teaming capability has also been significantly boosted over the past two years. We've seen a rise in demand for end-to-end, real-world scenario testing of enterprise security, emulating what adversaries do so that control failures can be identified to understand risk and priorities for mitigation. We've worked hard on making these services easily accessible to our clients, whereby we can ramp up technical teams with global coverage in short timeframes. [We are] leveraging homegrown capabilities such as our Piranha phishing platform to pull together phishing campaigns, which is one of the core steps in a red teaming engagement. The platform itself even offers a self-service capability so that our clients can perform their own phishing exercises to assess staff awareness.

Another change we've seen is the demand for, and value in threat intelligence. Our expert threat intelligence services have been developed to provide information to our clients on which threat actors are out there, what their intent is and which tactics, techniques and procedures they use to execute attacks against our clients or the sectors and markets in which our clients operate.

Q: NCC Group offers a pretty wide portfolio of security services. Which ones do you expect to focus on the most at Black Hat Europe 2017 and why?

With Black Hat being one of the most technical global cyber security events, we anticipate focusing on our technical security services. While penetration testing is a common service that we provide to over 15,000 clients worldwide, within our technical security consulting division we have niche practices that exist to service our clients and the wider cyber security community on those niche areas. Example practices include hardware, cryptography services, exploit development, and more broadly, our research. Last year we invested over 1,600 internal days on research. This was for a combination of internal tool and methodology development, and also externally released research by way of whitepapers, conference talks, technical blogs and various open source tools released via our labs and public GitHub repository.

Our intention is to impart on current and prospective clients that we have a truly global, truly capable team of deep technical specialists within cyber security and that there is no challenge too big for us. Many of the challenges in cyber security are technical; we want to work with our clients to help them understand and address those technical security challenges.

Greg Day
VP & Chief Security Officer, EMEA
Palo Alto Networks

Alexander Hinchliffe
Threat Intelligence Analyst
Palo Alto Networks

Q: Greg, GDPR goes into effect in just over six months. How is Palo Alto Networks helping enterprises prepare for the mandate?

Palo Alto Networks has been communicating the significance of GDPR for over 12 months now. Our aim is to share the knowledge and best practices we have built with our partners, including legal partners, consultancy firms and cybersecurity experts, as widely and openly as possible. As the deadline draws closer, this mission continues and this content is available to anyone at

As a technology company, we help organizations in a number of key processes on the GDPR journey. This starts with the capability to understand how and where information flows between applications and users, through our usage reports that give insight both inside and outside the business network.

To minimize the impact of GDPR, organizations should be looking to enforce stronger preventative measures wherever personal data is being used. To do this we encourage customers to leverage the zero-trust mindset applied through our next-generation firewall platforms.

Critically, the security incidents that GDPR addresses occur most commonly from credential misuse. Specific new capabilities in our Palo Alto Networks OS-8.0 release simplify multifactor authentication zoning and identify phishing attacks. As a result of our acquisition of LightCyber, customers can also spot abnormal spikes in traffic through user behaviour analytics and other capabilities.

Many of the requirements for state-of-the-art cybersecurity and breach notification are about organizations applying best practices. While many have, for years, used a variety of disparate best-of-breed tools, the human intervention required to coordinate cybersecurity has hampered the effectiveness of this approach. GDPR provides the ideal opportunity to consolidate and automate cybersecurity processes around a much more proactive prevention security posture, which is core to Palo Alto Networks' own strategy and vision.

Q: Alexander, as a threat intelligence analyst you are constantly exposed to the latest tactics, techniques and procedures used by threat actors. What should enterprises be scared about the most? What keeps you up at night?

Good questions! Having witnessed the changes in attack methodology over many years, something to be aware of is the evolution of persistence techniques and detection evasion. During the installation stage of the attack lifecycle, as the attacker gains a foothold on a compromised host, they will try and move laterally to compromise other hosts, increase this foothold across the network, and hopefully gain the privileges required to perform the action on their objectives.

The evolution in cybercriminals' techniques to achieve this has shifted to include greater, and more sophisticated, use of built-in tools provided by the operating system. These tools themselves are becoming ever-more powerful, allowing for system administration, are occasionally run with elevated privileges and often have implicit trust to run on the system, and can therefore sometimes be ignored by some security software leading to further compromise.

This self-sufficient method doesn't just stop with the installation stage. It can also be used for Command and Control (C2) communication as well as data exfiltration, and can often be done in memory, leaving no footprint on the system's disk. Furthermore, techniques can be employed to eliminate traces of compromise by removing system event entries that could lead to post-breach detection and hinder incident response.

Aside from my young kids, or the thought of being compromised by malware myself, attribution of adversaries sometimes keeps me up at night. It's an art form more than anything, extremely difficult if not impossible at times, and is fraught with problems and numerous rabbit holes. Many of the indicators that could lead to successful attribution can be forged to frame others, so occasionally I find myself running in circles when investigating. A colleague of mine uses an apt term for these situations – attribution soup.

Q: Greg, the cybersecurity skills shortage has become a very real problem for organizations worldwide. To what extent can automation help alleviate the issue? For what kind of security tasks do you absolutely need human skills?

Cybersecurity can typically be broken into two kinds of threats: known and unknown. With the former, it should be possible to leverage automation for prevention, but the challenge today is that too many incidents fall into the "unknown" category. Scarce human cybersecurity expertise and resource must be prioritized to be able to deal with what should be the small percentage of truly unknown attacks, and correlating the business implications of these.

Why are so many of the known attacks identified as unknown? Attacks are made up of multiple phases that must be correlated together in order for there to be confidence in the conclusions we draw. The problem is that too many organizations are still using fragmented security tools that give partial answers and cause confusion with duplicated alerts. All this means that a human must step in to validate and make the final decision, which is no longer sustainable.

Organizations recognise this and are moving from reliance on a collection of historical best-of-breed tools to consolidated security platforms. These allow much greater automation, by leveraging security tools that are natively integrated and, as such, share common intelligence. With this level of automation, organizations can correlate each element of an attack across different detection techniques to see the whole attack lifecycle. This reduces the number of alerts, increases confidence in the detection efficacy and thus moves what may seem to be unknown into known attacks.

Automation continues to evolve. With new evolving cloud capabilities and machine learning we can gather richer intelligence that can be processed at greater pace. Organizations can correlate all the permutations used by an adversary over time, not just for an individual attack, and thus build out detailed adversary playbooks. The value of these playbooks is the identification of effective security controls and the resulting evolution of tactics deployed by the adversary, which becomes an ongoing cycle.

Q: Alexander, ransomware was a pretty hot topic at Black Hat Europe last year. What do you expect will dominate the conversation at this year's event?

Ransomware will likely still factor quite highly in conversations this year, given its continued growth and evolution. Since last year, many more families have been identified, together with new techniques for malware delivery, infection routines, and ransom requests. Some interesting examples include a Middle Eastern ransomware requesting the victim update their public-facing website with violent, politically motivated messages; so-called educational ransomware exists whereby users must read articles about computer security in return for decryption; popcorn ransomware requested victims nominate other parties for infection to avoid paying; and recently, ransomware demanded nude photographs of the victim rather than traditional payment.

Newsworthy variants made use of the EternalBlue exploit to leverage network-based vulnerabilities in Windows to spread ransomware like a worm – something the industry hadn't seen for years. In many ways, the ransomware was a distraction, especially when the poor implementation of the malware is considered together with the low ransom requested. WanaCrypt0r and NotPetya could have been even more effective had it not been for various reasons. However, they did startle Internet users with what could be possible.

Other conversations this year may include threats to cryptocurrencies, not just those that use them, such as ransomware. Considering the evolution of over 1,000 different digital cryptocurrencies, with a combined total market cap of almost $136 billion, this ecosystem is a perfect target for cybercriminals. Not all organizations conduct business using digital currency so many might not be targets of malware looking to steal from their digital wallets. However, everyone is a target for malware looking for additional CPU power to mine said currencies.
