Throughout Cybersecurity Month, we will introduce you to our experts, who will talk about what they are passionate about, their expertise, and how they are helping to build a safer digital society.
A real IT and security enthusiast, Robinson Delaugerre, Incident Response and Digital Forensics Manager, explains his job to us.
The ethos of my job is helping victims. Making sure that companies that are victims of a security incident can take back control and start over.
What do you mean when you say incident?
There are several definitions of the same word. For us, a security incident is the result of voluntary, malicious actions by someone seeking to do harm.
Any violation of digital security can be called an incident, but I believe they may be accidents as something can be done inadvertently. It is relatively easy to respond to an incident. We can take action with the person who made an error or after fraud has occurred.
I call it an incident when there is a hacker opposing me. I call them “threat actors,” someone who will respond to what I am doing and who will continue hacking. It's a very important difference.
It's important in the way we respond?
Yes! There are two main moments in a security incident. Intrusion and detection.
The first stage, intrusion, is when the hacker gets into your system. Detection is when you realize. And between the two, there is a zone: the hacker is in your system, you don’t know about it, and they do what they want. The longer it lasts, the more dangerous it is.
On the other side, after detection, the same zone is mirrored. It is when you know the hacker is there, but they don’t know that they have been detected yet: this gives you a significant operational advantage. It's a key moment.
That is when brains beat bots...
Yes, now we have to be intelligent. If a hacker is good enough, interested enough to stay where they are, then they will. They build an attack that is difficult to detect that will enable them to come back six months after first being detected. They come back from what had been detected the first time.
Between the time when the hacker doesn’t know you are there and the time when they do, what is your margin of maneuver?
There are lots of things we can do during this time.
The first thing is trying to identify the type of hacker and why they are there. These are the first two questions: Who are they? What are they doing here? If it is an opportunistic attack, we can take very fast, strong action. We can scare them by cutting off all access, by deploying security solutions, in a nutshell: we strike hard!
But if it is a complex, intelligent attack and we are having trouble identifying all the ways the hacker is controlling the system, they stay inside and they know we are there, what we have seen, the means we have, and what we haven’t seen yet. Then the hacker goes away, or continues to hide things, taking precautions to be able to come back in the future.
You get a real sense of tension, and I imagine that you are working against the clock. Is the response time essential?
No, actually! It’s counterintuitive, I know. Every second counts to react, but it requires a high level of maturity. I have customers who say to me: “with ransomware you have to act as fast as you can!” But I’m not going to run to put the fire out when the house has already burned down.
Everything depends on your ability to detect things quickly, and to detect subtle things. If I react within 10 minutes, the hacker only has one foot in the IT system. I cut off the foot, close the door, they can't get in again, right? But who have I detected? What have I detected?
If I take a medical analogy, gangrene, we quickly detect the attack and do what the doctor does, cut it off. In this case there is a rapid, direct response. Very little harm is done. But what data has the hacker managed to get in this time? What is the potential they will come back through another door? Do I react 10 minutes after or 20 minutes after?
How have the types of incident changed in the past few years?
In the past decade, what has happened is that cryptocurrencies have arrived on the scene. That was the beginning of the end. This enabled some hackers to find a way to be paid by taking people’s data hostage, in a much safer way for the hacker. The business model of (non-state) hackers was revolutionized. Up until then, they monetized their attacks by stealing bank cards from e-commerce sites. But these companies were fairly well defended.
Four or five years ago, amateurs went pro and ended up sitting on millions in bitcoin. But that money needs to be laundered. And that is when the networks were created, the hackers got into bed with organized crime, and real cybercriminal mafias were born. You wouldn’t think they were organized like firms, with a hierarchy, teams, departments, and even an HR department.
Hence the coordinated, complex attacks with no specific targets?
Yes, these attacks no longer necessarily have a specific target when they are launched. They become targeted, depending on opportunities and the response.
Yet attacks against hospitals are front page news. Are they not targeted?
No, not necessarily. It is purely opportunistic. It just so happens that hospitals have lots of IT infrastructure and cannot stop working, so they are more vulnerable. Hackers get into a hospital among other targets, but they wait for the right moment, Friday night for example.
And if we talk about this more, it is obviously because it has a significant impact, as continuity of care is at stake. It puts the patients’ health and even their life at risk.
Stress management, both our stress and the victims’, and the fact that there is no room for error. And this takes a whole lot of organization.