Every Nation-State Has an Offensive, Defensive Cyber Capability: It’s the New War Protocol – Context CEO

Context provides technical support to clients, mainly from the finance, defense and heavy engineering sectors. Other customers include Formula One companies, accountants, lawyers and anyone who has valuable intellectual property.

Interview With Mark Raeburn, CEO of Context Information Security, based in the UK
Part of the reason why ransomware has gotten so bad, so quickly is due to the migration of nation-state capabilities to the organized criminals, said Raeburn. Two or three years ago, the organized criminals were using fairly rudimentary malware and phishing against domestic users, trying to gain access to bank accounts to steal whatever they could. As with everything, evolution takes over, and they work out that rather than going for individuals, they can go for corporate entities, allowing them to get a lot more money into their accounts.

The problem is that going after corporate targets is a lot more difficult than going after individual machines. They have been aided by the huge amount of work that has been done by security companies to understand how nation states use malware. The one that has probably had the most work done on it is Stuxnet. When the Stuxnet attack was analyzed, there were probably between 40 and 50 papers on the internet about how it was put together and how it was used.

The criminal gangs can read that as well as you and I, and they can work out that they can do much better things with more advanced malware. It has become an open market, so people will write very capable malware for the criminal fraternity, allowing the organized criminals to become more prolific than they used to be. They have also been able to monetize that in a way very different from how they have struggled to monetize traditional crime from domestic sources. Corporate money moves around much faster because it’s generally in a banking infrastructure, unlike individual money, and moving large amounts of money isn’t as suspicious for them as it would be for individuals.

All of those ingredients have served to fuel the fire, and to increase the capabilities of the bad guys, and it is also exceedingly difficult to catch them. They generally operate in other parts of the world where there is no jurisdiction, and their risks of getting caught are really low. We are totally unprepared for the volume of malware that’s occurring, and it will only get worse.

Shadow Brokers

We could speculate all day about who it might actually be, but the fact that the files have been dumped on the web for less than they are worth suggests that it is the handiwork of a nation-state. Criminals tend to want more for what they have stolen, while nation-states want to cause problems and embarrass people – that’s their method of operation.

It’s no secret that every nation-state has an offensive and defensive cyber capability – it’s the new war protocol. Offensive and defensive malware capabilities are now part of the normal political and military capabilities. The UK and the US recently announced that they have a joint cyber partnership to further their abilities in that area, which will only grow in time. It raises the question of the plethora of malware that can be used for offensive capabilities and then drawn into the criminal fraternity. There are parts of the world where they develop that capability, but don’t have the money to pay the researchers, so they freelance. What’s developed in the office during the weekday can be used over the weekend, and we have seen examples of that.

There are consultancy companies that sell their services to anyone who will buy them – and they make no distinctions. It only increases the need for everyone to be more aware of the risks, but it’s not the high-end stuff that’s affecting most people, it’s the really simple stuff that still works.

We operate in four distinct areas, but assurance is the biggest for us. This involves an analysis of the security arrangements already in place, and determining whether they are adequate or not. We also check whether the security arrangements are up to the expectations of the organization, and this is mostly penetration testing and red teaming. We test the entire security posture of the organization, including the people, processes and procedures, then deliver a report back to the organization, highlighting the weak areas that an attacker might use to gain access.

We have forensic capabilities to investigate malware and network traffic, identify compromised machines, and work out who, why, what and where. We generally end up presenting to the board at the end of the exercise, and we recommend a remedial set of plans to help them.

Research is focused on new technologies, where we look at hardware and software, take them apart, and help remediate them before they go into production, are sold, or are incorporated into a large environment.

When a client wants to redesign their network, segment their network, wants policies, or wants to know how they compare to whichever control framework they might consider relevant – we offer technical expertise to help them figure it out.

Context Investigates Breaches

Context also does investigation response, which is focused on the investigation of breaches that companies have suffered. Occasionally, it is proactive – before they have been breached, we help them think about what would happen if they were breached. Sadly, most of the time, it involves the investigation of a breach that has already occurred.

When we carry out an investigation, the breach has generally already occurred, and we are looking for evidence of that event. In 40 percent of the cases we handle, there isn’t sufficient logging and data on the site to be able to draw any firm conclusions, so you find yourself looking for future events rather than evidence of past events. What certainly ends up happening is explaining to the organization what they need to have in place so that if another event happens, they do have the evidence.

In some cases, there is plenty of information and we can carry out a full investigation, and produce a full report to the board with an explanation of what happened, what data was lost, who we think might have taken it and why. If it’s a nation-state, they will generally come back to do it again, so we help the company think about how it affects their business and how to segregate data. For most companies, it’s not everything that matters, so we work with them to prioritize and put the most important parts of their business under the best security. It depends on the organization, since they all have different needs and different risks. Getting the policy right within an organization is also important, and it is necessary to ensure that the organization is delivering against that policy, which is why the red teaming and pen testing we do is very important.

Speaker: Mark Raeburn, CEO of Context Information Security, based in the UK

About Context

Context was founded by a group of security managers and consultants whose experience led them to identify the need for a truly holistic and product-agnostic security services consultancy. Context was launched in 1998 and has a client base including some of the world’s most high-profile blue-chip companies, alongside government organisations. An exceptional level of technical expertise informs all our work, while a comprehensive approach means we can help clients attain a deeper understanding of security vulnerabilities, threats or incidents. Our strong track record is based above all on the technical skills, professionalism, independence and integrity of our consultants.