As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing James Campbell.
James has over 14 years’ experience in helping global organizations tackle sophisticated cyber espionage and criminal campaigns. James has a deep passion for cyber incident response, forensics and cyber crisis. His background includes a career in intelligence previously leading Australia’s National Incident Response capability as the Assistant Director of Operations at the Australian Signals Directorate.
After moving to the UK in 2013, James started working with PwC to help build and lead the Cyber Incident Response service. As a Director within the PwC cyber practice, he worked with his team on unveiling the APT10 Cloudhopper cyber espionage campaign, as well as helping many global organizations investigate, isolate and mitigate significant compromises.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Sydney, Australia with my incredible dad. When I began high school, we moved to a small surfing town just north of Sydney, known as the Central Coast. The Central Coast is not known as a place where people grow up to be cybersecurity professionals, and it was certainly one of the last places to get decent internet; however, the sun and beaches made up for it.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I was inspired to pursue a career in cybersecurity back in high school. During that time, a number of my mates were also into tech. This was a time when not everyone had a computer, and even those who did, did not necessarily have easy access to the internet. We loved setting up little networks — our own local area networks (LAN) — and playing around with computers. In our free time, we learned how computers worked, and familiarized ourselves with the tactics and strategies hackers used to break into them. As I grew older, I became very interested in figuring out how to STOP hackers from infiltrating systems, which is what led me to my career.
Can you share the most interesting story that happened to you since you began this fascinating career?
Other than starting a company during a global pandemic, which is certainly a highlight, it’s hard to choose the most interesting story. I think at each stage of my career, I have met so many amazing people, and have had countless crazy moments, many of which I can’t publicly disclose. However, picture getting a call that requires you to be on an airplane within 40 minutes, and calling your girlfriend apologizing because you won’t be able to make it for dinner (but you’re unable to share where you’re going or for how long). Exciting yes, but not great for relationships. I’ve helped put some really bad people in jail, contributed to decisions that had national and global impacts, and even acted as a shoulder to cry on for organizations that fell victim to major ransomware incidents. So many great stories, worthy of a beer at the pub. And I know there are a lot more to come — I am really looking forward to that.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
My family, close friends and work colleagues have all played a significant role at some point in my life and career.
In the early days, my friends and extended family introduced me to computers, and my dad always fostered all my interests regardless of what they were, even in tech despite not actually knowing much about computers himself. He always encouraged me to pursue a path in what I was passionate about and continue to learn. I’d never be where I am today without his support.
Throughout my career, I’ve met countless people who have inspired me. Many of whom have become close friends and mentors. There are too many to individually recognize, but they’ve all had a major impact on my life and have helped shape me into the person and professional I am today. If you have a genuine passion for something, and surround yourself with people with that same passion, you’ll do amazing things.
Are you working on any exciting new projects now? How do you think that will help people?
Absolutely. My co-founder, Chris Doman, and I founded Cado Security in 2020 to revolutionize incident response. By building the first and only cloud-native digital forensics platform, we have a mission to empower security teams to respond faster by taking the complexity out of cloud investigations.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
The advice I would give to my colleagues would be to identify and understand their strengths and weaknesses. Once you are able to identify what those weaknesses are, you will understand how to deal with them. Further, don’t shy away from utilizing the resources around you to help you tackle them. I would also advise my colleagues to never take things too personally and that it’s okay to take a step back and decompress, preferably with a friend and an ice-cold beer.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The first aspect of the cybersecurity industry that excites me the most is that the industry is constantly changing. I love that there is always something new, therefore I am always learning. The second is the challenge of developing novel, innovative ways to discover and stop the bad guys. Lastly, there is the cybersecurity community. I love the people in this industry. Everyone is always sharing their experiences, valuable lessons they’ve learned, and best practices for how to continuously improve and evolve. We all have each other’s best interests at heart.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
With data moving to the cloud at rapid rates, organizations are faced with a new set of challenges. Where data goes, attackers follow. And as you know, attacker techniques are continuously evolving.
For example, in August of last year, attackers dubbed “TeamTNT” compromised several Docker and Kubernetes systems through a crypto-mining worm that steals AWS credentials. This is the first known worm that contains AWS-specific credential theft functionality, indicating a wider trend. As organizations continue to migrate their computing resources to cloud and container environments, attackers are right behind them.
The complexity of cloud and container environments means organizations need to ensure they have the right visibility to efficiently investigate and respond to these types of emerging threats. Fortunately, modern DFIR platforms can take the complexity out of cloud investigations so security teams aren’t bogged down by tedious and often frustrating tasks to get the visibility required to conduct a thorough investigation.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Unfortunately, I can’t disclose some of the best stories I have. However, during my time within the PwC cyber practice, my team and I worked on unveiling the APT10 Cloud Hopper cyber espionage campaign, which was a rewarding experience. The APT10 Cloud Hopper campaign leveraged access to several large technology service providers in order to gain backdoor access to their customers. Unveiling the APT10 Cloud Hopper campaign shined a light on the importance of conducting a thorough forensics investigation to identify root cause using access to as much data surrounding a security incident as possible. Without diving in deeper, you can’t understand the full impact of a security incident, and thus can’t respond with confidence.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
The one thing I’ve found the most useful is not the tools, but understanding the environments and the data available. Once you fully understand the situation and scope, then the tools become more relevant.
Back in the day, I used to frequently use a patchwork of open source tools to complete a job efficiently. Those tools were all good in their own rights, but it was never easy to piece everything together. That’s ultimately why we built Cado Response — to provide a single platform to conduct an investigation swiftly.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency or hire their own Chief Information Security Officer?
It is no surprise that there is a shortage of security professionals in the market, so you need to utilize smart solutions to fill this gap. But you will occasionally need to call on experts like managed service providers (MSPs) and incident response (IR) firms. In addition, make sure you test and run exercises in preparation for what to do if/when a breach occurs.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
We quite often see that analysts don’t dive deep enough, often enough. Detection tools today are great, but when analysts solely rely on them, they can easily miss something. Unfortunately, they tend to miss the most damaging security breaches, i.e. when an attacker has switched to “living off the land”, meaning they no longer utilize malicious software but rather legitimate users and tools in the environment.
Four signs to look for are:
- unusual hours of activity
- accounts that are being used that should not have active logins (e.g. service accounts)
- accounts logging into machines that would not normally have the remit to do so
- unusual data volumes or connections to your network
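The four signs above can be turned into simple checks over logon and egress events. The block below is an added illustration, not code from the interview or from Cado Security: the event schema, the account and host names, the working-hours window, the list of service accounts, the per-account allowed hosts and the 10x volume factor are all assumptions chosen for the example, and the events are constructed, not real logs.

```python
"""Four 'something is amiss' checks run over constructed logon/egress events.

Added illustration, not code from the interview or from Cado Security.
The event schema, account names, host names, working hours and the 10x
volume factor are all assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed environment facts: service accounts that must never log on
# interactively, and the hosts each account is expected to appear on.
SERVICE_ACCOUNTS = {"svc-backup", "svc-sql"}
ALLOWED_HOSTS = {
    "alice": {"ws-alice"},
    "bob": {"ws-bob"},
    "svc-backup": {"backup-01"},
}
WORK_HOURS = range(7, 20)   # 07:00-19:59 UTC on a weekday is "normal"
VOLUME_FACTOR = 10          # egress above 10x the user's median is unusual

# Constructed sample events (not real logs); timestamps are UTC, ISO-8601.
# 2021-03-08 is a Monday.  A "logon" is an interactive logon; "egress" is
# bytes sent off the host by that user.
EVENTS = [
    {"ts": "2021-03-08T09:12:00Z", "user": "alice", "host": "ws-alice", "kind": "logon"},
    {"ts": "2021-03-08T10:30:00Z", "user": "bob", "host": "ws-bob", "kind": "logon"},
    {"ts": "2021-03-08T11:05:00Z", "user": "alice", "host": "ws-alice", "kind": "egress", "bytes_out": 40_000_000},
    {"ts": "2021-03-08T14:00:00Z", "user": "bob", "host": "ws-bob", "kind": "egress", "bytes_out": 35_000_000},
    # the four signs, in the same order as the list above
    {"ts": "2021-03-09T03:14:00Z", "user": "alice", "host": "ws-alice", "kind": "logon"},
    {"ts": "2021-03-09T03:20:00Z", "user": "svc-backup", "host": "ws-alice", "kind": "logon"},
    {"ts": "2021-03-09T03:25:00Z", "user": "alice", "host": "fileserver-01", "kind": "logon"},
    {"ts": "2021-03-09T03:40:00Z", "user": "alice", "host": "fileserver-01", "kind": "egress", "bytes_out": 9_000_000_000},
]


def _finding(sign, e, **extra):
    f = {"sign": sign, "ts": e["ts"], "user": e["user"], "host": e["host"]}
    f.update(extra)
    return f


def unusual_hours(events):
    """Sign 1: interactive logons outside working hours or at the weekend."""
    out = []
    for e in events:
        if e["kind"] != "logon":
            continue
        t = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if t.hour not in WORK_HOURS or t.weekday() >= 5:
            out.append(_finding("unusual_hours", e))
    return out


def service_account_logons(events):
    """Sign 2: a service account that should never have an interactive logon."""
    return [_finding("service_account_logon", e)
            for e in events if e["kind"] == "logon" and e["user"] in SERVICE_ACCOUNTS]


def logons_outside_remit(events):
    """Sign 3: an account logging on to a host it has no remit for."""
    return [_finding("outside_remit", e)
            for e in events
            if e["kind"] == "logon" and e["host"] not in ALLOWED_HOSTS.get(e["user"], set())]


def unusual_volume(events):
    """Sign 4: egress far above the user's own median.

    The baseline for each event is the user's *other* egress events, so a
    single huge transfer does not drag the median up and hide itself."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "egress":
            by_user[e["user"]].append(e)
    out = []
    for evs in by_user.values():
        for e in evs:
            others = [o["bytes_out"] for o in evs if o is not e]
            if not others:
                continue  # no baseline for this user yet; nothing to compare
            base = median(others)
            if base > 0 and e["bytes_out"] > VOLUME_FACTOR * base:
                out.append(_finding("unusual_volume", e, bytes_out=e["bytes_out"], baseline=base))
    return out


def analyse(events):
    """Run all four checks and return findings ordered by time."""
    findings = []
    for check in (unusual_hours, service_account_logons, logons_outside_remit, unusual_volume):
        findings.extend(check(events))
    return sorted(findings, key=lambda f: (f["ts"], f["sign"]))


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f["ts"], f["sign"], f["user"], "on", f["host"])
```

Run stand-alone, the script flags nothing for the Monday daytime events and seven findings for the Tuesday 03:00 cluster. Signs 2 and 3 need a ground truth the logs do not carry (which accounts are service accounts, which hosts each account may use), which is why knowing the environment matters more than the tool; sign 4 deliberately baselines each transfer against the user's other transfers so a single large exfiltration cannot mask itself.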
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The first place to start is to establish a crisis and incident management plan before a breach even happens. Taking a proactive approach to security should be a priority. However, if you do not have one in place and an attack has already occurred, it is important that the organization thoroughly understands exactly what has happened. It is imperative for all the information and details to be gathered, in order for organizations to respond accordingly and ask the following questions:
- What are the necessary resources, both internal and external?
- What data has been impacted?
- What legal and/or customer obligations do you have as a result?
Once those questions are answered, organizations will have identified the vulnerable data and can focus on preserving it. They can collect it in a forensically sound way, conduct investigations as needed and begin to take remediation actions.
Companies and organizations should take these recent measures very seriously. The Cado Security team has paid close attention to recent developments. We’ve built our platform with these regulations and measures in mind to ensure that we meet the requirements that our customers have in this space.
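"Collecting it in a forensically sound way" at minimum means hashing each artefact before it is copied, hashing the copy, and keeping a manifest so anyone can later prove the evidence has not changed. The block below is an added illustration of that integrity step, not code from the interview or from Cado Security; the file names, their contents and the collector name are constructed for the example, and it runs entirely inside a temporary directory.

```python
"""Forensically sound collection: copy artefacts, hash source and copy,
record a manifest, and re-verify the manifest later.

Added illustration, not code from the interview or from Cado Security.
Paths, file contents and the collector name are constructed for the example.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(sources, evidence_dir, collector):
    """Copy each source into evidence_dir and write manifest.json beside the copies.

    Each item records the hash taken *before* copying; the copy is hashed
    again and a mismatch aborts the collection rather than producing
    evidence whose integrity is already in doubt."""
    items = []
    for src in sources:
        before = sha256_file(src)
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copyfile(src, dst)
        if sha256_file(dst) != before:
            raise RuntimeError(f"copy of {src} does not match its source")
        items.append({"name": os.path.basename(src), "source": src,
                      "size": os.path.getsize(src), "sha256": before,
                      "collected_at": datetime.now(timezone.utc).isoformat()})
    manifest_path = os.path.join(evidence_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump({"collector": collector, "items": items}, f, indent=2)
    return manifest_path


def verify(manifest_path):
    """Return names of items whose copy is missing or no longer matches its recorded hash."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    evidence_dir = os.path.dirname(manifest_path)
    bad = []
    for item in manifest["items"]:
        copy = os.path.join(evidence_dir, item["name"])
        if not os.path.exists(copy) or sha256_file(copy) != item["sha256"]:
            bad.append(item["name"])
    return bad


def demo():
    """Collect two constructed artefacts, verify, tamper with one copy, verify again."""
    with tempfile.TemporaryDirectory() as work:
        src_dir = os.path.join(work, "host")
        evidence_dir = os.path.join(work, "evidence")
        os.makedirs(src_dir)
        os.makedirs(evidence_dir)
        samples = {  # constructed contents, not real artefacts
            "auth.log": b"Mar  9 03:14:00 ws-alice sshd[412]: Accepted password for alice\n",
            "bash_history": b"ls -la /tmp\nwhoami\n",
        }
        for name, data in samples.items():
            with open(os.path.join(src_dir, name), "wb") as f:
                f.write(data)
        manifest = collect([os.path.join(src_dir, n) for n in samples],
                           evidence_dir, "analyst (assumed name)")
        clean = verify(manifest)
        with open(os.path.join(evidence_dir, "auth.log"), "ab") as f:
            f.write(b"tampered\n")  # simulate a post-collection modification
        return clean, verify(manifest)


if __name__ == "__main__":
    print(demo())  # ([], ['auth.log'])
```

The manifest itself should be stored and signed (or at least hashed and recorded) separately from the copies, since an attacker who can alter the evidence directory could otherwise rewrite the manifest to match; this example stops at the hash-and-verify step that every collection needs.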
What are the most common data security and cybersecurity mistakes you have seen companies make?
The most common data security and cybersecurity mistakes that we see companies make are:
- Not conducting a full proper investigation — When organizations are not digging deep enough (relying on detection solutions and high-level system data only) they fail to understand the real risks.
- Not understanding where the company’s data is and how it’s used across its environment — Organizations should know where the crown jewels reside and where the weakest links are.
- Lastly, not understanding the recovery and backup process — A best practice is to store data in offline backups so attackers cannot compromise them.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes, the risk to organizations has unfortunately increased.
On one hand, the rapid transition to remote work has led to a sharp increase in cloud adoption, and in many cases, cyber security has fallen behind. While legacy security tools have promised to adapt to the cloud, there are still major limitations and hackers have taken notice.
Further, COVID-19 has even made those more traditional cyber investigations extremely difficult. We’ve spoken to many organizations that cannot conduct a proper investigation because they are unable to fly to the location of the physical device. This, unfortunately, means security teams are either not conducting proper investigations at all, or are forced to hack together manual techniques to conduct remote collection, which doesn’t always work as planned.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
The 5 things that every company needs to know in order to tighten up its approach to data privacy and cyber security are:
- Know your organization’s data and where it is located
- Stay informed on the ever-changing rules and regulations
- Listen to the customers (what are their concerns and what are you doing to protect them) and adapt accordingly
- Always be prepared for a breach. As stated above, a proactive approach to data and cyber security is vital. Identify how you’ll respond to particular incidents (crisis and IR planning, fire drills, etc)
- Lastly, know your organization’s threats, its weak points, and its gaps. Where are the risk points?
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective, layperson and something everyone can do!)
The advancements in technology, in particular the cloud, have made life so much better, but the general population is scared of security in our new tech landscape. I’d love to make security easier, more accessible, and less scary to everyone.
How can our readers further follow your work online?
Readers can follow us online, and on LinkedIn and Twitter, links provided below.