Protecting the Financial Sector Never Goes out of Style

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 140 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest this week is Daniel Cuthbert. He's global head of cybersecurity research for Banco Santander, and he sits on both the Black Hat review board and the Black Hat training board.

Our conversation centers on his work in the financial industry, his unusual path to cybersecurity, and his thoughts on creative diversity. We get his take on threat intelligence as well as his insights on team leadership and seeking a career in the space. Stay with us.

Daniel Cuthbert:

I've been, I guess technically involved in hacking since mid-90s, although we didn't really have much of a penetration testing industry back then. So you went down the route of either developer network admin, sysadmin, or some kind of engineer. And those are the ones I went into. But I actually studied fashion, so my creative background was where I wanted to go, but the hacking side was always one that appealed to me. I loved tearing stuff apart, working out how it worked, what it did, how they built that. And then as the world wide web was coming up, that kind of fell into place where you could now maybe get a career doing this. And I got one started at the Financial Times in ‘97, where we were helping build the first ft.com website, and that started the whole journey.

Dave Bittner:

And so your position today, what's your day-to-day like there?

Daniel Cuthbert:

It's mostly to do with understanding where the group's going from a security perspective. So looking at how attacks are evolving, attackers are evolving, engineering solutions to make the group and our customers a lot more secure, and just generally keeping on top of what's happening in the industry, what's happening in the criminal world, and how we can start making a big dent in those who still think it's easy to hack and gain access to people's data.

Dave Bittner:

You work for one of the largest financial institutions in the world. How do you manage the scope of that job? It's vast. How do you break it down to manageable pieces?

Daniel Cuthbert:

It is. Luckily with us in the research side, we're not fully operational. So we get to step back a little bit. It doesn't mean that we're not busy. We've still got some pretty large tasks to try and do. But it's more about where can we make an impact that drastically makes the lives of hundreds of thousands of employees and hundreds of millions of customers a lot better. And that drives a lot of what we do.

There's simple things like skimming. Credit card skimming is annoying. It's silly. It's crazy that it's still a problem. So how do we solve that? Also, how do you make it now where customers can feel secure when they do online banking no matter where they are, no matter what network they're on? So some of the problems that we as an industry try to face and fix for a while now, we're trying to look at doing.

Dave Bittner:

Is there a lot of collaboration in the financial industry?

Daniel Cuthbert:

It's definitely getting better. Traditionally, I think, in the 15 years I've been involved with banks and testing for banks, they weren't sharing as much as they should have done. But it's definitely getting better. Because I think if you look at the attacks against not just banks but everybody, the wave of criminality has just become so big that you'd be crazy not to try and share and collaborate now.

Dave Bittner:

You do quite a bit of work with Black Hat, both on their review board and their training board. Can you give us some insights? What are your contributions there?

Daniel Cuthbert:

Yep. So I sit on the numerous review boards for both the US and Europe. And that generally means when the CFP, Call for Papers opens, we go through and review each talk and hopefully get it accepted in the lineup for whichever con that's at. In a couple of weeks we have Black Hat London. And that's actually a considerable amount of work. It's normally about two or three months of solid work.

I think this year for Black Hat USA, there were nearly 20 hours of solid phone calls alone. So, we do take it very seriously. I think a lot of people think that we just spend a couple of minutes on our paper and just move on. It's not, we do really talk about it, Slack and DMs, and I reach out to a lot of presenters if I think that the idea is good, but it's just not being articulated in a way that we understand it. I'll get on to Zoom or any other chat medium to say, "Listen, tell me what you're trying to solve here. I want to hear more."

Dave Bittner:

What are your recommendations for the folks who are trying to get in some of those presenting slots? Are there common mistakes that people make?

Daniel Cuthbert:

Yeah, I think the best bit of advice I can give is don't think that you shouldn't submit. This is a weird misconception that you think, "Oh it's not good enough. I'm not going to bother." That's always not the case. And then the second one would be, get a friend to read your submission.

It's quite sad to see how many submissions are incomplete or they don't make sense or somewhere buried in the submission is the nugget of what drove you crazy. That itch you wanted to scratch but you’re just not articulating it in a way that should be easy for everybody to understand. And I think if you gave it to a non-technical person to say, "Read this and tell me what you think." They'll give you a lot of honest feedback. And the last couple of years I've been trying to reach out to a lot of people to say, "Listen, like I said before, I think I know what you want to talk about but explain it to me again." And we have helped them rewrite the submission or so on. So the easiest thing is to just get people to review it and not those that are just going to nod and say that was amazing, but honestly give you valid feedback.

Dave Bittner:

What do you get out of that personally? Why is it important for you to spend some of your time on tasks like that?

Daniel Cuthbert:

I genuinely love it. I love to see what people have got up to on the cold winter months or the stuff that they've been working on for years.

I'm very lucky that my job is my hobby. So, it's pretty cool and very privileged to be able to see what's coming, in six months’ time, where the industry could change. Some of the amazing clangers that people might drop that could potentially change how the internet works or people use the internet. So, it's a truly honorable position for me to be in and to see what people are working on.

Dave Bittner:

What is on the horizon when it comes to security and the financial institution and with banks in particular? What sorts of things with your work in research do you see coming in the future?

Daniel Cuthbert: It's a vast question. I think especially in Europe, PSD2. So, the Payment Services Directive has really changed how banks work with other banks and other services. It's really opened it up, API all the things, I like to say. And I think that's really changed how data's now being used and people can do stuff with their money more than there used to be.

I think banking is definitely changing. One of the areas I'm really enjoying looking at the moment is wearable contactless payments. So I rarely travel with a wallet now. I've got my phone and I use that for, I'd say about 90% of all my payments at the moment. But again, I'm also getting annoyed with phones. I don't want to carry a phone anymore. So the idea of a wearable contactless payment ring, that's quite appealing. So it's going to be interesting to see the innovation that's happening over the next couple of years as people move away from traditional banking and more into modern ways of banking.

Dave Bittner:

What sort of effect has GDPR had on you?

Daniel Cuthbert:

Quite a bit actually. I never thought I'd be actually very pro-legislation or laws such as that, but I think it was needed because it was too easy to gain access to people's data.

There was no real responsibility for that company to do anything to make your data secure. Oh, you've been hacked. They'd wheel out the person to be in front of the cameras. They'd say it was a sophisticated and advanced attack and we're really sorry, and we've hired the best people to come and fix it now. But that was it. They never did jail time. The company never really suffered. The people that did suffer was the poor schmuck whose data was lost. And then now having to deal with the cleanup. And I think what GDPR has given, at least in my experience, is that huge stick. And we saw that with British Airways. That was one hell of a fine and it's made a lot of people finally realize, you can't just treat people's personal data with such disregard.

And it was like that. The amount of pen tests we did were just shocking. They did not care what was happening with people's data because there was no punishment. Why would you spend all those millions on security when nothing was really going to happen to you?

Dave Bittner:

I want to get your perspective on threat intelligence and the part that you think it plays in an organization's defenses.

Daniel Cuthbert:

That's a controversial one. I'm disturbed, I'm worried by the vast wave of threat intelligence at the moment. It's very in vogue and there's, wow, so many companies doing at the moment. And I think the key thing with any kind of threat intelligence is, you have to know how to use it. And I think a lot of the time, you have all these feeds and you have these people telling you, "Listen, we found this group and here's the APT number and they're doing this TTP and everything else." And it sounds great.

And they're telling everybody in the world how the Chinese are doing this and the Russians are doing that. But what a lot of the time we're not seeing is how that company, that individual at the company can actually act upon that. And I think it's become more of a race to the bottom with a lot of these newer firms trying to outperform each other by just doing these amazing exposés, as a hacker of 20 plus years, pretty vanilla hacking techniques. There's nothing fancy about it. They used a VPN. Oh my God. Yeah. A lot of them do use VPNs.

So I think it's still a relatively new industry and I think there needs to be some kind of balance between the amount of information that's going out. It definitely serves a place. It really does, because if you're trying to do that yourself, there just isn't enough hours in the day. And I think that's where a really good threat intelligence can really help you. But at the same time, they can't tell you what you need to know. That's your responsibility. You understand what the risks are for your business, how you need to use them, how you need to articulate that to the various teams, to the board and so on. So it's going to be interesting to see what happens with the threat intelligence community in the future.

Dave Bittner:

How would you describe your own leadership style? How do you manage your team?

Daniel Cuthbert:

I don't, and if they maybe listen to this they'll probably laugh and point fingers, but I treat everyone like adults. We all have things to do. We use the tools everybody else does, JIRA. You have a task, do it, don't care when it gets done, don't care what you're doing for the rest of the day.

That's it. I'll be there bending over backwards and giving support. But that's where I draw the line. I don't want to be that micromanagement type person. Treat people like adults.

Dave Bittner:

What do you look for in employees when you're sifting through resumes and folks are applying for jobs they want to come work for you, what makes someone stand out from the crowd?

Daniel Cuthbert:

I think it's the itch. It's the passion. It's the, does this person seem as obsessive as I am when I'm trying to help or change or fix or break or do something? I tend to look less at CVs these days than ever before. I love to just take people out and have a coffee or a lunch. Just say, "Listen, what are you working on? What's your itch? What's keeping you up at night? If you could change banking for 160 million people, how would you do it?" So yeah, it's a bit of a different way of doing things, but I'm more into the personal side than anything else these days.

Dave Bittner:

When we started our conversation, you mentioned that you originally had had an interest in fashion and that sort of thing is something that I'm hearing more and more of folks who have backgrounds in the more creative arts and music or fine arts or things like fashion. How do you think that that background serves you well in the work that you're doing today?

Daniel Cuthbert:

That's a very good question. I'm very much a visual person. It's why I'm really bad at writing code and doing anything maths-related because I just don't think that way. Give me pencils, give me charcoal, give me stuff I can manipulate with my hands and I can see, give me the psychology of color of something that I love looking at.

And I never thought the two would work together. But actually, in the last four or five years, they really have. At SensePost, we worked with rule of Tamminen, Andrew from Paterva, and they were building Maltego, and that was link analysis. And when I was tracking ISIS, you had this vast amount of data but you had it on a screen where it was incredibly visual. It was no longer just code. And I started to really pick that up. Now we're doing a lot of hardware and hardware design and prototyping and I've literally gone back to sketching and using charcoals.

We're doing a Christmas project for the team and I pulled out a piece of A3 paper and I sketched it and I was smudging charcoal in and making a mess. And it was phenomenal because this is a fairly wide mix of technologies and nixie tubes all the way to APIs. And here I am sketching in a clutch pencil with charcoals and using spit like I did at art school to shade the boxes.

And so I think that the creative side, I agree with you, there's a lot of my friends who come from creative backgrounds and it's nice to see a lot of them are now coming out. One of the best hackers I've ever had the pleasure of working with, a guy called George, was a zoologist. He loved insects, but he was evil. My God could he break stuff. It was nice to see a lot of people thought back then it's competing technologies and skills and degrees now working together.

Dave Bittner:

I can't help wondering if it's also a sign of maturity in the industry that there's more openness. There's an opening up to this diversity in styles of thought in different modes of creativity than we saw in the past.

Daniel Cuthbert:

Yeah. I mean our industry is still very young, 30 years, 30-40 years, and I think we're still finding our way. We've gone through the rebellious teenage years, the awkwardness, the fumbling, too. Okay, we're adults now, we need to grow up a little bit more and I think that's where people are a lot more welcoming to just so many diverse backgrounds because technology is hard.

It's not an easy industry. There's always new tech that you have to learn and there's a constant pressure to learn that and make sure you're good, at least for me. I have some of the worst imposter syndrome in the world. The people on my team are just incredibly intelligent and it's very daunting when you walk into the office because you'll have some say, "That's super easy." In the back of your mind you're going, "No, it's really not. I'm going to go home and spend five hours reading this because it's not super easy."

Everybody brings different skills in. I never thought I'd be using charcoal and yet it was found useful. So, it's good that it's very welcoming.

Dave Bittner:

I think also for me personally, it's endlessly intellectually stimulating to be around those types of people who are thinking and functioning at that high level because there's always something to learn.

Daniel Cuthbert:

I don't think there's been a day in the last decade where I haven't learnt something every day and I love that. It's also annoying because you don't just get to go to bed. When you go down that rabbit hole, I guess maybe it's the small subset of us. But when we have that itch, you forget to adult. A perfect example, I thought I just had a chest infection. I ignored it. Nope, it was pneumonia. So sometimes it can be annoying when you can't adult, but the other times it's great to be around lots of people that get to inspire you and you learn a lot.

Dave Bittner:

What's your advice for that person who's coming up considering a job in the industry, specifically in the financial side of things? What sort of advice would you have for them to prepare for that sort of career?

Daniel Cuthbert:

I think when you first come in and if you're fresh, you're going to be so overwhelmed. I mean, wow, there are so many different areas in the industry that you can get into. And I think there's always the push, especially in a lot of the newcomers that I've mentored where they want to do everything. And I think that's dangerous because you'll burn out really quickly. You want to join the industry because you either have an idea or you have an itch or you have a skill. Stick to that. Don't worry about all the other squirrel distractions that are happening out there. They will come.

But if you say, "Right, I really enjoy hardware, I love electronics, I love how things work." Stick to that, build that up and then start that as your great foundation. And then only when you're comfortable with that and you feel like I've mastered this, do you move on to something else. Because I've seen a lot of the newcomers that I've mentored, they want to do everything and it just burns them out badly and they start resenting and you're only in year two, keep it minimal for now and then build upon that.

Dave Bittner:

Our thanks to Daniel Cuthbert for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.