October 22, 2018 • Amanda McKeon
Joining us today is Nicolas Cairns, director of Aegis 9 Security Intelligence, a cybersecurity firm located in Canberra, Australia. In his career, Nicolas has worked in both offensive and defensive cybersecurity operations, threat intelligence, malware analysis, digital forensics, and incident response, as well as threat and risk assessment.
He shares his experience building a career in security, transitioning from the military to the private sector, having a hand in Australia’s first intelligence collection system, and working as a pen tester. Throughout it all, his career has been marked by a strong work ethic and desire to keep learning, to keep improving, and to put in the extra time and effort. We’ll hear his thoughts on threat intelligence, specifically how organizations can best manage the growing volume of information available, and how to best transform that information into actionable intelligence.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 79 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Joining us today is Nicolas Cairns. He’s the director of Aegis 9 Security Intelligence, a cybersecurity firm located in Canberra, Australia. In his career, Nicolas has worked in both offensive and defensive cybersecurity operations, threat intelligence, malware analysis, digital forensics, and incident response, as well as threat and risk assessment.
He shares with us his experience building a career in security, transitioning from the military to the private sector, having a hand in Australia’s first intelligence collection system, and working as a pen tester. Through all of it, his career has been marked by a strong work ethic and desire to keep learning, to keep improving, and to put in the extra time and effort. We’ll hear his thoughts on threat intelligence, specifically how organizations can best manage the growing volume of available information, and how to best transform that information into actionable intelligence. Stay with us.
I enlisted in the military when I was around 17 years old. I joined what we used to call — the colloquial name is — a “geek.” So, it was easy then, when you joined the military, to do all their signals — their networking, the servers, the connections, the deployable systems, and when you go into the field, oversee the operations. You were the guy, or the team, that created the network and made sure that it was up and running for the commander.
I did that for about 12 years before I left the military. I was at the Defense Force School of Signals, where all the Navy, Army, and Air Force information technology recruits from all the different disciplines go to learn and train. I was a teacher down there.
While I was in the military, I thought, “I really enjoy security!” Security wasn’t a big thing back then. In my journey, being in the military, I decided to do extracurricular training, doing SANS courses, Linux courses, Windows fundamental courses — the low-level stuff — to build myself up to when I was going to leave the military, to then become a security expert.
After leaving the military, I joined a security intelligence company. My main two roles were pen testing and intelligence collection operations. One of the main things I did while I was there was, I built Australia’s first deployable, tactical intelligence targeting collections system. So what it does is, you deploy this box into the field, and then you do your tactical and operational intelligence. It could be in the forward operating base, it could be anywhere in the world, and that data does get sent back to the strategic network. I was the guy, the dude, that designed the system — well, not designed the system — but built the system from the design, and then implemented the training. I taught military individuals in intelligence disciplines how to track, target, and collect information using certain products and systems, and then collate their data together to provide actual intelligence to their leadership.
And from then, that company had some issues, as some do, and I left and moved on from that, and focused more on offensive security, like penetration testing, and also open source intelligence. I blended those two disciplines together — that’s where I am at now in my business. It’s security intelligence, so it’s a blend of both intelligence discipline and also the security function.
In most of the companies from then on, I was doing the same function, except in my last role I was the head of threat intelligence for a SOC or an MSSP. I leveraged those disciplines of the offensive security, and then reversed them around to become on the defender side and understand how nation-state groups, hacktivists, and all those malicious threats get into networks, get into companies, get into systems, and then exploit them. And so, then we flip that around to better defend against them.
I’d like to dig into some of the specifics of some of the things you’ve specialized in. Can we start with penetration testing? What was the process by which you acquired the skills to be effective doing that?
Yeah. That’s a good question. There are lots of people’s opinions on penetration testing and how it works, you know, what’s the process of getting there? And I found that one of my main goals or personal things in my life is continual learning. When I was in the military they didn’t teach Linux fundamentals, Linux Kernel, Linux networking, all that kind of stuff, so I had to learn that off my own back.
Once I had a good base of understanding of how the Linux operating system worked, how the programs work compared to how Windows operating systems work, I built on that and then went into the offensive side because there are a lot of tools and processes and flow processes within penetration testing. I built on the Linux operating system, so once I did that, I took all my SANS courses, other courses, to build me up in certain areas that I wasn’t fully competent in.
Once I got to that level, then I just started out doing deep dive programming, bash elif scripting, and using a lot of open source tools and a few paid tools to get me to the base where I needed to be. And then once I was there, you’re continually learning, so when a new course comes out, when a new training opportunity comes out, always be the first one to put your hand up and get on that so then you’re always at the forefront of technology.
And especially within penetration testing — it’s such an offensive hacking, assurance methods. It’s always evolving. It’s always changing. People are bringing new tools, new tactics, new pieces of malware. New APT findings come out, so pen testers use those findings to pen test their client networks to have a better result for the client.
I’m curious what your take is on how much your own creativity comes into play when you are doing penetration testing. I would imagine, like you say, taking courses was very important to you, keeping on the cutting edge of the latest technology and the latest techniques, but at some point, it’s up to you to assemble those things and apply them in a creative way.
Yeah, that’s exactly right. There are so many different tools, processes, and things you can use to do your job, but it comes down to you and how you use those tools to create an outcome. And I found in my security career — nearly 18 years now — that you need to have a good process flow and execution. So I have a good basis of the OODA loop. That’s an intelligence discipline and framework to find, track, and then execute actions, especially within penetration testing. You need to have this continual loop of operations and a process from which you do it. And even though you might come across outliers or pieces of information when you are doing a penetration test that aren’t normal, as long as you continually adapt and pivot on those pieces of information to get the outcome.
I find that there’s a lot of junior people coming into this field that say, “I want to be an offensive hacker. I want to be a pen tester. I’m just going to run a few tools,” and then they get an outcome and they are going to be hacked. Well, that’s not actually how it works. It’s a complete process that you have to iteratively go through, and then if something comes up, you pivot on that and you process it and you move on. I would say it’s through experience and through dedication that you get a complete process going.
And I suppose a lot of that experience informs your sense of what not to do.
Exactly right. And there’s lots of things not to do, especially within different corporate environments, governments. But when you create your rules of engagement, that allows you to enact your assurance methods on that client. There might be a different caveat. One client might say, “You can attempt to get a shell on every single box you’re trying to hack,” and some clients might say, “If you can identify this shell and you can do a proof of concept on a test box, then we’ll approve that as possibly exploitable, and we’ll patch that or we’ll implement new recommendations.” So it’s all client specific. It’s not like the Wild West where you can go online and use an auto-exploit and then pop all these shells on different boxes. It’s not that in real life. You actually have to take the client’s needs into consideration and then execute your penetration test and flow based off those client needs as well.
I suppose, also, you must have your own sort of overarching set of ethics that come with these things as well.
Yeah, that’s right. After so long in security — and me, now near on 40, and I’ve got four kids — I have this humble experience and mentality to my work. So it’s not about finding the coolest exploit and exploiting the most boxes that you can, it’s about doing the best for the customer and the best for the client and what helps them the most and what will better protect them against an adversary trying to infiltrate their system.
And you need to, as a pen tester, you need to emulate the adversary and find all the ways. And the better you can understand the adversary and your client, the better the outcome is.
Can you take us through when you’re doing open source intelligence assessments? What do those engagements look like?
That’s a pretty interesting one. I’ll do a few of them. Especially in the current environment, there are lots of data. So much data online that people don’t understand how much information gets brought online. I don’t have my Facebook account because I understand the tools and techniques that most hackers use to exploit that data.
For example, an open source intelligence investigation on a client or a person or industry goes through lots of processes and flows. The main one is what you’re targeting, so you target your malicious adversary. You understand who they are, what they’re doing, and why they’re doing it. Once you understand the basis and put yourself in their shoes, the next step is to be precise and be understanding and be clear on what they want and what the client wants and mesh those two together. And once you’ve done that, then you need to use the tools and techniques which you’ve created to collect their data and push all that data into an aggregate system. Some people put all the data in one point. Then you can pass through it, clean it up, understand where the client is — not the client or the person you are targeting is — and what they’re looking for.
So, for example, I was doing an investigation on the trafficking of illicit drugs. A lot of fentanyl and carfentanil out of Hong Kong and China into the U.K., and once I started to scratch the surface, I started to see that they’re these overt organizations that interlink together by multiple aliases, multiple email addresses, and they’ve got this massive ring of fentanyl being exported from China into the U.K., and they’re like, “How can we stop this?” Once you start tying that together you’ve got, for example, 15 different organizations tied together by one alias or one email address and you need to find the correlative evidence that ties packages coming into the country with addresses back to locations which then could be properly prevented from coming into the country.
It’s complex and depends on the cost, depending on what the outcome is. In that case, for example, the outcome was to provide an overall understanding of how fentanyl gets sold online, how it gets trafficked, who are the main players, what is the communication method? And in that investigation, it was Wickr and Skype and WhatsApp [that] were the main communication methods between sellers and buyers. And then, what can we do about it? We’ve got all this data, all these organizations — how do we block that?
So, for example, there was something like 37 different organizations selling fentanyl in big quantities, producing 500 kilos a week on one street in China, in one province. When fentanyl comes into the U.K., for example, from this specific industrial area, you want to flag that data or flag those packages from coming into the country and do further investigation on that. I know many people don’t understand fentanyl, but if you do one gram of fentanyl, it’s like 40 doses. So trying to track one tiny gram of fentanyl in the mail is like a needle in a haystack, but if you tie the open source intelligence back down to, “This is in this one province — how about we target that and filter packages coming into the country from there?” then it’s easier to block that threat.
Now, in the work that you do, when it comes to tracking these open source intelligence items, is it true that most people think that they’re being more stealthy than they actually are?
Well, most people think that they are an internet sleuth, so they put the data online and tick their proxy settings and then they’re safe, but that’s not really it. There are lots of smart people out there that make smart programs that extract the data from behind the scenes. And what I’ve found — because I’ve created multiple open source intelligence training courses before and I’ve taught this before to the military and to the private sector — is that to be able to understand where your data is going to, collect data on an individual organization, you have to understand the framework behind how the data is getting presented.
So, for example, if you say, “I have a Facebook account, but it’s locked down and I’m safe,” or, “I have a Twitter,” or, “I have a Wickr account,” or, “I have whatever online presence account it is,” if you understand the framework of the architecture of the system behind it, then you can pull the data out.
For example, I work closely with a company that creates tools and scripts and programs to extract this behind-the-scenes data on Facebook. It correlates it together in one format. Experienced analysts will say, “Okay. These people are tied together by this person. They’re tied together by this location,” and that kind of stuff. When you lock down your Facebook account, you think you’re safe. But you’re not actually safe.
The best way to be safe online and to not have your information exposed is, just don’t do it in the first place, because there are so many people. There’s a guy, his name is Justin Seitz, he’s a big programmer and he’s an open source guy and he created a program called Hunchly that scrapes and collects data while you’re processing your investigation online, and it puts it in a database. For example, you may have your online account one day and then you take it down, but then that data is collected somewhere online and can be potentially used against you one day. So, if you don’t want to be found out or want any information to be found out about you, just don’t put it online.
Easier said than done, right? Especially these days, I suppose.
Exactly. You’re right. And there are all of these exposures and dumps and hacks going around. You think your information might be private. You might not even have an online presence. You might say, “My online presence is zero,” but then I’ve got all this data in what we call the deep web. That’s the data behind the password-protected logins or the data behind systems that shouldn’t even be online — that’s like the deep web. And when organizations or companies get exposed or breached that are running their systems online, or in AWS, or in buckets, or in droplets, all that kind of stuff … When that stuff pops out, you might not have an online presence, but now you do because your email address, your phone number, is being exposed online and things form from that.
I want to talk some about threat intelligence, which is certainly an area of your expertise. Can you describe to us what part you think threat intelligence plays in organizations trying to defend themselves?
Yeah, that’s a good point. My love affair with security is in threat intelligence, and threat hunting is one thing I find … For myself, personally, threat intelligence means understanding your adversary — their tactics, their modus operandi, what they do, how they do it, and then turning that into a defense of context. Completely understanding your enemy. Being in their shoes. Their viewpoint. Their geopolitical context. Their domestic political context. Their international relations context. And then, what tools and techniques they use to breach organizations. All the different APTs. All the different hacktivists. All those kinds of things. And then, you then enact those tools and techniques in your own environments to better understand them, and then, you flip that on its end and say, “Okay. This is how they are getting in … How about we detect that? How about we write processes and new rules, products, to better detect these threats?”
So it’s a full circle.
It’s definitely a full-circle thing. It’s not about, back in the day, when “threat intelligence” was the thing to do and the new evolving thing was about the technical indicators … Well, it’s not about that anymore, because things in technology change so much that you can’t count on those things. You have to count on the processes. So how, for example, is a group or an APT conducting operations on a large scale? What types of infrastructure are they deploying? What are they re-deploying and using on their operations? From then on, down to a lower level, what are the tactical things? When their malware or their offensive operations are being enacted, what are the processes they do? When they drop something on a disc, what does it usually look like? Or when a piece of malware gets executed in memory, if it’s not going to touch disc, what’s the process execution? What are the files it’s combing? What are the files it’s reading? Who’s it calling back to? All that builds the context of the intelligence and how you can better prevent against it.
I find, as well, within big organizations and governments, is that they focus a lot on the tactical — as I just talked about the tactical stuff with our intelligence — but they’re like, “Okay, we understand that this APT is operating like this. They are using these tactics … So why is this actor doing this thing?”
For example, China. Why are these Chinese APTs doing these offensive operations against these different clients or governments? Have you looked at the Chinese current five-year plan? Have you looked at the DPRK, and their relationship with China? And they’re sending their new IAT recruits to China to come back to North Korea to be trained — why are they doing that? What’s the relationship between China and North Korea? Then you can better understand the context of the actor as a whole, not just at the lowest level.
What’s your advice for organizations in terms of getting a handle on this fire hose of information? How do you make threat intelligence feeds manageable, but then, also actionable?
Yeah, that’s a good one as well. There are so many different intelligence feeds out there at the moment that you can get overwhelmed with data and you don’t know what’s good data and what’s bad data. I found, in my experience, that you need good people, ones that understand the technologies that are being utilized. And the second thing is to have a system that pulls in the data, aggregates it, deduplicates it, correlates it, and then puts it in a way that your system can handle.
So, for example, some systems might use an orchestration system. You pull in 300 different threat feeds, but then, you want to only orchestrate in what you know — enrich certain pieces of information that come in — so that if it relates to a vulnerability or a system or an application that you’re running, then you want to enrich those indicators. You use orchestration tools to pull these different components in and then amplify that data and send it out to your customers. So it’s about aggregating the fire hose of the internet of indicators and tactics and bringing it all together.
And once you’ve done that, you’ve got your SOC, you’ve got your SIEM, you’re outsourcing that data to someone else, and then, it’s about getting the right people in to understand how threat actors do their thing, and then write specific rules, detection programs, and use cases that can defend against that, because all that data that comes in is based off of one sort of technique or operation, specifically. For example, out of those 300 million or thousand indicators that come in per day into your system, a lot of those indicators have the same tactical presence on disc, in memory, and you just have to have the team that can go through that data and understand it.
Our thanks to Nicolas Cairns from A9 Security Intelligence for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.