robsonphoto - stock.adobe.com

Group-IB CEO talks up global threat landscape

Public attribution of cyber attacks could backfire while a global cyber norms framework won’t emerge until a catastrophic incident occurs, says the head of Singapore-based Group-IB

Identifying threat actors and their motivations behind a cyber attack may help law enforcers know who they are up against, but doing so publicly could backfire.

That is according to Ilya Sachkov, CEO of Group-IB, a Singapore-based cyber security firm, who noted that threat actors could be alarmed by reports that they are being watched and change their modus operandi to avoid further detection.

“They will change their attack infrastructure and the kill chain link could disappear for some time, even years in some cases,” Sachkov told Computer Weekly on the sidelines of the company’s CyberCrimeCon 2019 conference.

Sachkov added that threat actors could also employ deception methods to mask their identities, such as using multiple languages in malicious code. Some may even stick to their native tongues, going against the misconception that doing so will give themselves away.

Citing the TTPs (tactics, techniques and procedures) of the Lazarus Group as an example, Sachkov said the advanced persistent threat group likely to be behind the 2014 Sony Pictures hack and WannaCry had employed different layers in its attack infrastructure that indicated the involvement of multiple nationalities.

“The only reason to publish an attribution shouldn’t be that it’s Russia, China or the US behind an attack. It should be technical, proven data, such as operational indicators, which will help companies to stop and predict crime,” he said.

Known for its threat intelligence capabilities, Group-IB was founded in 2003 by Sachkov and his colleagues at the Bauman Moscow State Technical University. Since then, the company has built up a global outfit of cyber security experts skilled in malware research and incident response.

“Without incident response and forensics capabilities, you will never understand what's really going on,” Sachkov said. “It’s only through incident response that you will get the necessary technical indicators and understand the kill chain. This information can then be fed to your threat intelligence structure.”

To ensure its independence, Group-IB moved its global headquarters to Singapore in 2018 at a time when cyber security companies were finding it hard to shake off government influence – or the perception that they are being influenced by their governments.

Cybers threats from nation-states and state-linked threat actors are a growing concern globally, with some groups and governments already calling for more responsible behaviour in cyber space.

To stop state-sanctioned digital arsenal from falling into the hands of cyber criminals and terrorists, Sachkov said the use of digital weapons should be restricted by the United Nations – though he conceded that real action will come only after a catastrophic event when lives are lost.

That said, Sachkov said some countries have started to put aside their political differences in multilateral efforts to combat cyber threats, having realised the potential impact of those threats on their economy and national security.

The Association of Southeast Asian Nations, for example, formed a committee in October 2019 to implement 11 voluntary, non-binding cybre norms recommended in the 2015 United Nations Group of Governmental Experts report.

The working-level committee will have a year to study and propose recommendations in specific areas including Cert cooperation, protection of critical information infrastructure, and mutual assistance in cyber security.

The private sector is playing its part too. For the greater good, Sachkov said Group-IB is open to sharing threat intelligence with rivals, including FireEye, which inspired him to start Group-IB after he read a book on cyber crime investigation co-authored by Kevin Mandia, the founder of FireEye’s Mandiant unit.

Read more about cyber security in APAC

Read more on Hackers and cybercrime prevention