In this episode of The Pivot podcast, we welcome Daniel Card!
Daniel is a seasoned technology and cybersecurity professional who has worked with organizations globally to help protect, detect, and respond to cyber threats. He is active in the UK cyber community, serving on the UK Government Cyber Security Advisory Board. You can usually find him online conducting innovative research and seeking new ways to combat cybercrime.
In this episode, we draw upon Daniel’s extensive experience and expertise as we delve into the world of cybersecurity together. We discuss some of the challenges posed by laws, the lack of understanding or misunderstanding from the public, as well as the collaboration between companies and cybersecurity professionals. During our conversation, Daniel also shares some commonly practiced security methodologies and examines the issues from personal, organizational, and global perspectives, calling for greater focus on global cyber defense.
The Pivot, Your New OSINT and Infosec Podcast
Brought to you by Maltego, The Pivot is your OSINT and infosec podcast that dives deep into topics pivoting from information security to the criminal underground. Through The Pivot episodes, we aim to share insightful information for beginners and seasoned investigators alike, shedding light on all things OSINT and infosec from an insider’s perspective.
Each episode features one or two of Maltego’s Subject Matter Experts as the host and an external expert, researcher, or industry leader invited to share their projects, stories, experiences, and advice.
Where to Listen to The Pivot?
The Pivot podcast is available on Spotify, Apple Podcasts, Google Podcasts, and the Maltego YouTube channel. Each episode is 45 to 60 minutes long and is released on the 15th of every month. Stay tuned with us for more updates!
Where did you start your cyber journey? How did you get into this world?
Daniel: I started playing games when I was a kid. I used to play Wolfenstein 3D and had an Amiga. I’m one of those who played Afterburner on the Spectrum, where you had to use cassettes to start the game. You had to rewind the cassette because it didn’t start from the last time you played it, so you put cassette number one in, and you were on the runway; you got to the end of the runway, put cassette number two in, then you took off and put cassette number three in when you launched a missile. I wanted to be a game designer, so I used to make some Half-Life levels and did stuff in Worldcraft, in Quake and Doom levels. I was bad at all of that stuff, but I really liked technology. Although I can’t remember how old I was, I went and killed malware using floppy drives.
This stuff is what made me sort of get into this space of the security world and the IT world. People have got very odd views, I think, because IT, security, and technology are pretty much the same stuff. There are completely different mindsets, lenses, skills, and specialties, absolutely. What we’re talking about here is how we secure people using computers. We’re saying how we protect people on computer systems, and that’s really where my journey started. As a kid, I played games, learned how to code badly, did level editing, graphics design, 3D modeling, and all that stuff, explored computers that way, and then, obviously, when you’re a kid you like to break things, because who doesn’t?
From a professional point of view, I’ve done lots of different roles in tech, even though I moved quite quickly into design roles. I designed solutions, re-architected, understood businesses, and looked at the fun parts, like the operating model, the organizational structure, the finances, the portfolio, the ROI, and all of the bits that you need to be doing. Without any of the logistics, resources, money, drive, and motivation to do anything, you aren’t going to be playing with some cool technology. These things don’t exist in isolation. I find a lot of people like to exist in isolation, and that’s fun for me to look at things like this. Then I sit there going, “Okay, great. What do I do with this information?” One of which is obviously trying to help people, and the second part is like, “Oh, there’s a marketing angle to it.” Don’t get me wrong. I might write a blog post that sits on SharePoint, and the article might not always be released. There is that sort of point.
What are the commonly employed methodologies companies actively apply to secure themselves?
Daniel: Literally, the driving force in most scenarios, I’d say, is a contractual requirement to meet. Security posture X is what drives organizational changes. That has been my experience, and I’m not saying that this is always the case. Looking at a lot of contracts and security postures, I can tell you that they don’t always align. I think it’s important to understand that you don’t do security in isolation. If you do it in isolation, it’s just cost and friction. It won’t be aligned, relevant, and probably suitable for the business or the organizational outcomes you’re going for. It has to be taken from a quality, safety, and risk perspective, with operational excellence being secure. Is everything always about, “Oh my God, we need to stop the baddies?” Of course, we do need to stop them. However, security to me isn’t that, it’s everything. It’s got to be the whole of society, the whole of life, and the whole of the organization.
It needs to be excellence. If you have an excellently operated and managed system, it will be secure. It depends on the inputs. If you have no security input, knowledge, and experiences thrown in, it could still be efficient, but it’s a leaky bucket. That’s how I see the differences. If you care about quality and the details and you’ve got a motivating reason from a business and organizational perspective to do it well, you’re not asking what looks good from an abstract point of view. Instead, you need to be asking, “What looks good for my company? What keeps me, my team, my brand, and my customers safe? How does my supply chain fit into this? How does this work with the organization?” Or if it’s not business, “How does it work from a personal level?”
Everything is about hunting the bad guys, but isn’t it a bit too late to chase the bad guys when things already happened?
Daniel: I work in both offensive and defensive security, and I don’t really care about labels so much. Nonetheless, there is not a focus globally on defense. When I say defense, I mean cyber defending of organizations, and I think the Cyber Threat Intelligence (CTI) world is obsessed with chasing bears and pandas and putting them together like cartoons. I don’t mean to slam CTI as a practice, because the practice is cool. Sometimes I think to myself, given that for a cyber defensive world to exist, a cyber offensive world must also exist, and therefore industries that thrive on crime, it does beg questions such as, “Why aren’t there real conversations about country-level attack surfaces? Why are there not honest conversations about what systems are like?”
I think, in cyberspace, there’s all this idea that you can be perfect and you’ll be all-knowing and omnipotent. I go into lots of organizations and look at their networks as well as their people, processes, and decks. Strategically, there’s loads of good stuff around education and cyber awareness. We’ve even got a whole month dedicated to the thing, and there’s money being put into the initiative of Cyber First for the UK and CSC. Nevertheless, I’m seeing gaps. If you tell someone you’re going to go and cyberpunch them, you probably should make sure that you’ve got a shield first, but I’m not seeing the shields. I reckon someone could take that out pretty quickly if they were motivated.
I try to be measured and balanced in how I talk about tax services and cyber stuff, as I think it can scare people as well. I mean, it scares me sometimes when I go and look at some stuff, thinking, “Jesus, how is this still online? Is it pwned?” There is a probability factor in here: just because something is vulnerable doesn’t mean it’s exploitable. Just because it’s exploitable doesn’t mean someone has exploited it. It also doesn’t mean they will exploit it. I literally build honeypot networks, and I’ve done this with entire simulated full networks.
You have to have the right alignment of stuff. There’s a saying that defenders have to be right every day while an attacker only has to be right once. For an attacker to be right, there are usually a minimum of about seven things that have gone systemically wrong. All have to be in alignment for things to work. If you get into someone’s perimeter network, it doesn’t necessarily mean you’re going to be able to move. People do not talk about how difficult some of this stuff is. In 90 percent of networks, it is a problem. I think it’s complicated, and it goes back to the communication. Anyone who’s worked in sales will know that if you try and sell something complicated, it’s a lot bloody harder than if you try and sell something simple. I think that we’re at risk, from a society point of view, of oversimplifying everything and then making the wrong calls, because the hard calls are hard, and the decision-making on complexity is more complex. That’s my kind of view of the world.
What challenges might cybersecurity professionals encounter when working with organizations?
Daniel: I’ve been asked, very quickly after scanning significant numbers of assets, what the top five things for the organization to fix are. I don’t know your business, and it depends, doesn’t it? It depends if it’s a long-term customer or a short-term engagement, as well as if this happens often. I talked to people when we did a transformational piece by asking, “How long does your probationary period stand for in a contract if you hire someone? Is it three or six months? In two weeks, for example, what do you think someone’s going to be able to tell you about your business that you don’t already know? How do you think you’re going to come up with an answer of what to do off the back of a day?”
I’ve seen this in the world where a sales organization will parachute a technical person into an organization, and they’ll do a day’s workshop, producing a roadmap. It’s like, “Okay, I found 50,000 vulnerabilities and 100,000 criticals across 20,000 assets. I have no idea what you should do, mate. I think what you should do is put together a financial package and a structure that tells you what’s really important to make sure you’ve got some money.” Without any money and resources, it doesn’t matter whether you identify five things or 500, you won’t be able to fix them. You don’t just sit there and run through the process of saying, “Cool, we need a project.” You need to go and get the right support from leadership.
You might as well sit there and make a decision that says, “I don’t care that it’s not patched.” You might shore it up and isolate it on the network. Still, I don’t think I’ve ever walked into an organization and gone, “Is everyone bored sitting around doing nothing?” Largely speaking, teams are overutilized as it is, and that’s with 90% of them having a bad posture. Then you throw on a bucket load of vulnerabilities, security requirements, and contractual ones. Sometimes the answer is just silence.
In some European countries, it’s illegal to scan and finger websites and domains. Is that also the case in the UK?
Daniel: I’m specific about what I look for, and I use loads of passive sources of data. I want to be careful how I phrase this. People should be considerate and careful while looking at the legal side. We also need to educate people on how this works, because the criminals are scanning and doing whatever they want 24/7, 365. We run honeypot networks, and I can find serious, organized crime quite quickly. I don’t think people know exactly how the Internet works. For example, some people are like, “A bazillion cyber attacks occurred.” Nonetheless, it’s not a bazillion. They may have sent you 2 million packets. Trying to define what is and isn’t a cyber attack, what is an event, what’s an incident, and how to put metrics on it. That’s one actor.
Also, people from a policymaker through to a personal person don’t really quite get how this works. There is a risk, and I’m hoping that at some point the UK government and other governments will reform and change the Computer Misuse Act, so we are enabled to defend the country, do research, and do business. There are commercial implications of laws prohibiting basically benign passive actions. Bear with me, as I’m not a lawyer. If I write a bit of software for research to ransom a computer that I own, that shouldn’t be illegal, and it probably would be under the Computing Machines Act as it’s written.
There’s a huge visibility gap. You’ve got what people could call the Donald Rumsfeld analogy: what people can see, different companies like Audio Visual (AV) providers, DNS providers, Internet Service Providers (ISPs), and lots of telemetry. Nonetheless, there’s a gap, as they’re disparate and siloed. Not everyone is going to share their data and build the same picture when they smash different data sources together. There is no omnipotence on the internet. I mean, you can send a cat gif, and it could be malware while no one knows about it. Thus, I think it’s important that people understand crime research is much needed.
There’s More! Listen to Our Full Interview with Daniel!
If you found these interview snippets interesting, don’t miss out on the complete version!
Listen to our full interview with Daniel to learn more about:
- Why Daniel believes humans are the greatest strength in protecting their organizations
- Three characteristics people should adopt to get into the world of cybersecurity
- Daniel’s perspective on cyber attacks from global, national, organizational, and personal levels
And much more!
Check out Daniel’s work on Twitter!