© 2021 CyberNews - Latest tech news, product reviews, and analyses.


Nick Palmer, Group-IB: “without fundamental knowledge, it is impossible to stay ahead of bad guys”
From state-orchestrated to group-governed attacks, the world has seen a surge of cybercrime during the pandemic. And it doesn’t seem like threat actors are planning on taking a break anytime soon.

The pandemic has not only created a perfect hub for cybercrime with the majority of businesses adopting a remote work model, but also added challenges for security professionals, with many employees being left unaware of how to appropriately protect their digital presence. In such a context, it is unsurprising that cybercrime is on the rise, but so are the solutions to tackle it.

Nick Palmer, the head of Global Sales at Group-IB, discussed with us what the modern cybercrime landscape looks like, as well as shared details about the services the company provides to help detect and prevent cyberattacks.

Since your start in 2003, Group-IB has grown exponentially and is now trusted by many well-known organizations. Can you tell us more about your journey?

Group-IB was founded in 2003 by two individuals, university students back then, and was initially intended as a cybercrime investigations company. Probing into numerous cyber incidents, the Group-IB team faced the same problem: despite the fact that the victim companies did use cybersecurity solutions, they fell prey to cybercriminals.

This pushed Group-IB to develop its own products based on the knowledge and expertise it accumulated in numerous investigations worldwide. What makes these products unique is their focus on real attackers. This actor-centric focus is present in every one of the 600 employees that Group-IB has today, with everyone being committed to investigating and researching cybercriminals and how they can impact different businesses around the world.

Throughout its nearly two-decade-long history, Group-IB has been using this actor-centric focus in order to develop different products and services that help organizations prevent cyberattacks from happening, gain knowledge about adversaries and improve their cybersecurity posture to prevent cyberattacks from taking place. This product and service portfolio is intended for the detection and prevention of cyberattacks, online fraud identification, investigation of high-tech crimes and prevention of IP misuse by cybercriminals.

As a company that focuses very heavily on investigating cybercrime, we have also formed tight relationships with INTERPOL, Europol, the Dutch National Hi-tech Crime Unit, and police agencies worldwide. As cybercrime has no borders, we seek to collaborate with law enforcement agencies all around the world in order to disrupt cybercriminal activity.

Another part of our international journey, and Group-IB’s journey in general, is that we are not just delivering leading expertise and cybersecurity services and products, but also developing a boots-on-the-ground strategy to cover each region Group-IB operates in. Thus, in 2019, we set up a global HQ in Singapore, where we now have over 50 people working, and every technical discipline of Group-IB’s business is represented. This enables us to research local threats in the Asia-Pacific region more closely, get to know threat actors operating locally, and liaise with law enforcement in the region. We have also set up similar research centers in Dubai and Amsterdam, where our European HQ is located.

One of the main fields of your research is state-sponsored cyberattacks. What are they like?

For Group-IB, it doesn’t matter whether an incident was caused by a script-kiddie, someone with just basic technical skills, financially motivated threat actors or nation-state attackers, as we have zero tolerance for cybercrime. Group-IB approaches each incident to examine it from all angles and collect as much information as possible to then provide it to our customers so that they are prepared to prevent similar attacks that might target their business in the future.

Group-IB researches state-sponsored cybercriminals, as the significance of operations by state-supported attackers is constantly growing, and they are of great research interest. Each year, Group-IB analysts see new APT groups joining the global intelligence service stand-off and also find evidence of activities of existing attackers who earlier remained under cybersecurity analysts’ radars. The main findings of our company’s research into state-sponsored attacks are traditionally included in our annual High-Tech Crime Trends report, which represents an overview of various aspects of cybercrime industry operations and predicts changes to the threat landscape for various sectors. This year we’ll present the 10th edition of our annual report.

How did the pandemic change the nature of cyberattacks? Did you add any new services to combat emerging threats?

The COVID-19 pandemic has resulted in many people being laid off, and this created a perfect storm, where people deprived of their source of income started looking for other ways to earn money and tried out cybercriminal activities. We saw quite a lot of attackers enter the cybercriminal space. This was facilitated by the fact that one can find all the tools needed to conduct a cyberattack offered for sale in the underground. Using services and instruments available on the darknet, cybercrime newbies can carry out “turnkey” attacks in a relatively automated format.

In terms of changes in attack scenarios, during the pandemic, cybercriminals actively exploited all the COVID-related developments to conduct social engineering against the victims. I, however, cannot say that these attacks were sophisticated in terms of methodology — the TTPs of threat actors remained more or less the same and they didn’t require the introduction of fundamentally new solutions or services, but rather raised the profile of existing ones.

Against the backdrop of the pandemic, companies had to shift to remote work literally overnight, with the majority of them having no prior experience in organizing remote work for the employees. The remote work mode has considerably expanded the attack perimeter: each staff member working from home turned into an additional opportunity for cybercriminals to compromise the organization’s infrastructure.

This spontaneous switch to distance working required companies to conduct a proper audit of their infrastructures to make sure that they can resist the pandemic-caused influx of cybercrime. To help CISOs and corporate cybersecurity teams do so, Group-IB launched a so-called StayCyberSafe campaign back then, whose aim was to describe methods helping cybersecurity analysts to independently assess potential risks and ensure that all the necessary technical steps to transition employees to a home office were taken.

Digital forensics seems to be gaining a lot of traction recently. However, it is still a little-known practice. Could you tell us more about this cybersecurity field?

To me personally, DFIR (Digital Forensics and Incident Response) specialists are like the superheroes of the cybersecurity world. When a company has just learned of an incident, everything is on fire, and it is extremely important to engage professionals with a sound action plan. DFIR experts collect all the digital traces after the incident to determine what happened, how, and when, identify patient zero, and retrospectively reconstruct the course of events.

Not only can they come in, put out the fire, and push the attackers out of the network, but they also give broad recommendations on what the company affected can change in its network to prevent these types of incidents from happening again. For companies that don’t want to wait for the fire to start, we offer a compromise assessment service, with our DFIR experts going to the firm’s network to understand what security practices it has in place to make sure that the organization is prepared for the moment when an actual attack takes place. And for most organizations, it isn’t about if, but actually when.

In your opinion, what are the biggest misconceptions when it comes to business cybersecurity?

I’d say that it is perceiving the technologies and cybersecurity solutions a company has installed as a silver bullet. Attackers are people, and people have behaviours and techniques that can be investigated by real people. And if you don’t have that actor-centric focus and knowledge about how attackers target different businesses, you cannot build technology that will prevent such attacks in the future.

It’s futile to develop cybersecurity solutions using artificial intelligence and machine learning in a bid to make everyone’s life easier if you have little understanding of who the bad guys actually are. Adversaries’ techniques are changing all the time, and without fundamental knowledge about the specificities of threat actors targeting a particular industry, region, or country, it is impossible to stay ahead of bad guys.

Which security solutions do you see becoming the norm in 2022?

Today, we see a lot of early adopters of Security Orchestration and Response (SOAR) solutions; it’s still an early adopter stage for a lot of large enterprise customers, though. What companies, in my opinion, really need now is to get down to basics and think about such things as what type of email security they have in place to try to prevent initial infection in the network, or ask themselves whether they have endpoint monitoring capabilities that offer automated response capabilities for their security operations centers.

There are lots of exciting solutions on the market, but organizations first and foremost have to understand what cybersecurity essentials they need to have in place, how they use those in their information security departments, and whether their staff is trained and effectively employs those solutions in their network. Only once companies have those fundamentals, sustained processes in place, and trained employees can they start scaling various security solutions.

Tell us more about your annual event — CyberCrimeCon. Is there anything new about the concept of this year’s event?

CyberCrimeCon is one of my favorite times of the year. It also falls around Christmas, or a little bit before. This year, on December 2, we’ll have the conference’s 10th edition. It’s really a chance for cybersecurity researchers and professionals, as well as law enforcement, to all come together and talk about the recent changes in the cybercriminal landscape, new threat actors, and successful investigations that took place, to provide awareness to various companies about what threat actors are doing now and what we think is going to happen in the near future. It’s also a great opportunity to network with important individuals.

To meet the global demand for high-fidelity data on the international threat landscape and reliable forecasts for its future development, this year Group-IB’s trademark event will, for the first time, be divided into five streams. Group-IB will traditionally present its Hi-Tech Crime Trends report, which summarizes the key developments of the threat landscape of the past year and provides forecasts for the future, which prove to be correct each year. Releasing this report, Group-IB seeks to help businesses build feasible cybersecurity strategies.

And finally, what’s next for Group-IB?

Group-IB is currently on an amazing growth trajectory, launching global threat intelligence and research centers all over the world. As part of our East-West strategy, we now plan to expand into the North and Latin American markets. Group-IB’s experienced professionals will continue to research complex cybercrime and cybercriminals as they evolve, with this local boots-on-the-ground strategy, to stay one step ahead of cybercriminals and adversaries.
