Sys admins, data scientists, analysts: How attackers' sights have switched to the tech-savvy

With so many more routes into sensitive data, the pool of potential targets for computer criminals has widened to take in even those with considerable IT expertise, according to Darktrace director of technology Dave Palmer.
Written by Toby Wolpe, Contributor
Dave Palmer: You're going to see a lot more targeting of systems administrators, who often experiment with new types of software.
Image: Darktrace

It used to be that the last person you'd want hacked in any business was the CEO. Certainly, even now, explaining how the top manager's emails were compromised would still be an uncomfortable experience.

But the truth is there may be more rewarding individuals to target, and that fact hasn't gone unnoticed by the criminal fraternity, according to Dave Palmer, director of technology at machine-learning security firm Darktrace.

"There's been a lot of talk about targeting systems administrators. In fact there was coverage from some of the Snowden material that GCHQ were interested in systems administrators in relation to the Belgacom alleged incident," he said.

"Now, I don't know if any of that's true or not. It certainly isn't something I'd know about. But we worry a lot about what we call privileged users - whether they are administrators or whether they just have access to privileged data."

Palmer, who spent seven years at UK government communications agency GCHQ and seven years at MI5, now runs the customer-facing aspects of the Bayesian mathematics-based technology used by Darktrace.

"Companies aren't making money because of what the CEO said or what email he sent today. They're making money because normal people like all of us, whatever our specialism, are interacting with our data, interacting with our customers, our suppliers," he said.

"Privileged users [are] different in each company or any organisation and that's a really early conversation for us in understanding context. What makes you money? How do those wheels spin every day and what would cause the CEO to step down?

"Data scientists at the hedge funds are often the people of most interest to a hedge fund. What data are they using? What do they do with the data once they've got it?"

Along with data scientists - and security researchers themselves - systems admins are increasingly a target because of the way their privileged access combines with a need to try out new tools.

"Systems administrators, who often experiment with new types of software, are partially predictable. You can guess what sorts of media they consume and the websites they go to and the types of software they download. Targeting them is something you're going to see a lot more of," Palmer said.

As well as specifically targeting such individuals, attackers are also employing malvertising, where legitimate online advertising networks and webpages are poisoned with malware-bearing adverts.

At one Darktrace customer, the security staff recently experienced difficulties in convincing its own IT team that there was almost certainly a problem with one of its systems administrators.

"They asked us to help. We asked where the systems administrator had been recently and they said, 'Well, he's on a plane now'. We said, 'Brilliant. Let's have a look. Ah, he's also reprogramming four computers right now. So he might be airborne but he's either got the best Wi-Fi in the world or there's a problem with his computer'," Palmer said.

Darktrace usually provides its users with an appliance - a box of standard hardware optimised for high performance, running the machine-learning algorithms and Bayesian software that examine corporate network traffic. From every piece of network data collected, it tries to extract up to 300 different measurements.

"What we're really interested in doing is sucking up as much as possible of the customer's network traffic - within the networks not on the edges. That lets us see how everyone talks to each other and how everyone talks to the datacentres," he said.

"In a corporate environment, you're exceedingly predictable and when you're using corporate IT you're even more predictable. It's set up by someone who isn't you and in a standard way. The way you use information each day will be unique to you but it won't change very significantly over time."

So individuals have their own patterns but they also belong to a group of people fulfilling similar roles, with which they share common behaviours.

"No matter what your job is, whether you work in a call centre, or you're a salesperson, or you're a lawyer or a judge, you share very specific patterns," Palmer said.

"There might be a large number of dimensions of your behaviour that vary a lot. But the first time you appear to be acting like a systems administrator and changing other people's computers, or your laptop starts advertising itself with maybe software you've never used previously - and that no one else in the company is using - and your behaviour shifts and you've stopped conforming with the security practices of the organisation - they're the signals we're looking for."

The combination of logging individual behaviour and that of classes of people doing similar jobs helps flag up security issues, even if they have existed ever since the Darktrace technology first started monitoring traffic.

"While we might, from some of the maths perspective, say in the early days, 'Hey, this machine is making 13,000 queries a day out to this server in Poland' and learn that as normal for Emily, you would get a clue later on that says, 'Emily's fundamentally different from everyone else who's like her'," Palmer said.
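The situation Palmer describes - a machine that has been loud since the first day of monitoring, so its own history says "normal", while comparison with people in the same role says otherwise - can be shown with two baselines side by side. The following is an added illustration, not Darktrace's code; the users, roles and daily query counts are constructed, and it uses a median/MAD robust score so that one noisy peer does not swamp the group baseline.

```python
"""Per-user versus peer-group baselines on daily activity counts.

Added illustration: a machine that has always been noisy looks normal
against its own history but stands out against people doing the same job.
Example code, not Darktrace's implementation. All data is constructed.
"""
from statistics import median

# Constructed: job role per user and their last five days of outbound
# query counts. Emily's machine has been loud from day one.
ROLES = {"emily": "analyst", "raj": "analyst", "mei": "analyst",
         "tom": "analyst", "ana": "sysadmin"}
HISTORY = {
    "emily": [13000, 12800, 13100, 12950, 13050],
    "raj": [310, 290, 330, 300, 315],
    "mei": [280, 300, 295, 310, 290],
    "tom": [320, 305, 298, 312, 300],
    "ana": [5200, 4900, 5100, 5300, 5000],
}
THRESHOLD = 3.0  # robust z-score beyond which a value is treated as anomalous
MAD_SCALE = 1.4826  # makes MAD comparable to a standard deviation for normal data


def zscore(value, sample):
    """Robust standard score: (value - median) / (scaled MAD).

    Returns 0 when the sample is constant and value equals it, inf otherwise,
    so a constant baseline still flags any departure from it.
    """
    med = median(sample)
    mad = median(abs(v - med) for v in sample)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return (value - med) / (MAD_SCALE * mad)


def self_zscore(user, value, history=HISTORY):
    """How unusual is today's value against this user's own past?"""
    return zscore(value, history[user])


def peer_zscore(user, value, history=HISTORY, roles=ROLES):
    """How unusual is today's value against everyone else in the same role?

    Returns None when the user has no peers to compare with.
    """
    peers = [u for u, r in roles.items() if r == roles[user] and u != user]
    if not peers:
        return None
    pooled = [v for p in peers for v in history[p]]
    return zscore(value, pooled)


def assess(user, value, history=HISTORY, roles=ROLES, threshold=THRESHOLD):
    """Classify today's count for a user using both baselines."""
    s = self_zscore(user, value, history)
    p = peer_zscore(user, value, history, roles)
    self_flag = abs(s) > threshold
    peer_flag = p is not None and abs(p) > threshold
    verdict = {
        (False, False): "normal",
        (True, False): "self-anomaly",   # unusual for this person only
        (False, True): "peer-anomaly",   # normal for them, abnormal for the role
        (True, True): "both",
    }[(self_flag, peer_flag)]
    return {"user": user, "self_z": s, "peer_z": p, "verdict": verdict}


if __name__ == "__main__":
    for user, today in [("emily", 13000), ("raj", 305),
                        ("raj", 13000), ("ana", 5100)]:
        print(assess(user, today))
```

Emily's 13,000 queries score near zero against her own history and in the hundreds against her peers, which is exactly the "fundamentally different from everyone like her" signal; Ana, the only sysadmin, has no peer group, so only her personal baseline applies.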

The technology points up those potential problems for security staff to look into.

"We're all about enabling a human being to look at the stuff we believe is most important. This isn't a magical box that says, 'Emily's laptop has been compromised by this piece of malware, on this date, and here's what it's doing'," he said.

"We describe the behaviours, we describe why we're worried about a person's or a machine's behaviour. We put that in the context of other machines and other people and their behaviour in the past and what's changed."

Darktrace uses a number of mathematical techniques to detect such changes. It employs Bayesian analysis to moderate across many mathematical and machine-learning algorithms all running in parallel.

"Rather than have one model for Emily, we'd have at least six or seven relating to Emily as a person and many more in relation to each of her devices," Palmer said.

"Where the Bayes, and some of that belief modelling [comes in], is not quite arbitrating, more smart filtering, to say which of these techniques are not working here and, in light of evidence I've just found out, do I want to revisit my assumptions about something I knew about yesterday or previously? That's where quite a lot of the power of the probability theory comes from on top of the machine learning."
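The "smart filtering" Palmer sketches - several techniques running in parallel, a belief about which of them are working in this environment, and earlier conclusions being revisited when new evidence arrives - can be reduced to a small model. The following is an added illustration and not Darktrace's implementation: each detector carries a Beta-distributed belief that its alerts are true positives, updated from analyst feedback; alerts are combined with a noisy-OR weighted by those beliefs; and past verdicts are re-scored when beliefs change. Detector names, alerts and feedback are constructed.

```python
"""Belief-weighted arbitration over parallel anomaly detectors.

Added illustration, not Darktrace's code. Detector names, alerts and
analyst feedback below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Reliability:
    """Beta(alpha, beta) belief that a detector's alerts are true positives here."""
    alpha: float = 1.0  # pseudo-count of confirmed alerts (uniform prior)
    beta: float = 1.0   # pseudo-count of rejected alerts

    @property
    def mean(self):
        return self.alpha / (self.alpha + self.beta)

    def update(self, confirmed):
        """Conjugate update from one piece of analyst feedback."""
        if confirmed:
            self.alpha += 1
        else:
            self.beta += 1


class Arbiter:
    def __init__(self, detector_names, alert_threshold=0.6):
        self.beliefs = {n: Reliability() for n in detector_names}
        self.threshold = alert_threshold
        self.verdicts = []  # (day, subject, firing detectors), kept for re-scoring

    def score(self, firing):
        """Noisy-OR: probability that at least one firing detector is right."""
        p_all_wrong = 1.0
        for name in firing:
            p_all_wrong *= 1.0 - self.beliefs[name].mean
        return 1.0 - p_all_wrong

    def observe(self, day, subject, firing):
        """Record which detectors fired for a subject and return today's score."""
        self.verdicts.append((day, subject, tuple(firing)))
        return self.score(firing)

    def feedback(self, detector, confirmed):
        """Analyst says an alert from this detector was (or was not) real."""
        self.beliefs[detector].update(confirmed)

    def unreliable(self, below=0.3):
        """Techniques that, on the evidence so far, are not working here."""
        return sorted(n for n, b in self.beliefs.items() if b.mean < below)

    def rescore(self):
        """Re-evaluate every recorded verdict under the current beliefs."""
        out = []
        for day, subject, firing in self.verdicts:
            s = self.score(firing)
            out.append((day, subject, round(s, 3), s >= self.threshold))
        return out


if __name__ == "__main__":
    arb = Arbiter(["dns_volume", "new_software", "peer_deviation"])
    print(arb.observe(1, "emily-laptop", ["dns_volume"]))                    # 0.5
    print(arb.observe(2, "emily-laptop", ["new_software", "peer_deviation"]))  # 0.75
    # Constructed feedback: the DNS detector keeps crying wolf on this network,
    # the new-software detector keeps being right.
    for _ in range(4):
        arb.feedback("dns_volume", False)
    for _ in range(3):
        arb.feedback("new_software", True)
    print(arb.unreliable())   # ['dns_volume']
    print(arb.rescore())      # day 1 drops to 0.167, day 2 rises to 0.9
```

With uniform priors every detector starts at 0.5, so a single firing detector sits below the 0.6 alert line and two together reach 0.75. Once feedback has pushed `dns_volume` down to 1/6 and `new_software` up to 0.8, day one's verdict is re-scored to 0.167 and day two's to 0.9 - the "revisit my assumptions about something I knew about yesterday" step.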

Even though the targeting of privileged employees can be quite sophisticated and subtle, what follows often is not.

"Frankly, most things are very noisy. The first time Emily's machine pops up with a new piece of software that's just tried to download 1,000 or 500 files, that's what a normal piece of clumsy malware looks like, even one that's targeted," he said.

"One of the spearphishing campaigns we worked on, an administrator's secretary's computer was compromised. It was quite subtle in detecting where the file servers were. But when it finally detected them, it read every file in the whole company, looking for things, searching for special words and phrases and file names it was interested in."

Because access to privileged and potentially valuable data may extend to people beyond the immediate confines of the organisation itself, Darktrace network monitoring may have to include individuals in partner businesses and outsourcers.

"We have to go as far as whoever is touching the information or systems that the customer cares about. One of our biggest customers has outsourcing all over the world. They have outsourcing they thought was in Scotland that was in India; they've got outsourcing they thought was in India that's in Scotland," Palmer said.

"There's a real cups game going on here. The person you might have met every day might be suave, from the same country, speaks your language, shares cultural bonds. That doesn't mean that's where the work's done."

With a large amount of highly skilful and sensitive work on data now being carried out in eastern Europe, and with India well established for development, services and call centres, the monitoring may have to be very wide, particularly because businesses may not even be sure where their sensitive data and systems are located.

"Companies don't find this out. This wasn't one of our customers but I was talking to a friend in another company recently and they visited a datacentre to do some checks on behalf of the CIO and found that that company hadn't had a datacentre there for years," Palmer said.

"The CIO had sent them in that direction and they hadn't been there for years. It was in a different country. It wasn't even just in a different post code. That's less funny now the cloud is becoming more prevalent. You imagine you can draw a ring around where your stuff is and where your people are? Rubbish."
