- Welcome to "The Cyber5" where security experts and leaders answer five burning questions on one hot topic in actionable intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host Landon Winklevoss, co-founder of Nisos, a managed intelligence company. In this episode, I talk with Mastercard Director of Cyber Intelligence Solutions for Europe Steve Brown. We talk about lessons learned from the UK law enforcement, particularly the Four-P Method of disrupting cyber actors: prevent, protect, prepare, and pursue aspects of digital crime and cybersecurity. We also talk about how Mastercard is pioneering disruption in digital crime, how law enforcement and the private sector can better integrate, and we talk about when attribution is important. Stay with us. Steve, welcome to the show. Would you mind sharing a little bit about your background for our listeners?
- Hey Landon, thanks for having me. I'm Steve Brown, Mastercard's director of cybersecurity here in Europe. I'm responsible for our implementation and integration of cybersecurity products and solutions, working with Mastercard customers to identify the latest cyber threats and vulnerabilities that they have, and to work with them to identify the best solutions and best practices to how to address them. Prior to joining Mastercard a year ago, I was an officer with the UK's National Crime Agency. I finished as a senior manager within the National Cyber Crime Unit really leading investigations and intelligence collection around cyber criminal groups, organized crime groups, nation-states, and then prior to that, for four years, I was the UK's cyber attache based in the United States where I worked with the FBI's Cyber Division and looking at the sharing of intelligence and information and investigations of some of the biggest organized crime groups out there.
All views expressed are my own and not those of my employer.
- Appreciate you joining us, Steve. From your perspective, when you were in law enforcement days, you had what we'll call the Four-P approach of prevention, protection, preparation, and pursuit. How has that translated to the private sector?
- Well, the Four-P approach really represents a diverse approach that you have to have to reflect the threat that we all face today. That threat itself is diverse in nature and typically asymmetrical, so there'll rarely be a one-size-fits-all solution to it, and we must therefore be creative in our responses and not become siloed. So that Four-P response was looking at each of the strengths that different departments and different parts of the community could bring. Now the most dangerous for me is, well, it's always worked that way, but organized crime groups and nation-states don't work like that. They take time to debrief. They recognize their own good and bad practice, so they'll alter their MOs or their TTPs, and we have to try and keep pace, and to do that, we have to diversify our approaches. So looking at those four Ps, if you like. So prevention, certainly in my law enforcement days, was about recognizing the potential cyber criminals of the future. Those that had a vocation, those that had a skillset within, could be coding or computer science, who would perhaps end up on a path that they shouldn't, so how could we then work with not-for-profits or with charities, with schools and education, to provide guidance and support for them to make them see the rights and wrongs and to be able to provide them with legitimate and innovative surroundings, and we continue to do that.
So here at Mastercard, the work that we're doing within our entire cyber intelligence community is looking at providing education, providing awareness to schools, to clubs, to associations to help provide those opportunities for those with those natural skillsets and their natural inquisition into cyber and cybersecurity to help shape their lives to help hopefully shape some careers to fill the cyber skill shortage that we have. I think when we look at protect, that's about, for us now at Mastercard, is about ensuring that our customers have the right knowledge. They have the right amount of threat intelligence to know what it is, to know the threat that they're facing so that they know their enemy. They can then begin to implement the right solutions. They can be proactive in ensuring cybersecurity is at the core, or as close to the core, as possible to your business. Prepare or preparedness is really about that kind of red team inner resilience, accepting really that within any industry, within any sector, that you will be subject to a cyber attack. Not that you could be, but that you will be nowadays, but being practiced in your business continuity. So that when that happens, you know where to turn. I often hear that the terminology about having a playbook, but I think it goes beyond that. It's not just about having a playbook, but do you know where it is? Do you know what's in it? Have you practiced it, have you truly prepared? Do you know who to call? What are your contingencies? Do you know what people's roles are? So really practicing, really becoming prepared for when you are the victim of a cyber attack, and then that final one, the final piece really about pursue. So traditionally, I think the bastion of law enforcement and the intelligence community, but there is a huge role for the private sector to play here. It's not just about arrests and search warrants and the like, it's about more. It's about the provision of intelligence.
It's about the ability to provide expertise in infrastructure takedowns and attribution. Victim engagement, or even the provision of witness testimony. I, myself, having left government, but you'd like to think the kind of skills and expertise that went with me, I'd still want to be able to provide those to law enforcement and the intelligence community where I can, and if that means providing witness testimony or providing the assistance around victim engagement, that I want to do that because all of these are integral to law enforcement successfully pursuing criminals and organized crime groups and ensuring that there are arrests, there are indictments, sentences, and sanctions that go with them.
- Where would you say Mastercard is differentiated in leading the space?
- I think Mastercard's entire strategy is about securing the digital ecosystem, our cyber security strategy, that is. It's not enough that we would only focus on Mastercard and keeping ourselves secure and compliant. It's about providing a commitment to every one of our customers to provide the most innovative technologies, to invest in the latest solutions, to be an active part of the community, and to ensure that our customers are positioned according to the threats that they face. You know, we have to be agile. We have to try and drive control of our infrastructure. We have to drive compliance as well, but to be able to do that, we have to look at building our virtual walls even higher or providing our customers with the opportunity to build their walls higher, so provide technologies that better define authentication across payment systems, identify those anomalies that are congruent to compromised data and fraud. We look at defining and improving standards. I mentioned it in the previous answer. We always have to look to improve.
We always have to look to impart best practice, and in November of last year, we launched Mastercard Cyber Secure which is a unique AI-based technology that better identifies account data compromise events through PAN identification and notification, and what that does is it helps to reduce that window on cyber criminals and fraudsters alike. Now, we saw a number of cyber attacks last year where they only came to light three months after they'd actually happened, or they were only revealed by the victim three months after, and what that does, aside from give the victim company time to recover, unfortunately then, it creates a window of opportunity for cyber criminals to utilize that compromised data and fraud to utilize it in human trafficking or any other types of nefarious activity or espionage, but what Mastercard Cyber Secure does is it utilizes risk assessment technology. It identifies, assesses, and prioritizes those vulnerabilities to every one of our issuers and acquirers across the globe, and it provides action plans, mitigation structures, that harden our customers' infrastructure. What we want to be able to do as well is support those areas most in need. So look at SMB, small and medium businesses. Recognizing the importance of SMBs as the lifeblood, if you like, of our economy, both digitally and on the high street, certainly in times of need. You know, in the COVID pandemic last year and at the beginning of this. They often don't have the capital or the resource to invest in cyber security, so we've worked with our technologists at RiskRecon, who we invested in last year, to provide a solution specific to SMBs that is affordable, it's accessible, and it's understandable to the layman. We don't want to swamp them with ones and zeros and cyber technology and cyber solutions that they can't understand or implement. We did the same with healthcare. The propensity of cyber criminals and organized crime groups to attack the healthcare system at any time.
I think back to WannaCry and the like, but certainly more so last year with the COVID pandemic, at the time of a real need for the world, and criminals were attacking them. So we developed our Healthcare for Heroes initiative, again providing cybersecurity solutions for free to those most in need, and it's certainly part of our commitment at Mastercard to continue to do so, to continue to provide those technologies, and to give our customers the best chance to prevent themselves becoming victims of cyber attacks.
- Well, I think that Microsoft, it could be argued, is leading the way in pioneering the endpoint with ATP as just an example. I think that anybody that has knowledge of ATP and the unique data that they're bringing together to look at the OS, would you agree that Mastercard is kind of taking the same approach, but almost external to a company's perimeter, or is it kind of an all-encompassing type approach?
- One of our biggest drivers is about the perimeter, so our investment and our acquisition last year of RiskRecon is testament to that. It's about identifying threats, not only of vulnerabilities rather on your own infrastructure, but about how you scale that to include third parties or fourth or fifth parties.
That point of opportunity that criminals have recognized in the chain, the points of weakness and vulnerability for them to be able to exploit, have never been more evident than they have in the last three months with the attacks on SolarWinds and Accellion, and then recently obviously with the Microsoft Exchange zero-day that has come to prominence in the last week or so, and to look at that kind of advanced threat protection, can we provide our customers with the most up-to-date and reliable information possible, and that's really our driver, to give them the opportunity to have qualified, data-driven decisions, to have the objectivity around their own infrastructure, and to have that objectivity around their third parties, provides them with the opportunity to make the right decisions rather than what we tend to do in the cybersecurity community is be driven by subjective risk assessments or subjective questionnaires. If you remove that and provide yourself with an objective assessment, you really do get a true feel for where those proper vulnerabilities are. Furthermore, where you need to prioritize your response and provide those mitigative solutions, and again, it's about going beyond just your own infrastructure. It's providing that target hardening right across your ecosystem, regardless of your sector, whether that's, for us at Mastercard, issuers or acquirers or whether it's further, whether that's government, healthcare, retail, or technology.
- For a lot of large and mature enterprises, especially in the FI industry, the Four-P approach is starting to gain traction. How would you characterize mature enterprises' ability to pursue?
- I think there's an undoubted ability to pursue. It's just then a question of application and legality for those within mature enterprises.
The provision of intelligence, the ability to provide those expertise that I talked about before, and being integral to law enforcement success, but the wider cybersecurity community success is all about that ability to pursue. So when you think of the masses of data that large, mature enterprises collect, the vast amounts are actually unused. They're a by-product, if you like, of business and subsequently discarded normally because of rules such as GDPR, but how can that data be refined? How can it be legally refined, and what can be taken from it? How can it be used? Can we identify new threats? Can we identify new TTPs of criminal groups that are out there, or nation-states, and again, provide that back to the community? Not just have a reliance on law enforcement or the intelligence community to tell us what's happening, but how can we shape it? How can mature enterprises become more proactive in their ability to pursue? Some in the industry are incredibly proactive and pursuit-driven. They've invested in significant and substantial investigative teams and expertise. Those capabilities will ensure that those enterprises give themselves the best possible chance of identifying criminal behavior or nation-state behavior or advanced persistent threats and therefore give themselves the best of the ability to assess for weakness and vulnerability to then mitigate it. I think some of the best operations that I worked on or investigations that I worked on in law enforcement were centered on support from private sector, that ability to be able to provide data analytics and interpretation, the ability to provide persona and group attribution, all derived really from datasets that were gathered by private sector groups, so like I said, there's an undoubted ability. It's just a question of the application and knowing where and who to turn to. 
- Some enterprises indicate they don't want to pursue outside their firewalls, and they're happy just blocking at the firewall and maintaining confidentiality, integrity, and availability of data systems and networks and getting back up to normal. That's all they really care about. How would you change that mindset?
- I want that mindset to be more positive rather than just being defensive. And then, don't get me wrong, I understand there are reasons for that, resources and budget and the like, but I think it then comes down to a question of being resilient and being proactive. I don't consider it enough now to sit back and react to a cyber attack or to be defensive in your strategy. I think cyber criminals and nation-states are too sophisticated and calculated in their approach to just try and keep them at arm's length, and as many have found to their cost again over the last 12 or 18 months. I think what CSOs, those of a defensive mind should be looking to do, is get on the front foot. Private enterprise should be about being proactive in their approach, knowing your estate, knowing your Internet touch points, your devices, your networks, your wider infrastructure, and then only being able to truly appreciate the risk that you possess, but you need to go beyond that. You then need to know your enemy. You need to know their techniques. You need to know their tactics and protocols to further target-harden yourself and your infrastructure. So it's a point of attribution. How can you defend yourself if you don't know where they're coming from? So their IPs, their C2s, their personas, their groups. Gather as much knowledge as you can about how they move to give yourself and your enterprise the best chance of preventing that attack from happening. I think if you just play by the compliance rule book, cyber criminals, organized crime groups, don't play by rule books, and they're always changing those TTPs.
So those risk and compliance frameworks can quickly become outdated, and it only takes a second for them to become outdated for a cyber criminal to take advantage of that. I think it's wise to be cognizant of other techniques outside of what's purely technical as well. So I'm thinking I'm talking about social engineering, even physical compromise, insider threats, and the like. Security is a company-wide responsibility, but that has to be driven from the top. So the CSO has to impart that knowledge, and he or she really has to demonstrate how they're doing it to provide continuous education and awareness around security, cyber security, and more.
- When is attribution important for enterprise, and I'd like to kind of break that question up almost into two. I think you have the how and the why part of attribution, then I think you also have the who. When do you feel that each is appropriate at what level for an enterprise, and then the second question really is let's assume we're talking about medium and large enterprise, and let's assume we're also talking about small enterprise who also is resource strapped. Talk through that question of scale around attribution, if that makes sense.
- As I mentioned before, I think attribution will always or should always be a part of your cyber security strategy and how you present yourself as a company, whether you're small, medium, or large. To have it at the very core of your business should be now a major component part of how you build a business. So proper attribution really can be a major source of resilience and determine how your company reacts to a cyber attack. If you are under attack, are you able to ascertain quickly what type of attack it is, by who, and what data is at risk, and again, that comes down to your ability to be able to attribute. If you can, and you can attribute, then the likelihood is that your ability to recover is heightened and ability to restore critical functions as soon as you can.
You're giving yourself the best possible chance by again having that proactive stance, by having that ability to attribute, and all of these, if you think about it, are positive indicators. Again, having that humility to accept that you will be victim to a cyber attack, but having the ability to be resilient, and those positive indicators can be then shared with customers, with investors, with shareholders. They all want to see or should all now want to see that you value the confidentiality, the integrity, and availability of data as you mentioned before. Certainly as we move into younger generations of customers, investors, and shareholders, they know the importance of their data. They value the importance of that data, but certainly they value the importance of those that they entrust with that data, and I think cybersecurity and certainly cyber resilience should be a source of capital in the market, right at the very top of your multinational, large corporates, but also then your SMBs and your startups, your FinTechs. If you can demonstrate that to potential investors and shareholders, then it should be again a core component of being able to grow, and so yeah, to demonstrate those kind of good practice procedures alongside strong, solid cybersecurity values provides those with a kind of warmer feeling that you will be doing all you can to keep their data available to them.
- But even from your days back at FBI and kind of even what we've gotten into, even with Nisos, a lot of times, we'll attribute sometimes down to the who when it's appropriate and attribute the identity, and you roll back the identity, and it's a software developer, and you ultimately get pretty good granularity on their technical skills which can also inform how you build your defenses further. I think that has a place as well.
- Yeah, absolutely. Again, it comes down to knowing your enemy, knowing your adversary, and knowing what their capabilities are.
Also knowing what their motivations are, so if it's a criminal group, usually that's, more often than not, is financially motivated, sometimes for malice or maybe mischief at times, but certainly financial motivation, but is it nation-state? Are there more kind of nefarious activities or motivations at play here with the influence operations? Are there the ability to undermine the kind of financial integrity of a country or of a company? Are there bids to undermine the kind of economic and democratic stability that we all hope and rely our kind of worlds spin upon? So knowing, again, exactly what they are looking for, knowing exactly what their intentions are with your data and with your company are key to then how you position your response and position your ability to be able to attribute. If you're a small company, you're probably not going to worry too much or you're not going to be able to duly arm yourself with the capabilities to defend a nation-state attack, but you can take simple steps by ensuring your software is up to date, by ensuring you practice good email security to give yourself the best chance of preventing cyber attacks against you, and those methods, those policies, stand true whether you're a small or medium business or whether you're a large multinational. Again, knowing your enemy, and taking the simple steps to preventing your enemy from gaining access to your network.
- Let's get into geopolitics now 'cause I think you just touched on a great new topic. From 2001 to 2010, the world as a whole was concentrating a lot of government resources on geopolitical threats such as asymmetrical threats that frankly only government could solve: counter-terrorism, counter-narcotics, weapons proliferation. And while these threats certainly still exist, we're now faced with nation-state threats on which cybersecurity and offensive and defensive operations and combating those threats in the digital space is a major component.
Not only is it a major component, it's a major component that the private sector can certainly help with as you've uniquely laid out with Mastercard, but how can the private sector be more useful?
- Collaboration I think in one word. I think the nation-state threat is very real. We've seen the recent attacks such as SolarWinds and even last week with the Microsoft Exchange attack, and they're still quite raw, and I've heard those described as watershed moments, but we should go back further than that. We go back to WannaCry and NotPetya. These were demonstrations of the power, the persistence, the kind of technical capabilities of those that wanted to harness those skillsets for ulterior motives beyond financial incentive and gain. We also see the closely blurred lines of organized crime groups and nation-states and their recruitment of the cyber criminal elite into those groups, and again, leveraging very unique skill sets for data compromise, influence operations, sanctions, avoidance of law. So I think these examples should therefore really illustrate to the private sector that we have a vital role to play because ultimately, we are all potential victims, and if we don't club together, if we don't pool our resources and our collective strengths, then we all stand to become a victim of them as, unfortunately, the likes of FireEye recently have. The data we collect, the data and analysis that we perform in the private sector, the trends we see, they're all vital in assisting law enforcement and the intelligence community in their fight to protect our nations, our sovereignty, our critical national infrastructure. So that ability to collaborate and that ability to share has never been more important in my opinion. I think we should look to engage wherever possible with law enforcement. I've been certainly very fortunate in my career. There's many examples of such partnership, productive and proactive. So we here in the UK, we have the National Cyber Security Centre.
There in the US, you have your equivalent where I was lucky enough to work at the NCFTA, the National Cyber-Forensics and Training Alliance in Pittsburgh, and those are two great examples where you bring together the hearts and minds of cybersecurity professionals as well as investigative and analytical capabilities to identify and prevent cyber crime from occurring, looking at things from different angles, whether that be your financial institutions, your government entities, your antivirus or software producers and providers. All of these different capabilities give things a different look and not necessarily solely through the lens of law enforcement and the intelligence community. It gives the point of view of a potential victim, and certainly we in the private sector can bring that, but it can't be done in isolation. It can't be done solely by law enforcement and the intelligence community. So I'd say certainly collaboration. Cyber criminals are collaborating. Organized crime groups are collaborating. They're truly international and have no respect for borders. So whilst we are bound by regulation and legislation, I think collaboration has to be one of the ways that we can help each other. Sharing information, sharing intelligence, best practice, bad practice. Learn from our mistakes in a bid to really try and protect our environments, our infrastructures, our customers, which that ultimately means helping to protect our own personal and private lives, too.
- Is the collaboration happening at the tactical level, right, because I think any time law enforcement reaches out or requests for information from the private sector, usually there's a culture of resistance from sometimes general counsel, sometimes from a board, sometimes from HR from that perspective 'cause look, I mean, companies gotta protect their brands. I think we all respect that.
Do you feel that the collaboration is happening in a scalable fashion where it's gonna be effective really at the analyst level?
- I think it already happens at the tactical level. I think certainly those communities exist with law enforcement and the intelligence community and the private sector. Certainly contacts in your kind of wider network within the cybersecurity community enable that to happen. Whether that's not normally on a formal process, but certainly informally to be able to give those kinds of intelligence tips and notes about threats and techniques and tactics, but it's not happening, in my opinion, on a strategic level, certainly at the scale that it needs to, but there are moves afoot to change that. There are regulations. There is the implementation of new legislation and regulation. Certainly here in Europe, the Digital Operational Resilience Act, DORA, which is under the Digital Finance Act, will allow financial institutions to be able to share information, to share intelligence, to share threat intelligence around specific cyber groups, cyber attacks, and provide a vehicle for companies to be able to share that information within the cybersecurity community. So whilst I agree that it does need to happen at the kind of the top level, I still think it is going on at a more tactical level.
- Steve, I appreciate your time. Congratulations on leaving government and joining the private sector. I know you probably have mountains to move certainly over the next couple of years, but it sounds like an exciting mission, and thank you for your time. For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos' experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation as well as cyber threat intelligence.
A special thank you to all Nisos teammates who engage with our clients to conduct some of the world's most challenging security problems on the digital plane and conduct high-stakes security investigations. Without the value the team provides day in and day out, this podcast would not be possible. Thank you for listening.