A hacker, a negotiator and an intelligence official: meet the women fighting cybercrime
A hacker, a hostage negotiator and an intelligence officer walk into a conference… It sounds like the setup to a bad joke, but at InfoSec Europe, it was actually a fascinating insight into dealing with cyber security threats, provided by three women who all had varied experiences in dealing with them.
The London conference, held last week, welcomed social engineer Jenny Radcliffe, who helps organisations tackle the human element of cyber security. She was joined by international hostage and kidnap negotiation expert Suzanne Williams and by Marsha Quallo-Wright, deputy director for critical national infrastructure at the National Cyber Security Centre (NCSC), to discuss the cyber security landscape. All three gave keynotes on dealing with malicious actors and preventing cyber security threats amid an expanding threat landscape.
The people hacker
Radcliffe – founder and director of Human Factor Security – gave her keynote on her career as ‘The People Hacker’, helping organisations address the human element of cyber security, often considered the weakest link in an organisation’s line of defence.
Social engineering relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices to gain unauthorised access to systems, networks or physical locations for financial gain.
Radcliffe admitted to the Infosec audience that explaining her job to old ladies whom she meets on trains is challenging.
“I basically break and talk my way into buildings – persuading, influencing and manipulating people to let me – and sometimes a small crew – get into places we are not supposed to go. But then I explain how I do it to prevent malicious actors from doing the same thing.”
Radcliffe confesses to breaking into banks, offices, government organisations and theme parks: “I’ve had to lay flat in a ghost train before to try and avoid detection. We face dogs, guards and managers, electric shocks and endless confrontations,” she added.
The hacker described a good social engineer as one who is discreet and focussed on the task in hand. “It takes incredible discipline to remain focussed on the job,” she added.
Recalling a rare mistake, she described hiding in a broom cupboard waiting for office staff to go home when she spied the remains of a birthday cake that had been left out. “It all went wrong when I ate the cake – as soon as I broke this code there were chases,” she added.
Radcliffe believes that the physical penetration tester world – and security teams in general – need more diversity among their ranks and especially more women.
“It’s definitely advantageous to have a more diverse security team because I’ve been stopped more times by women security guards than I have by men,” she revealed.
“It’s dangerous to think that all hackers wear hoodies and sit in front of computers. Diversity is a key to a more secure workplace. Different routes into the industry must be opened up,” she added.
Radcliffe also thinks that as the technology and cyber attacks become more sophisticated, it’s vital that the cyber specialists and the IT team work closer with social engineers.
“Over the next year or so we are going to see the hacks and the tech getting better – but we can educate people on what an attack looks like, what an approach looks like because most cons look the same: they are emotional, they are time-bound, there are calls to action – so I think we can still beat it.”
Not overlooking the human element of cyber crime was a point that was brought home when an audience member asked Radcliffe if biometric security technology was making it harder for her to break into buildings.
She smiled knowingly and replied: “Not really because there’s always someone you can get to who’s responsible for switching it off. Technology will develop but we can always get to the humans.”
The hostage negotiator
Suzanne Williams has been an international hostage and kidnap negotiation expert for over thirty years now. As a Scotland Yard detective she was the most senior ranking officer in charge of both the kidnap and hostage negotiation units. She has also worked for both the UK Government and the FBI.
While there are clearly differences between cyber extortion and a real-life hostage situation, Williams believes there are some basic takeaways around good negotiation and good communication.
In her opening keynote, kicking off the third day of InfoSec22, she said the first rule was to never look at the situation from your own worldview – firms need to put themselves in the shoes of the cyber criminals.
“Your situation is made up from your life experiences, your culture, your age, your gender. You know what the situation looks like from how you see it but you need to look at it from their eyes and appreciate their challenges,” she said.
“And you need to do that without judgement. No matter how big a criminal, terrorist, you have to step into their world and understand their problems otherwise you won’t begin a good communication that will lead to a good negotiation, which will hopefully lead to behaviour change.”
Williams also emphasised the importance of being professional throughout the negotiation process – right down to answering phone calls on time and syncing clocks to make sure you are dealing with correct time zones.
“Throughout the crisis response you’ve got to give the perspective that you are competent, confident and compassionate. I listen, then influence and then try to get them home,” she said.
While Williams hasn’t had much experience of working with tech companies dealing with ransomware gangs (her job has mainly involved criminal gangs, terrorists and human hostages) she says that this has started to change since lockdown.
She adds that her main role when firms hire her to deal with a ransomware attack is to focus on the negotiations rather than the technology.
“I’m looking at the strategy, at what we hope to achieve. Are we going to try and buy time? Are we going to try and glean information? So it’s acting on the negotiations strategy and just doing that while the bright people that understand IT do their job and it’s them that hold the key to this,” she added.
Whether it’s humans or IT networks she is trying to rescue, Williams has noted some similarities in criminal behaviour patterns.
“That’s especially true as things get close to a resolution and they get a suggestion that they might actually be getting some money – sometimes this leads people to becoming a little bit reckless and sloppy – because they think they are almost there. And while we have to maintain our guard to the very end, sometimes that’s not what’s happening on the other side.”
TechInformed asked Williams if there were any circumstances in which an organisation hit by a cyber attack should pay a ransom. “I’ve got to give you the negotiator’s answer there: It depends!” she replied.
The NCSC deputy director
Marsha Quallo-Wright, deputy director for critical national infrastructure at the National Cyber Security Centre, gave the InfoSec audience an update on some of the key threats and hacks, as the organisation seeks to make the UK the safest place to live and work online.
According to Quallo-Wright, the most significant cyber attacks last year were those carried out on Microsoft Exchange servers which compromised at least 30,000 firms in the US alone, with many more affected worldwide.
The NCSC – which is part of the UK government’s intelligence organisation GCHQ – said that it was “highly likely” that a group known as HAFNIUM, which is associated with the Chinese state, was responsible for the activity, with a view to enabling large-scale espionage, including acquiring personally identifiable information and intellectual property.
Quallo-Wright added: “We see China’s increasing international assertiveness and scale as one of the most significant geopolitical shifts in the 2020s.
“We support the US and EU which have expressed concern that foreign enterprises in China are required to transfer technology as a condition for market access and we support efforts to make sure that they are addressed.”
Moving forward, Quallo-Wright added that the NCSC would implement “a more robust framework for our relationship with China that allows room to manage agreements and defend UK values while tackling transnational challenges”.
The general rise in ransomware attacks is a major concern, according to the expert, and those that are being carried out on critical infrastructure are now treated as seriously as state sponsored attacks.
“Attacks are likely to increase in scale and actors are increasingly likely to target managed service providers to gain access to a wider range of targets,” the deputy director added.
Another trend that Quallo-Wright noted was that semi-professional crime groups no longer dominate the market. On the Dark Web now there are DIY ransomware toolkits for use in the wild which has “lowered the threshold for unskilled criminal operators”.
Some of these ‘amateurs’, she added, were simply opportunists, while others have been referred to by one law enforcement official as “street gangs getting in on the act”.
“The main risk with these kind of gangs is that they could inadvertently take out a large target with an unsophisticated attack,” she added.
The Log4J vulnerability, identified in December last year, is another big issue to hit a wide range of businesses both in the UK and abroad.
“This is likely to continue to be a long-term issue as it affects so many of our software products that are widely used and embedded in many that we’ve not even identified,” Quallo-Wright predicted.
For its part, the NCSC urged many public and private organisations to follow its technical advice within hours of the vulnerability becoming known.
“What Log4J demonstrated was that we can’t just speak about threats to those who live and breathe cyber security on a daily basis,” said Quallo-Wright.
“We must set it out in terms to reach the broadest audience. It’s on all of us as a community to encourage a culture where it becomes second nature to update software and devices to stay as protected as possible to threats and vulnerabilities.”
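Quallo-Wright’s point that Log4J is “embedded in many [products] that we’ve not even identified” is an inventory problem: the vulnerable library usually sits inside a .war or .ear, not as a top-level file. The following script is an added example written for this article, not NCSC tooling or anything presented at the conference. It walks a directory, opens each jar/war/ear, recurses into archives nested inside them, and reports any copy of log4j-core that still carries the JndiLookup class abused by the December 2021 vulnerability (CVE-2021-44228), together with the version read from the bundled pom.properties. One assumption is made for simplicity: any log4j-core below 2.16.0 (the release that removed message lookups and disabled JNDI by default) is flagged as needing review; the separate 2.12.x and 2.3.x maintenance branches, which had their own fixed releases, are not modelled. The sample .war it builds is constructed in memory so the check runs offline.

```python
import io
import re
import zipfile
from pathlib import Path

# Entry names inside log4j-core. The JNDI lookup class is the component abused
# by the December 2021 Log4J vulnerability (CVE-2021-44228); pom.properties
# carries the library version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Simplification (assumption for this example): treat anything below 2.16.0,
# the release that removed message lookups and disabled JNDI by default, as
# needing review. The 2.12.x (Java 7) and 2.3.x (Java 6) branches have their
# own fixed versions and are not modelled here.
FIXED_VERSION = (2, 16, 0)
MAX_DEPTH = 5  # guard against pathological archive nesting


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None if no dotted triple is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def version_from_pom(text):
    """Read the version= line of a Maven pom.properties file."""
    for line in text.splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1])
    return None


def inspect_archive(data, name, depth=0):
    """Return findings for one archive (given as bytes) and any archives
    nested inside it, e.g. a log4j-core jar under WEB-INF/lib in a .war."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-based archive; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names or POM_PROPS in names:
            version = None
            if POM_PROPS in names:
                version = version_from_pom(zf.read(POM_PROPS).decode("utf-8", "replace"))
            if version is None:
                # Fall back to the conventional file name log4j-core-<version>.jar.
                m = re.search(r"log4j-core-(\d+\.\d+\.\d+)", Path(name).name)
                version = parse_version(m.group(1)) if m else None
            has_jndi = JNDI_CLASS in names
            findings.append({
                "archive": name,
                "version": version,
                "jndi_lookup_present": has_jndi,
                # An unknown version with JndiLookup present is also flagged.
                "needs_review": has_jndi and (version is None or version < FIXED_VERSION),
            })
        if depth < MAX_DEPTH:
            for entry in sorted(names):
                if entry.lower().endswith(ARCHIVE_SUFFIXES):
                    findings.extend(inspect_archive(zf.read(entry), f"{name}!{entry}", depth + 1))
    return findings


def scan_tree(root):
    """Walk a directory and inspect every archive found in it."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(p.read_bytes(), str(p)))
    return findings


def build_sample_war(core_version="2.14.1"):
    """Constructed sample input: a .war bundling log4j-core under WEB-INF/lib.
    The class bytes are dummies; only entry names and pom.properties matter."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\n"
                              f"version={core_version}\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr(f"WEB-INF/lib/log4j-core-{core_version}.jar", core.getvalue())
        z.writestr("WEB-INF/lib/unrelated-1.0.jar", b"not a zip")  # exercises the BadZipFile path
    return war.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_war(), "sample.war"):
        print(finding)
```

Run `scan_tree("/opt")` (or wherever application servers keep their deployments) to get the same findings for real files; the `archive` field uses `outer!inner` notation so a nested hit can be traced back to the deployed artifact. The check is deliberately on-disk rather than network-based, which is what makes it usable for appliances and vendor products where nobody on the team knows whether Log4J is present.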