
November 3, 2024 • 32 mins

Discover the riveting journey of Darren Hopkins, a distinguished partner at McGrath McNichol, who transitioned from the Queensland Police Service to the forefront of digital forensics and cybersecurity. Darren's extraordinary path, beginning with an IT degree and evolving through vital roles in software engineering and information management, offers listeners a unique perspective on the nascent stages of digital forensics. Recalling his time at Queensland Police, Darren shares compelling stories of his involvement in organised crime and child protection cases, which shaped his expertise and led him to establish digital forensics capabilities at prominent firms like KPMG and McGrath McNichol.

The landscape of cyber threats is rapidly changing, and this episode uncovers how organized crime has shifted focus towards lucrative cyber activities. From the days of simple phishing scams to today's sophisticated ransomware attacks that paralyze major corporations, we explore the escalating challenges faced by cybersecurity defenders. Darren provides insights into the commercial and ethical dilemmas organizations encounter, emphasizing the importance of cybersecurity hygiene and proactive measures. We also delve into the role of government regulations in this ongoing battle against cybercriminals.

As businesses strive to protect themselves, the discussion turns to the critical role of tech giants like Microsoft, Apple, and Meta in securing digital ecosystems. We highlight their efforts to integrate security into their products and the emerging significance of operational technology (OT) security. For business leaders, the conversation pivots to essential strategies, stressing the importance of governance and cybersecurity hygiene to ensure business continuity. The episode concludes by underscoring the growing necessity for tech expertise on corporate boards to effectively navigate today's complex technology risks.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Michael van Rooyen (00:01):
My interview today was so interesting we had to break it into two parts. Here's part one of that interview.

Darren Hopkins (00:09):
A negotiator will come up and say look, we've had 120 interactions with this threat actor and we've facilitated more than 100 payments and not once have they gone back on their word. Not once have they leaked the data if they said they weren't going to. Not once have they not shown a video of them deleting the information. Not once have they re-extorted. So therefore, they're 100% honest as a criminal and their

(00:30):
business model is that the moment they deviate from that, their business model fails, because if it was a 50-50 chance, you're not going to risk it unless you're absolutely desperate.

Michael van Rooyen (00:39):
Today I have the pleasure in having a chat with Darren Hopkins, who's a partner at McGrath McNichol. McGrath McNichol specializes in all sorts of things that Darren will talk about, particularly around forensics and computer related crimes and incidents and advisory and all things around cyber. Darren is well known in the industry for the work he does.

(01:00):
Darren, welcome to the podcast. Thanks very much, looking forward to it. Yeah, great, and before we start, do you mind just talking a little bit about your career journey and particularly how you transitioned from working in forensics, computer examination, from your history at the Queensland Police Service into becoming a partner at McGrath McNichol?

Darren Hopkins (01:18):
Yeah, no problem. Look, I actually didn't intend to be in the career I ended up in at all. I did an IT degree and I started doing software engineering and realised I'm a pretty rubbish coder and not something I enjoyed. So I stayed on and did a second major in information management and I thought, yeah, I can do this, that'll be fine. Like most good students when they finish uni, I wanted to do

(01:38):
some travel. I promised my mum I'd apply for at least one job before I disappeared and unfortunately I got that job and it was at Queensland Police. And it just happened that the person who was interviewing me was an alumni from the university who I used to see around all the time, so he didn't want to work with someone that he didn't know and that just worked for me. And I never got to travel and I started my first job in

(01:59):
Queensland Police actually doing IT. I was actually helping run a network and do all the things that you would normally expect to do in technology. I worked out very quickly that the major problem any IT professional has to deal with is the issue between the keyboard and the chair, which is the person, and it was just the right place at the right time. The year I started they created what they called the Forensic

(02:22):
Computer Examination Unit, Queensland Police, which was, I guess, the start of what ended up becoming a computer crime and digital forensics capability and at the time there was really only Victorian Police and Queensland Police that had a capability and then we saw the other services start. I was the young IT guy in the right area, which was crime operations.

(02:42):
That's where I, supporting this, was part of fraud squad, got moved into this unit, did some training and then over time just sort of got the experience of understanding what investigations into digital forensics was and really back then we were creating the industry. There wasn't frameworks or methodologies or really even tools back then to do these things.

(03:03):
We were relying on traditional tools to do the things and a lot of it was understanding the real underlying technologies to enable things. I did that for a few years and I was working in areas such as organized crime. I did a bit of work with the drug squad, fraud squad. Towards the end of that part of my career, I started doing a

(03:24):
lot of work with what ended up being Task Force Argos, which was part of the crime ops, which was dealing with organized pedophilia and child abuse and those issues, and my last two years was effectively looking for perpetrators online and other places, trying to track them down and identify and bring them through to courts and hopefully beyond that, to

(03:44):
protect our kids.
So that was a pretty important part of that end of the career. Then I got asked if I would leave police and start a similar capability with one of the big four, KPMG at the time, and we helped create a digital forensics capability there, did that for a while and seven and a half years at KPMG. I then got the opportunity to do the same thing at

(04:05):
McGrath McNichol, so effectively had three jobs in my life and all three have been a bit of a startup and I'm still here 19 years in.

Michael van Rooyen (04:14):
Wow, wow, it's been 19 years.
That's fascinating.
I knew that police force from brief chats we've had but I didn't realize you actually started in doing the basics of technology right and then really leading into that and it's a long career to be dealing with threat actors, criminals et cetera. Is that just a natural progression to lead to motivated and specializing in cybersecurity and privacy and

(04:37):
digital forensics?
Or just the way the market's moved and you've just been in that kind of that transition as we've matured and being more digitally connected?

Darren Hopkins (04:44):
I've also had a look at how did that career
transition?
Early days, even at McGrath McNichol, when we were first starting, we were a traditional digital forensics, e-discovery type practice, a lot of insider threat and work predominantly for courts and lawyers. The skill sets we had, we worked out pretty quickly, were really useful in collecting evidence from incidents. And one thing that we're looking at with incident

(05:06):
response and those types of capabilities that if you don't have a client that's been collecting data the right way and doesn't have a SIEM and doesn't have a security operation center and hasn't invested in technology, they have an incident. It's really hard for them to work out what's happened, whereas the digital forensic side of our backgrounds enabled us to find the evidence to support a breach or an incident

(05:28):
through those methods where not traditionally it wouldn't be available. So we had a lot of people asking us to help on incidents and IR and then we thought, well, the world had moved on and information security was now being called cyber. So we said let's just jump on that bandwagon. That sounds great. Yes, how do we as a firm build a brand that recognizes that

(05:49):
we've got real skills here when traditionally we haven't done that? So our incident response practice sort of built out from there and as a combination of digital forensics and if you have a look at a lot of incident responders, they call themselves DFIR, digital forensics and incident response. It's that combination of skill sets, so we had the digital forensics. I had some really good information security

(06:09):
professionals in the team, so the SOC operators and the analysts and the network engineers, so those people that sort of know the security side. We have some pen testers in our team. I mean these are the guys that can look at what's actually happened through the external view or the insider view or the vulnerability piece. And that combination of all of those skills sort of meant we

(06:32):
all of a sudden had something a bit different and the business got known for having a good reputation for being able to work out what's happened in an incident and how it occurred and where to go from there. And naturally that enabled us to then have a practice of cyber GRC people who can help post the event fixings, provide

(06:52):
advice and guidance on how to get better.

Michael van Rooyen (06:55):
Yeah. Well, I mean, even for me in the years that we've kind of engaged or done some cash engagement together, certainly you know the name McGrath McNichol becomes the one that they go to particularly. You know, just from the experiences you touched on, that broad portfolio and the parallel of moving to cyber and connectivity. I know you spend a lot of your time dealing with incidents all the time and I think Scott Reid, who works in our organisation,

(07:17):
says these are the people you call. Right, when things have gone sideways, these are the people you call. So I know you lead a big team of people that really specialize in that and I think it's important and we're just seeing the continuation of this landscape of threats everywhere. Right, it would be interesting for you to comment on what kind of trends you're seeing in the cyber landscape today and how that's changed over the years, from where you started, and also

(07:38):
what are some of the emerging threats that businesses should be thinking about today.

Darren Hopkins (07:42):
It's a tough one, isn't it? I start most of my presentations with the cyber security landscape and where we're going to today, and often I have a look at what jobs I'm doing at the moment and are they changes in what we've been doing in the past? Are they different? If I have a look back, maybe five or six years ago, um, just go back to there, far less sophistication in what we're

(08:03):
seeing, the tools and technology that threat actors were using weren't that great. I even think something as simple as a phishing email back in the good old days, you could generally, in our industry we'd pick up these things because they couldn't spell Google correctly and the language is average and it was really obvious what they were trying to do and they used to sort of just try to catch the people who are unaware or just not paying

(08:24):
attention.
And then over the last sort of three or four years, we've seen this move where organized crime has realized that there is such a large market to exploit and so much money to be made by focusing on cybercrime, and we then had these groups become more sophisticated and have access to more funding and more R&D and capability and realize that there's a genuine serious

(08:48):
market for making money and therefore some of the industries that used to drive organized crime, like drugs, were starting to reduce in their relevance to funding organized crime and terrorism and all these other things. So, unfortunately, that meant for all of us that we were seeing more and more of these threats emerging and they were getting better and better. And then we started to see the evolution of attacks like

(09:11):
ransomware and I still remember ransomware started in people's homes. Yes, the first lot of ransoms that we would see would be someone would break into your home computer and find your photos and lock up your photos and say, if you want to get all the pictures of your kids back, it's going to cost you $500. All right, and at the time they realised, well, people will pay $500 to get memories that they can't replace of all of their

(09:34):
children's photos.
Fair enough, in early days it was such a successful, thriving little business and it just kept growing and then becoming bigger and bigger. And then we started to see businesses getting hit more and more and then the way that the attacks would work and the tactics would change. Early days it was disruption. Can I disrupt a business and effectively cripple them and

(09:54):
then make them pay to get back online? And how do we respond? We all got better at disaster recovery and business continuity. We all started saying how important backups are and how important is it for you to be able to respond and recover, and we focus there. So then they started dealing with extortion. Well, if they can recover, what else could I do to make somebody sort of pay?

(10:15):
And then we saw this evolution of data exfiltration and data thefts and then extorting, and then the information that was taking was more harmful, more likely that we all want to pay to limit that harm to others. And I've just seen this evolution of more sophisticated, better tools and certainly larger quantums and much more

(10:35):
sophisticated and bigger attacks crippling really large businesses that you would hope could be doing better. Yes, we're all now being exploited with the things that in the past we didn't really worry about, things like vulnerabilities and misconfigurations and all these things. They're the doors that we left open that in the past maybe weren't being looked at as much, but now you just can't ever

(10:57):
avoid your hygiene.
Yes, because the tools have enabled groups to automatically scan the world. Every IP address, every external network has been scanned all the time for threats, and if they find them, they'll exploit them. And then I've seen in the most recent times is the use of some new technologies and really good social engineering to step it up again. So, unfortunately, you know, the evolution is more

(11:18):
sophistication, bigger and larger attacks and far, far bigger impact on businesses, from that what started small to now being something that's crippling even some of our biggest businesses. And then the worst thing is that this response from governments and others, which is to regulate, to try to reduce it, and we all then feel the impact of that, of course, of course, and then with crime syndicates, et cetera, spending

(11:40):
more money in the space because they know it's quite lucrative and has become quite lucrative, particularly with connectivity.

Michael van Rooyen (11:45):
Do you feel that there is a tipping point?
Are we fighting against something that just continues to grow? Are we fighting with one arm behind our back from our investment, from the vendors and government and ourselves? You know? Is there a balance? Is it balancing out, or is it just it's a balancing act?
I guess.

Darren Hopkins (12:05):
Oh, there's an acknowledgement everywhere that we could all be doing more. Sure, our vendors and our tech products that are out there are absolutely creating incredible technology to help defend us and safeguard us, and they see the opportunity for what it is. Our governments are completely focused on this. You only have to see the amount of effort that they're putting into reminding us how important this is. Yes, our regulators probably move beyond education and awareness to enforcement and the big stick approach. If you get this wrong, I'm going to hit you really hard and

(12:26):
there'll be a giant fine attached to it and you won't like the ramifications. So you need to do something, and businesses, I think, are now really acknowledging that security and cyber and any of those elements of securing your technology are just as important as the operational efficiency you get from good tech. So there is more money to do things, but there's only so much

(12:47):
to go around and we still got to budget all of the risks that an organisation has to manage. Some really positive things I've seen in the last 12 months is boards and directors are very conscious of the risks to the organisations that they are supporting and are asking more questions and expecting more from their executives and the businesses themselves. Businesses are doing more to actually try to safeguard

(13:09):
themselves.
You know, a real challenge in a country like Australia is that, you know, almost 90% of our businesses are SMEs. They don't have the big budgets to deal with these big threat actors and they can't afford the great tools that are potentially available. So how do we balance enough that's affordable and achievable with the other side of it, which is a full defence piece?

(13:30):
So a lot's been done.
One thing I always hate to see is I think we sometimes the money that goes out to threat actors versus what we invest is probably disproportionate.

Michael van Rooyen (13:40):
Right, wow.

Darren Hopkins (13:41):
I've had some instances where I've seen a payment to a ransomware operator of almost $10 million. Wow. And then six months later I've seen a board approve a cybersecurity budget to future-proof and safeguard this business, and they approve $500,000 a year for three years. I thought, well, that's good, it's $1.5 million, we'll get a

(14:01):
fair bit done, for sure.
Sure, but I wonder what the Russians will do, because it was a Russian threat actor, with the $10 million they made after they have their nice holiday and a visa and a few other things. I'm sure they'll reinvest some of that back into their own business, and probably a little bit more than what we've preserved to go off and safeguard ourselves.

Michael van Rooyen (14:19):
Yes, and that's an interesting point you make there around it is treated as a business. Right, these guys are running it as a business. It's not just something. They're dabbling with threat actors and we go back to movies in the 80s, it was a dabble, dial in, play with things. You know, this is a real, serious business and I think one of the conversations I heard you have once is become a real

(14:40):
thing.
Right, I mean, it's happening and there's a lot of consciousness about it, but for people listening, I don't think they realize the magnitude of how serious this business is.
A question.

Darren Hopkins (14:49):
I get asked if I'm doing a tabletop or a simulation for a board and we get to the part of one of these simulations. This is a ransomware event we're trying to emulate and we want to make it hard. Often you get to this part where you're talking about are we going to negotiate with a threat actor which potentially is a terrorist? You don't know at this point and would you consider making a

(15:09):
payment?
And there's all of these legal reasons why you may or may not want to do those things. There's certainly ethical reasons why you wouldn't do it, but there's also commercial reasons why you might go down that path. And I always get asked by somebody how can you trust the criminal? How do you know that they're going to do what they're going to do? And it comes back to well, how honest is our hacker? And that's effectively what someone's asking, why should we

(15:29):
trust them?
And a lot of that is because their business model is that without trust they would have no business. And often you'll see statistics on the threat actor group you're dealing with and how honest they have been. And I've seen instances where a negotiator will come up and say, look, we've had 120 interactions with this threat actor and we've facilitated more than 100 payments and not once have

(15:51):
they gone back on their word.
Not once have they leaked the data if they said they weren't going to. Not once have they not shown a video of them deleting the information, not once have they re-extorted and not once have they not provided the tools to unencrypt. And not once have they publicly announced that they've had a dealing with you. So therefore, they're 100% honest as a criminal and their

(16:14):
business model is that the moment they deviate from that, their business model fails, because if it was a 50-50 chance, you're not going to risk it unless you're absolutely desperate. Yes, and you'll even see instances where new attackers come in and aren't honest. Just take the money and then you'll hear of other groups trying to shut them down because you'll ruin it for the rest of

(16:34):
us.
Right, and you know, the business model includes, you know, I like to compare it to a franchise type model that we're comfortable in aust You've got these operators who are the big groups that have the cool name they can name themselves, yes, and they do the R&D and they build the tools and they've got the capabilities to attack. They often also help manage the money laundering side of it.

(16:56):
It's all well and good to get a bunch of Bitcoins, but you've got to turn it into cash one day. True, so they'll have that. Then they'll go off and recruit affiliates and affiliates are your franchisees and as a franchisee or an affiliate, you get access to the franchisor's capability and their tools and their support and their marketing and their Q&A and their help desk. These things are provided. They'll train you on how to do better and you can ask questions
(17:18):
and you give up part of yourfee for that service no
different to a franchise fee.
That's fascinating.
And then sitting around theoutside are all the others that
support it.
There'll be recruiters who areout there looking for the next
affiliate who's good.
They'll be out there trying totarget those young, great
security professionals to cometo the dark side.
And there'll be brokers andtheir job is to find a backdoor

(17:38):
to exploit.
They look for that opening inthat business that they can get
in and they'll test it andthey'll make sure it works and
they'll sell that.
So they'll sell access to yourbusiness to an operator or to an
affiliate.
And these days, when we see theattacks.
If someone has bought access toyour business, they've already
got skin in the game.
They've paid some money toattack you and that's why we're
finding they're less likely justto walk away.

(17:59):
They want to get some return onthat investment and this is a
whole business model that sitsaround it.
Even thinking about campaigns,you would have seen it with
phishing emails.
Why is it the phishing emailsstart to tailor based on the
time of the year and the eventthat's happening?
Why are we getting the scamsaround romance scams during
Valentine's and why, atChristmas, are we getting the
package scams?
Because their teams buildcampaigns around what's going to

(18:21):
be relevant to attack us in away that would likely make us
fall victim.
And they've got teams thatthink about these things and
design those attacks, and nodifferent to our own marketing
teams that think about asuccessful approach to winning
work.
Of course and it is it's just areally successful business
network that can work outside, Iguess, the moral constraints
that we have there's no rules.

Michael van Rooyen (18:43):
There's no rules.
Yeah, I mean that's just super fascinating and I love the analogy about how it related to a franchise, right, how franchise model works and you know how serious again that this is a, this is a business, right, and they're there to make money in there and that's what the mission is, right. And, uh, that breakdown. If I think about the physical aspects of going back, um, a couple of decades of crime, it's no different to how they
(19:04):
structure these to recruit people to do certain activities to do it. It's just digitally now, right, that's almost the same structure. Yeah, it would mean hard to be a drug dealer.

Darren Hopkins (19:11):
to be honest, in the last five to ten years you sort of think, you know, if you want to make money with drugs, you've got to have a product. You've got to either create it, you've got to grow it, you've then got to convert it to something, and you've got chemists and others that are all involved in this. You may have a plantation or something. You've got to hide and keep going, and there's a whole bunch of people involved in that. I mean lots of people who could blow the whistle.

(19:32):
You've then got to go off and get that product to market. So you need to package it and brand it and then get it to foot soldiers to sell, and all of these things have points in time that you can get caught. Something could go wrong. Law enforcement are great at waiting for the perfect time. They'll let you spend all that money doing all these bad things until the point where all the products are together and you're
(19:53):
about to get a whole group and then they'll take you down, yes, and remove all of your profit from all that investment and catch a whole bunch of players at once. It's deliberate, it's well constructed. Cybercrime is you're sitting in a country with no extradition treaty and you're all anonymous. You don't have to see anybody, you don't have to walk out the door, the money turns up in a wallet and you can convert that
(20:13):
very easily into cash and you can live a pretty good life. The hard thing is you've got to be in a country that maybe I wouldn't prefer to live in, but you'll live like a god there.

Michael van Rooyen (20:22):
So it's not too bad.
Yeah, fair enough too.
That's just fascinating.
Going back on a point you made earlier around there's quite a lot of brilliant tools out there from vendors to really help protect it, and obviously that's come at a cost. Is your thinking, as we progress and mature in this industry, trying to holistically in the technology industry, do you feel that vendors, the big ones, Microsoft, Google, Apple,
(20:44):
are going to really drive that continuously so that customers and consumers expect the security by design and all that? Do you think there's a tipping point where you see this drop off? Or you think that as we get more hyper-connected, it's the opposite, we're going to still see more opportunity for threats and breaking in? What's your view on that?

Darren Hopkins (20:59):
I think our leading tech players, your Microsofts, your Apples, your Metas and all these other sort of providers out there providing large services, they're completely invested in securing their ecosystems. They have to. That's what we all expect them to do. Without the trust in their products, they're going to struggle to maintain the positions they have. The good thing I see coming from all of these vendors, as

(21:22):
well as the acknowledgement that they need to provide tools and capability and security to everyone, small, medium, large. If you take on their ecosystems, the expectation is that, even as a little player in their market of their tools, you're getting something good. And we've seen the likes of Microsoft really demonstrate over many, many years how they're continually embedding security into their products, eventually then making it
(21:44):
available to everyone.
And then they're making it available to everyone free and then they're actually forcing it on everybody for free, and that's, I think, a good organization that understands the value of these things. I also see it with a lot of our other tech vendors that have got fantastic products who deliberately have some incredible technology to protect us. And E is exposed endpoint detection response, the thing

(22:04):
that is looking for threats on your devices and will hopefully block and stop and tell you before it becomes a real issue, that tech used to be difficult, hard and expensive, and we would often rely on the smaller products for small businesses. What I now see is that tech providing an ecosystem that deals with small, medium and large, and actually even breaking their products up into areas to support different
(22:26):
organisations of different sizes, using the underlying core technology, delivered with maybe less or more managed services. Fantastic. And the other thing I love to see now is that these core technologies are very open to working with service providers. So we've got the technology, we can't provide the service, so how do I get that then, to teams who have got the skills and experience and the connections to deploy and run those things
(22:48):
appropriately, rather than a tech vendor saying I need to own everything. I need to own the tool and the people and the relationship.

Michael van Rooyen (22:54):
Yep, yep, fair enough, and uh, it's a good point, and I even realized, I've noticed that you're actually right about some of these big, big players pushing on. You know, thinking about adding things like Defender into people's personal subscription for three-star companies, just choosing Microsoft here as an example. And I think that's what we're expecting, right, as consumers, that we're going to be more and more protected, so we should see some sort of decline in some areas, but of course there's
(23:14):
still lots of exposure.
We think about OT networks being connected that are, well, not patched and maintained, and this hyper-connectivity, I think, is still a huge area where there's probably going to be problems living.

Darren Hopkins (23:24):
Yeah, a huge amount of risk still out there.
OT is one that in the last sort of 12 to 24 months has really come to the forefront of being a risk. We talk about critical infrastructure in this country and the fact that if someone was to attack us as a nation, the easiest way is to attack the critical infrastructure of that nation, and you do it digitally through a cyber type attack. I have a look at OT, traditionally the way it's been
(23:46):
managed, and we've worked on jobs together in those providers and it's always an eye-opener to have a look at what you find and the expectation is that there's almost if it's not broken, don't touch it mentality with OT. Sometimes we think that we can get as much life out of it as we can and at some point someone stops supporting a product but we'll keep it until we can no longer get parts on eBay, if we
(24:12):
can keep it fixed and it does its job and it doesn't change. It's a technology that's on or off or it does something, that's okay. Probably not even thinking that there's a vulnerability that's been there for the last six, seven years of its life and we don't apply the same rigor of risk management that we do with our IT world to our IT world, but we're getting better at that as well. Yes, and in the past we used to say, you know, it's air-gapped, no one can get to it, so it's safe. And then someone says but I need to see if that OT is
(24:35):
working.
So can you maybe not completely gap it and let me have a bit of a view in, or I need a vendor to be able to come in and support it. So you know, they're the changes in the world that we're seeing and they open up that risk completely.

Michael van Rooyen (24:47):
Yeah, and I see a lot of this OT-IT
convergence.
In fact, a fairly large operational technology
organization we're doing some work with at the moment has
actually gone the other way, where the OT team, OT management
and OT manager has taken over the IT function.
Now they're very heavy OT related.
It used to be the other way around technology provider
service.
We know there's a difference between the two, but the

(25:08):
connectivity and I don't think we've ever found an air gap
network as such so far there's always somewhere it's been
touched right, especially with shadow IT deploying 4G, 5G.
It's so easy today to get connectivity in and that's where
the problems are. Now moving into, kind of, what keeps you
busy.
As we touched on at the beginning of the chat, you'll
really spend a lot of time helping customers with incident

(25:30):
response and digital forensics when they've been.
An instance happened and of course, it's crucial that it's
continuing to grow and increase in the amount of these that are
happening.
What are some of your recommendations to businesses on
the first steps that you take to kind of mitigate that as a
first point?
I know we're touching a lot of solutions, everything like that,
but when you, when you're advising customers to avoid
these breaches, uh, have you got some advice for them?

Darren Hopkins (25:51):
The area of incident response, which is
pre-breach, is the area I'd much rather meet clients in.
Yeah, of course, I think the journey pre or post-breach ends
up being the same, but one costs a lot more than the other.
If you're doing it post-breach, it's hard, it's fast and it's
undocumented.
The things that you end up doing are very similar and many,
many others.
In this industry.

(26:12):
I think we all sort of sing from the same playbook and the
prayer book, which is hygiene, is where you need to start.
So we all have technology, networks, infrastructure,
applications, the things you need to get right first of the
basics.
So make sure your technology is up to date, it's patched,
you've got appropriate backup procedures in place so if

(26:33):
something happens, you can recover, and there's a lot of
frameworks out there for assessing your cyber security
maturity.
They all have an incident response.
If I have a look at NIST as a framework, which is a common one
we see in Australia, you've got can I respond and recover.
I always want to focus there.
To start with.
You're never going to be able to do everything at once, so be
able to get back up and running if something goes wrong, and
assume it will.

(26:53):
So backups, business continuity, all of those things, incident
response plans, then get all your basics in place so you're
reducing the likelihood of you falling victim.
Make sure things are up to date, they're patched, that you've
got good technology that is supported and good vendors and
others around you to do that support. At some point.

(27:15):
We then want people to invest in the ability to detect an
issue when it comes up.
Often we see it, you just don't know it's happened until it's
happened.
And in many cases I do an incident response job where we
have to work out the root cause and how this happened and we
realized that they could have known months ago that they were
compromised and things were happening and that is no one
knew.
So there was all of that lead time to have prevented the real

(27:40):
issue.
So get some capability to detect and never forget that
there is a focus around governance here as well.
So it's not just a technical solution.
Normal sort of rules apply.
It's people, it's processes, technology, it's education,
awareness.
Make sure you got the right people, the right skills and
people know what you want them to do and how they do it.
Make sure you've got rigorous processes around all of those
things so you guide people in the right directions.
You put guardrails up and they understand what is able to be

(28:03):
done and what's not able to be done and set those ground rules
and then good tech to support all those things.
So if you pull those things together and it can be, just set
yourself a plan, maybe put a few years around that plan to
give yourself time and budget to do it and then just hold
yourself accountable to it.
There's some really easy low-hanging fruits in all those
plans that you execute, but you've got to start somewhere.

Michael van Rooyen (28:23):
Of course, of course, and I know that you
spend a lot of time with senior executives and boards.
You get brought in to do technology strategy and talk to
boards really taking that seriously now, because I know
what they're on the hook for.
Is there any additional advice besides that, where you really
start to get some insights that you give them around
cybersecurity and privacy for the leaders to consider as they
mature and get to understand the criticality of this aspect
of their business?

Darren Hopkins (28:44):
Boards are certainly
far more interested in what their businesses that they're
supporting are doing.
I think part of that is our regulators, like ASIC, being
very, very vocal about their expectations of directors and
board members and the fact that you are on the hook and you are
responsible and you need to make sure that your business is
doing the right thing.
So we're seeing executives and boards asking more questions,

(29:04):
and that's good and asking the right questions and needing to
see what a business is actually doing and is it effective, and
seeing those results, being aware of the obligations that
sit around those particular roles because as a director of a
business, you've got some liability that sits there if you
get these things wrong as well.
For executives themselves, one thing is make sure that you have

(29:25):
adequately resourced those executive teams to do their job.
In the past, a security professional was an optional
role that most businesses would have.
They're more than happy to have a technologist, and sometimes
that technologist would be not at a C-suite level.
Yes, it might be an IT manager, but then you still have a CFO
and you still have a CEO and you still have a few other C-levels

(29:45):
and then you had this technology role, that sort of
sat down.
I think the seat at the table is needed.
IT and security both are absolute, critical drivers to
every business.
Without technology, I don't know any business that would be able
to operate anymore.
It's critical to our ability to do work, to engage with clients
and just to be connected.
Security is the thing that keeps it safe.

(30:06):
So if you don't elevate those roles to the area that they
should be and given the ability to actually engage at a senior
level, that's going to be tough.
You're going to have to rethink the way you budget for roles
and head count and those things.
That's something there and see the value in those things.
And the boards need to be supported so that they can see
the things that you're doing.
Yes, I'm a champion for every CIO, CTO, head of IT that needs

(30:28):
a budget right now.
You never get enough and you should get more. Yeah, fair
enough.

Michael van Rooyen (30:31):
Fair enough, that's a.
That's a good point for those listening.
Uh, take that, take that advice on board.
When I was in the US last year they were talking a lot around
that even boards are now needing to have a size or a security,
cyber security role on the board.
Maybe it might be by a certain size of business in the US, but
I think they're mandating that now as part of their asset or
their, their federal policy.

(30:51):
You think something like that should be not necessarily
mandated, but really encouraged by ASIC or maybe even one step
further, to help with that journey.

Darren Hopkins (30:59):
I'd like to think so.
I saw that change in the US as well.
It made sense.
Boards should have someone who's got expertise around
accounting and finance.
Someone should have expertise around legal.
You should have just some people that can support business
operations, and IT is just such a fundamental driver to all of
those things.
To have someone without that expertise is severely lacking,

(31:20):
and in the US they acknowledge that, because a lot of the risks
that businesses were trying to address were technology risks,
and I would expect that in some point in the future there would
be either guidance or encouragement that we need to
make sure that we have technologists on the boards.
I'm actually seeing it in many businesses we support now.

(31:41):
I'm actually seeing board members being selected based on
their CV around their technology and their security capabilities
to support and augment the skill set the board has.
That's encouraging.

Michael van Rooyen (31:51):
Whether or not it's mandated, who knows, it
wouldn't be a bad thing. Tune in next week for part two of my
ongoing discussion with Darren Hopkins.