Face-to-Face with… Ben Russell, NCA

At the Cyber Crime Unit in the National Crime Agency, Ben Russell leads the UK’s fightback against the digital criminal adversaries. By James Hayes.

As part of the UK’s National Crime Agency (NCA), the National Cyber Crime Unit (NCCU) leads the UK’s response to cyber crime, supports partners with specialist capabilities, and co-ordinates the national response to the most serious of cyber crime threats the country faces.

Working closely with the Regional Organised Crime Units (ROCUs), the Metropolitan Police Cyber Crime Unit (MPCCU), partners within industry, Government and international law enforcement, the NCCU has the capability to respond rapidly to changing threats.

The NCCU works with partners to identify and understand the growing use of cyber as an enabler across all types of crime, so that the most effective ways of countering threats can be determined. (The NCA plays a leading role in the investigation and prosecution of cyber criminals. Most recently (April 2019), the NCA played a leading role in the conviction of UK-based Zain Qaiser, the cyber criminal who targeted hundreds of millions of computers with locking ransomware. The investigation found that Qaiser received more than £700,000 through his financial accounts for his role in this global campaign of malware and blackmail.)

As Head of Cyber Threat Response at the National Cyber Crime Unit, Ben Russell holds responsibility for the UK’s cyber intelligence, strategy and capability development.

CSE: Do you encounter much reluctance from commercial organisations when it comes to engagement with law enforcement for cyber security matters?

Ben Russell: Not when they understand what our role is. What’s unique about the National Crime Agency’s National Cyber Crime Unit is that we are here to find out who is carrying out cyber attacks. That is what we are specifically focused on and understand. Essentially, we are law enforcement. We’re cops. We want to catch the bad people. The message we want to send to the business community is, yes, we do work with the National Cyber Security Centre (NCSC), to help them get messages out to business leaders, so that they can make properly informed decisions about how to protect their organisations. But our primary remit is to catch cyber criminals.

CSE: Does that mean the Cyber Crime Unit also proactively opposes cyber attackers?

BR: What we want to do in the law enforcement space is simple: to stop cyber attacks recurring by catching the people behind them. That applies both inside and outside targeted organisations. So if there’s an insider threat, for instance, we want to stop a rogue employee – or employees – from moving to another company and repeating their attacks.

CSE: Commercial entities will, understandably perhaps, be concerned about the wider impacts of being the target of a cyber attack should news of that get out in an uncontrolled way?

BR: Companies can be nervous about what it means to work with law enforcement. We understand that. We do want to help protect them, and do that in a way that’s sensitive to confidentiality. But we need to know something about their internal processes to do that. There are misconceptions around how law enforcement operates, and also around what it means to support law enforcement in a cyber investigation.

CSE: What sort of misconceptions?

BR: Well, we are not going to walk into an organisation that’s been breached and wrap ‘DO NOT CROSS LINE’ tape around their servers that could be running line-of-business applications. Nor are we going to unilaterally release information about an attack to the media, which I suspect is another concern that some companies have. Our obligations are to the victim. They are the same in cyber crime as with any other type of crime. Naturally, if we do bring a person to court, we might need a company involved to provide a statement, but that happens quite far down the process. If the source of the attack is overseas that may not happen at all.

CSE: The world of enterprise IT and information security is now subject to a range of legislation, such as the General Data Protection Regulation (GDPR), along with the European Parliament’s Directive on Security of Network and Information Systems (NIS Directive). Do you see signs that GDPR particularly has had an effect on how businesses now manage their cyber security strategy?

BR: It’s too early to tell, but it cannot be a coincidence that there’s been an increase in reporting of significant cyber incidents since GDPR came into effect in May 2018. Look at the number of incidents referred to the NCA (as a subsection of the overall cyber crime reporting mechanism) in the month after GDPR came into force, and you’ll see a step-change in the number of notifications received: it grew steeply through June 2018. That can’t be coincidence. GDPR does not mandate reporting to law enforcement – but my guess is that organisations think, ‘OK, if we’re reporting the incident to the regulator we might as well inform the police at the same time’.

CSE: More c-suite and board-level executives, and other non-technical chief officers, are being drawn into cyber governance decision-making. Is this change having a discernible effect on cyber defensive strategy, in the NCA’s experience?

BR: Yes, I think that it is. Part of the key to good cyber security is a multidisciplinary approach. You need to bring diverse skills and expertise together to try and better understand the threats being faced. What I’ve seen work really well is when you have Threat Intelligence (TI) professionals and an organisation’s Security Operations Centre (SOC) completely joined-up and working in tandem. This is key.

CSE: Why is that so important, in your view?

BR: The threats the SOC deals with on a day-to-day basis, and the further-out analysis by TI of cyber threats coming down the line, need to be aligned – because otherwise senior management will get two sets of reports that say different things. So it needs to be connected. The other related mindset that’s also absolutely critical is how communications around cyber incidents are managed.

CSE: In terms of the sharing of post-incident information between parties?

BR: Yes. One of the key critical success factors I see is good stakeholder management through well-planned stakeholder communication. When I’ve seen incidents go wrong, it’s often because people are not communicating effectively.

CSE: How can that be addressed?

BR: We need to bring cyber professionals and communications professionals together to think about how, in the event of an incident, the communications strategy would work. I believe that’s very important, particularly around the area of how targeted companies then engage with their customers, partners, the media, and so forth, following an attack. Once there’s a story out there it can get out of control, as we know. Following a cyber breach incident, cyber criminals will exploit concern that follows media coverage to conduct secondary fraud aimed at people who might have been affected by the initial incident. If in anticipation of this eventuality organisations have already formally advised their customers to ignore any attempt to get them to divulge sensitive details – using phishing attacks, for example – it can prove effective in containing further incidents.

CSE: Given the range of incidents that the NCCU/NCA monitors, do you see any shift in attack types or patterns over time?

BR: There are certainly still traditional attacks where threat actors hack into a network, hide there for a while, and then exfiltrate valuable information. Those attacks are not going away. But the threat actor remains as hidden as they have always been. But there has been a shift. Cyber crime has become more confrontational. For instance, we’re seeing more denial-of-service with extortion incidents. What we are also now seeing is other threat actors who are not trying to hide – in fact, they are trying to be as much in a target’s face as possible – trying to get hold of money in as aggressive, assertive, upfront a way as they can. And that applies to both ransomware and extortion models.

CSE: So are the people behind these more confrontational attacks new to the scene?

BR: Not necessarily. What we’re seeing is, I think, cyber criminals adjust their methodology. Organised cyber criminals are agile and flexible – no different from other criminals, in fact.

CSE: Are there indications that what we might classify as ‘traditional’ criminal gangs are moving into cyber, attracted by gains from defrauding commercial entities?

BR: Yes, there are. We’ve predicted that trend: more traditional organised crime ‘enabled’ by cyber technology adoption. There have also been some instances of traditional organised crime using the services of cyber criminals for specific types of unlawful activity – but it’s not as widespread as some feared it would become.

CSE: There have been some very high-profile incidences of ransomware victims paying cyber criminals for decryption keys to recover their ‘locked’ data, because it seems to be the most expedient course of action in the circumstances.

BR: What I think is important to say about ransomware payments is that there are a lot of fake threats where people pay when they don’t actually need to. I would also advise victims to first check to see if their encryption keys are freely available from a benign source, or use decryption tools such as those available from Europol or No More Ransom. There is also quite a lot of ransomware where people have paid and still not been given the decryption key, so it’s not a sure-fire solution. But I absolutely have a huge amount of sympathy for organisations that find themselves in this situation.

CSE: Are businesses as communities – by vertical sector, say – now doing enough to protect themselves against cyber threats?

BR: We welcome any sector that reaches out to us. These kinds of co-operative mechanisms are always more effective when they are driven by organisations themselves, but we are putting effort into engagement with industry bodies, trade associations, federations, consortia, and so on. I’ve seen some of those organisations take a strong role in supporting their members in terms of commending best practice, standards, and advice around cyber security. Some of these organisations show strong leadership – and that’s really positive. Organisations that bring people together across sectors to share intelligence about cyber threats are also making a tremendous contribution, I believe.

CSE: Lastly, what are the National Cyber Crime Unit team’s objectives for 2019?

BR: Well, we have already brought several successful prosecutions so far this year, such as the British cyber criminal sentenced to two years and eight months for conducting attacks that disrupted a Liberian telecommunications provider.* His actions resulted in losses estimated at millions of dollars. We’ve had arrests of several high-profile individuals involved in cyber crime, and I think this could be the year that we really hit the highest levels of cyber crime hard. But we can only do that if we get real buy-in and support from industry, from the cyber security world – those who know these threats better than anybody. Countering cyber crime has got to be a team effort.

* Editor’s note: expert cyber criminal Daniel Kaye was hired by ‘a senior official’ at Liberian network provider Cellcom to carry out attacks on rival provider Lonestar MTN. From September 2016, Kaye used his own Mirai botnet, made up of a network of cyber-infected security cameras, to carry out consistent attacks. In November 2016, the traffic from Kaye’s botnet was so high in volume that it disabled internet access across Liberia. A European Arrest Warrant was issued for Kaye, and when he returned to the UK in February 2017, he was arrested by NCA officers.

This article first appeared in Cyber Security Europe Summer 2019 Edition.