The recent Petya and WannaCry cyber attacks that paralyzed computers across the globe, demanding ransom money to recover data, drove home the threat posed by hackers. Yet cyber security teams were able to restore most operations in days. And that obscured a bigger danger.
Faced with more targeted spy attacks, companies are often forced to capitulate. Sabotage and spy attacks aren’t just a matter of a couple of hundred euros ransom. They can threaten a company’s very existence. The damage they cause costs an estimated €50 billion ($57 billion) each year in Germany alone.
No wonder sophisticated attacks prompt company boards to call in private task forces. These elite units are like the Paul “Red” Adair of digital security. Firefighter Red Adair was called in to perform such daring feats as parachuting onto a burning gas rig and dropping an explosive charge to smother the flames. The heroes preventing digital disasters are less spectacular. In fact, they prefer to work in complete secrecy.
When a call comes in to BFK EDV Consulting’s offices on the third floor of a former post office building, founder Christoph Fischer rushes to the crime scene in a rental car. “The attackers could have accomplices within the company,” he says. Keeping a low profile is the first priority.
Mr. Fischer and his team make an initial assessment of the threat level and set up base camp. At this stage, all he needs is a specially prepared laptop to examine the clues.
Once suspicions have been confirmed, a van arrives with portable mainframe computers, printers, photocopiers, fax machines and routers to set up separate, encrypted data lines. Mr. Fischer is careful to ensure he is working completely independently of the victim’s resources.
And he insists on his own coffee machine. “A lot of coffee is important,” Mr. Fischer says, “and it has to be good.”
The 59-year-old is a veteran of Germany’s small IT-security scene. He founded the first cyber fire department 32 years ago. Since then, he’s responded to 46 call-outs, including just three false alarms. He can’t name his customers. There’s too much at stake.
Intelligence services, most likely from China, have spied on oil rigs for information about new oil fields. Other hackers attack banks on behalf of intelligence services to reveal NGOs’ financial sources. Mr. Fischer has seen too much to consider anything in the data world truly safe. He admits to being “paranoid” and is currently working on his own software for his home. “I don’t trust networked household appliances at all.”
Picking out his most dramatic case is a tough call. Hackers accessed video cameras at a data processing center to see who was going in and out. And there was a Chinese intern who actually sneaked into a company at night to print out thousands of pages of confidential information until the printer drum got too hot and he had to replace it with one from the technical college next door.
“We are able to determine relatively quickly whether it’s a false alarm,” Mr. Fischer says. If the company is in fact the victim of a spy attack, specialists move in and set up their own encrypted connection to a hermetically sealed computer center in Karlsruhe. The company’s entire data stream is recorded in real time and each byte screened. Anything suspicious is compared against a vast database of malware, containing 1.1 billion samples from around the world and weighing six petabytes. “I’m a hunter and gatherer,” Mr. Fischer says.
Mr. Fischer and his team aim to isolate and eliminate the attacker as quickly as possible, preferably without being noticed. It’s like an undercover military operation. Mr. Fischer sees himself as the general. And not every company boss is happy with him issuing orders.
Things are toughest at companies that failed to prepare for a crisis. The chief information officer and heads of security run around anxiously waiting for the weak link in their defenses to be identified. Days pass while company lawyers draft contracts with security clauses. Sometimes major investors send their lawyers in too. Even the operators of outsourced server parks get involved, wanting compensation claims ruled out before they pitch in on defense.
“Many companies waste the first weeks with things that could have been planned and rehearsed ahead of time,” Mr. Fischer says. On the other hand, what’s a week? Defense operations can last months, or even years.
Bert Weingarten founded the Pan Amp security firm 19 years ago, specializing in internet investigations. Today, his office has an impressive view of Hamburg from the 18th floor of the Mundsburg Center. You cannot come in without handing over your smartphone first. The conversations that take place in Mr. Weingarten’s office are of interest to intelligence services, which could use a smartphone’s microphone as a bug.
Mr. Weingarten describes how he recently foiled professional hackers who were working to line up a company as the target of short selling by an aggressive investor, by revealing internal financial figures to make share prices tumble.
Now he’s working on a Forensic Cloud to solve one of the biggest problems companies face during a cyber attack. It’s difficult for internal and external experts to communicate, because every time hackers penetrate a company network, there is the danger of the email server being infected and communication being read or manipulated.
Mr. Weingarten was once working on a case where company employees printed out 240,000 pages of protocols, login data and access codes and wheeled them into the task force’s room stacked on a tea trolley.
The Forensic Cloud allows the task force to communicate — sealed off and safe from the infected IT systems — and bring in additional specialists at any time. Lawyers and auditors are also given a precise overview of the operation’s status. “The companies want to see how work is progressing and what it’s costing,” Mr. Weingarten says.
“Companies call us up and we put the team together,” Mr. Weingarten says. “If the board wants to bring in experts on compliance or data protection, we patch them in. Nobody needs to drive out to the company anymore.”
Once malware is detected, that too can be uploaded and dealt with in the Forensic Cloud, without the risk of other computers being infected.
Stephan Kaiser, senior security consultant at BSK Consulting, wages battle from an ordinary-looking family home with a charcoal grill on the patio. The ground floor is Mr. Kaiser’s command center. The living room is rammed with computers and monitors. At its center is an oval table big enough to accommodate his team of 10.
“Attackers from the Far East steal data and damage German industry,” Mr. Kaiser says. “We couldn’t look the other way any longer, and developed a solution of our own.”
The result is Thor, a “Germanic god” of cyber security. Thor has been on the job since 2016 and can sift out five dangerous fragments from a heap of 20 billion. Nextron Systems, which Mr. Kaiser founded with IT specialist Florian Roth, will operate Thor from September.
“Imagine a Christmas tree with 8,000 little bells,” Mr. Kaiser explains. A couple of the bells mark weak points in IT systems. A few more mark the back doors attackers use to get in if the primary weak point is blocked. Other bells mark tools that help the cautious attackers move through networks and IT systems, and eventually steal or manipulate data.
“The probability of the attacker using tools or methods with every individual step that we don’t yet have a bell for is virtually zero,” Mr. Kaiser says.
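The "bells" idea described above, reduced to a small scoring scanner, as an added illustration that is not Thor's or Nextron's code: a handful of constructed indicators (filename, file hash, content pattern) are grouped by the stages Mr. Kaiser names, every bell that rings contributes to a per-file score, and the scan also reports which stages rang at all, so that a low-score bell on an exposed component is not lost even when it does not trigger an alert on its own. All indicator values and sample files are placeholders invented for this example.

```python
import hashlib
import re

# Constructed indicator set (the article's "bells"), grouped by attack stage.
# Every value here is a placeholder invented for this example, not a real IoC.
INDICATORS = {
    "weak_point": [("filename", "legacy_upload.php", 40)],
    "back_door": [
        ("sha256", hashlib.sha256(b"EXAMPLE-WEBSHELL-PLACEHOLDER").hexdigest(), 80),
        ("content", re.compile(rb"eval\s*\(\s*base64_decode\s*\("), 70),
    ],
    "tool": [("content", re.compile(rb"EXAMPLE-LATERAL-TOOL-BANNER"), 60)],
}
ALERT_THRESHOLD = 60  # per-file score at which a finding is reported

def scan_artifact(path, data):
    """Ring every bell that matches one file; return (score, [(stage, kind)])."""
    name = path.rsplit("/", 1)[-1]
    digest = hashlib.sha256(data).hexdigest()
    score, hits = 0, []
    for stage, bells in INDICATORS.items():
        for kind, value, weight in bells:
            matched = (
                (kind == "filename" and name == value)
                or (kind == "sha256" and digest == value)
                or (kind == "content" and value.search(data) is not None)
            )
            if matched:
                score += weight
                hits.append((stage, kind))
    return score, hits

def scan(artifacts):
    """Scan {path: bytes}; return files over threshold and every stage that rang."""
    alerts, stages_hit = {}, set()
    for path, data in artifacts.items():
        score, hits = scan_artifact(path, data)
        stages_hit.update(stage for stage, _ in hits)  # even sub-threshold bells count
        if score >= ALERT_THRESHOLD:
            alerts[path] = (score, hits)
    return alerts, stages_hit

# Constructed "disk image": one benign file and four that ring bells.
SAMPLE = {
    "/var/www/index.php": b"<?php echo 'hello'; ?>",
    "/var/www/legacy_upload.php": b"<?php /* old upload handler, never patched */ ?>",
    "/var/www/cache/.x.php": b"<?php eval(base64_decode($p)); ?>",
    "/tmp/.s": b"EXAMPLE-WEBSHELL-PLACEHOLDER",
    "/tmp/t.bin": b"EXAMPLE-LATERAL-TOOL-BANNER\x00",
}
```

Running `scan(SAMPLE)` reports three files above the threshold while the stage summary shows all three stages ringing, which is the signal the article describes: an intruder would have to avoid every bell at every step to stay invisible.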
Thor first examines concrete suspicions. If fears are confirmed, the search is expanded. And that’s where problems begin. Instead of finding the expected 1,500 IT systems in the network of a globally branched corporation, Thor suddenly finds 3,000.
“We are rarely given complete inventories,” Mr. Kaiser says, “most customers have twice as many IT systems in use as they think.” That makes things a lot more complicated — and frustrating. Many cyber attacks could be blocked, or fended off more quickly, if companies had a complete overview of their IT systems. In the future, Thor will provide such a general inventory automatically.
This story first appeared in WirtschaftsWoche. To contact the author: firstname.lastname@example.org