by Michel Klompmaker
We recently had an opportunity to speak with Nick Palmer, who is the Head of Global Business at Group-IB. Group-IB is an international provider of solutions aimed at investigating high-tech crime, detecting and preventing cyberattacks, online fraud, and intellectual property theft. Nick Palmer was also a moderator of Group-IB’s CyberCrimeCon online event held in November last year. Our discussion covered several areas of interest relating to Group-IB’s operations, the recent opening of its European headquarters in Amsterdam, the Netherlands, how organisations in general can safeguard against cyberattacks, and what the main risks for organisations are today.
Your portfolio offers solutions for detection and prevention of cyberattacks, prevention of online fraud and IP protection. Can you offer some insight on how much of your focus is on enterprises and how much is governmental?
Nick Palmer: “Our portfolio certainly includes adversary-centric detection and response capabilities to cyberattacks as well as solutions for fraud hunting and digital risk protection services. At the core of what Group-IB does is researching cybercriminals: it is very important to understand who your adversary is, who the person that is targeting your business is. From there you can understand what threats your organisation faces and how to actually prevent against this. If you design technology without this in mind, you’re missing a big component of what can actually help to keep you safe. Only if you know who your adversary is, what tools and techniques they use to attack your business, can you then design solutions to stay ahead of the cybercriminals and prevent attacks from taking place. Over my time at Group-IB, the threat landscape has changed dramatically from only governments or large financial institutions being targeted by cyberthreats to now many organisations in different industries falling prey to phishing or ransomware attacks and online fraud.
The shift to remote work because of the Covid-19 situation has escalated this trend. We have customers within many different areas from large and mid-level enterprises as well as from the government sector all over the world. We also coordinate with international law enforcement to provide them with information about the adversaries targeting businesses within their jurisdiction to ensure that cybercriminals eventually find themselves behind bars. Having our European headquarters in Amsterdam and being close to the Dutch National Cyber Police and the European Cybercrime Centre (EC3), is crucial for us to provide this threat intelligence & attribution data to our customers and law enforcement to ultimately cause a disruption of cybercrime.”
You just mentioned Amsterdam, which leads directly to our next question. Why did you select Amsterdam as a location for the European headquarters?
Nick Palmer: “So, first and foremost we have many of the companies within the Netherlands already working with Group-IB, so being here and being closer to them is essential to us. I would say that we reinvest our efforts and when customers give back to us, we give back to them. Amsterdam is also a good, centralised point to travel to the rest of Europe where we also have many customers.
There is also another very important aspect. Group-IB has been an advisory board member of EC3, located in The Hague, for as long as I have been at the company, so we have been collaborating very closely with them. Last year, we conducted a large case together with Europol and the London police, called Carding Action 2020. We provided about 90,000 bank card details that had been compromised by cybercriminals for citizens in the EU and also other countries. Approximately 40 million euros were saved as a result of this operation, so we were able to make a big impact for European people and for European businesses very quickly after our arrival in Amsterdam. That was a great example of why we came to the Netherlands and how we actually made a big impact in such a short period of time.
Cybercrimes never stop, and neither does Group-IB. It’s just a never-ending process: police issue a warning, cybersecurity companies react and, for example, disrupt an underground communication tool that cybercriminals use. The latter, in turn, simply adjust: they try to do something different and something new. This is a cat and mouse game against the bad guys. There is also state-supported cybercrime activity, so there can be many different types of adversaries that a business faces. That’s why it’s important to understand for each business: who is my adversary; who can target me?
Is it a nation state threat actor that wants to steal information about my citizens, for example? Is it a financially motivated threat actor who wants to get access to a business, to conduct ransomware attacks and make them pay money to get their network decrypted? So, that fundamental question of ‘who is my adversary?’ is right here within everyone at Group-IB, it’s in our hearts and that’s how we fight against cybercrime by investigating threat actors and providing this cyber threat intelligence data to the people that we work with to help better protect themselves.”
How swiftly will you build the team in Amsterdam and what kinds of services will you actively offer from the Netherlands?
Nick Palmer: “We’ll offer all of our portfolio of products and services. In addition to products and services, we also have an educational division at Group-IB. Cybersecurity is not a purely theoretical science. Real world experience is extremely important. So, another important pillar of our company’s business, wherever we do it, is to interact with local and technical communities so that we can provide lectures and curriculums in areas where we have expertise such as incident response, malware reverse engineering, threat intelligence, etc. These are very complex disciplines for us to find people experienced in these domains.
By working with universities, we can pass on the knowledge accumulated by Group-IB experts to local young technical professionals, and eventually hire them. Each of Group-IB’s technology pillars from investigation and incident response to fraud hunting and network security have real people behind them. All of these technical divisions have representatives at Group-IB’s office in Amsterdam, and now they will be in charge of hiring more people through the work that we do at universities or other locals who are interested in working with Group-IB. I would expect that this happens quickly.”
How will the Amsterdam team interact with the rest of the Group-IB organisation?
Nick Palmer: “Naturally we have different areas of expertise in all of our offices, although each of the head offices functions as an independent entity with all of our capabilities, etc. Sometimes, however, our European headquarters needs to communicate with other regional offices to rely on their expertise. For example, we can ask the analysts at our Singapore office if they know something about an adversary that comes from APAC, but targets the Netherlands. This way our Amsterdam-based analysts can collect the information from our Singapore office and share that with the concerned institutions in Europe.”
In December last year, you informed us that Group-IB TI&A was found to be compliant with the US Justice Department’s recommendations on threat intelligence gathering. Will that milestone impact your activities for the European market?
Nick Palmer: “We see that it is essential to have different compliance, regulation and security to ensure that everyone is acting in a manner that is in coordination with everyone else. The audit carried out specifically examined how we operate the dark web, and particularly, with gathering cyber threat intelligence data. The audit showed the market what steps Group-IB takes to ensure that the company is compliant with these regulations. From a business perspective, the successful audit helps build the trust and relationship in the cybersecurity community. This represents Group-IB’s continued practice to be in coordination with the rest of this community from a global, private company, government and law enforcement perspectives.”
Do you also hold similar credentials from European governments or other similar bodies?
Nick Palmer: “Europe has different regulations, for example, the TIBER-EU Framework, which has been widely adopted by central banks across the European Union. The TIBER-EU Framework is a set of regulations designed to provide guidelines on how to run offensive security tests and how to make sure banking or critical infrastructure is defended against advanced threat actors that may target their businesses, because the problems are real. Security teams may understand how to defend against threat actors in theory, but are unprepared to do so in practice. Attackers never sleep.
Threat actors don’t work on a schedule and aim to launch unexpected attacks when the company is most vulnerable. So the companies and government institutions need to hire Red Teams (Red Teaming is a full-scope, multi-layered attack simulation designed to measure how well a company’s people and networks, applications and physical security controls can withstand an attack from a real-life adversary) for security testing. We follow the TIBER-EU Framework while conducting different offensive security tests to be compliant with the regulations required by European authorities. So, the answer to your question is yes, of course, we strive to do this everywhere.”
Risk & Compliance professionals operating in international enterprises have to deal with multiple IT systems and platforms, all with their own specific security environments, restrictions and often limitations due to either technical standards or human factors. How does Group-IB advise and support these professionals to help safeguard their organisation against attacks and from the harm they cause?
Nick Palmer: “Businesses are calculating risks, judging from possible consequences of a real life cyberattack. ‘If I am taken offline for two days, how much would that be painful to my business to not be working?’ is what they think. Understanding that goes back to the core about how Group-IB operates as a cybersecurity company, and that is first to understand who your adversary is. If you don’t know that, then you’re kind of trying to protect your castle with blind eyes because you don’t know what types of horses they use, you don’t know if they have a big gauntlet to throw huge rocks at your castle, etc.
At the fundamentals of protecting your organisation and understanding existing cybersecurity risks, you have to have a full grasp of who your adversary is and what tools and techniques they use. Based on that, you then develop a plan which links to number two – to understand the estate of your company’s network infrastructure, the security tools you use, the specialists you have and the processes you run.
I think understanding these fundamental points is essential for organisations to establish before they go down this journey of investing into various preventative measures and cybersecurity solutions. If you invest into different products blindly without understanding your adversary and what they might do to your business, then you may be misplacing that investment into areas where it would be better served.”
What are the key risks these days? What threats should senior professionals in larger organisations be most concerned about today?
Nick Palmer: “It leads back to my point about understanding who might want to attack you. One business cannot fight against the same threats that another business faces, based on the type of work that they do. Although, there are general trends as well: during COVID-19 times, threat actors followed some common patterns, for example, sending out phishing emails or setting up a fake webpage with a COVID-19 themed look to try and give away information. We saw attacks against different research companies with the aim of collecting information about the vaccination programs, etc.
Another big topic for many security professionals is ransomware cases, which touch a lot of businesses. New threat actors are entering the ransomware market, which is fuelled by a drastic increase in the number of sellers of access to corporate networks on underground forums. An example of this can include buying the access to a company’s network. From here, ransomware gangs might start a campaign to infect the network, and then make the company pay a ransom and cause disruption.
It’s noteworthy that cybercriminal groups are also becoming much more organised from a business perspective, joining each other in affiliate programs. Ransomware operators buy access and then encrypt devices on the network. After receiving the ransom from the victim, they pay a fixed rate to their partners, from whom the access to the network was purchased, under the affiliate program. This means that more and more of these types of attacks will take place. That is probably a couple of the overarching trends that we see.”
You have already given us some information on your professional background. Is there anything else you would like to add?
Nick Palmer: “I think I mentioned before that I used to be a product marketing manager for a telecommunications company in Canada before I went on my journey and eventually ended up in Amsterdam. I have always had a technical background, but not specifically in cybersecurity, and I have really learned everything from all of the great people that we have at Group-IB. I had such an amazing opportunity to learn everything about incident response, malware analysis, threat actors and so on just because we have great people at the company. I’m happy with my technical capabilities at this point in time and I don’t think I’ll ever leave the cybersecurity arena because threat actors and adversaries will never rest. I just have a very big passion now within me to work with people who are disrupting cybercrime worldwide and have a big impact on real people.”
About Nick Palmer
Nick Palmer is the Head of Sales at Group-IB. Born and raised in a small city in Halifax, Canada, he grew up with a strong passion for technology and an intolerance to injustice. The mix of both of these elements became his passion and fuelled him to drop a successful career in the telecom sector in Canada to fly over the Atlantic Ocean to join the hunt for cybercriminals at Group-IB in 2014. Driven by his inborn passion for IT and an appetite to change the game, Mr. Palmer progressed through the Group-IB company from a key account manager to now lead Group-IB’s Global Business with teams reporting to him from Singapore, Malaysia, Vietnam, Spain, South Africa, Italy, UAE, the UK, and the Netherlands. Mr. Palmer is a regular speaker at major industry events like RSA, INTERPOL World, FS-ISAC summits, CyberCrimeCon and many others. What he enjoys most about his job is investigating threat actors that cause a problem to the world and bringing them to justice by working closely together with international law enforcement agencies.