Chris Hurst (right) and Iain Johnston from the cybersecurity company, Blackwired spoke to Archives of IT about the dark web, cyberwarfare and building defences against it. Blackwired applies military cyber countermeasures and adversity disruption to the enterprise sector. It’s currently engaged with the UK government and leading law enforcement on the future of oversight and attribution in crypto markets and cybercrime.
Chris is Blackwired’s Chief Information Officer and Chief Information Security Officer with MD responsibility for Blackwired’s Products and Markets, while Iain is founding partner and Managing Director of Blackwired in the UK and Europe.
Chris was formerly Head of Security Services and Principal Architect in Identity and Federated Identity in the BT Global Security Enterprise. He is the inventor of BT FedCore (World Wide Patent Granted) that has become the model for the UK Government Identity Assurance Programme. He writes, consults, and presents at events including Identity and Federation, Payments, Future of Banking, Security of Financial Services, protecting the City of London Plc and socially responsive technology innovation.
Iain was formerly Chief Operating Officer for payment security company Semafone. He is a dynamic and engaging leader with decades of experience in high-pressure operational leadership roles and a track record of building highly effective and successful teams. He has held diverse roles: Officer in the Army, large enterprise, consultancy and latterly early life, early adoption, and fast growth companies. With Blackwired, the full breadth of Iain’s experience is brought to bear as the team establishes a new category in cyber with Intelligence-led cybersecurity modelled on USMC, Combat Hunter programme “Left-of Bang”.
Interviewed by Jane Bird on 17 May 2022.
Starting in technology
Chris says: “I also got here by meeting some great people along the way, some from the information technologists’ group; Vint Cerf, for example, the inventor of the internet, and Tim Berners-Lee, the inventor of the worldwide web. I spoke to Vint about the identity FedCore programme and how that would be the next organising principle for the internet’s whole identity. I’m always pushing the outside edge of the solution space or the edge of the mind map.”
Iain explains how he started in technology, saying: “I got into technology later than Chris. I became involved after being in the military and have been working in technology for twenty years, increasingly towards payment security, ID security and cyber. Chris and I worked together for twenty years and he coaxed me out of the military in the first instance. It’s very interesting that what we’re doing has shades of military tactics now applied to cyberspace.”
The Dark Web
Explaining the dark web, Chris says: “The dark web and the light web almost started at the same time. The light web began in 1989 with the worldwide web which Vint Cerf developed for DARPA, which was ARPAnet, and was a military application. It was a joint project with academia including UCL London and also the US Navy. That’s where we get our internet protocol from.”
“Basically, the light web is open, it’s searchable, you can use a standard browser, it’s indexed and it’s robust. It was the robust part that Vint Cerf was looking for, because he wanted to make sure that if there were any attacks or disruption against communications in the US, then that communication would still be delivered by different routes around the network, the internet.”
“The dark web is effectively a closed, unsearchable area of the same sea, an ocean of ones and zeros, but it’s closed, it’s not indexed and it is cloaked. All communication within the dark web is encrypted and enciphered, and as there is no indexing or searching in the dark web, you have to have certain bulletin boards for reference where you can go to access the dark markets. The dark web is an industry, it is an ecosystem that exists in a parallel world to the light web, or the world that we actually live in. It’s a parallel universe to do certain things, there’s marketplaces, there’s communications, there’s messaging and so forth, but it’s all obscured.”
The dangers of the dark web
Asked why the dark web is dangerous, Chris adds: “You could say that both the light web and dark web are dangerous in and of themselves, because it enables very rapid passing of ideas and at the same time it enables a certain attack surface.”
“For example, social networking and so forth, the internet, they’re all on the light web and they are dangerous because anybody in the light web can access them and, for example, look at your baby monitor etc.”
“The danger is all about the difference of purpose of the two networks. The purpose of the light web is to provide access to content, access for commercial purposes, legitimate reasons. It also has a side however which has recently come to the fore where it’s actually being used to do different things, such as websites for people trafficking, child grooming, sex trafficking.”
“To participate in the dark web, you have to have an onion browser tool, you can’t browse the dark web with Google Chrome or Microsoft Edge for example. There are some legitimate things conducted in the dark web, such as crypto transactions. There is however an abundance of illegitimate things related to cybercrime, terror, drugs, weapons, etc that you would not see marketed on the light web.”
“All cyberviolence is planned and prepared in the dark web, out of sight, unobserved and encrypted, so there is little or no identity or attribution within the dark space and effectively there is no transparency over it. On the light web we have transparency, it’s in the sunlight so we can see who’s doing what to whom. In the dark web we do not.”
“The most significant thing is what I see as a huge escalation in the crossing of the Rubicon between the dark web and the light web. Bad actors have to break cover from the dark web and come into the light web to attack. Most of the cyber violence is planned and prepared in the dark web; most of the execution of that violence and the effects of that violence are felt through the light web, the internet, networks and so forth. So, in effect, there is a pernicious element which has become an industrialised element of the dark web. That is where organisations are industrialising their attacks; they’re creating weapons, they’re buying, selling, renting and trading weapons, cyberweapons, zero-days. They are also creating the infrastructure to launch those attacks. In the light web you have a public facing IP address from which a cyberweapon is being launched, malware is being delivered, or ransomware attacks are being commanded and controlled.”
“We need transparency in the dark space, which is what I’m involved with. We also needed that transparency in the light space. Transparency forces a number of questions on us: what ethical, moral and human questions do we have to have about privacy, surveillance, all those kinds of things in the light web, but also, what if we don’t have transparency on the dark web? That’s a critical issue for modern times.”
“Blackwired specialises in the observation of the dark web. We look for bad actor groups, the construction of infrastructure, bases and cyberweapons, including malware and phishing attacks and so forth.”
Crossing the Rubicon
Chris goes on to discuss what he means by ‘crossing the Rubicon’. He says: “What’s generally attacked from the dark space and by bad actors is the systems and processes of management control. The three things that are attacked are production, distribution and exchange, i.e. banks, stock exchanges and so forth. This Rubicon was crossed in August 2010 when the Pentagon declared that there was a fifth domain of war fighting and that was cyber (land, sea, air, and space are the other four domains in the US concept).”
“The Pentagon recognised, contemporarily with the genesis of the ideas that became Blackwired, that all the preparations and planning for cyber attacks are done in the dark space and they said ‘we’re being surprised too much in the light space, we need to organise around and create a cyberwar fighting capability’. That was in response to the fact that they couldn’t see what was going on in the dark web.”
Chris also points to the Stuxnet event of 2013, which saw one nation state attack another with a cyberweapon at a time of peace, which destroyed national infrastructure, as another moment the Rubicon was crossed. He explains: “This was the first time that questions were raised by Michael Hayden, the Director of the NSA at the time, who questioned the morality, ethics and the possible consequences of the use of cyberweapons. Transparency forces you to question what you’re doing. Having declared that fifth domain of cyber warfighting in 2010, this effectively opened the door to all of those questions about transparency, certainly on the dark space, and the need for it.”
Chris is interested in what the next organising principle of the internet is; he believes it is identity. He explains: “I firmly believe that once we’ve made that leap from the worldwide web, the next leap for the internet will be identity and transparency, which will force a number of questions into the open. For example, how much of your identity are you fragmenting and throwing out into the light web? There are some big questions to be answered here; however, if you look at it in terms of the dark web, one of the biggest issues is going to be attribution and any kind of enforcement.”
“We have a number of issues that are really at the heart of where we go with these things. I think about the dark web and the crossing of the Rubicon between military grade fifth domain cyber war fighting and bringing the battle into the enterprise sector; because the enterprise sector is producing things, it’s become a target for cyber violence.”
Three types of violence
Chris highlights three types of violence that he sees: instrumental violence such as extortion or ransom, expressive violence, and statement violence. He adds: “Expressive violence is looking beyond the instrumental violence of, say, a ransomware attack or an extortion attack at what was the expression behind that attack: was it control over distribution (fuel pipelines) or production (energy), for example. An example of statement violence is the Sony Pictures attack. North Korea attacked Sony Pictures in retaliation for the release of the film The Interview. Again, this is a Rubicon that’s been crossed; the North Korean state attacked a public company, Sony Pictures, in response to a movie. Another example was in 2016 when the Australian defence and government was attacked via a private company called NewSat Ltd. Again, that attack was one called out by Michael Hayden as a crossing of the Rubicon, where private companies and enterprise have become part of a cyberwar.”
Tackling these attacks
Asked what can be done about these attacks, Chris says: “Indeed, what can be done about something that is planned and prepared in a dark space that you can’t see, and then it appears as a surprise with some gory headlines? What we can do is take the stuff that’s been learned in the last twelve years from the cyber warfare battle space. Those lessons have been taken on by the Five Eyes (the military intelligence for the UK, US, Canada and others), the intelligence community globally, and they called out last year that the biggest threat is actually going to be to those private organisations that produce, distribute and/or exchange things. They have become targets for that expressive and statement violence by other states.”
Zero Days
Chris explains that around 2016 Blackwired witnessed a huge increase in the development of weapons and the preparations to act. He adds: “In the preamble to the Ukrainian War we saw cyberweapons created for the first time in 2022 at a rate of five per day. Those weapons were aimed at either spyware, disruption, denial of service or that statement violence. We’ve seen that used on both sides in that conflict. We saw dark space actors switching software controls to open their weapons for use against former CIS states. In December we saw weapons used in preparation for the gathering up of forty-five million Ukrainian identities. We’ve also seen the development of polarised groups, Russia and Russian groups reforming, forming, making alliances, and creating a development pathway for their weapons and their infrastructure to do a number of things.”
“I’m not singling out the Russians, there are other nation states that are doing that, but obviously there are private groups within those nation states that actually earn money from this. So, we can see that money developing, but we can also see changes in their planning and their preparation that indicate that things are going to be attacked. We can see that directly from our platform and we’ve seen that uptick of Zero Days.”
Explaining ‘Zero Day’, Chris adds: “It is something developed in the dark space as an integrated weapons system rather than just a piece of code. It enables you to automatically launch a ransom attack or a denial-of-service attack, a spyware attack, or an attack on exchange, a bank or any other type of attack. These are industrialised, robust, working weapons that are continuously developed at a speed that our light web capabilities or our enterprise capabilities cannot possibly hope to achieve parity with.”
“What I’m looking to do is to redress that balance. There is a particular direction of travel that I’ve taken with Blackwired and Zero Day Live, focussed on prevention as opposed to response and detection.”
“If we look at why the world needs new concepts, it is because the old concepts are worn out; we haven’t adjusted them, we haven’t looked at them since 1989, 1990. My interest in regulation and compliance, from my role as a CISO, is that we need to develop better regulation, but the only way we can do that is to get oversight of the data space, certainly in the dark web and also in the light web. We need to know what the data space is, otherwise we can’t develop compliance notions or enforcement, and we can’t deliver consequences to those people that perpetrate the crimes in the dark space.”
He goes on to add: “It’s a very interesting, complex, fast moving, difficult and hyper-connected space. The light and the dark web are the same ocean of ones and zeros, which makes that whole space interesting. Sometimes I talk about a red ocean of ones and zeros. We can only see and experience less than fifty per cent of it, which is what the light web looks like; the other fifty per cent we don’t see and experience.”
Chris says that it is counterintuitive that we cannot see all of the bits and bytes travelling through fibre optics, and it’s something that he has been considering in a series called ‘In the Future’. He adds: “In 2017, I wrote ‘In the future extremely complex tightly coupled systems and ecosystems will suffer the equivalent of a force ten storm that will destroy it. The high-speed volatility we’re experiencing is the harmonics that precede that storm.’ I was looking ahead to how can we get transparency, how can we develop preventative capabilities, how can we prevent identity attribution and so forth.”
Asked if it’s similar to climate change and the potential threat to the end of the world, he says: “It is, and another big problem which requires you to observe a huge dataspace, and to look at what determinism you can allocate to those changes.”
“For example, in climate change you have weather systems and so forth and you also have geological systems that might cause problems. So, what do you do with that information, what do you gather up, what do you learn, how do you create it?”
He continues to describe how, rather than going into a volcano to see what is going on, we use geological sensors to gather information. He adds: “Why not apply that kind of philosophy to the dark web? I think that we’ve got concepts of operations that were good for 1990, or 1989. They’re not good for 2022. There’s a lot of space between 1989 and 2022 for stuff that happened at midnight when you weren’t watching or you could not observe, and that’s what’s happening in the dark space. The spontaneous flash of disruptive insight that we’re providing with Blackwired Zero Day Live, we term ‘Left of Bang’.”
“The reason we did this is that we knew that traditional military doctrine and methods, processes and management of battles was failing in Afghanistan. The US Marine Corps Combat Hunter program looked at what are the fine grain things that we can find out, e.g. who’s standing where, who’s watching what, who’s building what, who’s buying plastic tubing to put IEDs in, who’s buying different electronic components and mobile phones, who’s doing that. So, these are all preparations that we couldn’t see before and the Combat Hunter program brought those things into the sunlight so that real actionable intelligence could be created.”
“I looked at that geophysical/climate change philosophy and spun it round to look at cyberspace. Just because the dark web is closed and unsearchable, not indexed and cloaked does not mean that you can’t get inside the dark web. You don’t have to see inside the volcano to see what’s going on; you plant a sensor and it tells you what you need to know.”
The scale and pace of the dark web
Iain adds: “The thing about the Afghanistan example, despite the fact there were clandestine tactics, is that it was still very much in the light. What Chris is illustrating is the sheer scale of the dark web; these are bad actors with industrial scale operations. Yet because most don’t see the bad activity and its scale, I think there are those that still have a perception that it’s largely amateur. It’s not amateur. The pace at which they operate means that if we don’t react in the same way, at the same pace, we will be overtaken by events. During Covid, for eighteen months the level of resource that was assigned to working in the dark web tripled because people were working from home, they weren’t getting paid, so they went and did other things.”
Asked if that means that more resources need to be applied to the issue of the dark web, Iain adds: “Resources need to be applied to countering this with equal measure. The cyber teams cannot be recruited fast enough, they can’t build capability fast enough to match the scale of the technology that’s coming in the other direction.”
“There needs to be a real recognition that we’re in an arms race, and we’re not producing responses at the pace at which the adversary is operating. The other element is that the enterprises who are hacked or attacked in some way often don’t fully declare the picture. Two things are happening: we don’t fully see what’s coming in our direction from the adversary and we also don’t have a fully declared position on breaches. Only a fraction of what’s happening in cyberspace is being declared today.”
The lack of declaration following an attack is often because companies do not want to expose their vulnerability. Chris adds: “There is no black box flight recorder in businesses to tell you what’s actually happened. Again, it comes down to transparency and how much you can observe of what’s going on in the dark space, and how much you can observe of where what goes on in the dark web is actually caused by, or is causal of, violence in industry.”
Chris says that as a data scientist there are several things that this creates that he is interested in: “How much do we know about the size of the infosphere that is actually in the dark web and what data is there that we can use? The approach we’ve taken is to look at it in the same way that we looked at the human genome project, or the human protein project: mapping that and providing data and information from it.”
“We have looked at what are the components, what are the things that we need to see, how do we get to see them, how do we monitor them, and how do we turn that knowing into two kinds of action? One is to inform regulators and authorities about the size of risk that they have, and the other one is to defend enterprise, because the enterprise is largely on its own.”
“Enterprise is spending an awful lot of money at a time when there’s not an awful lot of money to be had. Traditionally, organisations have regarded cyber attacks, cyber problems as the government’s problems, law enforcement’s problems, but we’re not doing that well. So, we’re looking to provide that oversight, that observatory and that dataspace necessary to deliver that view on which you can make better regulations and understand what’s going on, because, as I said in the ‘In the Future’ series, countries will legislate on data accountability, transparency and reporting; that’s compliance with enforcement. Right now, we don’t have much of either.”
“We’re approaching a very interesting period in cyber and information technology where the technology is moving so fast. For the majority of time that technology is driven by economic means, and that includes cybersecurity. It’s become applied economics because businesses cannot afford to continually invest at that level. What we’re trying to do is create a sea change in the way that people look at things and bring that thinking to the enterprise. That force ten storm is coming and I believe this is the portent of it, but what we’ve done is created something that actually looks at it from a different way. You have to understand the dataspace that you’re dealing with, you have to observe what’s going on, you have to know the enemy, you have to know those enemies, and we have to get business and enterprise to realise they’re on a cyber battlefield.”
With transparency one of the top priorities, Chris says that via Blackwired they are beginning to see what’s going on in the dark web and achieving transparency. He adds: “We achieve the transparency, and the result of that transparency is intelligence leadership and intelligence direct to enterprise. So, at the pace at which we see those preparations, planning and weapon development in the dark web, we’re already putting the prevention required into enterprise, and that’s a big difference over traditional approaches.”
“We break down the methods of attack, identify where the adversaries break cover into the light web via public-facing IP addresses; they use certain types of weapons tactics, they’ll use certain types of malware. What we do is immunise customers against those things as they develop, at Zero Day pace.”
They saw just under one thousand Zero Days in 2021. Chris adds: “Almost forty-five per cent of those were subsequent malformations or developments on that weapon as they add components and buy and sell and trade those weapons as if they were arms sales.”
Iain adds: “A weapon in a cyber sense still has characteristics that break down into some key elements; let’s call them the detonator, the firing pin, the barrel. Jeremy Samide, our founder, has applied those military analyst tactics to identify those in the weapons before they’ve broken cover, before they’re targeting particular vendors; the vendors don’t even know about them. By knowing how they’re constructed, he can basically immunise by making sure the equivalent of the firing pin doesn’t work, the barrel’s twisted, the detonator doesn’t work etc. In cyber terms it’s made up of Hash, URL and Bad IP.”
Return on investment
Asked if they can measure their success and demonstrate a return on investment, Chris says: “I think we are the first organisation to demonstrate that quite clearly. Not only can we demonstrate a return on investment, we can demonstrate an uplift of efficiency in preventing you joining the victim pool for a cyber attack. The company does ‘mark to market’ to compare itself to sixty to seventy different providers and measure itself against them using a clearing house to look at VirusTotal.”
Chris adds: “It’s the first time I’ve ever been able to measure my effectiveness at getting my organisation off the Zero Day victim list.”
Companies signing up to Blackwired services include those that Chris calls ‘vaulting companies’. “Vaulting companies are buying because they want to protect against the evolution of weapons and because they’re being targeted very much because they’re a great big honeypot of information. As people move to the cloud or they become hybrid organisations, those are the kinds of organisations that are starting to realise that their detect and respond stance isn’t working.”
Asked about competition in their area of expertise, Chris says: “I’m going to make a statement that we are the only organisation doing what we do, because what we have has been developed from the original cyberwarfare programs in the US. It is a platform that has been machine learning and refining that intelligence, aided by cyberwarfare analyst experts, those people briefing the world on what the dark web is and what’s going on in the dark web; those are the people we’ve hired.”
“For eight years that’s been their tradecraft and their capabilities have been embedded in our machine learning platform called Zero Day Live. Zero Day Live looks out in an observatory to see what’s going on, the development of the weapons; we take the weapons, we deconstruct them, we create indicators of compromise.”
“Each of these weapons has a signature and we obtain the signature and we inject that into security architectures before that weapon is weaponised against you. We also sense the changes in the way that forward operating bases are created, infrastructure’s created, and we also send that information on those intentional assets that are being used as part of the attack alongside the weapon. We create a single pane of glass through which you can observe Zero Days activity in English language. We also send the protective data elements, those individual pieces of cyber DNA that are injected into your firewalls, your end point protections, your security, SIEM, information management systems, and your cloud computer architectural firewalls. It’s precision, high comfort and it’s military grade.”
Asked if competitors are therefore doing it wrong, Chris adds: “We’re not saying what they’re doing is wrong. What we are saying is that all of those companies; Darktrace, Cisco, Symantec, CrowdStrike, etc, they’re only as effective as the cyber intelligence they use and consume. We can measure an uplift on Cisco, CrowdStrike, Microsoft, Darktrace; we can measure the uptick in performance. Many of them are sharing, buying and trading different types of intelligence. Oftentimes that job of managing that threat intelligence to get the effect of prevention, as opposed to detect and respond, is expensive in people and money and is not working, evidenced by a huge uptick in victims over the past number of years. We’re not saying that these guys are wrong, we’re just saying that they may need to consume our intelligence to perform better. And that is the return-on-investment upgrade that we think that enterprise needs.”
Iain adds: “There’s a lot in cyberspace who make bold claims; we make bold claims, but we can back up what we say through our effectiveness in actual support of security decisions made. So, all the competitor brands mentioned, we provide uplift on their cybersecurity because we’re looking in a different direction. We’re looking towards the adversary. We can evidence notable attacks over the last two years, we can look at the anatomy of those attacks and show that our clients are protected against the Zero-Day weapons that hit others.”
“LockBit 2.0 is a notable example of last year which hit a number of organisations quite significantly. We could show the anatomy of the evolution of that weapon where our customers were protected against that weapon, because at the time of the evolution in the June, July and August, where these really got nasty and stealer components were added, we were the only company in the world that was looking at them.”
“The thing about the weapons is that when they become really potent, they are used within a few days to weeks, so the timing of being able to provide immunisation is so critical.”
Asked if government, intelligence agencies etc should be running this kind of system, Chris highlights that they are making their technology available to defence and law enforcement services. He says: “We need to defend them first, because they are also victims and targets for the attacks that are being launched out of the dark space. Most governments have cyber war fighting capabilities; however, they need additional intelligence to protect themselves.”
Iain explains how the company has gained the position it currently holds, saying its methods could not be easily copied in a short timeframe. He continues: “They cannot be copied readily because these are eight years in the making. The algorithms that form the basis of what we do are representative of how the military analysts would operate, and the way they’ve been built up, enhanced and refined provides us with a powerful proposition to now bring to the enterprise sector. Intelligence is perishable, so you can take the intelligence one day but it’s less use six weeks later, particularly in that cycle. Our strong belief, and what we’re hearing also from the marketplace, is that the work that we have done would take years to replicate.”
Asked if this is the silver bullet for cybercrime, Chris says: “Nothing is a silver bullet in the world, because you don’t know how the world changes.”
Asked if hackers will always be one step ahead, Chris says: “By definition, weapons always defeat defence, but if you start with the weapons, as we do, that one step becomes maybe half a step.”
Iain adds: “We both study the military, and this is the equivalent of getting behind enemy lines; it is finding out what the adversary is doing, it is watching what they’re doing and going to do next.”
Chris highlights how there is continual activity by cyber criminals looking for opportunity; he points to the multi-factor authentication which was introduced recently by EU and British banks and which has already been compromised. He says: “We see that a number of weapons have been produced that defeat multi-factor authentication; an example is Okta, one of the biggest multi-factor authentication providers, service providers on the planet. What we see is that development happened in real time and then we set up a defence for that into our organisation. So that’s an evolution. There’s another evolution around Zero Trust. Everybody talks about Zero Trust but they don’t understand it. Unfortunately, Zero Trust authentication and authorisation is also severely compromised.”
“I’m not saying this to be scary in any way, but you have to listen to what’s going on, you have to have observation on what’s going on to see how your future is already being compromised by folks whose only job it is, is to attack you. They’re not supporting a business, they’re not supporting a balance sheet, they’re not supporting shareholders; all they’re doing is building and spending twenty-four hours a day, 365 days a year working out how to attack you, attacking you, and getting that job done.”
“I told a former director of the NSA that we work with that this is asymmetric guerrilla warfare against the enterprise. Asymmetric being a small force with knowledge superiority, weapons and tactics superiority, attacking a bigger enemy and being successful at it. You have to decide whether or not you’re going to persist with detect and respond, as it’s very, very wasteful and increasingly unsupportable going forward, or you’re going to screen as much of those attacks out using Blackwired technology.”
“Our technology is also being used in the recovery phase where somebody has been cyber attacked. The same information, the same data that we send to them for defence can also be used in Darktrace and so forth to illuminate where fragments of the weaponry, the malware and so forth, are hiding in the client’s estate. We also see that once you’ve been cyber attacked, you’re highly likely to be cyber attacked again.”
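As an added illustration, not code from Blackwired or from the interview, the defensive side of what Iain describes (a weapon broken down into a hash, a URL and a bad IP that are injected into security controls) and of his point that intelligence is perishable: a small Python routine that keeps only live indicators, normalises them and matches them against constructed proxy log lines. The feed values, log lines, log field names and six-week expiry are all constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    """One indicator of compromise, in one of the three classes named in the interview."""
    kind: str                 # "hash", "url" or "ip"
    value: str
    first_seen: datetime
    ttl_days: int = 42        # assumption: retire after six weeks ("intelligence is perishable")

    def is_live(self, now: datetime) -> bool:
        return now < self.first_seen + timedelta(days=self.ttl_days)


def normalise(kind: str, value: str) -> str:
    """Canonical form so a feed value and a log value compare equal."""
    value = value.strip()
    if kind == "hash":
        return value.lower()
    if kind == "url":
        return value.lower().rstrip("/")
    return value


T0 = datetime(2022, 5, 17, tzinfo=timezone.utc)        # the interview date, used as "now"
SAMPLE_HASH = hashlib.sha256(b"constructed sample payload").hexdigest()

# Constructed feed: documentation-range IPs and .invalid hostnames, not real indicators.
FEED = [
    Indicator("ip", "203.0.113.7", T0 - timedelta(days=3)),
    Indicator("url", "http://update.example.invalid/loader", T0 - timedelta(days=10)),
    Indicator("hash", SAMPLE_HASH, T0 - timedelta(days=1)),
    Indicator("ip", "198.51.100.9", T0 - timedelta(days=60)),   # stale: past its TTL
]

# Constructed key=value proxy/firewall lines; the last one only touches the stale IP.
LOG_LINES = [
    "ts=2022-05-17T08:01:00Z src=10.0.0.5 dst=203.0.113.7 url=http://update.example.invalid/loader/",
    "ts=2022-05-17T08:02:00Z src=10.0.0.6 dst=192.0.2.10 url=http://www.example.invalid/",
    f"ts=2022-05-17T08:03:00Z src=10.0.0.7 dst=192.0.2.11 sha256={SAMPLE_HASH.upper()}",
    "ts=2022-05-17T08:04:00Z src=10.0.0.8 dst=198.51.100.9",
]

KV = re.compile(r"(\w+)=(\S+)")
FIELD_KIND = {"dst": "ip", "url": "url", "sha256": "hash"}   # assumed log field names


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict."""
    return dict(KV.findall(line))


def live_index(feed, now):
    """Drop expired indicators and index the rest by (kind, canonical value)."""
    return {(i.kind, normalise(i.kind, i.value)): i for i in feed if i.is_live(now)}


def match_events(lines, feed, now):
    """Return (line_number, kind, value) for each live indicator seen in the logs."""
    index = live_index(feed, now)
    hits = []
    for n, line in enumerate(lines, 1):
        fields = parse_line(line)
        for field, kind in FIELD_KIND.items():
            raw = fields.get(field)
            if raw is None:
                continue
            key = (kind, normalise(kind, raw))
            if key in index:
                hits.append((n, kind, key[1]))
    return hits


if __name__ == "__main__":
    for hit in match_events(LOG_LINES, FEED, T0):
        print("line %d: %s indicator %s" % hit)
```

The stale IP on the fourth line produces no hit: an indicator past its TTL is dropped from the index rather than left to generate alerts on traffic it no longer describes.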
Of the Future
Asked how they see things developing over the next five to ten years, Chris says: “The key things are transparency and oversight of two particular areas; one being cyber and the other one being crypto. They are the two most significant problems in the world today because we have no oversight, no transparency on those areas, but also we have no means to control them, no means to apply enforcement and we don’t have effective standards in place, and even if we did, we couldn’t enforce them.”
“What I can see in my crystal ball is that there will be investment in two things: being able to achieve transparency in those two environments, from which regulation will be developed; and the regulation and compliance and enforcement will be in the flow of transactions as opposed to bolted on the side.”
Interview Data
Interviewed by Jane Bird
Transcribed by
Abstracted by Lynda Feeley