Inside Group-IB’s cyber security playbook

A focus on threat intelligence, fraud protection and its work with Interpol has enabled Group-IB to compete against bigger rivals in the market

Just over three years since Group-IB moved its global headquarters from Russia to Singapore, the cyber security company is expanding its footprint in Southeast Asia, offering a range of cyber security products and services to enterprises across the region.

Earlier this month, it opened a Digital Crime Resistance Centre in Thailand, which is expected to house around 50 cyber security experts when fully launched.

Group-IB has also teamed up with nForce Secure, a Thai technology distributor, to establish an incident response (IR) team in Thailand, supported by Group-IB’s own IR experts, who have over 70,000 hours of IR operations experience worldwide.

In an interview with Computer Weekly in Singapore, Group-IB’s CEO and co-founder, Dmitry Volkov, speaks about the company’s growth opportunities in Southeast Asia, the global cyber threat landscape, and its work with Interpol’s digital crime centre in Singapore to combat cyber crime.

What is Group-IB’s go-to-market strategy in the region, which has varying levels of maturity in cyber security?

Volkov: It’s different across the region, but it’s largely centred around the three branches in our portfolio: cyber security products, which include endpoint protection and network security; digital risk protection, which is about protecting brands against impersonation and scams; and anti-fraud.

In anti-fraud, it’s not so much about analysing payment details, which are useless because the victims are the ones who’ve authorised the transactions. Instead, we use technologies such as behavioural analytics to detect fraudulent activities, or if a particular victim is under the control of a fraudster.

We have different go-to-market approaches for each of those branches. For example, for cyber security products, our main strategy is to rely on channel distributors and partners that support our presence in the region.

It’s different for our anti-fraud solution, where we work very closely with central banks and regulators because we need visibility of the fraudulent activities that are going on in financial services, and what banks can do to protect customers against cyber threats.

In Asia-Pacific, we’re more focused on banks, and we have technical staff here, so we can collect information about local threats and what’s relevant to local markets. Our technical staff produce threat intelligence for academia and enforcement, with whom we work very closely. We also use the same knowledge to improve our products and services.

Could you talk about the work Group-IB is doing with Interpol in Singapore, which I believe was also one of the reasons the company moved here?

Volkov: Yes, this is the reason why we’re based here in Singapore, as well as in Amsterdam, where our office is 30 minutes away from the Europol office there. It’s been part of our mission to fight cyber crime since the company was founded.

When you do IR, you will see that no matter what kind of technology you have and what your processes are, there’s always a chance that you will be compromised. To be able to stop these cyber criminals, you need to know who they are and work with law enforcement, because only law enforcement can arrest and prosecute these actors.

That’s how we differentiate ourselves from competitors. When we provide security products and services to clients, we share the data we collect with law enforcement to identify threat actors wherever they are located. That’s how we provide value to customers – we don’t play the cat-and-mouse game, we just stop the actors, and the number of incidents gets reduced significantly.

We will never say that we will solve all your problems, but with our technologies and our ability to work with law enforcement, we can help protect our clients. That sends a very powerful signal to cyber criminals because they will think twice about whether they still want to attack the same organisation.

Before you became CEO, you were in a technical role running the threat intelligence and cyber investigations team. How are you adjusting to the new role and leveraging some of the expertise on the technical side to take the company forward?

Volkov: When I was responsible for investigations, I was purely a technical expert. Then I moved into a position where I was responsible for threat intelligence, which was a combination of management and technical expertise. My next position was chief technical officer, a position I held for several years.

Being a CEO has been transformative because I have to go much deeper into areas like sales and marketing, which I’ve never done before. But it’s really interesting, because now I have to talk to a completely different group of extremely smart people. I’m learning more about how to develop the business and they have given me huge support.

You’ve mentioned threat intelligence. With the acquisition of Mandiant by Google Cloud, we’re seeing hyperscalers trying to bolster their security capabilities. How can Group-IB augment the security capabilities that hyperscalers like Google and Microsoft are trying to build up?

Volkov: If we just talk about threat intelligence, there will always be players that collect general data from the sensors they deploy, which is useful, but most of our clients need a more tailored approach. They don’t care what happens in other regions – they want to know who attacked them, the threat landscape and the malware they need to guard against. They also want to use the information to know if their cyber security programme works well.

This is where we come in. Because we are a smaller company compared to Google and Microsoft, we can provide a technical team that is responsible for collecting information only for your organisation, and answering any questions that you may have today or tomorrow.

The second thing we have is our unique coverage of data sources, which most of our competitors don’t have. They may have other advantages, but from a data standpoint, most of our data resources are unique, and that’s why our customers see huge value in us.

We’ve also built a unified platform that offers cyber security, fraud protection and brand protection, as enterprises have to deal with many disciplines in security. But some companies only focus on one area, so what if you need to protect against fraud? For us, one of the main verticals we work with is banks, and that’s where we can provide a more efficient solution.

Let’s talk about the threat landscape. We’ve seen more advanced persistent threat (APT) groups targeting the region in the past year or so. How do you see the threat landscape evolving? And what advice would you give to a CISO or CEO on how to guard against cyber threats?

Volkov: I would say APT is not the top threat for everyone. Of course, those threats are very dangerous, but it depends on the goal the threat actors want to achieve.

I would say the number one threat is scams and phishing because they affect everyone. The reason they became so popular is that threat actors have found a model to scale their business very quickly. It’s not an individual threat actor, nor a simple syndicate that consists of 10 people. They’ve created a platform that allows them to onboard thousands of people who want to be involved in this activity in many different countries. It’s a huge threat to everyone.

Another rising threat is ransomware, but it’s more dangerous in the US and Canada because the threat actors are targeting many companies in different verticals there. Here, there is less activity, but it’s still pretty dangerous. That said, even though there aren’t as many ransomware incidents in the region, the impact of the incidents is very high, sometimes crossing $100m for large enterprises.

Finally, I’d say nation-state actors are also posing a threat. They are very advanced and hard to detect. Their goal is usually espionage, so you don’t have direct financial losses. That’s why even if they are inside your network, you don’t feel it unless you’re a government organisation or big finance organisation, because you need to be able to detect these kinds of actors. But it’s not so critical, at least for business decision-makers.

And finding APTs is the bulk of the work that you do with governments?

Volkov: Yes, and this is where threat intelligence helps. This is also the reason why we’ve been successful. Many cyber security companies rely on detection technologies like network traffic analysis and endpoint protection that are deployed in the customer’s environment, but in our case, even if we don’t have anything deployed inside a corporate infrastructure, we’ll still know if there is a threat actor operating from China, India, or Vietnam. We can see who they attacked, not 100% of the time, but when they do attack, we can notify companies in advance. So, the intelligence helps a lot to improve our predictive technologies and protect our clients and partners.

From what I understand, it’s getting harder to do attribution these days. What are your thoughts on that?

Volkov: I wouldn’t say it’s harder. There are techniques that threat actors apply to mislead attribution, but the experts responsible for attribution are also improving. They have better knowledge and technologies to help them do attribution faster and more reliably.

But unfortunately, some cyber security companies will attribute an attack to a specific threat actor but don’t describe exactly how they did that. This has a snowball effect because the next cyber security company will say something similar. They will read a report and say that another company has attributed an attack to a specific threat actor and will not invest a lot of time in doing the attribution themselves. And if the original attribution was wrong, a whole chain of threat researchers would have been misled, and that’s a problem.

There are some vendors, such as Mandiant, that do it well, but not many follow strict rules for attribution.

What are your thoughts on the implications of generative AI tools in cyber security, such as making it easier for threat actors to craft the perfect phishing email?

Volkov: It isn’t tough to create a phishing email. Sometimes, threat actors hire copywriters and native speakers who can help them to create nice emails. ChatGPT and other language models will just make it easier, faster, more reliable and cost-effective.

It will also help cyber security experts in their jobs. First, you don’t need to write complex queries, and second, it helps to ease the workload of analysts who could spend 60% of their time writing reports. For example, if you reverse engineer a piece of malware, decrypt it and extract some key strings and configuration files, you can feed the model with the initial inputs to generate a report. Instead of spending six hours describing your findings, you just need to spend 20 minutes proofreading the report and fixing it if something is wrong.

We can also use generative AI in customer support. We spend a lot of time talking to our clients, and in many cases, their questions are very simple, but we still need to answer them. Such models will help a lot to provide the answers faster with more context and fewer mistakes.

What about the possibility that such tools could be used for nefarious purposes, like creating malware, maybe not today, but in future?

Volkov: Not now, but in the future. Right now, the code that’s created is too generic, to the extent that I’d say it’s dummy code. It could be helpful to junior developers, but definitely not for writing something complex and effective.

But we see the technology evolving quickly, so I’d say in the next three to five years, it will be very popular, and the quality of code generated by these models will be much better. I’ve heard a lot about how it can be used to write malware, but when you analyse the code, you will see the malware can be easily detected by basic security controls in Windows and antivirus software.
