You only know the best method of defence when you understand more about your opponent

Christian Doerr conducts research into cyber threat intelligence and also devises ways of preventing new attacks.

Your research field is digital security and you and your team explore how cyber criminals operate. Why is this necessary?

“ICT plays a huge role in our society. It ensures that we have water to drink, that there is food in the supermarkets and that electricity is available from the wall socket. All of this runs faultlessly because almost everything is digitised. But we have become so dependent on ICT that it’s also making us vulnerable. Imagine someone wants to do harm and attack an electricity plant or our water supply. We would be facing a major problem.”

Why are these ICT systems so vulnerable?

“Because many of the innovations we are now using were originally designed for another purpose. The internet is the best example of this. It was devised as a network between computers that could trust each other. This means that security was not built in at the design stage. No one predicted that we would use it to connect together so many computers, in a situation in which not every user can be trusted. Besides, it’s always much more difficult to integrate security retrospectively. It should have been thought of much earlier in the design process. Unfortunately, that’s often far from being the case.”

How can you defend yourself against cyber attacks?

“First of all, you need to know what an attacker is doing. Imagine someone breaks in to your neighbour’s house. You don’t want it also happening to you. It’s likely that you’ll head to the DIY store and buy an extra lock. But by doing so, you’re assuming that the burglars will come through the front door. They may however throw a brick through the window or the criminal could have a passkey to open all locks. You only know the best method of defence when you understand more about your opponent. Because if your neighbour had a brick thrown through the window, you may be better advised to invest in some bars for the downstairs windows.”

Is that how it also works in your field of cyber threat intelligence?

“Understanding how criminals operate is an important part of my work. What skills do they have and how do they apply them? Have you been targeted by a criminal sending out phishing e-mails in the hope that someone clicks on a fraudulent link? If so, you’re a random victim. But if you have a Picasso painting on your wall at home and a burglar tries to steal it, you’re dealing with a different approach. That person will do everything possible to break in and you need to protect yourself accordingly. It’s a different threat profile. It also works like this with cyber threats, for example if a company has important corporate secrets.”

“We investigate how the attackers operate and how you protect against that. If, for example, you discover that someone always uses a crowbar to break in but never throws a brick through the window, you will take that into account in the protection. Our work is similar to that.”

Christian Doerr studied Computer Science and Cognitive Science in Boulder (Colorado). While most of his work focuses on technology, he also integrates the socio-technical aspects of cyber security into his research.

Since 2008, he has been assistant professor in the Cyber Threat Intelligence Lab in the Intelligent Systems department of TU Delft's Faculty of Electrical Engineering, Mathematics and Computer Science.

What do you learn from analysing criminals?

“We are currently working with a major telecom provider on a project. The internet is all made up of networks connected to each other. Providers ensure that these connections happen and an important part of that involves the so-called BGP. This Border Gateway Protocol ensures that different networks are connected to each other by exchanging information about accessibility. It is the glue that holds together all the networks, so to speak. Criminals can attack the BGP in a way that causes internet traffic to be redirected to them. Currently, there is therefore already monitoring to see if anything strange is happening, but we don’t yet know what exactly is going on.”

Of course, you will want to find that out. Have do you approach that in practice?

“We are now working on a tool that not only monitors if something is going wrong, but also assesses how serious it is. For example, our algorithm may notice an attack on a bank that has already been tried on three other banks and it's targeting accounts in Western Europe.”

You recently conducted research into how hackers operate by looking at attacks on TU Delft. What did you find?

“Our discoveries included an attack by 27,000 computers all targeting TU Delft. These computers come from more than a hundred countries. They transmit information intermittently. There may be just a few hours in-between, and then several days. It just looks like random noise, but when you put it together, it’s a coordinated attack. Noticing this enables us to defend ourselves more effectively. You can’t stop it, but it can be blocked.”

Obviously, in the future, you will also want to stop this kind of attack. How do you do that?

“One of my students is currently researching this. It is all about whether we can predict what an attacker will do. If he first tries this door to see if he can enter, we know that he’ll move on to another door after that. You therefore install a firewall. Even better is when we put a so-called honeypot in that place, enabling us to capture the attacker in an environment we control. This means it’s not damaging to our system and we can see what the person is doing in the honeypot. The problem is that advanced attackers, who worry us the most, have techniques that tell them they are in a honeypot. They then share that information with others. We are currently doing a study to test how they discover this. Interestingly, attackers are often better at sharing information with each other than we defenders are.”

Why is it so important for companies to share information with each other?

“It enables them to warn one another. For example, attackers may be specifically targeting several banks or the transport sector. Research shows that criminals often attack many companies in a specific sector simultaneously. They also often try out attacks in Germany and France first before moving onto smaller countries, such as the Netherlands and Belgium. If German companies have already shared information about a phishing e-mail or hack with Dutch companies, the chance of them falling for it is much lower.”

Are companies actually willing to share information with each other?

“They can sometimes be concerned that competitors will see who they are doing business with or what they’re planning for the future. This deters them from showing other companies in the same sector what type of e-mails they are receiving from hackers, for example if they’re pretending to be customers. There is a solution for that. There are already ways of securing e-mail while still informing others that it may involve an attempted hack.”

How do you encourage a corporate culture in which employees share information?

“By offering extra training to make them aware of threats and security. You need to reward an employee who reports a phishing e-mail. The IT helpdesk then sends round an e-mail praising the employee and warning the others. You should arrange free cake for everyone in the staff restaurant. That makes it a talking point and rewards good behaviour. People are always the weakest link. We shouldn’t blame them, but enlist their help instead.”

Why are you so fascinated by your specialist field?

“I was mad about computers as a young boy. I found it amazing to see how a computer sends information and it suddenly appears somewhere else via a cable. It’s almost like magic! When I started studying, I became more interested in security and how attackers operate. How do you send data securely? As we have become ever more dependent on computers, this field of work, still in its infancy, has only become even more important. I hope that I can do my bit to combating the cyber threat.”

Text: Robert Visscher | Photography: Mark Prins