“Stan sees little windows, while we are watching all the doors”

Published on: 9 April 2021

Group IT Officer Frans van Kessel and ethical hacker Stan Hegt about cyber security at APG


Cybercrime: in 2021, you cannot get around it, especially as an organization with a lot of loot. And that applies to a pension administrator like APG too, of course. How do we protect 568 billion Euros worth of assets? How do we protect desirable and sensitive information? One way is to have the systems attacked by hackers on a regular basis. Ethical hackers, that is. A conversation with Group IT Officer Frans van Kessel and ethical hacker Stan Hegt about honeypots, the kill chain and simulated hacks. “We get to prepare for a real-life hack for months. For us, these kinds of assignments are the cherry on the cake.”


When APG systems are visited by hackers, no one in the organization knows if it is being done by malicious intruders or if it is a simulation – except for a handful of people, including Frans van Kessel, who is responsible for APG’s cyber security. Everything is done to make an exercise like that seem as real as possible. And in a sense, it is a real hack, one that has been extensively prepared for a long time and is executed by a team of ethical hackers, also called white hat hackers. Whizz kids who have made it their profession to try to infiltrate the systems of companies and governments. Their goal is to help these organizations keep their IT security intact or bring it up to snuff.


Stan Hegt from the IT security company Outflank is such an ethical hacker. Van Kessel hired him specifically to put APG’s IT security to the test. “At APG, our people look at cyber security primarily from a defensive perspective. But hackers use an offensive perspective. They are always thinking along the lines of: what is the easiest way for me to get to the most interesting parts of the system? Someone from outside sees very different openings than we do. People like Stan and his team bring that perspective to the table. Stan sees all kinds of little windows while we are watching all the doors.”


Information services

In collaboration with the team from Outflank, Van Kessel and Hegt prepare a hack like that meticulously. It starts with mapping out the parties to whom APG could be an attractive target. Van Kessel: “We don’t just let a team of ethical hackers fire a load of buckshot into our systems. We try to get them to work in as focused a way as possible. First, we look at what kind of actors we might have to deal with. Then we map out which ‘crown jewels’ those parties might be interested in and what tactics, techniques and procedures they would use to get in. For foreign military information services, the participants’ files for defense could be very useful, for example. Information that shows certain investment flows could also be an interesting target for a foreign power.

With other actors, you expect more interest in access to the part of the system used to make payments. APG invests hundreds of billions for its clients. There are always parties that are interested in a big financial like that, including geopolitical interest. Certain kinds of intellectual property – for example about the organization of the Dutch pension system – and models could be very valuable for a country like China. All in all, we are therefore dealing with a very diverse threat assessment. Based on that assessment, we map out the most likely targets. We then ask Stan and his team to focus on attacking there.”


Once everything is prepared and the attack is ready to take place, Van Kessel takes a step back and Hegt goes to work. With a group, very consciously. Hegt: “The most dangerous hackers are always part of a team. They are strongest when they work together. The hacker sitting alone in a room in the attic is more of a TV cliché.”


What kind of hackers present the biggest threat? Hegt: “The last few years, the groups that have been the most dangerous are the ones that are active with ransomware. The best known of these is TA505, a hacker group from Russian-speaking countries. This group was also behind the attack on Maastricht University.”

Kill chain

When it comes to the modus operandi of a hacker, you can distinguish several standard phases, Hegt explains. “A hacker works with the so-called cyber kill chain: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective. So, the first step is exploration: what are the possibilities for entering a system? Who works at the organization, who could be interesting to use for access? Then, a hacker will try to enter in one spot. For example, through a recruiter’s workplace, or through a server that is not well protected. This is usually done with the help of malware. The third step is then to find a way to the crown jewels, for example, access to the system for making payments. That path is kind of a maze for the hacker. There are many ways to find a path. You could look for weak passwords of employees, for example. The last step is to carry out the actions on the crown jewels: a malicious payment by the system, or sending certain information in a way that leaves those actions unnoticed.”

Honeypots

If a relatively large organization like APG only protects itself from cyber attacks from the outside, that is not enough, Van Kessel says. “It is no longer possible to prevent everything; there are always some employees that could be causing a weak spot in your defense. Your inner world is a continuous point of attention. You must always assume that a hacker can get in. That is why we also focus a lot on detection and response. For us, the trick is to detect an attack as soon as possible. We do this by placing honeypots in certain places in the system – these are a kind of booby trap the hacker steps into the moment he enters our network. That work is at least as creative as the hacker’s work. When we get undesired company, we investigate the threat and then move into containment and eradication: preventing the threat from spreading and completely removing the threat.”
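The honeypot Van Kessel describes, as an added example that is not part of the interview or of APG's setup: a minimal decoy TCP listener in Python that treats every connection as an alert, because nothing legitimate ever talks to it. The loopback address, the port chosen by the OS and the simulated intruder in `probe_decoy` are constructed for the demo; a real deployment would forward the alert to the detection team's monitoring instead of keeping it in a list.

```python
import socket
import threading


class Honeypot:
    """Decoy listener on an otherwise unused port. No legitimate software talks
    to it, so every connection is treated as an intruder and raised as an alert."""
    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.host, self.port = host, port  # port 0: the OS picks a free port
        self.alerts = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    def start(self) -> int:
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((self.host, self.port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        return self.port

    def serve_once(self) -> dict:
        # Block until one connection arrives; record the peer and its first bytes.
        conn, addr = self.sock.accept()
        with conn:
            conn.settimeout(0.5)
            try:
                data = conn.recv(256)
            except socket.timeout:  # a bare port scan may send nothing at all
                data = b""
        alert = {"peer": addr[0], "port": self.port, "first_bytes": data}
        self.alerts.append(alert)
        return alert


def probe_decoy(port: int, payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> None:
    # Stand-in for an intruder touching the decoy (constructed, demo only).
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(payload)


def demo() -> dict:
    # Start a decoy, let the simulated intruder connect, and capture the alert.
    hp = Honeypot()
    port = hp.start()
    t = threading.Thread(target=probe_decoy, args=(port,))
    t.start()
    alert = hp.serve_once()
    t.join()
    hp.sock.close()
    return alert
```

Calling `demo()` returns the alert for one simulated connection; the recorded first bytes show what protocol the intruder expected to find on the decoy port.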


Hackers: what types of people should we imagine these are? Hegt: “You have to be a real ‘professional idiot’ and continually keep up to date. They are mostly relatively young men; you don’t see a lot of them that are over 50. The average is below 35, I think. And you can’t say that there are no successful hackers that are not educated, but many of them are highly educated. There is a lot of demand for them.” Van Kessel: “Even on the dark web you will run into these types of hackers; they present themselves with all kinds of certifications.”


Hegt, who studied math and computer science at the Eindhoven University of Technology, is such a “professional idiot” himself. “I’ve been hacking since I was ten years old and when I was fifteen, I started to hack at the request of companies. Then I worked for KPMG for ten years. I did not expect this from a company like that, but it turned out that a very cool hackers’ club was working there. Five years ago, I got the opportunity to found Outflank with a few top Dutch hackers.”


Money laundering

Even though they may often be relatively young men, hackers are certainly not a homogenous group. Hegt: “There are a lot of cyber attack specialists. Invading a system is very different from finding a way to the crown jewels, once you’re in. And there are also hackers that are dedicated to laundering money. That is its own specialty.”


By having its systems attacked on a regular basis in a way that, for most people involved, is not distinguishable from a real malicious cyber attack, APG is increasing its immunity. Hegt: “We also call that the vaccine effect. A test is like giving an injection, after which the body has an immune response. That is why it is so important that people don’t know that it is a test. They need to get defensive. We therefore inform in advance only those parties that could sound the alarm, such as Microsoft. We get to prepare for a real-life test for months. That is great for us, but also for the APG employees that work on detection and monitoring. For us, these kinds of assignments are the cherry on the cake.”