When governments got involved in cyberattacks, the world of security research got much more complicated, Raiu says. “Then almost overnight, nation state sponsored attacks appeared,” he says. I guess the first big one was Aurora, which hit Google, Yahoo and others [in 2009]. Ever since, my job has been getting more and more complex, from all points of view.”
For example, basic questions like which attacks to investigate are tricky. “In my opinion, we are living in a world where our work has an impact, and ethics should be properly set,” says Diaz. “I like to think of ourselves like doctors or scientists, working based only on technical stuff and not letting other factors to decide for ourselves. And that´s not always easy.”
What do these cyberattack experts use to protect their own gear? It’s very personal. “To be honest, each person on the team has their own security quirks,” Diaz says, “ranging from things as simple to tape over the webcam to sniffing everything on your own home network.”
And his advice is for individuals to gauge how likely they are to be a target and how much time and effort someone might reasonably be expected to exert attacking them. “What I mean is: what sort of attackers and attacker resources can you reasonably expect to be spent on you?” he says. “Would I advise to my grandmother to have an out-of-band network tap? No. But if you’re handling sensitive IP, scientific research, gov secrets, etc., it may not be the most outlandish thing.”
Watch out for mobile malware, says Raiu. “Our analysis of high end APTs such as Equation seems to suggest many threat actors have developed mobile implants, which means that sooner or later, they will be found - just like we found the HackingTeam mobile implants for instance,” he says. “Running a security solution on your Android device will definitively help not just with protection against known threats but hopefully catching some new ones.”
And you can kiss privacy good-bye. “It’s important to limit what we post and understand what information we are leaking out … but privacy is a relative term and at a time when every system appears to be designed to divine where you’re going, what you’re doing, what you like, and who with, (and deriving a lot of that information from those you associate with, not just you) it’s unreasonable to consider anything like absolute privacy is possible.”
Sign up for CIO Asia eNewsletters.