Thomas Barton, Senior Incident Response Analyst at Integrity360: “Encryptionless ransomware attacks have become very popular”

“There is an overwhelming amount of information, trends and frameworks to choose from when making decisions about cyber security,” says Thomas Barton, a Senior Incident Response Analyst at Integrity360. “This can cause decision paralysis when formulating a comprehensive security strategy.”

Sound familiar? Well keep reading, as Thomas doesn’t just outline the problem in this extensive interview but also the solutions. Which makes sense, as he works to contain, investigate and eradicate cyber security incidents from a wide range of clients in the public and private sectors. Those headlines you never read about ransomware at that huge company? That was due to Thomas, his colleagues and others who do this valuable work behind the scenes.

In particular, Thomas talks about the growing threat of encryptionless ransomware, the danger of “all-in-one” security products that promise to protect you against all attacks, and prevention strategies that actually work.

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

My interest in computers began when I was fairly young. In the early 2000s, I taught myself how to use the command shell in Windows to run programs. From there I learnt how to install and configure the Linux operating system and then studied computing at A-Level. I had an interest in security, using BackTrack OS (now Kali) to learn web security testing, Wi-Fi hacking and other things I thought were interesting. However, I was drawn in the end to digital forensics, which I studied at degree level.

During my time at university, I worked for the School of Cybercrime Forensics as a research assistant, examining the forensic artefacts left by mobile devices. I then moved on to embedded devices such as drones and smart technology, which was emerging at the time. I was honoured that my work was recognised and published in some international journals of security and forensics.

I made a transition to cyber security when I took my first role working as a security engineer for an EDR service. This exposed me to many new concepts around corporate cyber security which were useful in my current role. After around two years I took another role as an incident response consultant, which combined the corporate cyber security I’d learned with my digital forensics background.

Incident response is varied and dynamic – and sometimes can put you under a lot of pressure. But also, I am faced with many technical challenges which I enjoy (when I do actually solve them). It also gives me a chance to help organisations improve their security posture.

“Encryptionless” ransomware attacks have become very popular. Encryption of files is noisy and computationally expensive, and often incident response teams are alerted as soon as encryption begins. This gives responders a chance to contain and eradicate the threat before the encryption is completed. To attack well-defended and properly monitored networks, threat actors are gaining access to systems and remaining, sometimes for months, enumerating and exfiltrating data.

This lowers the risk of the access being interrupted by incident response teams and affords the chance to sell the access or move to a traditional ransomware attack. This can be harder to detect and therefore the extent and damage will be more severe. An example of a compromised administrative account performing what seems to be normal operations can be difficult to detect, especially if third-party SOC/Threat hunters are not briefed with the correct context to distinguish between normal and abnormal behaviour.

What are the biggest cybersecurity challenges those in leadership roles are facing?

There is an overwhelming amount of information, trends and frameworks to choose from when making decisions about cyber security. This can cause decision paralysis when formulating a comprehensive security strategy.

Some vendors are aware of this and go on to offer a “solve-all” product which promises to take care of an entire organisation’s digital estate. Sometimes these products fail to deliver when put into production, creating unknown risks through a false sense of security.

The challenge of modern cyber security leadership is to draw on real-world experiences to know what the priorities are when defending a modern organisation from attacks. MSSPs can help too through co-operative partnership, recommending how an organisation can undertake security transformations and evaluating their progress against other organisations in the sector.

What is your take on ethical hackers and their role in cybersecurity?

Offensive security is a crucial part of any defensive strategy. The role of the ethical hacker is to adopt the mindset of the attacker and to simulate an incident in a controlled way, providing a safe environment where organisations can learn about the weak parts of their security posture. In my opinion, the offensive security mindset is important for all individuals who wish to work in the cyber security industry.

What are some prevention strategies you believe every business should adopt?

Prevention is about taking control of digital resources and restricting them in a way that allows users to continue their work but prevents or discourages risky or malicious activity. This can be applied to all aspects of a digital estate.

Take first the example of outbound network connectivity. This is my most common recommendation when consulting or post-incident. Often corporate networks have highly restricted network ingress, but outbound to the internet is left unrestricted, allowing arbitrary network connectivity. Most malware C2 channels operate using outbound connectivity, including the abuse of UDP protocols such as DNS. Hands-on attack methods such as reverse TCP shells also abuse this type of connectivity. So, a simple yet highly effective way to stop this is to limit outbound connectivity to trusted locations, for example, Microsoft resources, trusted geolocations etc. Under this state, malware may execute on a compromised host, but it will be limited in connecting to the threat actor’s C2 and will likely fail to run.

Applying this principle of restriction to all aspects of a digital estate, including program execution, email receipt, DNS resolution and more will create a secure and trusted environment to do business, and does not require expensive tools if it can be achieved solely by native system configuration.
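The outbound-restriction principle from the answer above, worked through as an added example that is not Thomas's or Integrity360's code: a Python check that evaluates constructed connection records against a default-deny egress policy, permitting DNS only to the corporate resolvers and other internet traffic only to trusted destination ranges. The networks, hosts and log lines are constructed for illustration.

```python
"""Default-deny egress check over constructed firewall connection records.

Policy modelled here (constructed, not a real site's):
  - DNS (port 53) may only go to the corporate resolvers, since DNS to
    arbitrary resolvers is a common C2/tunnelling path.
  - Other traffic may leave only to trusted destination ranges and ports.
  - Traffic staying inside the corporate range is east-west, not egress.
"""
import ipaddress
from dataclasses import dataclass

CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed corporate range
# Constructed trusted destinations: name -> (network, allowed destination ports)
TRUSTED_NETS = {
    "corp-resolvers": (ipaddress.ip_network("10.0.53.0/24"), {53}),
    "vendor-update-cdn": (ipaddress.ip_network("203.0.113.0/24"), {443}),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"

def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dport proto' connection log line."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())

def egress_verdict(flow: Flow) -> str:
    """Return 'allow', or a short reason why default-deny egress blocks the flow."""
    dst = ipaddress.ip_address(flow.dst)
    if flow.dport == 53:  # DNS is only ever allowed to the corporate resolvers
        resolvers, _ = TRUSTED_NETS["corp-resolvers"]
        return "allow" if dst in resolvers else "deny: DNS to non-corporate resolver"
    for net, ports in TRUSTED_NETS.values():
        if dst in net and flow.dport in ports:
            return "allow"
    if dst in CORP_NET:
        return "allow"  # internal traffic is not internet egress; out of scope here
    return f"deny: {flow.proto}/{flow.dport} to untrusted destination {flow.dst}"

def audit(lines):
    """Return (flow, reason) for every record a default-deny egress policy would block."""
    return [(f, v) for f in map(parse_flow, lines) if (v := egress_verdict(f)) != "allow"]

SAMPLE_LOG = [  # constructed records: "src dst dport proto"
    "10.1.2.3 10.0.53.10 53 udp",      # DNS to a corporate resolver
    "10.1.2.3 203.0.113.20 443 tcp",   # HTTPS to the trusted update CDN
    "10.1.2.3 198.51.100.7 53 udp",    # DNS to an external resolver (blocked)
    "10.1.2.3 198.51.100.9 4444 tcp",  # arbitrary outbound TCP (blocked)
    "10.1.2.3 10.1.5.5 445 tcp",       # internal SMB, not egress
]
```

Running `audit(SAMPLE_LOG)` returns only the two internet-bound records that fall outside the allow-list; the compromised host in the text would see exactly those connection attempts fail.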

Which cybersecurity best practices are being adopted with the most success by companies?

The adoption of monitoring technologies has come a long way. Advanced operating system monitoring through EDR is now a fundamental element of corporate security strategy. These products and services have matured to a state where advanced detection methods are employed as standard which makes the use of malware and hands-on keyboard attacks difficult in properly monitored environments.

What role do you think governments play when it comes to cybersecurity?

The government’s primary role is regulation. This means, for example, ensuring that companies are compliant with GDPR or PCI-DSS in the UK. To operate a digital network legally, certain basic requirements must be met around data governance and security. This creates a base level of security and encourages organisations to take responsibility for their security posture.

Government also takes responsibility for the monitoring and prevention of APTs which pose a threat to national security.

The focus is to protect critical systems, including telecom networks, water and food supply chains, distribution networks etc. In the UK this is called CNI which is comprised of a mixture of private, public, and military resources.

Finally, the government must also ensure that the academic study of computer systems and cyber security is strongly encouraged through the education system. This raises the standard of cyber security professionals and therefore the industry as a whole. I am aware in some countries grants are given to students to undertake cybersecurity apprenticeships, which gives great industry experience.

What’s something that has drastically changed about cybersecurity since you first got started in the field?

The awareness around it and its importance in the corporate world. Just 10 to 15 years ago it was still a relatively niche topic. Since then, ironically, the threat of ransomware has spurred organisations to take cyber security seriously, prioritise it financially and build it into all areas of IT decision-making.

What advice do you have for aspiring professionals wanting to work in cybersecurity?

My advice is to start by putting the bulk of your effort into learning computer systems, networking and programming. When you are immersed in these topics your understanding of cyber security will naturally grow from a strong fundamental knowledge. This will prepare you to then specialise and apply the concepts of cyber security and you will have a practical understanding of how tools and products work under the hood. Programming and scripting will allow you to create your own tools and test out offensive and defensive techniques using digital resources. Undertake exercises such as designing and building malware, deploying it and then using forensic techniques to detect it within an operating system.

Also, try not to keep a narrow idea of what you want to be; sometimes you will discover a passion for a type of work only by trying it out. Many force themselves into a role, for example pen-testing or being an incident responder, because they have an expectation. If the reality of this role once achieved does not match the expectation, and sometimes this is the case, it can lead to disillusionment and boredom. Focus on what keeps your mind engaged and understand that your chosen career may be very difficult at times, but remember why you started and what you want from your job.

Tim Danton

Tim has worked in IT publishing since the days when all PCs were beige, and is editor-in-chief of the UK's PC Pro magazine. He has been writing about hardware for TechFinitive since 2023.