Bulletproof’s range of cyber security, data protection and compliance services are your best defence against threats to your business. With nearly a decade of providing trusted security services, we’re continuing our mission of solving the greatest cyber security & compliance challenges through innovation and simplicity. Explore our range of services and find out how Bulletproof can help your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you.
Discover CREST penetration testing & continuous security
Internal & external infrastructure, network & system testing
Manage multiple tests & get external security assurance
Thoroughly assess your web apps & APIs for security flaws
Test your response to a simulated real-world cyber attack
All cloud platforms & services tested, including Azure & AWS
Test your human cyber defences with social engineering
Android, iOS & custom mobile application security testing
Find out more about penetration testing – what it is, when you need it, and why it’s a core component of any business. Discover how pen test helps with compliance, powers best practices, and helps your organisation win new business.
Gap analysis, implementation, audits & more from GDPR experts
On-going support to easily manage your data protection obligations
Consultant-led support to meet all levels of DSPT submission
Flexible & engaging data protection training from certified experts
Get peace of mind that your data protection is being managed by trusted, certified consultants. All Bulletproof data protection services are delivered by our highly trained, experienced and qualified staff.
Gap analysis, implementation, audits & more from dedicated ISO consultants
Find the next step in your strategy with this consultant-led assessment
Get quick & easy CE certification with a range of feature-packed packages
Flexible access to top-tier information security strategy & management
Experienced SOC 2 consultants, AICA audits & compliance automation platform
On-site, remote and video-based security training to boost your resilience
Affordable expertise & support to help you meet & maintain PCI DSS compliance
Go beyond compliance with information security services that are designed to give real operational benefits to your business. All delivered by seasoned, certified Bulletproof security consultants.
24/7 defence against cyber attacks with proactive threat detection
Get help responding & recovering from cyber incidents
Detect, analyse and stop cyber attacks with real-time prevention
Forensic support & data recovery following cyber attacks
Stay on top of new vulnerabilities with powerful, flexible scanning
Evaluate your wireless network for security weaknesses
Discover how your business can identify & manage cyber threats
Comply with regulations, meet certification standards & best practices
Train and test your staff for security resilience, data protection & compliance
No matter what your cyber or compliance challenges, Bulletproof is here to help. We like to work with you as a trusted partner to solve problems, not sell services. No pressure tactics and no false promises.
Learn about our mission to make cyber & compliance accessible to all
Grow your business with high-margin, high-value & partner-ready services
Become part of the Bulletproof team & supercharge your career
Bulletproof’s in-house SOC powers our Managed SIEM & MDR services
We love to talk. Tell us about your cyber & compliance challenges
At Bulletproof we love to solve problems with simplicity & innovation. It’s our mission to make compliance & cyber security services accessible to all. We take pride in building and nurturing teams of exceptional talent, so we’re confident that our cyber security & compliance services are the best way to stay one step ahead of the hackers and protect your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you, no matter what you have to say.
Get the latest news, views & expert insight in the world of cyber security, data protection & compliance
A helpful index of cyber security terms, compliance acronyms and industry terminology to make life easy
Discover what we have to say about the threat landscape & what businesses need to know to get ahead
Find out how we can make companies like yours Bulletproof. Don’t take our word for it, hear direct from our clients
Detailed insights & helpful tips for understanding penetration testing, data protection & more
Interesting data & top tips at a glance, with insightful infographics covering all areas of cyber security & compliance
Watch our experts talk through their thoughts & opinions on a variety of security & compliance topics
See when & where we’re going to be bringing Bulletproof insight to an event near you
Ayisha Bari
Find out what ransomware is, how attacks work & types of attack to help you get started with keeping ransomware out of your business.
Read More
Bulletproof Co-founder & CEO, Oliver Pinson Roxborough, talks us through how hackers hide, the perceived threat from nation states, and what that means for your business. Watch the video here:
Setting the scene for how hackers hide, my story starts in 2018 at the winter Olympics in South Korea. Though 2018 feels like a while ago, the lessons we learn from here are still just as relevant as today, and the story I’m going to tell no less interesting.
There’s a serious amount of IT infrastructure in place at an event like the Olympics. With over 150 site staff coming and going, 24/7 gate and entry systems, a phone app, a ticketing system for patrons, and multiple data centres to maintain, security at the event is a complex process.
On the evening of the opening ceremony, the head of IT is sitting comfortably in the crowd. They’ve done a lot of preparation to get everything operating correctly and he’s looking forward to enjoying the event. At 7.59pm with less than one minute to go his phone starts blowing up, and as he’s looking through the messages, he sees that their domain controllers are being taken offline.
He thinks it’s likely a general issue, so he heads out to where his teams are to help figure out what the problem is, and he’s greeted by a massive disruption as domain controllers are being wiped in their environment by a worm; a piece of malware that is deliberately sabotaging the games.
Everything starts crashing. The domain controllers that are used to authenticate everything on the network are being wiped right in front of them, the ticketing systems start malfunctioning, 10,000 PCs, 20,000 mobile devices, 6,000 Wi-Fi routers and 300 servers across multiple data centres go down in an instant. They’d been preparing and planning for the event for years. The IT team had met up over 20 times to do drills and think through multiple security challenges, yet they’d been hit by an attack.
The team worked through the night rebuilding the domain controllers, which they had to do several times because they kept getting wiped again by the malware (more on that later). In the end they took drastic action and turned off their network. They managed to contain the worm so it couldn’t propagate further, and they were finally able to bring their domain control back online by 8am the next morning.
The team showed resilience and ingenuity under serious pressure, but they still needed to find out what lead to the attack. Analysts and researchers would first try to identify where it came from by analysing the malware itself, pulling the code apart to look for snippets that could be attributed to an individual attacker or nation state based on previous attack data. They found code snippets that suggested links to Russia, North Korea or China, but they also found lots of off-the-shelf components.
The popular perception is that hackers are ‘getting smarter’ by always finding new and interesting ways to attack systems and overcome obstacles, and it’s true that being a hacker involves continuously learning how to beat security controls and exploit vulnerabilities. But as the Olympic Destroyer reveals, it’s not always the most sophisticated technologies that are used in hacking, and you don’t need to be the smartest hacker to carry out attacks.
In cyber security for example, I see the same old attacks being carried out over the years. This suggests that hackers don’t need to evolve their knowledge if we constantly end up falling foul of the same ‘low hanging fruit’ by not getting the basics right. Those obvious, easy quick wins are what attackers will scale the internet for, finding targets to exploit.
Of course, attackers are always willing to find new things and its always a bit of an arms race, but if they can reuse technologies because we're not putting a lot of the obvious, simple controls in place then were leaving the door open for pretty much any amateur with basic coding knowledge to exploit.
When we as businesses follow general best practices around security, like turning on MFA and resetting default passwords, we give ourselves a better chance of fending off the hackers. It’s easy for businesses to ignore security if they haven’t done it from the beginning, as it’s an evolution that continually improves over time. It’s also difficult to scale fast and do things quickly if you introduce security into an environment that has already been established, so it’s a worthwhile endeavour to get security right from the very beginning.
Put simply, get security involved from the beginning and it’ll be easy for it to grow and scale with your business. It’s never too late to plant a tree. And don’t think about security as something that has to be done. It’s not a bolt on; it’s an integral part of your business operations.
One of the ways in which hackers are getting smarter is by making it harder to detect them in the first place. They are testing organisations to see if their detection and response systems try to boot them out of an environment during the early stages of an attack. If they don’t, then they know that it’s a target worth exploring. This is why early detection and response protects a business at the earliest stages of an attack, making them a less likely target. Hackers are also looking for ways to monetise their attacks and obviously still finding new vulnerabilities, but the most interesting thing for me as a security expert is the new approach to attribution linking back to the Olympic Games attack, which at the time was difficult to attribute to any one attacker or hacking group.
Where hackers have previously always used their own custom tools and written their own software, we're not seeing hackers using their custom code anymore because it gives a fingerprint of that attacker, and the attack can be attributed back to the individual.
Instead, they’ve started to use off the shelf open-source tools that anybody can access which makes it very difficult to attribute an attack to an individual or group.
To make attribution even harder, hackers can do things like geolocation spoofing, use anonymous proxies, and bounce off lots of different servers to mask the attack origin. Anyone can legitimately buy access to many different servers, so hackers can register servers hosted anywhere in a country that doesn’t really control who can rent them. An interesting attack vector is also other businesses: hackers can target businesses with weak security, compromise them, and use the compromised company as proxy for the hacker’s attacks. This makes it more difficult to link an attack back to the real perpetrators.
A key part of your security strategy in response to unclear attribution is making use of a managed SIEM to know what normal looks like for you. Even without knowing where an attack is coming from, one of the key things that organisations can do is monitor environments to get a sound understanding of what their profile looks like. Form this you can recognise unexpected actions and requests to systems and servers.
You should also be looking to block traffic from IP addresses that are known to be hostile, which isn’t as straightforward as it should be when so many seemingly legitimate addresses are being compromised. In our cyber security report we found that the honeypots we set up to were attacked by 9,000 different IP addresses, but only 1.7% of those were known to be malicious. This also raises the question that if everything and anything on the internet can become a target, then what intel can you really trust? which again points to the importance of log monitoring and MDR in business security.
While it’s unlikely that most businesses would be attacked by nation states, who tend to go after specific targets, that doesn’t mean that smaller organisations won’t be attacked. Hacking tools get leaked and proliferate down the food chain. So, hacks that were once nation-state end up in the hands of entry-level cyber criminals. The more immediate threat to most businesses though, is opportunistic hackers who are more about making money, focusing on easy wins, and scouring the internet looking for vulnerable systems where they can rinse and repeat the same attack.
Our knowledge of how hackers behave in terms of scanning the internet for weaknesses and the risk this poses to businesses online is another reason why looking at basic security measures such as default credentials is so significant. This too is backed up by our study which revealed that just three usernames and password combos accounted for 85% of attacks against our honeypot servers; the reason being that they tend to work! Opportunists are using default credentials to successfully exploit systems on the internet and continue to use them because they haven’t been secured.
Targeted attacks by nation states are no different to an attack on a smaller business in that hackers will still use common techniques if they can get away with it. Returning to the story, the Olympic Games hack used a phishing attack to deliver the malware, which of course is a tried and tested approach that we have also seen increase according to our data.
The use of simple techniques, off the shelf tools and open-source technologies in hacking shouldn’t really surprise us when we consider that they continue to work. In the case of using off the shelf malware, hackers have an opportunity to test the security of an organisation while remaining anonymous. If they get detected, they can move on to another target with their anonymity intact, and if they don’t get detected then they can not only attack, but they are harder to identify because the malware being used cannot be attributed.
The best approach is of course to start by getting the basics right, following best practices to solve general security problems and ensure that you are protected. Beyond the basics, take a risk-based approach to make sure your security investment is actually mapped to threats.
If you can invest in security, then finding a trusted security partner who can really understand your business requirements and become an extension of your team will also greatly bolster your position.
As for what the basics are? I consider regular penetration testing and vulnerability scanning to be the most elemental, as this will provide an ongoing understanding of what their security posture and attack surface looks like. Alongside this is proactive log monitoring with SIEM as I mentioned earlier, to gather intelligence data and build a picture of your infrastructure. Again, if you don’t have the expertise within your business to understand threat intel, then investing in a cyber security partner can help you to know what you should be doing with threat data and ensure that the intelligence you are collecting is relevant to your environment.
Being proactive about security will also really help you to spot the early signs of an attack to make sure that you can deal with threats as early as possible, whether you have a security team of 1 or 150 as seen at the Olympic Games.
Despite extensive investigation analysing every piece of code, the IT team could never fully attribute the attack to any one nation state purely based on the malware. One smart researcher went back to look not just at the malware but also at the delivery mechanism and found that it used a technique that had previously been attributed to Russia in a similarly styled attack.
This previous attack method created phishing emails that had a word document containing heavily obfuscated macros built using an off the shelf commercial tool, which were very difficult for anti-malware to detect. When analysing the method of delivery for the previous attack the analyst managed to find a specific domain name that matched a domain linking directly to the US election attack of 2016, which has been widely attributed to Russian interference. Interestingly, that exact domain name was also linked to the attack on the 2018 Winter Olympics, and the US government have since openly stated that the believe that Russia sabotaged the Olympic Games. So, whether you believe their statement, the matching domain name is a telling piece of evidence which the hackers forgot to hide after all.
Information security wizard, evangelist, and guru – not to mention co-founder of Bulletproof. Oli’s always sharing deeply interesting and insightful things on this blog and on his LinkedIn. With many years’ of experience in understanding information security and innovation, Oli’s blogs are always a highlight.
Learn how penetration testing is a fundamental cyber security component, from startups to enterprise.
If you are interested in our services, get a free, no obligation quote today by filling out the form below.
I'd like to receive Bulletproof communications about relevant services and events
For more information about how we collect, process and retain your personal data, please see our privacy policy.