Light Dark
October 12, 2018 By Security Intelligence Staff 4 min read
Incident Response
Security Services
Threat Hunting
Threat Intelligence

It took a group of Spain’s best hackers to awaken Francisco Galian’s passion for cybersecurity.

Francisco was in his last year of university in his native Barcelona, and as he was looking for a topic for his final thesis project an unforeseen opportunity presented itself: A security startup based on campus was developing a new threat intelligence platform. Though Francisco — then studying telecommunications engineering — didn’t intend to enter the security field at the time, he thought it could be a good learning opportunity.

“To me, it was incredible seeing what the hackers were doing, learning from them,” he says. “I just totally loved it. I was learning a lot and hearing all these battle stories.”

From In-House Intelligence to Security Consultant

Those “battle stories” must have been inspiring, because Francisco dove headfirst into security. He worked in cyberthreat intelligence before moving in-house, combining his telecommunications degree and newfound love of security by working with the likes of Cellnex and O2 Telefonica as the security lead.

Those days, he says, were “massively different” from his current work as a security consultant at IBM X-Force Incident Response and Intelligence Services (IRIS) EMEA. Working for just one company requires an intimate understanding of its infrastructure, and it adds the complications of navigating the internal politics that can make life tough for security teams. It can also lead internal teams to become complacent, Francisco believes.

“If you’re a company, you should be receiving attacks every single day just because you have public assets,” he says. “That doesn’t mean that these are very naughty attacks and everything is wrong, no. You just have to see them because you are exposed to the internet.”

Nowadays, Francisco worries when he hears that a customer hasn’t had an attack in a while. He remembers his own days in-house and knows it’s just when you think you’re safest that attacks hit you hardest. Too often he’s spoken with customers who think they’re fine, only to have the threat hunters tell them they’ve been fully compromised for months.

The Secret Subway System of Cybercrime

He explains it with an analogy. Let’s say you work in a bank in a city with an underground transport network. Now, you walk along the streets and you walk into your office, and you don’t think about the network operating underneath you; it’s invisible to those above ground. But underneath the streets, the bad guys are moving all the money out of your bank accounts.

“The thing is, you were blind — you were not looking for it, both in processes and infrastructure,” Francisco says. “That’s the big reality. People working just in one company, sometimes they struggle to understand that.”

Francisco now spends his days on-call to be parachuted in when times are tough for IBM clients. He jokes that Friday at 5 p.m. is the busiest time, as the weekend looms and internal teams haven’t been able to crack the problem.

Francisco uses his vast knowledge of cybersecurity to help with incident response, to find the issues and to help rectify and protect. He talks about one banking client that found its website defaced by threat actors; he needed to investigate the incident to determine whether it was a compromise in their infrastructure or the DNS provider’s. Remarkably, he had that one solved in three hours.

Cryptojacking Is This Year’s Big Threat

The major threat trend this year has been in cryptojacking, wherein a system is compromised not to lock it with ransomware, but to use its computing resources to mine cryptocurrencies. The largest incident Francisco has worked on saw thousands of machines compromised within one company. That attacker was clever: They set a low threshold for the zombies, which meant the CPU wasn’t maxed out, making it harder to detect.

“The thing is, if for whatever reason they get pissed off, they can just shut down a huge part of your network,” he laments. And he’s seen that — threat actors who get annoyed and start to play around, or worse.

“Our day-to-day is just once a year for most companies,” Francisco says of the team focused on incident response and digital forensics. Customers come to the team when they have a severe incident they can’t handle internally. Every week it could be a new incident, a new threat, a new investigation — and when there are no new cases, the team is preparing customers via simulations and scenarios to help them be ready when the time comes.

“My aim is always to push for the efficiency, to find clever ways of doing stuff, automating tasks,” Francisco says. “That’s what I learned from my sensei from my early days. He was crazy about that — he automated everything even when he was pen testing, attacking, defending, and I’ve embraced that fully.”

‘The Answer Is Not Always in the Coffee’

And yet Francisco is not tech-obsessive. When he’s finished saving networks, you’ll find him outside playing sports — far from the computer’s glare. It’s a need to “disconnect,” he says; to have an escape. He jokes that he learned he had to have his “own life” after his first few years working in security.

And he finds staying fresh makes a big difference when you’re in the midst of responding to a big incident. “I’ve learned this from bad experiences,” he says. “You just have to find your own ways of disconnecting, and to me, sport is one of the best. If you can go and be outside, it’s going to be always better.”

That fresh mind is key when he’s in the midst of a situation and trying to work out his next move, battling the threat actors that inspired his career so many years ago. Laughs the Spaniard, “The answer is not always in the coffee!”

Meet IBM Master Inventor Rhonda Childress

 |  |  | 
Security Intelligence Staff
Security Intelligence Staff

More from Incident Response
May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

March 6, 2024

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature