October 12, 2018 By Security Intelligence Staff 4 min read

It took a group of Spain’s best hackers to awaken Francisco Galian’s passion for cybersecurity.

Francisco was in his last year of university in his native Barcelona, and as he was looking for a topic for his final thesis project an unforeseen opportunity presented itself: A security startup based on campus was developing a new threat intelligence platform. Though Francisco — then studying telecommunications engineering — didn’t intend to enter the security field at the time, he thought it could be a good learning opportunity.

“To me, it was incredible seeing what the hackers were doing, learning from them,” he says. “I just totally loved it. I was learning a lot and hearing all these battle stories.”

From In-House Intelligence to Security Consultant

Those “battle stories” must have been inspiring, because Francisco dove headfirst into security. He worked in cyberthreat intelligence before moving in-house, combining his telecommunications degree and newfound love of security by working with the likes of Cellnex and O2 Telefonica as the security lead.

Those days, he says, were “massively different” from his current work as a security consultant at IBM X-Force Incident Response and Intelligence Services (IRIS) EMEA. Working for just one company requires an intimate understanding of its infrastructure, and it adds the complications of navigating the internal politics that can make life tough for security teams. It can also lead internal teams to become complacent, Francisco believes.

“If you’re a company, you should be receiving attacks every single day just because you have public assets,” he says. “That doesn’t mean that these are very naughty attacks and everything is wrong, no. You just have to see them because you are exposed to the internet.”

Nowadays, Francisco worries when he hears that a customer hasn’t had an attack in a while. He remembers his own days in-house and knows it’s just when you think you’re safest that attacks hit you hardest. Too often he’s spoken with customers who think they’re fine, only to have the threat hunters tell them they’ve been fully compromised for months.

The Secret Subway System of Cybercrime

He explains it with an analogy. Let’s say you work in a bank in a city with an underground transport network. Now, you walk along the streets and you walk into your office, and you don’t think about the network operating underneath you; it’s invisible to those above ground. But underneath the streets, the bad guys are moving all the money out of your bank accounts.

“The thing is, you were blind — you were not looking for it, both in processes and infrastructure,” Francisco says. “That’s the big reality. People working just in one company, sometimes they struggle to understand that.”

Francisco now spends his days on-call to be parachuted in when times are tough for IBM clients. He jokes that Friday at 5 p.m. is the busiest time, as the weekend looms and internal teams haven’t been able to crack the problem.

Francisco uses his vast knowledge of cybersecurity to help with incident response, to find the issues and to help rectify and protect. He talks about one banking client that found its website defaced by threat actors; he needed to investigate the incident to determine whether it was a compromise in their infrastructure or the DNS provider’s. Remarkably, he had that one solved in three hours.

Cryptojacking Is This Year’s Big Threat

The major threat trend this year has been in cryptojacking, wherein a system is compromised not to lock it with ransomware, but to use its computing resources to mine cryptocurrencies. The largest incident Francisco has worked on saw thousands of machines compromised within one company. That attacker was clever: They set a low threshold for the zombies, which meant the CPU wasn’t maxed out, making it harder to detect.

“The thing is, if for whatever reason they get pissed off, they can just shut down a huge part of your network,” he laments. And he’s seen that — threat actors who get annoyed and start to play around, or worse.

“Our day-to-day is just once a year for most companies,” Francisco says of the team focused on incident response and digital forensics. Customers come to the team when they have a severe incident they can’t handle internally. Every week it could be a new incident, a new threat, a new investigation — and when there are no new cases, the team is preparing customers via simulations and scenarios to help them be ready when the time comes.

“My aim is always to push for the efficiency, to find clever ways of doing stuff, automating tasks,” Francisco says. “That’s what I learned from my sensei from my early days. He was crazy about that — he automated everything even when he was pen testing, attacking, defending, and I’ve embraced that fully.”

‘The Answer Is Not Always in the Coffee’

And yet Francisco is not tech-obsessive. When he’s finished saving networks, you’ll find him outside playing sports — far from the computer’s glare. It’s a need to “disconnect,” he says; to have an escape. He jokes that he learned he had to have his “own life” after his first few years working in security.

And he finds staying fresh makes a big difference when you’re in the midst of responding to a big incident. “I’ve learned this from bad experiences,” he says. “You just have to find your own ways of disconnecting, and to me, sport is one of the best. If you can go and be outside, it’s going to be always better.”

That fresh mind is key when he’s in the midst of a situation and trying to work out his next move, battling the threat actors that inspired his career so many years ago. Laughs the Spaniard, “The answer is not always in the coffee!”

Meet IBM Master Inventor Rhonda Childress

More from Incident Response

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything.But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists in…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today