It took a group of Spain’s best hackers to awaken Francisco Galian’s passion for cybersecurity.

Francisco was in his last year of university in his native Barcelona, and as he was looking for a topic for his final thesis project an unforeseen opportunity presented itself: A security startup based on campus was developing a new threat intelligence platform. Though Francisco — then studying telecommunications engineering — didn’t intend to enter the security field at the time, he thought it could be a good learning opportunity.

“To me, it was incredible seeing what the hackers were doing, learning from them,” he says. “I just totally loved it. I was learning a lot and hearing all these battle stories.”

From In-House Intelligence to Security Consultant

Those “battle stories” must have been inspiring, because Francisco dove headfirst into security. He worked in cyberthreat intelligence before moving in-house, combining his telecommunications degree and newfound love of security by working with the likes of Cellnex and O2 Telefonica as the security lead.

Those days, he says, were “massively different” from his current work as a security consultant at IBM X-Force Incident Response and Intelligence Services (IRIS) EMEA. Working for just one company requires an intimate understanding of its infrastructure, and it adds the complications of navigating the internal politics that can make life tough for security teams. It can also lead internal teams to become complacent, Francisco believes.

“If you’re a company, you should be receiving attacks every single day just because you have public assets,” he says. “That doesn’t mean that these are very naughty attacks and everything is wrong, no. You just have to see them because you are exposed to the internet.”

Nowadays, Francisco worries when he hears that a customer hasn’t had an attack in a while. He remembers his own days in-house and knows it’s just when you think you’re safest that attacks hit you hardest. Too often he’s spoken with customers who think they’re fine, only to have the threat hunters tell them they’ve been fully compromised for months.

The Secret Subway System of Cybercrime

He explains it with an analogy. Let’s say you work in a bank in a city with an underground transport network. Now, you walk along the streets and you walk into your office, and you don’t think about the network operating underneath you; it’s invisible to those above ground. But underneath the streets, the bad guys are moving all the money out of your bank accounts.

“The thing is, you were blind — you were not looking for it, both in processes and infrastructure,” Francisco says. “That’s the big reality. People working just in one company, sometimes they struggle to understand that.”

Francisco now spends his days on-call to be parachuted in when times are tough for IBM clients. He jokes that Friday at 5 p.m. is the busiest time, as the weekend looms and internal teams haven’t been able to crack the problem.

Francisco uses his vast knowledge of cybersecurity to help with incident response: finding the issues, rectifying them and protecting the client. He talks about one banking client whose website was defaced by threat actors; he needed to investigate whether the compromise was in the bank’s own infrastructure or at its DNS provider. Remarkably, he had that one solved in three hours.

Cryptojacking Is This Year’s Big Threat

The major threat trend this year has been cryptojacking, in which a system is compromised not to lock it with ransomware but to use its computing resources to mine cryptocurrency. The largest incident Francisco has worked on saw thousands of machines compromised within a single company. That attacker was clever: they set a low CPU threshold for the mining bots (the “zombies”), so the processors were never maxed out and the infection was much harder to detect.
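The throttled-miner trick described above defeats the most common cryptojacking heuristic, an alert on hosts pegged at or near 100% CPU. The following is an added example, not code from the article or from IBM X-Force, that shows the gap with constructed telemetry: a naive max-CPU detector fires only on legitimate bursty applications and misses the miner entirely, while a sustained-load heuristic (moderate mean, very low variance over a long window) catches it, and correlating that pattern across hosts surfaces the fleet-wide infection the passage describes. The process names, host names and CPU samples are all invented for the illustration; `updatesvc.exe` stands in for a hypothetical throttled miner.

```python
"""Added example: why a max-CPU threshold misses a throttled miner and how a
sustained-load heuristic, correlated across hosts, catches it.
All telemetry below is constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry: (host, process, CPU% samples at one-minute intervals).
# "updatesvc.exe" is a hypothetical miner capped at roughly 35% CPU; the other
# processes model normal bursty or idle workloads.
TELEMETRY = [
    ("ws-01", "chrome.exe",    [5, 40, 95, 10, 3, 60, 92, 7, 4, 30, 88, 2]),
    ("ws-01", "svchost.exe",   [1, 2, 1, 1, 3, 1, 2, 1, 1, 2, 1, 1]),
    ("ws-01", "updatesvc.exe", [33, 35, 34, 36, 33, 35, 34, 35, 34, 33, 35, 34]),
    ("ws-02", "excel.exe",     [10, 70, 98, 15, 5, 8, 12, 9, 6, 7, 11, 10]),
    ("ws-02", "updatesvc.exe", [34, 33, 35, 34, 36, 35, 34, 33, 34, 35, 35, 34]),
    ("srv-03", "sqlservr.exe", [20, 25, 22, 60, 21, 24, 23, 22, 26, 21, 20, 24]),
    ("srv-03", "updatesvc.exe", [35, 34, 34, 36, 33, 35, 34, 35, 34, 34, 35, 33]),
]


def max_threshold_alerts(telemetry, threshold=90):
    """Naive detector: flag any (host, process) that ever crosses `threshold`.

    This is what a throttled miner is designed to evade: it never approaches
    the threshold, while ordinary browsers and spreadsheets cross it routinely.
    """
    return {(host, proc) for host, proc, samples in telemetry
            if max(samples) >= threshold}


def sustained_load_alerts(telemetry, min_mean=20.0, max_stdev=3.0, min_samples=10):
    """Flag processes whose CPU use is moderate but unusually steady.

    A capped miner burns a near-constant slice of CPU for as long as it runs,
    so its samples have a moderate mean and a very small standard deviation.
    Interactive and batch workloads are bursty and fail the variance test.
    """
    alerts = set()
    for host, proc, samples in telemetry:
        if len(samples) < min_samples:
            continue  # too short a window to judge steadiness
        if mean(samples) >= min_mean and pstdev(samples) <= max_stdev:
            alerts.add((host, proc))
    return alerts


def fleet_wide_suspects(alerts, min_hosts=2):
    """Group sustained-load alerts by process name across the fleet.

    One steady process on one host may be a legitimate service; the same
    steady process appearing on many hosts is the signature of a mass
    compromise. Returns {process: sorted list of hosts} for processes seen on
    at least `min_hosts` hosts.
    """
    by_process = defaultdict(list)
    for host, proc in alerts:
        by_process[proc].append(host)
    return {proc: sorted(hosts) for proc, hosts in by_process.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print("max-CPU threshold alerts:", sorted(max_threshold_alerts(TELEMETRY)))
    steady = sustained_load_alerts(TELEMETRY)
    print("sustained-load alerts:   ", sorted(steady))
    print("fleet-wide suspects:     ", fleet_wide_suspects(steady))
```

The thresholds (`min_mean`, `max_stdev`, `min_samples`, `min_hosts`) are illustrative and would be tuned against a real environment's baseline; the point is the shape of the detection, not the numbers. Note that a single steady process such as a database engine can still trip the variance heuristic on one host, which is why the fleet-wide correlation step is what separates a suspected miner from an ordinary busy service.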

“The thing is, if for whatever reason they get pissed off, they can just shut down a huge part of your network,” he laments. And he’s seen that — threat actors who get annoyed and start to play around, or worse.

“Our day-to-day is just once a year for most companies,” Francisco says of the team focused on incident response and digital forensics. Customers come to the team when they have a severe incident they can’t handle internally. Every week it could be a new incident, a new threat, a new investigation — and when there are no new cases, the team is preparing customers via simulations and scenarios to help them be ready when the time comes.

“My aim is always to push for the efficiency, to find clever ways of doing stuff, automating tasks,” Francisco says. “That’s what I learned from my sensei from my early days. He was crazy about that — he automated everything even when he was pen testing, attacking, defending, and I’ve embraced that fully.”

‘The Answer Is Not Always in the Coffee’

And yet Francisco is not tech-obsessive. When he’s finished saving networks, you’ll find him outside playing sports — far from the computer’s glare. It’s a need to “disconnect,” he says; to have an escape. He jokes that he learned he had to have his “own life” after his first few years working in security.

And he finds staying fresh makes a big difference when you’re in the midst of responding to a big incident. “I’ve learned this from bad experiences,” he says. “You just have to find your own ways of disconnecting, and to me, sport is one of the best. If you can go and be outside, it’s going to be always better.”

That fresh mind is key when he’s in the midst of a situation and trying to work out his next move, battling the threat actors that inspired his career so many years ago. Laughs the Spaniard, “The answer is not always in the coffee!”
