Over the next few months we will be profiling individual threat hunters to give you a flavor of what they do, how they do it, why they love it, and how it all comes together to help our clients secure their organization. Connor Morley is a threat hunter at Countercept. We sat down with him to ask about his long love for programming computers to new specifications, why he chose Countercept from a range of other options, and how large-scale attacks like WannaCry still have much to teach us about attacker methods and motivation.
Connor, thanks for taking the time to talk with us today. As a threat hunter, you are fairly new to the cyber security industry. Can you tell us what the road to get here was like?
I was a teenager when I began finding my way around with computers. I started with trying to work around the CMD command, writing batch files and VBScripts, and things of that nature. It was very low tech, but at that time it was extremely interesting to see what a computer could do.
My first full-time position was in a refurbishment company as an apprentice, taking apart secondhand devices and replacing components and software for re-sale. I began experimenting with the systems as they went through the refurbishment process and found I really enjoyed investigating a system and making it do something it wasn’t necessarily meant to do.
You studied computer security and forensics at university. How did that contribute to becoming a threat hunter?
My degree was focused on a mixture of offensive techniques and forensics analysis, which played well for pursuit into both red and blue team positions. I did courses in penetration testing, forensic analysis, enterprise server management and security, and more. Although valuable to one type of team, collectively they paved the way to working in a purple team, which threat hunting embodies.
I had a placement year at an enterprise monitoring solution company in their client services team, which primarily revolved around solving client issues with their proprietary software. I once again deeply enjoyed taking information off a system and seeing if I could configure or tailor it to a specific need. I graduated with a First Honors degree and was offered a funded doctorate at the University. However, while searching for jobs at a large number of companies, ranging in size, I was contacted about a possible position at Countercept to do research-led active defense.
What made Countercept stand out for you as a place to work and threat hunt?
I had a number of offers for placements, many of which focused on either defense or offense exclusively, but Countercept offered an amalgamation of both while also providing the freedom to research new techniques and technologies in the industry. It was not something I found anywhere else. Their work ethos and social environment made them extremely appealing, and after reading up on the work they did and meeting the team in person I was certain this was where I wanted to work.
You started working here right when WannaCry kicked off. How did that set the tone for the work you’re now doing?
WannaCry put me right into the deep end from the start, and since then I have been part of the team dealing with and researching well-known malware, such as NotPetya, CCleaner, and the Bad Rabbit ransomware. I have also been involved in detection during penetration testing and TAS operation, which has not only demonstrated some of the extremely interesting and novel ways attackers gain persistence, but also the steps taken by our team to detect them, research their capacity, and assist in developing solutions to the issue – either universally through published research or on a by-client basis.
I have taken part in projects relating to the team’s internal systems in order to improve the detection capacity of some components and have also researched a number of attacker frameworks and techniques. I am also currently in the process of completing qualifications both in offensive and defensive security.
What do you enjoy most about working here?
Countercept has continuously given me the freedom to grow as an individual while providing all the support needed in an industry as complex as computer security. The ability to pursue research and projects with the backing of an expert team has encouraged me to take on a number of projects and qualifications, even within the short six months since I started.
The team I work with is very social and the entire company is always within instant contact and happy to answer questions or input on active projects. Innovation is valued here and openly distributed and contributed to from across the company, including other MWR sectors.
Follow Connor and read his piece on how last year’s hack could be next year’s cyber attack. Check back here for more interviews with our threat hunters.