It’s a typical day for principal threat intelligence analyst Gavin O’Gorman, who works on STAR’s Attack Investigations Team.
Gavin is sitting in front of a screen showing a world map tracking cyberthreats at the Security Response Center in Dublin, Ireland. The flashing red dots on the map are visible signs of major cyberthreats in real-time.
Working closely with law enforcement agencies such as Europol, the FBI and the Secret Service, Gavin and his team of exceptionally skilled security analysts are constantly monitoring hundreds of cybercriminal groups to gather intelligence on them.
Today, the targets are the criminal masterminds behind a botnet, a network of malicious software used to spy on computers and steal information such as banking and social media passwords.
Gavin says he knew something was up after data analysis showed a spike in computer infections around the world. This immediately raised suspicion.
The particular strain of botnet he is investigating, named Ramnit, is a notorious and dangerous threat known for stealing passwords and draining bank accounts.
“It does this by spreading malware through what appear to be trustworthy links sent via phishing emails or social networking sites,” explains Gavin.
“One click of the seemingly harmless URL by users, and the malware is installed. Computers are then under the control of the hackers, allowing them to access personal information, steal passwords and disable antivirus protection.”
Each red dot on his monitor represents the location of the infected computers. With this data, he obtains IP addresses and discovers that the compromised computers are used to connect to the attackers’ command-and-control servers located in various countries. Criminals use these special command-and-control servers to run their attacks.
Further investigation reveals that commands from these servers are being issued at certain times of the day.
“This is important because it points to certain locations as being the possible home of those in control of the botnet,” explains Gavin.
Now that he has all the pieces of the puzzle, he puts them all together to see the full extent of this threat. Armed with these technical clues, as well as data pertaining to where the infrastructure behind Ramnit is located, Gavin shares this security intelligence with Europol’s Cybercrime Center as part of the investigation.
Europol wastes no time in obtaining warrants and maintains constant contact with Gavin. They are already coordinating a plan of action with Internet service providers to shut down the command-and-control servers, redirect hundreds of Internet domain addresses used by the botnet's operators and seize their infrastructure.
“Takedowns are often dramatic,” says Gavin, “with raids on multiple locations where servers are housed.”
For the intrepid threat intelligence analyst, it’s business as usual as he touches down at The Hague, en route to Europol’s headquarters where, in a joint operation with law enforcement agencies in The Netherlands, Italy and Germany, he will help take down the malware network.
The group behind Ramnit has been in operation for at least five years and in that time has evolved into a major criminal enterprise, contaminating more than 3 million computers worldwide.
One takedown at a time, security intelligence analysts like Gavin and law enforcement agencies strike a significant blow against cybercriminals.
Keeping up with the latest threats requires unfailing attention, passion for computer technology, top-notch education, intellectual prowess and, of course, insatiable curiosity.
Gavin began his career as a security response engineer with the Norton team over four years ago, before going on to become a security intelligence analyst. He has a Masters degree in Computer Security.
When he is not on the frontline, traveling to Europol to assist in the latest botnet takedown or gathering intelligence on organized cybercriminal groups, Gavin is attending major security conferences around Europe to keep ahead of the curve.
“The best thing about working for a company like Symantec is the people,” he says. “I work with a really good team of world-class security experts. Some of them are, literally, the best in the world at what they do, which is great to work with.
“I am inherently nosey; I am always poking around and finding things. It’s what I love most about my job, that and seeing attacks all over the world and tracking the attacker groups. It could be China one week, Russia the next.”
The one thing threat intelligence analysts all have in common — besides a natural inquisitiveness — is the satisfaction of knowing that they are keeping customers safe.
“That’s our ultimate goal. Our security intelligence and investigations into cybercriminals not only helps catch the bad guys, it helps build better security features back into our products and services — for our customers.”
We have an extensive security history and our pioneering spirit continues today. Our digital world is constantly changing, so at Norton we never rest. We’ve protected our customers and their data for 25 years — and we’re going to keep doing just that.
With a team of over 1,700 customer care experts dotted around the globe, Norton ensures easily accessible support no matter your location. In fact, we’re so confident in our award-winning protection and quality support services that we offer a money-back guarantee.
Over the last 25 years, we’ve built a rich and widespread intelligence network, constantly gathering data on threats from over 40 million endpoints in over 150 countries. That data is what drives our protection, enabling it to stop even emerging threats that nobody’s ever seen before.