Chris co-founded Cosive seven years ago, alongside Kayne Naughton and Terry MacDonald, and serves as the company’s CTO.
In this interview we sit down with Chris to cover many different topics, like:
In the early days of the company I was very hands-on in all the projects, building software and managing systems, but as the company’s grown my role’s grown more into overseeing the direction of how things we’re building are progressing and being applied, although I still do as much consulting and technical work as I can get away with. Lately I’ve been investigating the explosion of progress in AI and large language models as they can be applied to cyber threat intelligence, building on top of the ChatGPT ATT&CK analysis experiments I did soon after ChatGPT’s release.
I started out doing what you might call more “classic IT” in the late 90s after I graduated from university. I started out working in a Network Support team, working in desktop support and network troubleshooting as a graduate. From there, I started to build a Web team within that company. This was back in the days of Perl and very much in the infancy of dynamic websites. And that was something that really interested me.
After a few years doing that I started to really think deeply about the fact that we were building programs that anybody could run on the internet, friend or foe. I had studied information security in university; I particularly loved learning about classic cryptology and cryptanalysis. I started to think about whether someone could use what I was building to do something bad. I started to teach myself everything to do with information security and that's what really lit a fire under me to move into the field.
I was in Brisbane at the time so I interviewed with AusCERT, who were Australia's National Security Response team in those days. It was based out of the University of Queensland for historical reasons, because there was an attack on Australian universities in the early 1990s and they decided to stand up a joint response team with a national and international focus.
I became a Security Analyst at AusCERT. I really loved doing that sort of work. It was a chance for me to take my previous software development experience and use that to build automation and tooling for incident response and threat intel. That kind of automation of cyber security work has ended up being a theme throughout my career.
It was the mid-2000s, and phishing was just starting to be a thing that people were experiencing and thinking about. We often felt like attackers used Australia as a test bed because they could take successful ideas and transport them to the US, the UK, and Canada which have bigger populations. This was our theory, at the very least.
It was a really exciting time to do battle with the phishers and learn how they were doing things and build tooling to try to automate our response. There were some particularly creative phishing crews at the time where unpicking their infrastructure and backend ‘kits’ was a white whale for many of us in Australia. We had a close-knit community of people across different organisations working on this stuff at the time and sharing lots of data and findings.
A particularly interesting challenge was a credential-stealing “Man in the Browser” piece of malware that also encrypted the credentials stolen. They employed something custom for their encryption, so using classic cryptanalysis we were able to work out they were using two-character combinations to represent every single character of plaintext, and then, by using a “crib” (the known plaintext being the URL) and character frequency analysis, we worked out the decoding table. I wish I still had a copy of the paper I wrote at the time!
One thing often talked about today (still!) is the Whack-a-Mole game of phishing response, where we try to take down phishing sites as fast as the phishers can put them up. This was my first experience with the Whack-a-Mole game in its infancy. We were all learning, both the phishers and those of us trying to take down all these phishing sites. The way that game is played is fundamentally very similar today to what it was almost 20 years ago, so I’m also passionate about other ways we can disrupt phishing sites and scammers.
People can come into cybersecurity from all sorts of other disciplines and still be very effective in the field. I’ve seen people come across from networking, software development, fraud investigation, R&D, law, humanities, and civil engineering. I think that's a really exciting thing about the industry.
It's such an immature field in so many ways and we're all still working it out. There’s something kind of refreshing about that, even though there's a lot of challenges associated with it too. As a society, I think we’re still working out the balance of securing systems versus making them available and putting all these services online. Obviously we're struggling with that, at the time of us talking about this, with so many high-profile data breaches.
Often, it’s where we focus our energy. We need to make sure we don’t get too jaded or discouraged with progress we make. From earlier in our conversation, there are things about cybersecurity that haven’t changed much in almost two decades. With phishing, we still play the Whack-a-mole game. We know it’s ineffective, but it often feels like the only option. Meanwhile, there are now better active defences we can use to tackle that problem, like canary credentials. For various reasons, active defences against phishing haven’t seen the adoption that I think they deserve - something we’re working on. We can sometimes get stuck attacking problems in the same reactive way we’ve always done.
There are definitely some big changes.
In the mid-2000s, every government swore black and blue that it would never attack another country using cyber attacks. In actuality, they were doing exactly that, but they’d never admit it. I saw that just the other day the New Zealand government or one of their government security agencies publicly admitted to carrying out cyber attacks on other nations. The response from people was basically “Well, of course you do”.
Today, it's almost as if a government would be seen as negligent for not having such a capability. It'd be almost like saying, “We don't have an army, how dare you accuse us of that”. That's been one big change.
Another big change has been how seriously organisations take security and how it’s budgeted. AusCERT, for instance, was formed by several universities back in the 1990s because nothing like it existed. Prior to that the government had, let's say, DSD (now ASD)… they did a great job at what they did but definitely had a culture of secrecy. In contrast, AusCERT was this very deliberately public facing organisation handling requests from the public.
Obviously that is totally different these days. The government spends a lot of time and energy in having public facing cybersecurity organisations and policies, which has been a big shift. We can’t do all of this behind closed doors. It takes lots of cooperation and shared learning.
Within companies, much higher awareness and bigger budgets for security have absolutely become a thing. It goes all the way up to the board level. In the mid-2000s security was often the side job of someone in the network team who happened to be that way inclined. Today, bigger companies have huge teams solely dedicated to security with many specialisations within them.
After I'd been at AusCERT for about two years I went and visited our counterpart in Japan, JPCERT. They were hiring a Malware Analyst. It's not something I'd ever entertained, but I was loving being in Japan as a tourist and decided to apply.
It was a big move. I only knew one person in that country, the person who had offered me the job, but I decided to go for it because I figured that I’d never get another opportunity in my life to do something like that.
I worked in Japan for four years and it absolutely had its ups and downs. It was definitely a net good, but there were very trying periods, most of which had to do with language. I had done a few months of night school before I left for Japan and was barely able to string a conversation together when I started at JPCERT. I was learning Japanese literally on the job to get to the point where I could survive in meetings and emails. But I got to work in all sorts of different teams within JPCERT and they're a lovely bunch of people. They supported me very well given my communication peculiarities and differences.
When I speak Japanese now, I can explain malware analysis but I couldn't explain the weather better than a primary school kid. My vocab became very specialised to what I needed for my job.
I was a bit burned out by the end of my time in Japan. Again, I had all the time in the world for the people at JPCERT. It was more the struggle to do day-to-day things without relying on other people to help with the language barrier. After four years of that I felt very weary so I decided to go in a new direction.
I'd always wanted to have a go at running my own company. When I moved back to Australia I hung out my own shingle. I started developing tools for incident response teams and decided that would be the mission of my solo company. I wanted a break from the reactive work of incident response and to focus on building tools to help.
I worked with a lot of the teams I had previously been a part of or worked with, and I had also built a lot of international contacts as well during my time in the international incident response space. I started building software and doing consulting to incident response teams, and although I really enjoyed it, it had its ups and downs.
While I had the classic dream of being my own boss, I was also the only employee of the company. That gets tough when you want to take holidays or take a mental break. I remember going on my honeymoon with my wife and feeling like I needed to take a laptop with me just in case a system I had built for somebody had an outage and the client needed my assistance. I enjoyed the freedom of working for myself, but it meant I could never be entirely off the clock.
In 2015 I went to the AusCERT conference in Queensland and happened to get chatting to Kayne and Terry, the other two co-founders of Cosive. I knew Kayne, who knew Terry. They were both doing somewhat similar things. Terry, I think, was solo, Kayne had maybe a couple of people working for him, but we were all finding that the idea of scaling was hard past one or a few people.
It was at that point we decided to pool our resources (as a side thing to begin with) and to explore this idea of building something together. We founded Cosive to break out of the limitations of being a solo operator and give ourselves some redundancy.
I definitely subscribe to the adage that picking business partners is very much akin to finding a marriage partner. You're going to spend a lot of time with these people, so as well as having an idea and a common mission you personally need to be able to get on with them and work well with them. We're seven years in at this point and we're still around, so obviously that bit of it is working.
We’re very excited about the prospects for CloudMISP, our managed MISP service. It's been getting some really good reactions. Cosive actually started out as a threat intelligence consulting company, and we’ve worked with threat intelligence platforms for a long time. But in retrospect, we were just a few years early for that mission in Australia. These days there's some big scale Australia-wide projects talking about threat intelligence and how all organisations can cooperate.
It's really exciting that we can help organisations that are just starting on that journey of a threat intelligence function with some of the initial tooling to be able to do that. We’ve dealt with threat intelligence platforms, with MISP, with STIX, with all those technologies for many years now. Working on CloudMISP gives me a sense of satisfaction because we’ve made it less painful to get started with threat intelligence.
More broadly, we have quite a stable of products and services that we offer, and that’s besides all of the consulting work we do. I find it very rewarding to go into companies and talk about what we can do over the next year to make things more streamlined, more reliable, more efficient, in terms of incident response or operations centre, or threat intelligence.
I have a big one at the moment. One frustration I have about cybersecurity and software development more generally is how abstract the things you build are. If I build a data processing pipeline to construct STIX packages, that's not something I can show my son and say “Hey, look what I built”. The idea of building something tangible is really enthralling.
So, the thing I've gotten into recently is LEGO Mindstorms, which is robotics using LEGO. It comes with a hub unit, which is a programmable controller. You can write Python code or you can write Scratch-like code using visual code blocks. The hub comes with ports for plugging in servo motors. You can also attach all sorts of arms and wheels. You can build robots that drive around the floor and have distance sensors. You can write an algorithm to back off and rotate 90 degrees when the robot reaches a wall and try going another way, for example.
People have done some amazing stuff with Mindstorms. You can attach a pen to your motors, so they’ve built robots that can draw pictures on a piece of paper. People will post blueprints online of their own builds and I enjoy recreating those as well as coming up with my own creations.
We talk a lot about STEM learning these days and teaching kids about technology. To me, robotics is a fantastic way to do that because for a kid, programming numbers or text output can be a bit underwhelming. But when it's like, “Hey I did a thing and this robot crashed into a wall and exploded into parts!” That's exciting. Whenever that happens my son thinks it’s the best thing. Then we go “All right. What did we do wrong? How are we going to fix that?” It’s a really great feedback and learning cycle. It’s really exciting to do that with my son as well.