One of the most ridiculous portrayals of cyber security experts comes from the TV show NCIS. As soon as the characters see that hackers have broken through the NCIS firewall, two of them jump onto one keyboard. I imagine nobody has ever successfully typed an email – never mind stopped a cyber-attack – by inviting someone else to type with them simultaneously on the same keyboard.

As silly as this example is, cyber security is a collaborative process. We work closely with health and care organisations to provide a range of specialist services so they are prepared and ready to respond to cyber threats. These services include a cyber security support model, assessment and support, and threat advice and intelligence. We’re also promoting our Keep I.T. Confidential campaign to embed good cyber security habits as an everyday part of the behaviour of staff in health and care.

We also have a number of strategic partnerships. One of these relationships is with the National Cyber Security Centre (NCSC), who provide threat intelligence related to the health and social care sector and a key supporter to incident management when it becomes widespread. They also provide advice, guidance and best practice guides which help organisations, including NHS Digital, to strengthen their security posture.

For example, in the 2003 version of The Italian Job, one of the characters hacks into the traffic control centre in Los Angeles, takes control of the traffic lights in the city and causes chaos. Then, as quickly as the attack begins, it’s over.

In real life, our projects keep us busy over long periods of time. If it all happened like it did in the movies, we’d have very little to do in between dramatic cyber attacks.

We use threat hunting activities to proactively search through networks for cyber threats every day and apply blocks to ‘indicators of compromise’ (unusual activity or data that indicates a potential cyber attack).

The Cyber Security Operations Centre (CSOC) at NHS Digital has detected and blocked a number of malicious malware and trojans over the past few years using these techniques. Recently, we detected the TrickBot trojan, a powerful credential stealer originally developed in 2016 as a trojan for banking applications. Since its creation, TrickBot authors armed their malware with many additional capabilities (modules) that allow silent propagation across the network, evasion of anti-virus, and communication with command and control (C2) servers, to harvest and exfiltrate a range of sensitive data. Our early detection work helped prevent further infections to reduce the impact to the NHS estate.

In Jason Bourne, an attacker seemingly ‘walks into’ the CIA’s computer system to steal data with little to no effort, downloading everything she needs in one go.

Real-life organised crime groups play the “long-game” – they generally use a slow-burner approach to remain undetected. Of course, this doesn’t create the high impact drama that viewers want to see on television or in the movies, but copying large volumes of data in one go is much too obvious.

Real criminals know this, so they go for small amounts of data which could go unnoticed more easily. For example, they might start a phishing campaign which contains a malicious file that is downloaded on to an end user’s computer. It could sit dormant for weeks or months before someone takes a simple action, like opening a particular file, which then causes the malicious file to execute and either:

How do we stop them? We also have a slow-burner approach at the CSOC. This is partly due to limitations in capability, visibility and resourcing – criminals spend all their efforts looking for one weakness to exploit, whereas we need to take a holistic view of the overall system. We also have to “play by the rules” – everything we do needs to be legal and ethical. Criminals do not care about either of these things.

Our team is full of highly-skilled personnel to provide protective monitoring. We have threat hunters that look for indicators of compromise each day, We also have a multi-view of the NHS estate which is fed into the Security Incident and Event Management Tool (SIEM), and end point protection (different from anti-virus software), a vulnerability management tool which scans against known vulnerabilities that have the potential to be exploited.

Cyber security professionals are problem-solvers and investigators, and we do most our work behind the scenes to ensure the systems on which our patients and healthcare professionals rely on run safely and securely.