Steve Benton, BT Deputy CSO, GM Cyber and Physical Security Operations and Programmes
I’ve been talking to hackers, to get into their mindset so I can work out how best we can help businesses protect their end users and sensitive data. And the first thing that comes out is that, generally, a cyberattack is nothing personal; you’re not being specifically targeted.
Most phishing, ransomware or vulnerability scanning attacks out there are widespread sprays, hoping for a pay-out. It’s a numbers game; test the defences of enough organisations and you’ll find one that will let you in. It’s like walking down your main shopping precinct and having a flyer thrust into your hand - you’re a target, but you’re not being specifically targeted. Most people will bin the flyer without reading it, but a few will read and act upon the information, bringing in enough return to make the whole flyer operation profitable.
So, if it’s rarely personal, why do hackers attack? What’s in it for them? By understanding the level of investment they’re willing to make and the danger they’re willing to risk, we have a better chance of disrupting their operating model or putting a stop to it altogether.
The five core ‘wants’ of cyber attackers
My research unearthed five main elements attackers are looking for. Once you understand them, you have the basis for a robust defence strategy. You can filter an attacker’s wants into the following:
#1 Your bandwidth
They want to use your networks and IT for targeted attacks against others or as part of their DDoS attack infrastructure.
#2 Your money
This can take many forms, from mining bitcoin through to extortion or manipulating your stock price. A whaling attack could trigger fraudulent money transfers, or they could steal funds through capturing credit card and banking details.
#3 Your data
Attackers can monetise your data through extortion with or without ransomware, either threatening to delete or leak your data. They can also obtain funds by stealing your intellectual property.
#4 Your storage
They might need somewhere to store something illegal and/or non-attributable on your systems. Think pirate software and illegal images.
#5 Your identity
Although your identity may well only be worth pennies if harvested and sold on, it might bring in a greater return if used in attacks against your social network or employer. Think whaling.
Layer and combine your defences for maximum effect
Understanding the many ways you could be an attractive target can be daunting, but use it to focus your defensive work on making access to your assets as difficult as possible. Multiple, overlapping layers of security are the key to deterring, disrupting and frustrating cyber criminals. Taken in isolation, individual security controls are fallible: they can be rendered useless by human error, software vulnerabilities or misconfigurations. I’d go so far as to say that attackers can get around even the best security controls in some situations.
But the defensive power of security controls lies in a combination of layers, bringing together deterrents, preventative measures and detective activity. It’s very hard for an attacker to dodge them all at the same time. Think of it like protecting your home. If the locks on the doors and windows and outside lights don’t keep the burglars out, the alarm, CCTV and large, barking dog might do the trick!
Make your business unviable for attack
Most cyberattacks are based on sound financial principles. Attackers look to spend as little as possible and only as much as will yield a healthy return. You can best defend your business by strengthening your cyber hygiene factors to the point where you’re not a viable target for an attack. Don’t give yourself away cheaply!
Start with a realistic assessment of your hardware and software; obsolete and end-of-service-life IT is dangerous. Bite the bullet and replace it before it costs you a lot more from being exploited. Then work methodically through your estate, securing as you go. Include your physical infrastructure and your perimeter, including Wi-Fi, cloud and any partnerships. With that in place, get familiar with your security environment, so that you understand the significance of any flags your security measures raise. There’s little point in having anti-virus, anti-malware, intrusion detection systems, and endpoint detection and response if you don’t react to their alerts.
Beware the one-size-fits-all security policy and restrict access to the lowest level of privilege that’s functional. Consider the access needs of departments and user groups on a case-by-case basis and separate out duties and functions. Train your people to default to the lowest level of privilege necessary to perform an action and so minimise times of vulnerability where individuals are logged in with admin rights. Reinforce the rule that credentials must never be shared. Simply put, there should be a different, strong password for each account a user has, and it should never be one they use outside work. It’ll make auditing and identifying leak points easier.
Put ‘honey-accounts’ into your domains. These accounts are never used legitimately, so they can be monitored with a hair-trigger, rapid-response alert: any use of them tells you someone is compromising your organisation. Plus, always apply patches as soon as they’re available. Failure to patch makes it cheaper and easier for the attacker to exploit common vulnerabilities. Push them to the expense of developing or buying a zero-day exploit.
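As an added example (not code from the original post), here is the detection side of a honey-account: a small Python checker that reads constructed Windows-style logon events and raises one alert per source address for any touch of an account that should never be used. The honey-account names, log layout and IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumed honey-account names: placeholders, not taken from the original post.
HONEY_ACCOUNTS = {"svc-backup-legacy", "finance-admin2"}

# Constructed sample lines in a simplified Windows Security log export:
# timestamp | EventID | TargetUserName | IpAddress | LogonType
# 4624 = successful logon, 4625 = failed logon, 4768 = Kerberos TGT request.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z | 4624 | alice | 10.0.1.15 | 2
2024-03-01T08:05:47Z | 4625 | svc-backup-legacy | 10.0.7.23 | 3
2024-03-01T08:05:49Z | 4625 | finance-admin2 | 10.0.7.23 | 3
2024-03-01T08:06:02Z | 4624 | bob | 10.0.1.40 | 2
2024-03-01T08:07:15Z | 4768 | svc-backup-legacy | 10.0.7.23 | -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<event>\d+) \| (?P<user>[^|]+?) \| (?P<ip>[^|]+?) \| (?P<ltype>\S+)$"
)

def parse_events(text):
    """Parse the simplified export into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def honey_account_hits(events, honey_accounts=HONEY_ACCOUNTS):
    """Group every event that touches a honey account by source IP.
    Success, failure and ticket requests all count: nobody should ever use these accounts."""
    wanted = {h.lower() for h in honey_accounts}
    hits = defaultdict(list)
    for ev in events:
        if ev["user"].lower() in wanted:
            hits[ev["ip"]].append(ev)
    return dict(hits)

def alerts(text, honey_accounts=HONEY_ACCOUNTS):
    """One alert per source IP: which honey accounts it touched, how often, and when it started."""
    out = []
    for ip, evs in honey_account_hits(parse_events(text), honey_accounts).items():
        out.append({
            "source_ip": ip,
            "accounts": sorted({e["user"] for e in evs}),
            "events": len(evs),
            "first_seen": min(e["ts"] for e in evs),
        })
    return out
```

In a real deployment the alert would go straight to the responder queue rather than a list; the point is that a single event against one of these accounts is enough to trigger it.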
Know your cyber enemy
I’m reminded of the Sun Tzu quote: “If you know neither the enemy nor yourself, you will succumb in every battle”. If you want to stay secure, get familiar with the attacker mindset and establish a clear view of your defences. And don’t do this as a one-off. Get obsessive about understanding your vulnerabilities and the latest ways malicious actors are seeking to evade detection.