Know Your Enemy: Who Are You Protecting Yourself From?A Chapter of the Upcoming Book 'Heuristic Risk Management' by Michael Lines
Learn about an effective approach for setting up a risk-based information security program from CyberEdBoard executive member Michael Lines.
Michael Lines is working with Information Security Media Group to promote awareness of the need for cyber risk management, and as a part of that initiative, the CyberEdBoard will post draft chapters from his upcoming book, "Heuristic Risk Management: Be Aware, Get Prepared, Defend Yourself." The first chapter we published is here.
Know Your Enemy
Before you can seek to protect your organization from cyberthreats, you need to know who and what you are fighting. To build your defenses without a clear picture of who your adversaries are is the same as swinging a sword in a dark room, hoping to parry your enemy’s attacks. Yes, you can get lucky, but then luck is the measure of your program, not skill.
Why do you need to know your attackers? Isn’t it enough to know their methods - phishing, malware, etc.? "Aren’t we wasting time?" you may ask, when it often seems impossible to attribute an attack.
It matters because without knowing who your likely attackers are, you will not pay proper attention to news or reports concerning them. This is a vital component of your threat intelligence, a function that you need to have as part of your information security. Keeping abreast of how your attackers are evolving their attacks, targets and techniques is key to helping you ensure your defenses are evolving as well to protect your organization against them.
Types of Threat Actors
In risk terminology, those you are seeking to defend your organization against are called threat actors, or those who are behind the threats that your business faces. In the world of cyber risk, there are three main threat actors groups you need to defend against: nation-states, criminals and hacktivists.
No company can consider itself immune from being targeted by nation-state attackers.
Nation-state refers to those threat actors who are directly or indirectly backed by or who represent an individual nation. All developed nations have offensive and defensive cyber warfare operational groups, either as a part of their military or their intelligence agencies - or both.
These agencies are tasked with carrying out defensive and offensive cyber operations as directed by the state to advance their national interests. This can include everything from intelligence gathering to defensive measures intended to protect the nation from attackers to offensive actions against those who are determined to be threats to the nation by its leadership. These offensive actions can range from digital-only attacks to cyberattacks supporting kinetic military actions.
For most commercial businesses, the focus of most nation-states actors is either espionage, which is the gathering of useful intelligence on the enemy, or sabotage, which is disruption or destruction of the enemy’s infrastructure or economic interests. Some nation-states are also engaged in what are normally considered criminal activities to help fund the nation and its military operations while also damaging those it perceives as enemies.
Some major nation-state cyber players - Russia and China in particular - have a strong relationship between their official cyberwarfare agencies and quasi-independent criminal organizations operating within their borders that are the main source of cyberattacks globally. These groups act as either a proxy for attacks or perform intelligence-gathering operations, feeding information back to the state agencies that they discover as part of their criminal activities.
The bottom line: No company can consider itself immune from being targeted by nation-state attackers.
The only way that any business could consider itself immune from criminal attacks would be if it had no assets, no bank account, no computers, and no staff.
Criminal activity, which is directly attacking businesses for financial gain, can range from the acts of individual hackers and criminals all the way up to those of large-scale enterprises, which are organized to the same degree as commercial businesses. All of these activities are focused on making money via illegal means.
In contrast to the media image of hackers as lone wolves operating from a dark basement, cybercrime has become a multibillion-dollar global business, and it operates as such. Lone hackers can sell their services on dark web emporiums, buy ready-made malware for purposes ranging from ransomware to credit card theft - with on-call technical support available, rent botnets to conduct distributed denial-of-service - or DDOS - attacks against companies for extortion, or use money laundering services to help hide and deposit the money they have stolen.
Considering how many ways a criminal can steal money from a business using cyber means, the only way that any business could consider itself immune from criminal attacks would be if it had no assets, no bank account, no computers, and no staff. In that case, it would also not exist as a business.
Besides external criminal threats, you also need to consider potential or actual criminals you may already have inside your organization, such as:
- Disgruntled employees, who can sabotage systems or processes as a way of striking back at their employer because of perceived or actual harms to themselves;
- Malicious insiders, who are employees in your organization who work either on their own or in support of an external group to perform criminal acts of theft, sabotage, or espionage.
There is somebody who is pissed off by what your company does or represents, and if they have the requisite technical skills, they can do something about it that can cause harm to your company.
Hacktivists organizations, such as Anonymous, are groups that use technology, hacking, and other cyber techniques to bring about political or social change based on their cause. Typically, they seek to gather sensitive information that can be used to harm or pressure organizations to change their activities.
Any company that is in the social spotlight because of its product or services, its leadership, its positions or statements, or due to the sensitive nature of the information that it collects or processes can be a target of a hacktivist group.
These days, that can be just about any company, from the smallest retailer to the largest global corporation. Somehow, somewhere, there is somebody who is pissed off by what your company does or represents, and if they have the requisite technical skills, they can do something about it that can cause harm to your company.
Rank the Threats
Now that you know which individuals or groups are most likely to cause you harm, rank them in the order that you feel is most applicable to your company.
For commercial companies not involved with the government, the top-down ranking could be criminals, hacktivists, and nation-states. For a company that is involved with the government or defense or any company involved in critical infrastructure, the ranking could be nation-states, criminals, and hacktivists.
There is no right answer - simply the answer that makes sense to you and your company’s leadership when you use this information to present your program.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Michael Lines is an information security executive with over 20 years of experience as a Chief Information Security Officer, or CISO, for large global organizations, including PricewaterhouseCoopers, Transition and FICO. In addition, he has led several advisory services practices, delivering security, risk and privacy professional services to major corporations. Lines writes, blogs, speaks at conferences and webinars, and provides interviews on a wide variety of information security topics, primarily concerning what it takes to develop and run effective information security programs and why so many companies continue to suffer security breaches due to ineffective risk management.