At a recent seminar I was asked a question on how and where do we begin preparing for a cyber attack. Another individual who interrupted my answer insisted that controls was the way to go. He said something that sounded like “I got all my 20 controls under control, implemented and monitored. I am fine."
Although I partially agree with the answer that controls are important and must be implemented correctly. Oh, they also must be monitored regularly. However, I am of the opinion that the better way to begin the journey of setting up an effective cyber security posture is to begin by understanding your enemy. Put another way, for those who don’t believe in the concept of enemies and adversaries, begin by understanding the threat actors relevant to your business.
Note: I know, some of my readers may be thinking “He completely forgot about the R (risk) word.” Understanding your threats and threat actors should go hand in hand with an effective risk management program.
ISACA describes four main types of Attackers:
- The Unsophisticated Attacker: More often called script kiddy, this individual is a rookie, a newbie and primarily attacking blindly. A pure opportunist.
- The Sophisticated Attacker: Able and more mature then the script kiddy this individual has time and will attack specific targets. Motivated.
- Criminal or Corporate Espionage type attacker: Organised elements intent on defrauding your business. These criminals are often assisted by a grieved former or current employee.
- State Sponsored Advanced Attackers: The most serious, well trained, superbly organised and capable, these attackers are sponsored and backed, directly or indirectly, by nation states. You are only in their crosshairs because you have something they want.
Hold on - there is the Fifth Attacker?
Although technically, the privileged insider can be slotted into any one of the above categories it deserves its own classification as very often it is the employee or groups of them that end up causing the biggest disruption and damage to the business that is their employer. Reasons range from bribery, job dissatisfaction or loss of employment.
The privileged attacker is a special kind of attacker as he/she is well versed with the culture, the technology, the technical architecture and most importantly has the explicit trust of his/her employers. In most small to medium organisations the privileged user or groups of them end up taking on multiple roles such as the 'IT guy', 'the email guy', 'the laptop does not work call him now guy'. You get the point.
In addition and in almost all instances this privileged user has the administrative user details including passwords to all the critical systems and that is why this type of user is also sometimes called the 'god user' or 'superuser'.
Did I forget the Hacktivist?
I have not forgotten about the “hacktivist” or cyber activist. The hacktivist can be from anyone of the five attackers described above. More often than not, the unsophisticated and the slightly more able ones fit the hacktivist bill. Needless to add that the insider is often the cause of many unreported attacks.
We could be here all day talking about what is next. Most organisations readily dismiss the nation threat, correctly, I must add. To their detriment, however, they also completely ignore the other threat actors. There is a constant phrase I hear from many small and medium enterprises. “Why would they want to attack us? We only produce widgets.” However, it is important companies take a realistic, pragmatic and practical approach when discussing their attackers. Most nation states are not after the run off the mill company producing widgets. Yes, if you are a defence contractor for example, you need to put the nation attacker at the top.
You Will Be Attacked!
The reality is, regardless of size and product, your company can and will be attacked. If you are “cyber boring” you will be attacked so that the attackers can use your IT systems as a launchpad for another target.
You will be attacked just because someone, on planet Earth, disagrees with your product, your service or even your geographic location. Activists are passionate about their cause and belief system and will go to any lengths to “teach them a lesson".
Remember the insider attacker? An employee with a grievance who has super user rights to your IT systems can be far more dangerous than a nation state attacker. Why? Well an insider already knows your systems, your loopholes and has all the access necessary to cause maximum damage.
Know your attackers so you can start planning on how to best defend your organisation.
This article has originally appeared in the KuppingerCole Analysts' View newsletter.