Before you can seek to protect your organization from cyber threats, you know to know who and what you are fighting. To build your defenses without a clear picture of who your adversaries are is the same as swinging a sword in a dark room, hoping to parry your enemy’s attacks. Yes, you can get lucky, but then it is luck that is the measure of your program, not skill.
Why do you need to know your attackers? Isn’t it enough to know their methods (phishing, malware, etc.)? “Aren’t we wasting time?” you may ask when it is often impossible to even attribute an attack to who is behind it?
It matters because without knowing who your likely attackers are, you will not pay proper attention to news or reports concerning them. This is a vital component of your threat intelligence, a function that you need to have as part of your information security organization that I will discuss in the Appendix — Assemble Your Team. Keeping abreast of how your attackers are evolving their attacks, targets and techniques is key to helping you ensure your defenses are evolving as well to protect your organization against them.
In risk terminology, those you are seeking to defend your organization against are called “threat actors”, or those who are behind the threats that your business faces. In the world of cyber risk, there are three main threat actors groups you need to defend against:
Nation-state refers to those threat actors who are directly or indirectly backed by or represent an individual nation. All developed nations have offensive and defensive cyber warfare operational groups, either as a part of their military or their intelligence agencies (or both).
These agencies are tasked with carrying out defensive and offensive cyber operations as directed by the state to advance their national interests. This can include everything from intelligence gathering to defensive measures intended to protect the nation from attackers to offensive actions against those who are determined to be threats to the nation by its leadership. These offensive actions can range from digital-only attacks to cyber-attacks supporting kinetic military actions.
For most commercial businesses, the focus of most nation-states actors is either espionage (gathering of useful intelligence on the enemy), or sabotage (disruption or destruction of the enemy’s infrastructure or economic interests). In addition, some nation-states are also engaged in what are normally considered criminal activities, to help fund the nation and their military operations while also damaging those they perceive as enemies.
It is also important to note that some major nation-state cyber players, Russia and China in particular, have a strong relationship between their official cyberwarfare agencies, and quasi-independent criminal organizations operating within their borders that are the main source of cyber-attacks globally. These groups act as either a proxy for attacks or perform intelligence-gathering operations, feeding information back to the state agencies that they discover as part of their criminal activities.
The bottom line, no company can consider itself immune from being targeted by nation-state attackers.
Criminal activity (directly attacking businesses for financial gain) can range from the acts of individual hackers and criminals, all the way up to large-scale enterprises, which are organized to the same degree as commercial businesses. All of these activities are focused on making money via illegal means.
In contrast to the media image of hackers as lone wolves operating from a dark basement, cybercrime has become a multi-billion dollar global business, and it operates as such. Lone hackers can sell their services on dark web emporiums, buy ready-made malware for purposes ranging from ransomware to credit card theft (with on-call technical support available), rent botnets to conduct Distributed Denial of Service (DDOS) attacks against companies for extortion, use money laundering services to help hide and deposit the money they have stolen, etc.
Considering how many ways a criminal can steal money from a business using cyber means, the only way that any business could consider themselves immune from criminal attacks would be if they had no assets, no bank account, no computers, and no staff. In that case, they would also not exist as a business.
Besides external criminal threats, you also need to consider potential or actual criminals you may already have inside your organization, such as:
- Disgruntled employees, who can sabotage systems or processes as a way of striking back at their employer because of perceived or actual harms to themselves.
- Malicious insiders, who are employees in your organization who work either on their own or in support of an external group to perform criminal acts of theft, sabotage, or espionage.
Hacktivists organizations, such as Anonymous, are groups that use technology, hacking, and other cyber techniques to bring about political or social change based on their cause. Typically they seek to gather sensitive information that can be used to harm or pressure organizations to change their activities.
Any company that either is in the social spotlight because of its product or services, its leadership, its positions or statements, or due to the sensitive nature of the information that they collect or process, can be a target of a hacktivist group. These days, that can be just about any company, from the smallest retailer to the largest global corporation. Somehow, somewhere, there is somebody who is pissed off by what your company does or represents, and if they have the requisite technical skills, they can do something about it that can cause harm to your company.
1.4 Rank the Threats
Now that you know which individuals or groups are most likely to cause you harm, rank them in the order that you feel is most applicable to your company. For commercial companies not involved with the government, it could be Criminals, Hacktivists, and Nation-States. For a company that is involved with the government or defense, or any company involved in critical infrastructure, it could be Nation-States, Criminals, and Hacktivists. There is no right answer, simply the answer that makes sense to you and your company’s leadership when you use this information to present your program, as will be described in Chapter 6 — Marshall Your Forces.
This is a draft of the content from my upcoming book on Heuristic Risk Management. The anticipated release is Q1 of 2022 and it will be available through all major book retailers in both print and ebook. Reference links are not included in these drafts, and all drafts will be removed from this forum when the book is published. Comments are welcome if there are areas that you feel are unclear or missing information. Since these are drafts, spelling and grammar issues are likely and will be corrected in the final release.