And the first thing that comes out is that, generally, a cyberattack is nothing personal; you’re not being specifically targeted.
Most phishing, ransomware or vulnerability-scanning attacks out there are widespread sprays, hoping for a pay-out. It’s a numbers game: test the defences of enough organisations and you’ll find one that will let you in. It’s like walking down your main shopping precinct and having a flyer thrust into your hand: you’re a target, but you’re not being specifically targeted. Most people will bin the flyer without reading it, but a few will read and act upon the info, bringing in enough return to make the whole flyer operation profitable.
So, if it’s rarely personal, why do hackers attack? What’s in it for them? By understanding the level of investment they’re willing to make and the danger they’re willing to risk, we have a better chance of disrupting their operating model or putting a stop to it altogether.
My research unearthed five main elements attackers are looking for. Once you understand them, you have the basis for a robust defence strategy. You can filter an attacker’s wants into the following:
Understanding the many ways you could be an attractive target can be daunting, but use it to focus your defensive work on making access to your assets as difficult as possible. Multiple, overlapping layers of security are the key to deterring, disrupting and frustrating cyber criminals. Taken in isolation, security controls are fallible and can be rendered useless by human error, software vulnerabilities or misconfigurations. I’d go so far as to say that attackers can get around even the best security controls in some situations. But the defensive power of security controls lies in a combination of layers, bringing together deterrents, preventative measures and detective activity. It’s very hard for an attacker to dodge them all at the same time. Think of it like protecting your home. If the locks on the doors and windows and the outside lights don’t keep the burglars out, the alarm, CCTV and large, barking dog might do the trick!
Most cyberattacks are based on sound financial principles. Attackers look to spend as little as possible and only as much as will yield a healthy return. You can best defend your business by strengthening your cyber hygiene factors to the point where you’re not a viable target for an attack. Don’t give yourself away cheaply!
Start with a realistic assessment of your hardware and software; obsolete and end-of-service-life IT is dangerous. Bite the bullet and replace it before it costs you a lot more by being exploited. Then work methodically through your estate, securing as you go. Cover your physical infrastructure and your perimeter, including wi-fi, cloud and any partnerships. With that in place, get familiar with your security environment, so that you understand the significance of any flags your security measures raise. There’s little point in having anti-virus, anti-malware, intrusion detection systems, and endpoint detection and response if you don’t react to their alerts.
Beware the one-size-fits-all security policy and restrict access to the lowest level of privilege that still lets people do their jobs. Consider the access needs of departments and user groups on a case-by-case basis and separate out duties and functions. Train your people to default to the lowest level of privilege necessary to perform an action, and so minimise the windows of vulnerability in which individuals are logged in with admin rights. Reinforce the rule that credentials must never be shared. Put simply, there should be a different, strong password for each account a user has, and it should never be one they use outside work. It’ll make auditing and identifying leak points easier. Put ‘honey-accounts’ into your domains. These accounts are never used legitimately, so they are monitored with a hair-trigger, rapid-response alert: any attempt to use one tells you someone is probing or compromising your organisation. Plus, always apply patches as soon as they’re available. Failure to patch makes it cheaper and easier for the attacker to exploit common vulnerabilities. Push them to the expense of developing or buying a zero-day exploit.
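As an added example (not code from the original post or from BT), here is a minimal honey-account detector in Python: it scans constructed authentication log lines and raises an alert on any logon attempt, successful or failed, against a decoy account, because those accounts have no legitimate use. The log line format, the decoy account names and the alert fields are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Decoy accounts that are never used legitimately (assumed names, lower-case).
# Any authentication event naming one of them is an alert, success or failure.
HONEY_ACCOUNTS = {"svc_backup_legacy", "admin_old"}

# Assumed log line shape: "<timestamp> <host> LOGON <result> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) LOGON (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    result: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_honey_account_use(lines, honey_accounts=HONEY_ACCOUNTS):
    """Return an Alert for every logon event that names a honey-account.
    Failed attempts count too: a password guess against a decoy is as telling
    as a success, because nobody should be trying it at all."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a production tool would record it
        if ev["user"].lower() in honey_accounts:  # case-insensitive match
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"], ev["src"], ev["result"]))
    return alerts


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z dc01 LOGON SUCCESS user=alice src=10.0.1.15",
    "2024-05-01T09:00:07Z dc01 LOGON FAILURE user=svc_backup_legacy src=10.0.9.77",
    "2024-05-01T09:00:09Z dc01 LOGON SUCCESS user=bob src=10.0.1.22",
    "2024-05-01T09:00:12Z fs02 LOGON SUCCESS user=Admin_Old src=10.0.9.77",
    "garbage line that does not match",
]

if __name__ == "__main__":
    for a in detect_honey_account_use(SAMPLE_LOG):
        print(f"ALERT {a.ts} {a.result} logon as honey-account {a.user} on {a.host} from {a.src}")
```

Note that both alerts in the sample come from the same source address, which is the kind of correlation a rapid-response playbook would act on.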
I’m reminded of the Sun Tzu quote: “If you know neither the enemy nor yourself, you will succumb in every battle”. If you want to stay secure, get familiar with the attacker mindset and establish a clear view of your defences. And don’t do this as a one-off. Get obsessive about understanding your vulnerabilities and the latest ways malicious actors are seeking to evade detection.
If you’d like some help in establishing the subtle layers of security you need to cut the chances of attackers succeeding, please contact your BT account manager.