Internet terrorism, cyber security attacks, electronic terror, “bad guys”… whichever term you use, they all mean the same thing: groups of people performing targeted attacks on resources to cause harm or disruption for their own gain. No matter what label we give them, they still want what you have so they can meet their black market sales quota for the month. Do not be lulled into complacency; their threats are real and still very much alive today. You may not read or hear about them as much as you did a few years ago, but the available reports show that the attacks are more frequent, organized and complex, and less transparent to the public at large. This may be by natural design, or it may be in response to how your organization advertises itself before, during or after an attack. Is your organization the next Internet target for the “bad guys”? It may come down to something as simple as how your organization deals with targeted attacks in the public eye.
As a quick background, organizations have spent millions, even billions, of dollars formulating frameworks, designing security controls and building complex operations to track and prevent threats that may cause service outages or brand damage. They have implemented best practices that have either been good point solutions or have kept us on the hamster wheel, spending more funds without gaining any traction or value for our stakeholders and customers. As the trend of attacks targeting businesses and governments continues to increase, we quickly start to sense that our current security methodologies are just not working effectively. This should not come as a surprise to anyone who has served as an information security professional, but it can cause some head scratching among our shareholders and customers. One would think that the amount of time and money invested in security would correlate with our industries being in a much better position to deal with targeted attacks. But all too often, organizations wind up being tool rich and execution poor.
Every facet of information security involves people, whether they are “good” or “bad” from a protection standpoint. If you or your business have been targeted or held hostage by a band of electronic thieves, you can relate to the mixed emotions of anger and helplessness while trying to overcome the threats you are facing. The “bad guys” know this and try to use it to their advantage. If they take the time to research your capabilities and test your security, they can gauge your ability to respond, or even whether you can detect their presence at all. They can read up on your recent tool purchases, search for events like a reduction in force or a reorganization, or simply probe the environment to gauge your response.
In addition, the “bad guys” know that the information security world is in a perpetual Catch-22 with its own businesses, which makes targeting much easier. The catch is that every other profession relies on open, honest communication to discuss issues for quick and timely resolution. The information security community is not always allowed to discuss organizational issues openly and honestly within its own community, due to the fear of disclosure, legal liabilities or future eDiscovery issues. The irony is that the same laws that are supposed to help customers, businesses and governments quickly become a hindrance because of legal fears over disclosure or business liability. These limitations keep brewing issues isolated from the community at large and create silos of thought and resolution, making it easier for the bullies to control their turf. Isolation, helplessness, anger and the lack of a true community create a void that the “bad guys” can fill very quickly.
With all this working against information security, it is easy to understand why targeted attacks remain successful. But there are other drivers at play that we must consider to completely understand who is attacking us and why. First, we need to understand how business and government reactions are viewed from the outside world and what security models they potentially reflect. Second, we need to learn about the different classes of attackers and their history to gain some understanding of their predictive behavior.
From my perspective, there are three basic security models that are represented in the business and government industries: DNA, Legal and Accountability. The chart below helps describe the main characteristics of each model:
| Model | Core premise | Approach | Drawbacks |
|---|---|---|---|
| DNA | Security principles are woven into the organization's fabric. | Security is a property that must be identified and mitigated in each endeavor. The goal is to treat security as an equal and not only a checkbox. | Products and services may be slower to market. Functionality may be limited compared to the competition due to risk-averse strategies. |
| Legal | Security and its deliverables are considered potential liabilities. | Endeavors are tightly reviewed and mitigated for legal liability first. Branding implications and eDiscovery are in the forefront. | The Legal group is the only successful sponsor of security initiatives. Deliverables such as metrics, analysis or reports are considered liabilities, labeled as privileged and cannot be disseminated to increase the security posture. |
| Accountability | Security is transparent in the organization and everyone is responsible for a portion. | Everyone has a stake in information security. Distribution of security ensures that only a limited few have the complete security picture. | Hinders the organization's ability to understand the big picture. Promotes thinking in silos and treats skills as a commodity. |
Every business possesses one of these three core models deep within its structure and culture. In certain situations and industries, businesses and governments use a mixture of the models, which can result in internal conflicts and friction points. Examples include the familiar communication breakdowns, leadership conflicts and the occasional disruptive reorganization due to political shifts. The thought process surrounding an organization’s chosen security model can indicate how threats are perceived and how the organization will respond, both privately and publicly. If an organization experiences a successful attack, the way it responds can help the “bad guy” formulate their next move. For example, the DNA model may try to fix the issue properly, gauge the exposure from a consumer perspective and openly communicate the remediation. In the Legal model, the issue may disappear behind business laws; the organization may begin to leverage employee confidentiality agreements, seek change to its security model privately, and not communicate publicly for fear of unwanted consumer reaction. In the Accountability model, the issue could result in a political witch-hunt, a reduction in force before reorganizing under a different model, and further separation of duties. Of course, there are many other ways an organization could respond that we have not covered, but the point is that the behavior exhibited can provide a great deal of information to the “bad guys”.
Let’s not forget about the customers in all this. For most customers, the Legal and Accountability models can leave them holding the bag for the long-term effects of a targeted attack. In our example above, if a Legal- or Accountability-based organization “appears” to be fine and healthy, and no pain is ever felt in the short term because of an undisclosed breach, the customer could find that their identity has been stolen 4-6 months after the breach that supposedly never happened. The customer now has to fend for themselves to resolve the issues, since there is no way to prove that a theft was tied to a particular organization, especially if the breach was never made public. A key thing to remember is that the “bad guys” who took the information know exactly how they got it in the first place!
Drawing upon the many privacy case records made public, most privacy laws appear to protect organizations from harm (under certain conditions), and the burden that falls outside that protection ends up on the consumers’ shoulders. The “bad guys” seem to know this and play the game better, more efficiently and with fewer resources. From the “bad guys’” perspective, they know which organization the information on the black market comes from. They know about the organization's weaknesses and will continue to pump data out as long as they can until something prevents them. The organization's dirty little secrets that are, in some cases, swept under a rug in public view are not so secret in the communities that terrorize organizations for a living. It is their job (and livelihood) to know these things about your organization. Many times, tactics such as waiting to see the organization's public response help the “bad guys” determine how soft a target really is. If security controls prevent them from continuing their attack, they may move on to softer and less organized targets. If they are not stopped and they see no signs of disclosure, they may conclude that the organization is saving face publicly and internalizing the attacks, which tends to invite further abuse later on. The irony here is that the “bad guys” make sure that security is built into their own attacks, to prevent their activity from being disclosed too quickly.
The second element we need to understand is the categories of groups that make up a significant share of the underground community. I have observed five types of groups that have emerged as the ringleaders in conducting targeted attacks:
1). Political/Religious activists
2). 80’s generation hackers
3). 90’s generation crackers
4). Current/former employees and contractors
5). Combination of 1-4 serving the black market
Each group has a unique history and has evolved by learning from and leveraging the others’ strengths and weaknesses. To anticipate future tactics and trends, one must understand the drivers of human behavior for each group and gain some perspective on each type's history.
Political and religious groups that sponsor or conduct terrorist behavior seem to make the headlines daily. Normally, they are the easiest to understand, since they carry a message and target the direct opposite of what they represent. They strongly believe in their mantra and can deliver attacks that help extort money or resources, or that send a message to a wide audience.
Groups that seldom appear in the media are the 80’s generation of hackers. During the 80’s, this group was dedicated to extending the functionality of programs and technology. The group originated from clans that hung out on bulletin board systems (BBS) and focused on stretching the boundaries of software and hardware for increased performance and “hidden” capabilities. As the Internet became popular, the interests of hackers expanded to extending systems beyond what the community already owned. They began to test the limits of organization and government systems that were available online. Their community was slowly eroded by the emerging Internet technologies that propelled the formation of a different breed called crackers.
Crackers could be considered the next generation, born from the basic concepts and principles that hackers honored. The similarity ends there, though, since the crackers began to offer “free” commercial software to the public. Many times, trial-ware and demonstration or time-limited software is cracked through weaknesses in license keys or serial numbers, or by actually rewriting headers of the compiled code. At the same time, a sub-culture formed that began to use hacking as a means to create problems in technology so that products and services could be sold to fix them. In contrast to the 80’s generation hacker, the overarching message of the 90’s group has had two parts: software and information should be free from corporate tyrants, and one can build a revenue stream by creating problems in technology in order to sell products and services.
Former employees in every facet of business may feel that something is owed to them or that part of their identity has been taken from them through layoffs or terminations. They may feel that an organization treated them badly or that they were not appreciated. Current employees may feel the same way, but the big difference is that they still have the inside scoop on your organization. They may be in your IT, Compliance and even information security teams, sharing your internal responses and reactions with “bad guys” on the outside. This behavior can be exhibited for thousands of reasons, but primarily it serves as an additional revenue stream if the information or data is of value on the black market.
The last group is one that serves the black market communities, usually through a foreign business or money-laundering scheme. Their objective is to find information or data with a monetary value that can be sold at a premium price. During times of economic prosperity, customer data such as credit cards carries a great deal of value because of the sheer number of issued cards and the available credit limit on each one. The collected data is sold in bulk to the highest bidder, giving the purchaser the ability to acquire goods or to resell the data. During the current economic recession or depression, there tend to be fewer active cards available and the available credit limits can be much lower. This can pressure the group into taking more chances, attacking a greater number of systems to yield a result that is considered profitable. To hedge against this risk, attacks are becoming more automated, more sophisticated and less transparent, in order to harvest a greater number of systems and improve the odds.
Now that we can see how an organization may respond and some of the groups that carry out targeted attacks, certain “behaviors” can be assumed based on the way each side operates. How your organization reacts can and will provide a foundation for the “bad guy” reaction that is certain to follow. If you find that your organization is locked into one of the three security models, you should determine how you are perceived from an outside perspective when attacks occur. It may be prudent to investigate what information is mentioned in SEC filings, audit reports and press releases, to begin to walk a mile in the “bad guys’” shoes.
One way to deal with this issue is to treat security as you would treat any other element of your organization that provides a competitive advantage. Not everyone needs to know your capabilities, the critical projects on the horizon or even the proposed budget of your security area. To be clear, I am not promoting security through obscurity; rather, I am recommending that your organization begin to treat its security objectives as a competitive advantage and proactively map out its response to events before they occur. In the business world, I do not believe you would announce a new product or service to everyone before it has been implemented or tested, so in the security world you may want to treat your security response the same way. Remember that the “bad guys” watch and wait for signs of weakness and instability. They watch your press releases, mergers, acquisitions, divestitures and new product launches. They read your breach notifications and your reorganization and R.I.F. announcements. They can strike if they feel your organization or its current state is weakened, especially if you hold data that retains a value on the black market. Even if you or your leadership do not believe your company has anything of black market value, your organization could simply be used as an expensive diversion from some other profitable criminal activity.
At the very minimum, remember the motives and drivers of the “bad guys”. The “bad guys” get their paychecks by extracting valuable information from your business, directly or indirectly. Something as simple as a letter sent to your customers about a previous breach or issue can contain enough information to reveal your business security model and how you deal with security issues internally. Take the time to ensure that security has been proactively built into whatever action or event you announce, internally or to the public at large… the “bad guys” may take the hint and move on to greener pastures.
Rick Lawhorn CISSP, CISA, CHP, CHSS
Copyright © 2010 Digital Outpost LLC – Rick Lawhorn