In mid-August of this year, the CHSF Hospital Centre in Paris found itself under attack. Emergency services and surgeries were put on hold while the hospital debated paying a $10M ransom. A Twitter data breach from earlier in August affected 5.4M users. JBS beef plants were shut down a year ago when ransomware took over their system.
When thinking about cyberattacks, we frequently lump all attacks into one general category – cybercrime. That’s not to say we don’t differentiate between types of attacks. The FBI and other international law enforcement agencies have mountains of statistics, placing attacks into neat categories like ransomware, DDoS, or data breaches. However, when organizations think about protecting themselves from nation-state-grade cyberattacks, they don’t consider the reason behind them.
In reality, there are four main motivations driving cyberattacks – money, warfare, theft, and thrills. Understanding where and why your organization is vulnerable is instructive in developing a defense that protects your virtual perimeter, data, and assets.
Financial gain is the most obvious motivation. Our CEO, Brigadier General (Ret.) Ran Shahor, told a packed auditorium at Cyber Week in Tel Aviv, “Cybercrime is very profitable and involves almost no risk to the attacker.”
These attacks often rely on phishing or other social engineering tactics. After manipulating employees to click on corrupted links or even turn over login credentials, cyber criminals access systems, insert malicious code, and can trigger ransomware attacks or steal what they are after.
According to the FBI, criminals stole $2.4B in 2021 by compromising business email accounts. Using the fraudulent accounts, they could pose as business partners and initiate wire transfers to their personal accounts before disappearing with the funds. That’s in addition to ransomware payments, where businesses with data encrypted by cybercriminals paid an average of $812K per attack.
Nation-state attackers have several motivations. Supply chain attacks like SolarWinds may be motivated by the need to steal government secrets, while attacks on the Colonial Pipeline are attempts to cause chaos and disruption.
The four states most associated with cyber warfare and nation-state attacks each have their own motivation. According to Shahor, China is most interested in stealing intellectual property, while Russia is much more interested in creating panic and disorder. Iran and North Korea started as online terrorists and have advanced to cybercrime.
Iran and North Korea are quite instructive in understanding the evolution of nation-state attackers. Both are shut out of the world’s markets due to sanctions, and each has changed the focus of its attacks to simple cybercrime. The money they steal funds a significant portion of their national budgets. With Russia under sanctions following its attack on Ukraine, Shahor expects Russia to follow the example of Iran and North Korea and “move to intensive cybercrime.”
Stealing data offers tremendous leverage over victims, which can be used to extort money from companies or individuals. Like other cybercrimes, data theft often is about money. However, some companies may be targeted due to their political stance or product lines, and attacks are dedicated to stealing data alone.
Last year, a hacker named God User scraped LinkedIn’s 700-million-user customer database. While LinkedIn claimed that no private personal data was stolen, the data sample God User posted included email addresses, phone numbers, geolocation records, gender identity, and social media details, which could be used to create future social engineering attacks.
Even in the world of cybercrime, some hackers break into systems just because they can. Some purchase malicious tools on the dark web, while others are simply skilled hackers capable of accessing systems on their own.
Thrill seekers deploy ransomware, steal data, and perform other cybercrimes, but their motivation is usually accessing forbidden areas.
Does Understanding Why Help to Defend a Network?
According to Shahor, “The only way to deal with this level of aggressiveness and sophistication of nation-state backed attacks is to think like the attacker.” Organizations that want to protect their assets and prevent cyberattacks need to view their organization the same way an attacker would look at them.
For example, a health care facility with patient records needs to recognize that its most desirable assets to cybercriminals are those patient files. Its cyber efforts need to center around protecting those files from being compromised. That could include advanced security measures, enhanced encryption, backups, and cyber training to help employees recognize social engineering attacks.
Viewing your organization through a proactive, offensive perspective should provide the insight needed to set up the proper defenses.
An industrial factory may be vulnerable to nation-state attacks against its connected machinery, while a university research center may need to protect its findings. A television production studio is susceptible to its programming being released online.
The approach to protecting any of these assets is the same, although the execution differs. Organizations need cyber security practitioners capable of recognizing the attacker’s perspective and figuring out the most likely methods attackers would use to breach company networks and user accounts. A professional defense also takes a holistic view: it covers the system and its supply chain, uses darknet intelligence, and deploys as much automation as possible to improve efficiency.
The Principles of Defense
According to Shahor, “you can’t be fully protected. Anyone who tries to defend everything is defending nothing.” Networks are too vast, and virtual perimeters are too spread out for a cyberteam to close every possible vulnerability.
However, following Shahor’s guiding principles puts organizations in a strong position.
- Begin by defending what matters most (what can’t the organization afford to lose or have broken into?)
- Prioritize the areas that need to be protected
- Take calculated risks (prioritize areas and decide which tactics to use)
- Be practical (consider budget, Business Impact Analysis, and the organization’s risk appetite)
- Deploy advanced defensive technology and automation
- Take a holistic approach to security
This defensive approach begins by first understanding what motivates attackers and then acting to protect the targets you possess.
Preparing for the Next Attack
Developing a practical cyber defense plan gives the organization the best chance of success when an attack comes. Red team/blue team simulations offer a complete understanding of the vulnerabilities and demonstrate the organization’s level of protection and security posture.
During red team vs. blue team simulations, have security experts attempt to penetrate your defense through multi-staged attacks that target critical assets, including financial information and customer data.
HolisticCyber can help you run your red team/blue team simulations. Our team will identify threats, plan and execute offensive and defensive simulations, and present results in a clear report that prioritizes critical vulnerabilities against all nation-state attack motivations.
Learn more about our proactive red-team-blue-team simulations. Reach out to us today!