Cybersecurity is one of the most topical problems faced by individuals, communities, organizations, states, and international community in the modern world. On a regular basis, significant financial as well as human resources are streamed towards alleviating the negative consequences of cybercrime. Yet, prevention and forecasting techniques used by the overwhelming majority of individuals, organizations, and states fail allowing adversaries to successfully hit more and more sophisticated and valuable targets. Why haven’t we yet found an antidote to cybersecurity problems? One of the most important reasons for this is the mismatch between the methodological approaches of adversaries and those who are trying to prevent and stop cybercrime.
Let us think about this: over the last few decades adversaries became progressively sophisticated and successful in offering personalized “on demand” dis-services to their victims. In other words, through the years, adversaries learned to use important principles of modern marketing to target and execute their criminal visions. Consider for example ransomware attacks. A ransomware attack usually involves targeted and tailored compromising of victim’s computer in exchange for monetary payment. Historically, the first ransomware attack was not personalized: in 1989 Joseph Popp, a post-doctoral researcher who studies AIDS distributed over 20,000 floppy disks with malware to his peers in science laboratories around the globe. The malware was masked as a risk assessment software allowing to estimate the propensity for an individual to contract AIDS which activated after the computer terminal was powered 90 times. After activation, malware demanded a monetary payment for “software lease”.
Since that time, ransomware attacks became increasingly sophisticated: adversaries are using latest personalization and marketing techniques to profile potential victims, design phishing and spear-phishing techniques to compromise targets, demand different amounts of ransom dependent on the victim’s financial abilities, as well as provide targeted “customer support” by carefully explaining to the victims how the ransom should be paid and maintain frequent contact with the victims.
Sophisticated Criminals Facing Outdated Prevention Mechanisms
So, adversaries are using complex marketing techniques which include personalization and segmentation to target victims. Yet, when we talk about prevention and forecasting of cybercrime, we seem to observe little progress in the development of tools and mechanisms to address potential threats. Specifically, while adversaries use personalization targeting, and tailoring, our cybersecurity defenses are still building higher and thicker walls trying to apply the same “one-size-fits-all” tools to stop cybercriminals. These tools could be roughly partitioned into (i) technical solutions and (ii) social marketing and (iii) testing. Our technical solutions are primarily targeted at ensuring robustness of cybersecurity, i.e., making sure that cybercriminals are unable to enter the system. In other words, we build gates with more and more sophisticated locks. Yet, cybercriminals are becoming progressively successful in either avoiding the gates altogether or using social engineering to knock on the gates and wait§ for someone to open them. In terms of social marketing, many organizations conduct large-scale marketing campaigns to inform customers of potential online risks associated with cybersecurity. Yet, these campaigns are rooted in social marketing theory, i.e., all consumers usually receive exactly the same information.
The third model is testing - i.e., using hacker tool to try and break into own systems in order to understand what adversaries are capable of and how much damage they can cause. The codebreaker model refers to a process when organizations engage hackers ("white hats") to understand their cyber vulnerabilities, capacity, and capabilities. The famous example of Bletchley Park British Code breakers in World War II, among its many firsts, including constructing the world’s first programmable digital computer Colossus, used surveillance of the messages being sent to decipher the Enigma and Lorenz German enciphering code machines and skills of the German coders. This approach is very useful as in the cyber world, we often deal with unknown unknowns and hackers working "on your side" are probably the best sensors of the threats, which have not been seen before or vulnerabilities, which may be exploited by adversaries in the future.
When Testing Becomes a Threat
Yet, the codebreaker model may not be useful if you (as a business) let hackers in and if it is made public that hackers got through your computer system, creating irreparable damage for your organizational reputation. This is a paradox: on the one hand, "ethical hackers" help uncover zero-day vulnerabilities, yet, publishing their testing results may (and most probably will) cause serious harm. This is why companies often need to make weighted decisions about how to respond to different levels of cyber threats, carefully considering the difference between compromising and victimizing. Inefficiencies in the organizational roles and responsibilities across the organizational resources is a part to this important challenge as it often has an impact on the effective cyber security strategy. How can finite human cyber security resources be best deployed to enable the focus and attention of effective responsibilities across the IT estate to manage threats and responses? This involves not only fixing several security controls but also having the ability to adapt and focus on areas, where the threats may evolve. Assuming the attackers will behave in the way we expect them to behave is a fundamental error in organizational cyber security thinking.
While it may work in finance or accounting, in cyber security, making assumptions about adversarial course of action is not always beneficial. It may improve some level of posture and resilience, but this is a grey area - there is a fragile balance between understanding organisational risks, business goals and potential harm from publicity. Having something that you can measure and analyze; and, importantly, having metrics you can confidently say you understand, is part of the solution. When employing the "white hats", it important to clearly understand the KPIs, deliverables and measures of success of the testing team in order to make sure that testing delivers important benefits without inflicting harms for your company.