Corporations are increasingly aware of two types of actor in the war against cybercrime. The first is the state actor, such as China, Iran, North Korea and Russia, which have been targeting western governments and private companies. The second is the cybercriminal, who can operate anywhere in the world.
State actors are sponsored by their governments to pursue political strategies. For example, North Korea is financially motivated, using cybercrime to generate its primary source of foreign income. China has stolen trillions of dollars of intellectual property to help kick-start its own industrial revolution. Russia is keen to disrupt political processes amongst its neighbours such as Ukraine. Iran pursues aggressive military acts against its enemies such as Saudi Arabia and Israel.
According to FireEye, companies should be aware of both types of actor, but pay greater attention to cybercriminals who operate with high degrees of agility and speed compared to state actors who tend to be more regulated.
Cybercriminals are motivated to ‘go where the money is’. In the early days they focused on credit cards and retail transactions that were a relatively soft target. Activity soon progressed into the mainstream of financial services such as bank account fraud, ATM theft and supply chain disruption. More recently, criminals have engaged in ransomware as exemplified by the attack on large corporates such as Maersk and government organisations such as the NHS. Such attacks have now filtered down to small companies and individuals on a global scale.
The ‘attack lifecycle’ is also evolving. Cybercriminals conduct reconnaissance on their targets, looking to achieve initial compromises that often go undetected (the average dwell time to detection is still over 70 days in Europe). Email is an effective form of first attack, targeting low-level staff who are likely to click on unauthorised links. Once established within a corporate network, the cybercriminal can progress rapidly to more aggressive tactics such as the breach of critical commercial data, as seen in the recent malicious attack on BA’s website in which 380,000 customer records were removed.
Context is important in assessing cyber risk. For example, the Russian attack on Maersk was motivated by a family connection in Ukraine. Iran has directed much of its energy towards Aramco as a principal Saudi state asset. Organisations need to evaluate where attacks would make most sense to both state actors (focusing on disruption) and cybercriminals (focusing on financial gain).
The need to invest ahead of cyber attacks is often difficult to justify to main boards. Even today few companies recognise cyber on their corporate risk registers, and cyber insurance is often understated compared to potential commercial damage to brand as well as operations. The BA data breach incurred a penalty of £180M. The ransomware attack on Reckitt Benckiser’s manufacturing operations cost the company over £100M in lost production.
One approach to quantifying risk is to develop ‘worst case’ scenarios, each of which represents a specific loss to the business. In the private sector these can be connected to loss of trust in the brand, disruption of operations and theft of intellectual property. Within the public sector, risk may relate to social and economic breakdown, as well as potential life and death situations, as illustrated by the NHS WannaCry attack this year.
How can organisations mitigate cyber attacks? What should be the next steps for CIOs and CISOs? Learn more in the full article available in our app exclusively for CIONET members and join the conversation!
This article was written by Roger Camrass, director of CIONET UK and a visiting professor of the University of Surrey, and is based on the conversations during a dinner in October, 2019, on Fighting Cybercrime – who is the adversary, sponsored by Phoenix Datacom and FireEye.