Why thinking like a criminal is good for security

When planning an attack, criminals study their target victims looking for the weakest links.

Focusing too much on protecting only the crown jewels of the enterprise might leave gaps in security for criminals who are seeking other valuable assets. The hackneyed expression, “One man’s trash is another man’s treasure,” serves as a reminder that what the enterprise values is often different from what a criminal values.

Defending a network and the critical assets of an enterprise is a lot like safeguarding a home. There are layers of security in homes just as there are in the enterprise. From the windows to the doors to the locks and alarm systems, home owners know the vulnerabilities and put protections in to keep criminals out.

Ryan Stolte, CTO, Bay Dynamics said, “The big idea is that people are very specifically and deliberately attacking organizations.” The intent of those attacks, however, is not always the crown jewels. In order to defend the expanding network and everything that connects to it, “You need to put yourself in the shoes of bad guys."

In planning their attacks and seeking their victims, criminals look for the easiest access point, whether that is the organization that has, “Minimal security tools, lax security policies and/or exploitable employees and third party vendor users,” Stolte said.

“They collect their own social intelligence, gathering information about the victim business regarding what its surface areas look like, where it stores its most valuable data, which third-party vendors have access to their network and how they gain access, and which employees log in remotely and how they gain access to the network,” Stolte said.

In most breaches, organizations are being hacked by individuals. “It’s not just people sitting in China,” said Stolte. What most criminals want is data, and their goal is to get access to credentials in order to get that data. “After they have breached you and gotten inside, they do it all over again, but from a different layer, to continually get deeper into an organization,” Stolte said.

The easiest ways for outsiders to gain access are by trying to compromise a particular person or by sneaking in through an open door. “Technical engineering and social engineering go hand in hand,” said Stolte.

Social engineering is made a lot easier by the extensive use of social media platforms. Increasingly, criminals are patient and take a longer, more winding road to reach their intended target.

Tim Erlin, director of IT security and risk strategy, Tripwire said, “Shodan allows anyone to search for vulnerable things. They are scanning company networks and gaining access to internal networks by probing the individuals who interact with customers or the public. The one that is increasing is the supply chain attacks. Instead of attacking directly, they are going after their vendors and contractors to gain access.”

Public information provides a gold mine of useful tidbits for criminals. Will Gragido, head of threat intelligence at Digital Shadows said, "Gleaning career and relationship information, like the names of colleagues, mentors and friends from sources like Facebook, LinkedIn, and alumni sites helps establish cover for spear-phishing and other social-engineering campaigns.”

While these commonly used social media platforms have much to reveal, other sources can expose information about software and code that is even more useful to criminals.


Gragido said, “Online profiles that might be easily misconfigured, such as GitHub accounts, frequently leak other types of information publicly, such as the identities of specific software developers in targeted organizations and snippets of the code they are working on, which, taken together, yields a lot of useful intelligence."

This extensive information that is often leaked unknowingly is particularly threatening to the security of an enterprise. "The challenge is that this information leaks from third-party sources far outside of organizations' own security boundaries, meaning they are almost blind to these exposures and cannot act in time to prevent them from fine-tuning attacks, like a precision attack on a specific software developer,” said Gragido.

The expanded network has posed many challenges to security teams, and Gragido said, "Other sources of reliable attack intelligence are exposed storage devices and cloud platforms.” Gragido has seen instances of sensitive corporate information, such as strategy documents and board meeting details from a health insurer, that were publicly 'over-shared' by being posted to cloud sharing sites with inadequate password controls.

Gragido said, “Likewise, we have seen sensitive files pertaining to banks' ATM networks, for example, accidentally broadcast to the Web because employees have placed them on misconfigured remote storage drives in their homes."

Whether they are after credit card data, payment data, customer information, healthcare records, or credentials of any kind, from user names to passwords, criminals are gaining access even where extensive security measures are in place, which raises the question: how do security teams stop them?

If only there were an easy answer that didn’t require time and resources beyond those which are already stretched and limited. The first step is recognizing that it’s important to prioritize what is secured.

All of this exposure creates avenues for criminals or other hostile groups to find an organization’s weak points for more targeted and efficient cyber-attacks, said Gragido. “There is a greater premium on getting in front of these exposures with better situational awareness today, so that affected companies can recognize and eliminate these leaks at the source, outside their walls," he continued.

A combined focus on technical and human surveillance is good security practice. “Have employees be aware. Lock doors and windows. There are a lot of technology things you can do. Bad guys have as good of technology as the good guys. We scan and find, but bad guys do too, but they act before the hole is fixed,” Stolte said.

A slight shift in language when talking about security and data can also help security teams think like a criminal. Erlin said, “It’s a very common best practice for organizations to identify sensitive data. Using the term valuable instead twists perception away from what organizations feel is sensitive to what might be valuable to a criminal.”

Regardless of what other information criminals might find valuable, the crown jewels will always remain sensitive and top priority. Stolte said, “Organizations do the surveying, but one thing they fail to do well is protect the crown jewels. They need to know where they are and use that information to close off and fix the highest priority stuff.”

Think like a bad guy. Stolte said, “Take an inside-out approach to vulnerability management. Ensure that you are patching the right servers and that people don’t have more access than they should to layers of the network. Only the right people should have access to sensitive information at the application level.”

Erlin said, “Threat modeling should be a continuous exercise. Threats change and evolve. It’s valuable because no one has infinite resources, so you have to focus on the most probable and impactful threats.”

Criminals are always after the weakest link, and they search for anything on the internet that might provide some kind of access. Information is out there, and security teams who use what criminals learn as part of their strategic security plan might be lucky enough to act before a breach.
