The Wall Street Journal recently published excerpts from an interview with David DeWalt, FireEye’s CEO. As I read through his comments, one in particular got me thinking:
“We’ve watched over the last two or three years significant occurrences of just outright destruction. Attempts to really hurt companies or countries with Internet weaponry. You don’t have to wipe out the company. All you have to do is release the information about the company. I think you’ll see a lot more of these wipe and release models, or maybe even just the release model, forget the wipe.”
I don’t disagree with DeWalt’s assertion that we will see more “wipe and release” types of attacks in the coming years. The method proved very effective for the Sony saboteurs (whoever they are), as it achieved the (presumed) primary goal of embarrassing Sony. But that is the key: their primary goal wasn’t financial in nature; it was to embarrass and hurt a company “they” felt had done something wrong.
Not all cybercriminals are looking to damage the reputation of a company. Many are motivated by good old-fashioned greed. Understanding the motivations of cybercriminals can go a long way in helping create strategies for preventing a breach.
From my perspective, there are basically two motivations — financial and cause. Under each of these two categories, there are subcategories:
- Cause-related attacks are those like the Sony breach. The perpetrators aren’t looking for money; they are looking to punish or embarrass an organization for some perceived wrong. The perpetrator could be anyone from an individual hacktivist (think Stuverville) to a nation-state looking to steal state secrets from another country, or commit an act of cyberwar or cyberterrorism.
It is much more difficult to block these types of attacks as they are targeted specifically at one organization, and the hackers are typically more persistent. Although they are more persistent, and the breaches are highly publicized, the volume is less than that of financially motivated hackers. Also, I assume that if a country attacked the United States via a cyberattack, we have the means to attack it back — and this fact has put us in a Cold War scenario. Cyberterrorists, on the other hand, are a different story. Like physical terrorism, they aren’t concerned with retaliation.
- Financially motivated attacks are those like the high-tech bank heist I blogged about last week. The perpetrator could be a crime syndicate trying to steal consumer data, or a nation-state or corporation trying to steal intellectual property so it can sell or use the information for its own profit. These attacks aren’t typically as targeted; rather, they seek out the path of least resistance into an enterprise. A vulnerability in a third-party application, a forgotten web application that hasn’t been updated, and a vulnerability in a commonly used component are all typical ways hackers breach an enterprise.
Forrester recently predicted that in “2015, at least 60% of enterprises will discover a breach of sensitive data.₁” I think the vast majority of those breaches will be from financially motivated hackers, not cause-related hackers. And, as a result, I think these are actually more dangerous to our overall economy. While a cyberterrorist attack is possible, I think the sheer volume of financially motivated breaches is going to have a huge impact on enterprises and individuals. Ponemon estimates the average cost of a breach is $3.5 million — that is a huge hit to most enterprises, and if 60 percent of companies will suffer a breach in 2015, that is a lot of money being siphoned away from innovation to cover the cost of a breach.
So the question is: how do you protect against financially motivated hackers? To start, make sure you are covering the path of least resistance. Make sure you have a secure software development lifecycle and a third-party application security program, and that you are securing your web applications, the attack vector that the 2014 Verizon Data Breach Investigations Report says makes up 80 percent of breaches.
What do you think: which is more of a threat to our economy, cause-motivated or financially motivated hackers?
For more information about strategies for securing the application layer, listen to this webinar with Joseph Feiman from Gartner. In it, he discusses how application security testing can help enterprises secure their business applications.
₁Planning for Failure, Forrester Research, February 11, 2015, John Kindervag, Rick Holland and Heidi Shey