Motivation is key in assessing the risks of cyber-attacks, and what to do about them, for defense companies as well as government and commercial entities, said a senior official at Stroz Friedberg LLC, a global digital risk management and investigations firm.
“I think a lot of it has to do with the question, ‘what is the motivation,’ what are these individuals after,” said Bret Padres, director of Incident Response at Stroz Friedberg.
“Are they [cyber attackers] there to do sort of a smash and grab or do they want to sort of set up shop, and live there undetected for a long period of time, or if detected, do they want to quickly reestablish that connection?” he said. “I would say for that latter group there’s certainly the challenge at least the motivation of the attackers against not only the military and government agencies, but also the defense industry as well.”
Consider what those looking for below-the-radar access actually want, he said, relating an incident his company was involved in with an unnamed defense company.
“The executives at the company couldn’t understand why the attacker didn’t take all of the data that he had access to and why it was more of a targeted pool of data,” he said. “In that incident, and it’s common in others, we strongly believe that the motivation of the hacker was not to grab as much as they could, because that might raise some concerns, pique somebody’s interest…but to have access and maintain it, even for years.”
The attacker could look on that pool of data as something like Google, to provide an answer to a question or questions, look for specific data, he said.
State-sponsored cyber-attacks tend to come from countries competing against the United States and looking for intellectual property, whether to gain an advantage in direct competition, to deal with some military capability issue, or to find a defense against a military capability.
Joint ventures between an American company partnered with a company in another country can offer vulnerabilities. In one case, Padres said a large company going through what he called a ‘transaction’ had a foreign partner, and in responding to intrusion activities found the attack was aiming at data related to the transaction.
“It’s helpful to bring in an outsider to look and objectively say, here are some industry standard things you should probably be considering,” Padres said. “It’s hard for a company to look at itself.”
If there’s a significant data breach, learning can be painful, but the lessons can be passed on.
“We’re like firemen, risk consulting services receive information from other incidents, recommend companies do things, run tabletop exercises, run through disaster plans, and work to get companies to consider if you have an incident and it looks like this, how do you respond,” he said. “There are always vulnerabilities.”
Companies do a good job on the basics such as anti-virus systems, and policies on passwords are getting better, he said. “Where we typically make recommendations are at the next level up, what to do with all this data…it’s one thing to have it, and another to look at data and know how do I need to respond to it.”
System administrators need to know what ‘normal’ is, he said, so they can take immediate action when something is out of whack. Cyber-attacks are very sophisticated and hard to detect with the attacker knowing lots of ways to hide. They can usually get past normal intrusion detection or anti-virus systems, “but they can’t get past a person.”
A huge part of what he sees in the military and defense industry is “spearphishing,” targeting a person or set of people, and it requires doing some social engineering.
For example, against a defense company, an attacker might use Google to find a conference, an attendee list, e-mail addresses, and then craft an e-mail to seem as though it’s coming from someone who was at the conference. A click and malicious software is installed on the company’s system, allowing that entity access to a perhaps critical program. For a state sponsor, if it wants the technology to solve a problem it can spend millions to hire engineers and wait years to solve the problem, compared to spending less money and time to steal it.
Padres’ unit examines “indicators of compromise, or, what things show on the system and then get that attacker off the network, find out what was compromised, apply remediation, turn around and start detection again. It’s not uncommon that after remediation, within 48 hours, the attacker is back on again,” he said.
“It’s all about risk tolerance,” Padres said. Allowing the attack to continue, and watching what the attacker is doing and taking, lets the company learn what the outsiders were after, what their capabilities were and what tools they were using; it can then cut off access, better prepared for future attacks.