Cyber criminals and certain foreign nations are not only at the door; they are inside our walls, and often have been for quite some time. Defending our most valuable information should be of paramount importance for our citizens, businesses and academic institutions.
While I am not a cybersecurity practitioner, I have spent the last 30-plus years interacting with victims, security professionals, international law enforcement and criminal actors themselves across a wide range of crimes, including cybercrime. My years with the Secret Service and the National Cyber Forensics-Training Alliance (NCFTA) have provided an opportunity to see the most critical security issues faced by companies, governments and cybersecurity professionals.
To be sure, the threat to our cyber ecosystem is real. While cybercrime is a relatively underreported event, consider that over the last five years the Internet Crime Complaint Center (IC3) received more than 1.7 million complaints and, in 2019 alone, reported losses exceeded $3.5 billion. Cybercrime threatens the very fabric of our society. From inauthentic online behavior to the theft of our personal information to the theft and use of our hard-earned intellectual property, our valuable data is under a constant barrage.
Foreign cyber actors who seek our precious information are well funded, experienced and highly motivated. They hail from all corners of the globe, are intimately familiar with our society and business practices and often easily exploit our weaknesses. The stark reality is they are winning, and collectively, we are letting them win.
Believe it or not, the current threat landscape has not changed all that much. Phishing, business email compromise, domain spoofing and exploiting known vulnerabilities (unpatched systems) continue to be the bread and butter for cyber actors, including nation states. If anything has changed, it is a shift towards specific targeting. While spray-and-pray tactics are still used by lower-level actors, they are not as effective, either in successful deployment or in ultimate financial gain. Instead, highly sophisticated actors are becoming more targeted in their attacks in order to ensure success and reap a high-dollar reward. They conduct methodical, long-term reconnaissance against a target, be it a high-value C-suite individual, a business with valuable intellectual property or an academic institution that may be conducting valuable research. The keyword is value: something the actor or group can monetize in a significant way. And they can monetize just about anything.
How are we letting them win, you ask? Today’s actors know our weaknesses. They exploit our inclination to click on a link and give away our personal information or credentials. They exploit our lack of password discipline to gain access to accounts with the same login credentials. They use our own personal information against us, which they easily glean from our online footprint. They take advantage of weak internal controls and direct billions of dollars to their own accounts through business email compromise schemes. They also leverage known vulnerabilities to access unpatched systems. Cyber criminals know our vulnerabilities; they share that information with each other. On the nation state side, governments leverage their substantial resources, R&D and intelligence support. They have information superiority, and we are handing them the keys to the kingdom.
We, the victims, stand in stark contrast to our adversaries. Our information security budgets are limited and may be more limited in the future due to the economic backlash of the current pandemic. We have established a culture of defending ourselves, by ourselves. We are handcuffed by regulations (or our interpretation of regulations) and a corporate risk culture which leans heavily towards silence when it comes to information sharing and incident reporting. We don’t approach security and awareness as a community effort. All of this adds up to information inferiority.
Cyber threat information sharing amongst peers is a quick and cost-effective way to increase one’s threat awareness and, at a basic level, can be accomplished at little to no cost and with little additional risk. To address the presumed risk with information sharing, the government gave us the Cybersecurity Information Sharing Act of 2015 (CISA). CISA authorizes the sharing of threat information, indicators and defensive measures (as long as it is for a cybersecurity purpose) with the Federal Government and/or other non-federal entities, i.e. with each other. This is an especially important and vastly overlooked government-protected activity.
What happens to one of us should only happen to one of us.
Take, for example, the case of ransomware. Instances of ransomware are vastly underreported, yet in 2019, the Internet Crime Complaint Center (IC3) received 2,047 complaints identified as ransomware with losses in excess of $8.9 million. Without robust reporting, law enforcement cannot develop the expertise and information superiority needed to pursue and disrupt the actors. Not reporting cybercrime, or sharing information with others, plays right into the attackers’ hands. They are relying on the fact that their victims will circle the wagons and keep quiet, which only ensures their tactics and techniques will continue to be successful on others.
One attribute not mentioned yet is how complicated and technical the attacks are. For all the money spent on securing our systems (money typically well spent, by the way), most cyber events start with unsophisticated tactics. For example, a targeted phishing attack successfully obtains the credentials of key company personnel (CFO, CEO) and parlays that into a $200,000 payday via a business email compromise scam; or, armed with admin credentials, Chinese nationals leverage an old, unpatched vulnerability to dive deep into a network to steal a company’s intellectual property and replicate products in their own factories.
Avoid being on the “Tree of Low Hanging Fruit.” Establish a relationship with federal law enforcement agencies, conduct continuous employee awareness training starting at the top of the chain of command and seek information superiority that enhances your current investment in security.
National Cyber Forensics-Training Alliance
The National Cyber Forensics-Training Alliance (NCFTA) is a nonprofit corporation founded in 2002, focused on identifying, mitigating and disrupting cybercrime threats globally.
The NCFTA was created by industry, academia and law enforcement for the sole purpose of establishing a neutral, trusted environment that enables two-way information sharing with the ultimate goal to identify, mitigate, disrupt and neutralize cyber threats.
Learn more at www.ncfta.net.