“Keep Your Friends Close…Your Enemies Closer”

What does this phrase mean from a cybersecurity perspective? The phrase is often used in warfare and if you’ve read Sun Tzu’s The Art of War, you’ll surely understand it from that perspective. However, if you pay attention to the news, you’ll see that cyberwar has become a real global concern. Nation-states like China, Russia, Iran, and North Korea are constantly trying to gain the upper hand, whether from an economic perspective or a strategic governmental power play.

It makes sense when we’re talking about global powerhouses, war, and politics. But what does it mean when we’re talking about organized cybercrime, sophisticated hacking groups, or even the small player trying to make a name for themselves?

Know Thy Enemy

As governments rely on the art of intelligence gathering to learn what their enemies are up to, so should we rely on the art of cyber intelligence gathering to better understand our adversaries. To prepare and be expected to defend against an attack, we must first understand the attacker—their motivations, methods, and capabilities.

What if?

Suppose we own a large law firm. What might we want to protect? Ourselves, from the criminals we put behind bars? We might purchase a gun… maybe, but that’s not the point. What about the people who require our services to help close on a home, collect on defaulted rent payments, settle a divorce, or litigate a domestic abuse case? All those individuals are, by law, protected by lawyer-client privilege. What would happen if those client records were stolen, exfiltrated and put up for sale on the dark web? It could potentially put clients in danger of retaliation, identity theft, or worse.

The Consequences

After a data breach, the consequences are usually far more reaching than most people think. Whether you’re a law firm, retail shop owner, manufacturer, bank, or hospital, the list goes on. Here’s what to expect if a data breach were to be successful, from the perspective of the threat actor:

• Financial Implications (Primary Loss)
  • Employee non-productive hours paid
  • Time and effort spent triaging the problem
  • Third-party forensics investigations
  • Time spent re-imaging devices
  • Equipment replacement

• Financial Implications (Secondary Loss)
  • Fines and judgements
  • Damage to reputation or loss of customers
  • Loss of competitive advantage
  • Identity monitoring services paid
  • Cybersecurity infrastructure rebuild 

While reputation and competitive advantage may not result in immediate financial loss, the long-term effects may be equally damaging. Here are a few examples:

– Target incurred over $200 million in settlements, legal fees, and fines. Foot traffic also declined in the days following the 2013 breach.

– Equifax spent approximately $1.4 billion in legal fees, settlements, and regulatory fines following its 2017 breach. It also faced lawsuits and loss of customer trust. 

– Sony incurred around $35 million in remediation costs and suffered from reputational damage among Hollywood professionals.

Getting Closer to the Enemy

Who, what, when, where, tactics, techniques, and procedures:

Who
Get to know who the adversaries are. Are they state-sponsored hackers? Are they organized and well-funded due to extortion or ransom payments over the years, like LockBit, REvil, Conti, Lapsus$?

What
What are their motives behind the attacks? While the ‘Anonymous’ group may be motivated by all the wrongdoings in the world, aiming to disrupt society or governments through hacktivism, North Korea’s state-sponsored ‘Lazarus’ group might be looking to steal military secrets. LockBit, on the other hand, might simply be in it for the money—rumor has it their leader enjoys fancy cars and yachts.

When
When are they coming for me?  Wouldn’t you like to know?  There may be an indication from industry competitors or partners. If one of them gets breached, you may be next on the list. Time to cross your t’s and dot your i’s, close the gaps, and patch your systems.

Tactics
What are they trying to achieve? Are they purchasing access through an access broker to steal your customer database, or are they trying to maintain persistence, moving laterally and gathering up as many usernames and passwords as possible to sell on the dark web?

Techniques
Does the threat actor or group like to use phishing emails in hopes that you’ll be tricked into clicking the link to re-log into a fake Microsoft account? Or are they watching and waiting for a new vulnerability to emerge in Apache so they can gain access to your web server?

Procedures
The attacker may use phishing techniques to create fake login pages to harvest user credentials or send spear-phishing emails with malicious attachments, directing victims to websites hosting exploit kits.

Conclusion

There are tools available that monitor the dark web so you don’t have to. These tools help you develop virtual relationships with the enemy, keeping you better informed and ready when they start peeking around the corner at your building. Tools like Recorded Future help us understand who the active criminals are, what tactics, techniques, and procedures they rely on, or whether they’re targeting your industry—enabling you to be proactive, not just shooting in the dark.

By: Brett Price – Lead Cybersecurity Consultant – C|CISO, CISSP, CISM, CISA