The individual breaching your cyber security may be on the other side of the world or inside your own company, but it is possible to profile them and how they might attack.
The UK is the most cyber-attacked country in Europe, says global security company Symantec in its 2015 Internet Security Threat Report. Cyber attacks were up 40% last year and a third of attacks are directed against small and mid-sized businesses. But spotting the perpetrator isn’t easy. Invisible, undetectable, the invasion of your personal computer or business may have been going on for years before the damage is finally revealed.
Inside the mind of a hacker
Dr Stanton Samenow, author of Inside the Criminal Mind, believes that those who commit cyber crimes are indistinguishable from ‘bricks and mortar’ offenders. He contends that criminal activities are driven by the same personality traits, whether they’re carried out digitally or physically.
Technology just affords them more opportunity to do what they do, he says. “If you were going to be a bully, that was something you did in person. Now, you can bully and intimidate a larger number of people and you never have to confront them.”
The same may go for those who break into an organisation’s systems online: they may have always had the inclination to intrude, but the ability to do it from a distance could be what pushes them into action.
Types of cyber criminal
Kevin Brown, General Manager for Threat Intelligence and Investigations at BT Security, identifies four kinds of hacker:
- criminal enterprise
- nation state.
“The motivations of a cyber criminal will vary from someone wanting to claim kudos through ‘hacktivism’ to someone working a regular 9-to-5 role,” says Brown.
The aims of a cyber criminal will affect their operating patterns and even their targets. “In a general sense, knowing the motivations of hackers and how likely you are to be a target can be useful in justifying a budget for defence,” says Joe Stewart, who directs malware research for the Counter Threat Unit research team within Dell SecureWorks, the security division of PC giant Dell.
What motivates a hacker?
Ollie Whitehouse, Technical Director of IT security consultancy NCC Group, breaks down cyber crime motives into ideological, financial and revenge-driven.
Those tasked with corporate espionage – especially nation states with virtually unlimited resources – could conceivably have all three of those motives. Criminal enterprises are driven by money. Both will tend to play a long game, staying inside a network for months at a time and pilfering data – including credit card data – on the quiet.
Conversely, hacktivists are often driven by ideology, which leads them to grandiose acts of cyber intrusion designed to be highly visible. Such was the case with Jeremy Hammond, part of a hacktivist group called LulzSec, who was sentenced to 10 years in a federal US prison for stealing data from private intelligence firm Stratfor and posting it online.
In 2004, the then 17-year-old Hammond had given a talk on ‘electronic civil disobedience’ at the Defcon security conference. He called hacking “a practical application of network insecurity skills … as a means of fighting for social justice by putting direct pressure on politicians and institutions”.
There’s another kind of cyber attacker: the cyber insider. Employees who use their privileges to wreak damage on their employers’ systems can cost companies millions. In the 2014 US State of Cybercrime Survey, 28% of respondents blamed insiders – including employees, service providers and contractors – for data breaches, while almost a third (32%) said that cyber crime perpetrated by an insider was more damaging.
Insiders are perhaps easier to profile and predict, because they are already known to an organisation.
“There is a psychological element to it,” says NCC Group’s Whitehouse, “for example, identifying those individuals who are prone to stress, pressure, radical changes in behaviour or have a personality type that exhibits riskier behaviour. However, companies always need to look at this element in the wider context and ensure they don’t discriminate.”
Predicting how you might be attacked
So how can you defend yourself? Start by thinking outside the box – because hackers will. In fact, many IT security consulting companies employ ‘white hat hackers’ for this reason. One such company is Core Security, a security advisory company that runs a research division called CoreLabs.
“It’s safe to say that hackers – whether we’re talking about white hat or black hat hackers – are usually creative, curious people who like to think outside the box,” says one white hat hacker from CoreLabs, who asked not to be named. However, hackers tend to follow a basic path to get what they want: that of least resistance. “That understanding can help you predict how you might be attacked,” they concluded.
How to protect against hacking
You can only determine the path of least resistance if you understand what a cyber intruder might be looking for. Harry Sverdlove, CTO of IT security firm Bit9 + Carbon Black, advises organisations to carry out a risk assessment. Decide which assets are of the highest value, he suggests, then think about who might want to attack them, in order to highlight what’s most at risk.
Once you’ve analysed the risk and worked out what you want to protect the most, it’s time to implement that protection. Here, a technique known as ‘defence in depth’ can be useful. Rather than implementing one means of protection, such as an internet firewall, it makes sense to use many.
Cyber intruders will try to breach your defences in multiple ways, including everything from sending malware-infected emails through to telephoning employees and trying to fool them into giving away account credentials (a technique known as ‘social engineering’).
A healthy selection of technical measures can complement other protective steps, such as a mature approach to IT management, in which software is properly patched with security updates at regular intervals. Cyber security awareness training for employees can also help to thwart potential attackers.
In the world of cyber attacks, there is never such a thing as 100% security. Organisations have to get their protection right every single time, whereas attackers only have to succeed once. But understanding where your risks lie, and allocating the finite resources at your disposal to protect them as best you can, will give you a head start in the game.
Illustration: Denilson Medeiros