- Who are you trying to defend your organization against?
- What are the attackers after?
- Where is the attack emanating (or going to emanate) from?
|Time Period|Typical Attackers|Typical Goals / Motivations|Examples|
|---|---|---|---|
|Mid 1980s to early 2000s|Mostly "one-man" shows or small teams|Disruption / defacement|Worms (Morris, Nimda, Code Red, SQL Slammer), activism / hacktivism|
|Early to mid 2000s|Organized groups of cybercriminals|Steal money / conduct fraud|Phishing, identity theft, data theft, click fraud, pharming|
|Mid 2000s to present|Nation-states|Steal intellectual property, identify dissidents, disrupt nuclear arms development|Operation Aurora, Stuxnet, watering holes|
Summary of attacker types and motivations from the mid-1980s to the present.

Today, organizations also face the threat of nation-state attacks, in which governments, or groups hired by governments, are the "who" behind the attacks. Such groups are typically very well funded, patient (they may conduct their attacks over a period of years), and sophisticated (they may develop zero-day exploits as well as purpose-built tooling to conduct their attacks). They have a variety of motivations, of which corporate espionage is one. Stealing the intellectual property of foreign corporations and replicating products without incurring the cost or time of R&D is a quick path a government can pursue to help its domestic industry compete. Operation Aurora, in which Google and some three dozen other corporations were targeted, and APT1, in which at least 141 organizations were victimized over a seven-year period, are examples of "advanced persistent threat" attacks in which corporate espionage was the suspected or likely goal. In these attacks, spear phishing, drive-by malware downloads, social engineering, and watering-hole websites are the common mechanisms used to gain a foothold.

In addition to corporate espionage, nation-states may also conduct attacks to degrade an adversary's capability to manufacture weapons. In the Stuxnet attack discovered in 2010, for instance, malware that targeted the industrial control systems driving uranium-enrichment centrifuges spread widely, and roughly 60% of the machines it infected were in Iran. By speeding up and slowing down the centrifuges, the malware interfered with the enrichment process that could be used to produce weapons-grade uranium and manufacture nuclear weapons.
Note that as time has progressed, attacks have only grown in volume, diversity, and sophistication, giving truth to the saying that "attacks only get better." It is also worth noting that malicious software, or malware, has been a common thread across these eras and has been the key tool in conducting progressively more sophisticated attacks over time.

While this article has focused on the "who" and "what," the "where" is equally important. Attacks on the Internet can, of course, emanate from anywhere, and their origin usually cannot be prevented, but the "where" can be extremely important for detection, containment, and recovery. It is important to prevent attacks whenever possible, but preventing every possible form of attack is usually cost prohibitive. Corporations need to determine what their highest, most significant risks are and invest resources to prevent those, while at the same time investing in countermeasures that allow them to detect, contain, and recover from medium- and low-priority risks. (Corporations also need to invest in detection, containment, and recovery for high-priority risks, in case prevention fails.) The origin from which web traffic, emails, phone calls, and other communications emanate can often provide a signal of how suspicious the communication is. Even when attackers "proxy" their communications or obscure their actual source, any indication that the original source is being obscured can itself serve as a signal.

In this article, I have mainly discussed general security trends in the "who" and "what" that have affected many organizations over the past few decades. That said, each organization is unique and must put in the appropriate effort to determine the "who" and "what" it needs to be most concerned about, as a paramount step in formulating its cybersecurity strategy.
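To make the "where" signal concrete, the following is an added example (not code from the original article) of scoring the origin of web requests in the way the paragraph above describes: the network the request comes from, evidence that the true source is being obscured, and the distance from where the account normally logs in. The anonymizer ranges, internal ranges, region lookup, per-user home regions and the JSON log lines are all constructed for the example; a real deployment would pull them from threat-intelligence feeds, a GeoIP database, and the organization's own asset and identity data. Note that the `X-Forwarded-For` header is client-controlled, so the code never uses it to decide where a request came from; an inconsistent or implausible chain is treated only as a sign that the path is being obscured.

```python
"""Added example: scoring the origin ("where") of web requests.

Everything here (ranges, region table, home regions, log lines) is constructed
for illustration; none of it comes from the original article.
"""
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed: address ranges of known anonymizing proxies / exit nodes.
ANONYMIZER_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
# Constructed: the organization's own address space.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Constructed stand-in for a GeoIP database: network -> country code.
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "NL",
    ipaddress.ip_network("203.0.113.0/24"): "RU",
}
# Constructed: region each account usually logs in from.
HOME_REGION = {"alice": "US", "bob": "US"}

# Constructed JSON-lines log: one request per line.
SAMPLE_LOG = """
{"user": "alice", "src": "192.0.2.10", "xff": "", "accept_language": "en-US,en;q=0.9"}
{"user": "bob", "src": "203.0.113.7", "xff": "10.1.2.3, 203.0.113.7", "accept_language": "en-US"}
{"user": "svc-backup", "src": "10.0.0.5", "xff": "", "accept_language": ""}
{"user": "alice", "src": "198.51.100.20", "xff": "", "accept_language": "nl"}
""".strip()


@dataclass
class OriginVerdict:
    score: int                 # 0 (nothing unusual) .. 100 (strongly suspicious)
    reasons: list = field(default_factory=list)


def lookup_region(ip: str) -> str:
    """Return the country code for an address, or '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def score_origin(event: dict) -> OriginVerdict:
    """Combine origin signals into a single suspicion score with reasons."""
    src = ipaddress.ip_address(event["src"])
    if any(src in n for n in INTERNAL_RANGES):
        return OriginVerdict(0, ["internal source"])

    score, reasons = 0, []
    region = lookup_region(event["src"])

    # Signal 1: the network itself is a known anonymizer.
    if any(src in n for n in ANONYMIZER_RANGES):
        score += 40
        reasons.append(f"source {src} is in a known anonymizer range")

    # Signal 2: the source is being obscured. X-Forwarded-For is set by the
    # client, so it is never trusted as the origin; its presence and any
    # implausible content count as evidence of proxying.
    hops = [h.strip() for h in event.get("xff", "").split(",") if h.strip()]
    if hops:
        score += 10
        reasons.append(f"forwarded-for chain of {len(hops)} hop(s)")
        try:
            if ipaddress.ip_address(hops[0]).is_private:
                score += 10
                reasons.append("forwarded-for claims a private origin")
        except ValueError:
            score += 20
            reasons.append("malformed forwarded-for header")

    # Signal 3: the client's claimed locale disagrees with where its address is.
    primary = event.get("accept_language", "").split(",")[0].split(";")[0].strip()
    claimed = primary.split("-")[-1].upper() if "-" in primary else None
    if claimed and region != "??" and claimed != region:
        score += 15
        reasons.append(f"client claims locale {claimed}, address geolocates to {region}")

    # Signal 4: the account is far from where it normally logs in.
    home = HOME_REGION.get(event.get("user"))
    if home and region != "??" and region != home:
        score += 25
        reasons.append(f"user {event['user']} usually from {home}, now {region}")

    return OriginVerdict(min(score, 100), reasons)


def triage(log_text: str) -> list:
    """Score every JSON line in the log; returns (user, src, score, reasons) tuples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = score_origin(event)
        results.append((event["user"], event["src"], verdict.score, verdict.reasons))
    return results


if __name__ == "__main__":
    for user, src, score, reasons in triage(SAMPLE_LOG):
        print(f"{score:3d}  {user:<11} {src:<15} {'; '.join(reasons) or 'no origin signals'}")
```

The weights are deliberately arbitrary; what matters is the structure: the internal check short-circuits, the anonymizer check is the strongest single signal, and the forwarded-for header contributes only as evidence of obscuring, never as a source of truth about location.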