Cybersecurity

Cybersecurity Strategy

Developing a multi-pronged Cybersecurity strategy is a critical job for CSOs today.  Neil Daswani shares his perspective on this important topic.  He is currently at Twitter, serves on the faculty of Stanford’s Advanced Computer Security Program, and is a friend of BGV.

Chief Security Officers (CSOs) have a tough job.  They need to protect an organization against many different forms of attack, and need to do their best to close as many vulnerabilities as possible, if not all of them.  Attackers, on the other hand, need to find just one vulnerability to get their foot in the door.  As such, it is important for CSOs to employ a well-thought-out, multi-pronged strategy based on an understanding of the most significant risks and threats to their organization.  Just as Anik Bose mentions in his blog post on more general Strategy in Start-Ups, thinking about the “who, what, and where” is just as important for the CSO as it is for the CEO.  In particular, for the CSO, the strategic questions that need to be tackled are:

  • Who are you trying to defend your organization against?
  • What are the attackers after?
  • Where is the attack emanating (or going to emanate) from?

The typical profile of the attacker (“who”) has changed over the decades, as have what they are after and where the attack emanates from.  The attacker profile has shifted from teenagers who just wanted to experiment or make a name for themselves, to cybercriminals who were out to make money, to now nation-states that have corporate espionage and military goals in mind.

From the mid-1980s to the early 2000s, relatively unsophisticated “one-man” attackers (e.g., graduate students, hobbyists, amateur programmers) would write worms, such as the Morris, Code Red, and SQL Slammer worms.  Unlike a virus, which needs a host program or a user action to spread, a worm is a self-replicating program that copies itself onto other machines over the network on its own.  Worms spread quickly, sometimes carried a payload that did something worse, but mainly generated a lot of traffic and productivity disruption in the process of copying themselves.  For instance, SQL Slammer was the first such worm that the White House was notified of, due to its disruption of ATM machines and travel reservation systems.  However, these attacks weren’t targeted at any one particular organization.

By contrast, the cybercriminal attacks that grew through the mid- to late 2000s were conducted by teams of attackers whose goal was more focused; specifically, focused on making money for the attackers.  Such groups of cybercriminal attackers structured themselves in a manner that resembled legitimate, for-profit corporations, and within just a few years an “underground economy” arose.  The operations of cybercriminal groups were in some cases more profitable than physical crime, could scale faster, and presented less risk to the attackers, who could be thousands of miles away from their targets and victims, evading law enforcement.
Examples of cybercriminal schemes included charging ransom to banks to stave off DDoS attacks that would take their sites offline, conducting large-scale botnet-based click fraud to defraud advertisers and search advertising networks, and selling fake anti-virus software en masse to consumers whose machines really were not infected.
Time Period | Typical Attackers | Typical Goals / Motivations | Examples
Mid 1980s to early 2000s | Mostly “one-man” shows or small teams | Disruption / Defacement | Worms (Morris, Nimda, Code Red, SQL Slammer), Activism / Hacktivism
Early to mid 2000s | Organized groups of cybercriminals | Steal money / conduct fraud | Phishing, Identity Theft, Data Theft, Click Fraud, Pharming
Mid 2000s to present | Nation-states | Steal intellectual property, Identify dissidents, Disrupt nuclear arms development | Operation Aurora, Stuxnet, Watering Holes

Summary of attacker types and motivations from mid-1980s to present

Today, organizations also face the threat of nation-state attacks, in which governments or groups hired by governments are the “who” behind the attacks.  Such groups are typically very well-funded, patient (they may conduct their attacks over a period of years), and sophisticated (they may develop zero-day exploits as well as new tooling to conduct their attacks).  They have a variety of motivations, of which corporate espionage is one.  Stealing the intellectual property of foreign corporations and replicating products without having to incur the cost or time involved in R&D may be a quick path that a government could pursue to enable its constituents to compete.  Operation Aurora, in which Google as well as roughly three dozen other corporations were targeted, and APT1, in which over 140 organizations were victimized over a seven-year period, were examples of “advanced persistent threat” attacks in which corporate espionage was a suspected or likely goal.  In these types of attacks, spear phishing, drive-by malware downloads, social engineering, and watering hole websites are common mechanisms used as part of the attack.

In addition to corporate espionage, nation-states may also conduct attacks to attempt to degrade an adversary’s capability to manufacture weapons.  Stuxnet, discovered in 2010, was malware that targeted the industrial control systems driving uranium-enrichment centrifuges; roughly 60% of the hosts it infected were located in Iran.  By speeding up and slowing down the centrifuges, the malware interfered with the enrichment process that could be used to produce weapons-grade uranium and manufacture nuclear weapons.
Note that as time has progressed, attacks have only grown in volume, diversity, and sophistication, giving truth to the saying that “attacks only get better.”  It is also interesting to note that malicious software, or malware, has been a common thread across attacks and has been the key tool used in conducting progressively more sophisticated attacks over time.

In this article, while we have focused on the “who” and “what,” the “where” is equally important.  Attacks on the Internet can, of course, emanate from anywhere, and often cannot be prevented from emanating, but the “where” can be extremely important for detection, containment, and recovery.  The origin from which web traffic, emails, phone calls, and other communications emanate can often provide a signal of how suspicious the communication is.  Even when attackers “proxy” their communications or obscure their actual source, any indication that the original source is being obscured can itself serve as a signal.

It is important to prevent attacks whenever possible, but preventing every possible form of attack is usually cost prohibitive.  Corporations need to determine what their highest, most significant risks are and invest resources to prevent those, while, at the same time, investing in countermeasures that allow them to detect, contain, and recover from medium- and low-priority risks.  (Corporations also need to invest in detection, containment, and recovery for high-priority risks, just in case those attacks are not prevented.)

In this article, I have mainly discussed general security trends in the “who” and “what” that have affected many organizations over the past few decades.  That said, each organization is unique and must put in the appropriate effort to determine the “who” and “what” they need to be most concerned about as a paramount step in their cybersecurity strategy formulation.