Who Is Hacking Who – and Why You Need to Know
Will knowing who is attacking them help enterprise security pros mount a better defense?
If doing battle with a masked attacker, do you gain any advantage by learning his or her identity? Maybe. While you wouldn't normally worry too much about getting hurt by an attacker's feet, you would if the attacker was Jackie Chan, a martial arts star known for his dangerous kicks.
In the same way, organizations may be able to better protect their digital assets by knowing which types of attackers are likely to target them.
As researchers from Intel Security were putting together the company's McAfee Labs Threats Report for August 2015, it occurred to them that most attacks fit into one of three major categories: hacktivism, nation-state attacks or organized crime.
The three types of malicious actors have very different motivations, said Steve Grobman, Intel Security CTO.
"A nation-state tries to get information for espionage or influence purposes or tries to better understand the technology being used in an environment," he said. "That is very different from organized crime, which has a financial motivation. They want to steal something they can sell on the black or gray market to achieve financial gain."
Hacktivists are interesting, in that their objective is often to embarrass an enterprise, Grobman said. IT organizations should be aware that content such as email between executives – long seen as a relatively low security priority compared to materials such as intellectual property or personally identifiable information about customers – "can be immensely damaging" in the hands of hacktivists.
For example, email from Sony Pictures executives appeared on WikiLeaks following last year's attack on the entertainment company. The messages included scathing notes from Amy Pascal, who resigned her position as the company's co-chairman two months after the communications were leaked. While the North Korean government was widely believed to be behind the Sony hack, some security researchers think pro-piracy hacktivists may have been involved as well.
"Hacktivists are going after information that was never thought of as being overly sensitive before," Grobman said, noting that this means organizations need to "start thinking more about the attributes of their data."
The three kinds of attackers are also different in how they exfiltrate data. Nation-states typically want to remain below the radar as long as possible to obtain as much data as they can, Grobman said, while hacktivists "do not always mind running a dump truck through the door and doing a smash-and-grab, to use a physical world analogy."
Organized crime is "kind of an in-betweener," he said. "If they can get the entire database in one fell swoop they might be willing to do a dump truck through the front door, but if they can trickle it out while remaining undetected they can milk the information for quite a long time, as we saw with some of the big retail breaches last year."
Of the three groups, nation-states tend to be the most sophisticated and well-funded attackers, he said, although organized crime is no slouch in these areas. "In the industrial underground hacking economy, you can acquire the right technology for advanced attacks even if you do not have the technology to develop it from scratch."
Increasingly, these groups of attackers borrow techniques and methodologies from each other, he said, noting that while the North Korean government remains a top suspect in the Sony incident, the release of email was an action more characteristic of a hacktivist.
Understanding which attackers will be most interested in your organization's data will help you triage, Grobman said. That is increasingly important, as it is easy to get overwhelmed by the sheer number of attacks – which is illustrated by some of the statistics in the McAfee Labs report.
For example, more than 6.7 million attempts were made every hour in the second quarter of 2015 to entice McAfee customers into connecting to risky URLs via emails, browser searches and other techniques. Also every hour in Q2, more than 19.2 million infected files were exposed to McAfee customers' networks, and 7 million potentially unwanted programs (PUPs) attempted installation or launch.
"If you are a big retailer and you process financial transactions, you will likely be a target for organized crime. If you are a policy group, hacktivists would likely find you an attractive target," he said. "You will want to think somewhat differently about your environment. You know you cannot do everything; you want to put the right levels of investment in the right areas. If you map your data sources and understand the techniques used by different groups, you can set up your defenses so you can better identify when different methodologies are occurring."
The McAfee Labs Threat Report for August 2015 also spotlights several trends in different types of attacks. Among them:
- Ransomware is growing rapidly, with McAfee Labs seeing a 58 percent increase in ransomware in the second quarter. The total number of ransomware samples grew 127 percent year-over-year. Researchers attribute the increase to fast-growing families such as CTB-Locker and CryptoWall.
- While the total number of mobile malware samples grew 17 percent in Q2, mobile malware infection rates dropped in every region but Africa. Infection rates decreased by almost 4 percent in North America, while other regions declined about 1 percent.
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.