Why thinking like a criminal is good for security

When planning an attack, criminals study their target victims looking for the weakest links.

data breach hacker
Credit: Thinkstock

Focusing too much on protecting only the crown jewels of the enterprise might leave gaps in security for criminals who are seeking other valuable assets. The hackneyed expression, “One man’s trash is another man’s treasure,” serves as a reminder that what the enterprise values is often different from what a criminal values.

Defending a network and the critical assets of an enterprise is a lot like safeguarding a home. There are layers of security in homes just as there are in the enterprise. From the windows to the doors to the locks and alarm systems, home owners know the vulnerabilities and put protections in to keep criminals out. 

Ryan Stolte, CTO, Bay Dynamics said, “The big idea is that people are very specifically and deliberately attacking organizations.” The intent of those attacks, however, is not always the crown jewels. In order to defend the expanding network and everything that connects to it, “You need to put yourself in the shoes of bad guys."

In planning their attacks and seeking their victims, criminals look for the easiest access point, whether that is the organization that has, “Minimal security tools, lax security policies and/or exploitable employees and third party vendor users,” Stolte said.

“They collect their own social intelligence, gathering information about the victim business regarding what its surface areas look like, where it stores its most valuable data, which third-party vendors have access to their network and how they gain access, and which employees log in remotely and how they gain access to the network,” Stolte said.

In most breaches, organizations are being hacked by individuals. “It’s not just people sitting in China,” said Stotle. What most criminals want is data and their goal is to get access to credentials to get that data. “After they have breached you and gotten inside, they do it all over again, but from a different layer, to continually get deeper into an organization,” Stolte said.

The easiest ways for outsiders to gain access is by trying to compromise a particular person or to sneak in through an open door. “Technical engineering and social engineering go hand and hand,” said Stolte.

Social engineering is made a lot easier by the extensive use of social media platforms.  Increasingly criminals are patient and take a longer and windier road to reach the final destination of their intended target. 

Tim Erlin, director of IT security and risk strategy, Tripwire said, “Shodan allows anyone to search for vulnerable things. They are scanning company networks and gaining access to internal networks by probing the individuals who interact with customers or the public. The one that is increasing is the supply chain attacks. Instead of attacking directly, they are going after their vendors and contractors to gain access.”

Public information provides a gold mine of useful tidbits for criminals. Will Gragido, head of threat intelligence at Digital Shadows said, "Gleaning career and relationship information, like the names of colleagues, mentors and friends from sources like Facebook, LinkedIn, and alumni sites helps establish cover for spear-phishing and other social-engineering campaigns.”

While these commonly used social media have much to reveal, there are others that can be more revealing of information about software and code that is really useful to criminals. 

[ ALSO ON CSO: US cyber criminal underground a shopping free-for-all ]

Gragido said, “Online profiles that might be easily misconfigured, such as GitHub accounts, frequently leak other types of information publicly, such as the identities of specific software developers in targeted organizations and snippets of the code they are working on, which, taken together, yields a lot of useful intelligence."

This extensive information that is often leaked unknowingly is particularly threatening to the security of an enterprise. "The challenge is that this information leaks from third-party sources far outside of organizations' own security boundaries, meaning they are almost blind to these exposures and cannot act in time to prevent them from fine-tuning attacks, like a precision attack on a specific software developer,” said Gragido.

The expanded network has posed many challenges to security teams, and Gragido said, "Other sources of reliable attack intelligence are exposed storage devices and cloud platforms.” In Gragido’s experience, he has seen instances of sensitive corporate information, such as strategy documents and board meeting details from a health insurer, that were publicly 'over-shared' by being posted in cloud sharing sites with inadequate password controls.

Gragido said, “Likewise, we have seen sensitive files pertaining to banks' ATM networks, for example, accidentally broadcast to the Web because employees have placed them on misconfigured remote storage drives in their homes."

Whether they are after credit card data, payment data, customer information, or any other kind of credentials from user names, to passwords, and healthcare records, criminals are gaining access even with extensive security measures in place, which begs the question how do security teams stop them?

If only there were an easy answer that didn’t require time and resources beyond those which are already stretched and limited. The first step is recognizing that it’s important to prioritize what is secured. 

All of this exposure creates avenues for criminals or other hostile groups to find an organization’s weak points for more targeted and efficient cyber-attacks, said Gragido.  “There is a greater premium on getting in front of these exposures with better situational awareness today, so that affected companies can recognize and eliminate these leaks at the source, outside their walls," he continued.

A combined focus on technical and human surveillance is good security practice.  “Have employees be aware. Lock doors and windows. There are a lot of technology things you can do. Bad guys have as good of technology as the good guys. We scan and find, but bad guys do too, but they act before the hole is fixed,” Stolte said.  

A slight shift in language when talking about security and data can also help security teams think like a criminal. Erlin said, “It’s a very common best practice for organizations to identify sensitive data. Using the term valuable instead twists perception away from what organizations feel is sensitive to what might be valuable to a criminal.”

Regardless of what other information criminals might find valuable, the crown jewels will always remain sensitive and top priority. Stolte said, “Organizations do the surveying, but one thing they fail to do well is protect the crown jewels. They need to know where they are and use that information to close off and fix the highest priority stuff.”

Think like a bad guy. Stolte said, “Take an inside-out approach to vulnerability management. Ensure that you are patching the right servers and that people don’t have more access than they should to layers of the network. Only the right people should have access to sensitive information at the application level.” 

Erlin said, “Threat modeling should be a continuous exercise. Threats change and evolve. It’s valuable because no one has infinite resources, so you have to focus on the most probable and impactful threats.”

Criminals are always after the weakest link, and they search for anything on the internet that might provide some kind of access. Information is out there, and security teams who use what criminals learn as part of their strategic security plan might be lucky enough to act before a breach.

This story, "Why thinking like a criminal is good for security" was originally published by CSO.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO Nov/Dec 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.