HPE Publishes Cybersecurity Business Primer
While largely shorthanded and underfunded, cybersecurity professionals defend against the escalating threat environment on a daily basis, but apparently there is a significant knowledge gap when it comes to business leaders, according to Chandra Rangan, Hewlett Packard Enterprise. This gap became apparent in ongoing discussions with business leaders, he told IT Trends & Analysis, as did a second cybersecurity truism: the attacker — i.e. organized crime, corporate espionage, hacktivism, cyber warfare/terrorism, and those just looking for pure monetary gain — only has to be right only once.
The potential victim has to be right every time. “There’s a lot of truth to that… but business leaders ask is this a bottomless pit…?”
To help address this, HPE has released “The Business of Hacking,”, a cybersecurity primer for business leaders that analyzes ‘the motivations behind the attacks adversaries choose to pursue, and the ‘value chain’ illegal organizations have established to expand their reach and maximize profits.’ The report also offers a gameplan on how to mitigate risk through disruption of these adversary groups.
The bad guys — adversaries — fall into multiple categories, but the biggest threat appears to be coming from criminal organizations, said Rangan. “Hackers are not criminals… but criminals are becoming hackers.”
There are certain kinds of attack you can protect against and other kinds that you can’t. “But for the most part, businesses are being hacked by criminal organizations.”
Although HPE says a broad response is required — from regulators and law enforcement, in addition to enterprise security leaders — the adversaries are frequently creating a formalized operating model and ‘value chain’ that is very similar to legitimate businesses in structure, and delivers greater ROI for the cybercriminal organization throughout the attack lifecycle. This evolution is much more understandable by business professionals, said Rangan.
“This businesses can understand.” And it offers an opportunity to “take away the easy, low-hanging fruit” that criminals tend to prefer, he added.
According to HPE, the critical elements to the attackers’ value chain models typically include:
-Human Resources Management – includes recruiting, vetting and paying the supporting ‘staff’ needed to deliver on specific attack requirements; the skills-based training and education of attackers also falls within this category;
-Operations – the ‘management team’ that ensures the smooth flow of information and funds throughout the attack lifecycle; this group will actively seek to reduce costs and maximize ROI at every step;
-Technical Development – the front-line ‘workers’ providing the technical expertise required to perform any given attack, including research, vulnerability exploitation, automation, and more;
-Marketing and Sales – these teams ensure that the attack group’s reputation in the underground marketplace is strong and the illicit products are both known and trusted among the target audience of potential buyers; and,
-Outbound Logistics – this encompasses both the people and systems responsible for delivering purchased goods to a buyer, be it large batches of stolen credit card data, medical records, intellectual property or otherwise.
“Cybercriminals are highly professional, have robust funding, and are working together to launch concentrated attacks,” said Chris Christiansen, Program Vice President, Security Products and Services, IDC, in a prepared statement. “The HPE Business of Hacking Report offers key insight for legitimate organizations to better disrupt adversaries and mitigate risks by understanding how they are operating and maximizing profits.”
HPE’s list of disruptive techniques — some very basic, and some ‘far-fetched’ — include: reduce their profits; increase their risk; reduce their target pool; increase time to value; reduce their talent pool; and increase the cost of doing business. With the bad guys becoming more corporate-like, it becomes easier to disrupt their activities and marketplace, said Rangan, with the objective of making it more expensive for these businesses to operate and/or increase the risk beyond acceptable levels for the attackers.
Shining the spotlight on the bad guys can only help, he said. If the adversaries are exposed, the law can go after them. “They are very worried about exposure.”