It’s time to stop thinking of threat groups as supervillains, experts say

There’s something wrong with the way we think about threat actors.

Speaking at the NCC Group’s Security Summit in Cheltenham, England, this week, security experts took turns challenging the preconceptions they say many organizations hold about cybercrime groups and the attacks they carry out.

“Talking about specific actors can lead to this hype cycle around them and people tend to think ‘It’s X attacker attacking us, we don’t have a chance to defend ourselves,’” Matt Hull, global head of threat intelligence at NCC Group, told ITPro.

There’s a tendency in the security industry to lend weight to threat groups whose attacks are successful, Hull said. This is often counterproductive, in his view, as it can result in groups being viewed through the lens of being sophisticated or “scary.” It’s also unfair to groups that do great work but don’t publish it publicly, he added.

Hackers are people too

Hull’s comments were echoed by several speakers at the conference. Kevin Sheridan, head of security consulting at NCC Group, said many firms and stakeholders in the cyber space have developed a tendency to “put an astronomical level of kudos” on ransomware threat actors.

This poses a problem, according to Sheridan, as viewing these groups as supremely powerful takes away from the defensive effort.

“I think when we discuss ‘Oh no, there’s been another attack!’ we give too much credit to a ransomware actor, and not enough credit to a good defensive outfit,” he said.

To correct this imbalance, Sheridan argues that security leaders need to start thinking of hackers as human, rather than as omnipotent, omniscient supervillains.

Doing so makes it clearer that they can make mistakes, that they’re not always going to behave rationally, and importantly, that what they are doing is illegal.

“It’s weird how we don’t apply human psychology to these threat actors,” he said. “And we don’t know why – they are ultimately people. And I think as soon as you realize that they’re people, they make mistakes – this helps a lot.”

Organizations, Sheridan said, often tend to view cybercrime groups as a “phantom menace” that can strike at any time, whereas in reality many are less like the Star Wars Sith Lord and more like the Phantom of the Opera, a more human figure in a mask who appears threatening but is also capable of making mistakes.

Of course, Sheridan acknowledged that applying human psychology to attackers opens up a whole other can of worms. Two big variables that contribute to humans acting irrationally, he said, are money and pressure.

Ransomware attackers are subject to both of these variables, Sheridan said, which could lead to some erratic behavior. In the case of Scattered Spider, part of the motivation behind its attacks on Marks & Spencer and the Co-op in the UK could have been that it needed more money, he added.

Reframing the problem

With this human element in mind, Sheridan argued that organizations should try to reframe the problem of cyber threats. It’s worth keeping at the forefront of your mind, he said, that ransomware attacks are a crime.

Being on the receiving end of one often puts defenders and the organizations they protect in the mindset that they’ve done something wrong – that they failed to prevent the incident. This, he argues, is the wrong way of looking at things.

The reason this framing is problematic is that it shifts the burden of blame onto the victim, akin to asking someone who’s been pickpocketed why they didn’t have a better chain for their wallet.

“What I’m saying here is that attackers are generally wrong for doing what they’re doing, and there’s ultimately a sense of empathy we need to have with our organizations,” he said.

“We are not at fault; it is ultimately a crime that is being perpetrated against an organization.”
