Professional hackers are behind the keyboard, turning cyber crime into an industry, and organizations must change their approach to information security.

Cyber crime has been commercialized. Infecting computers with ransomware or using an advanced persistent threat to pilfer intellectual property no longer requires deep technical knowledge. Just use Google to learn how to access the Dark Web, and you can find hackers who, for a price, are more than happy to write malware, create highly effective spear phishing campaigns and develop bogus websites for harvesting login credentials.

Major companies (think Fortune 500 organizations) understand that cyber crime as a service has changed how they handle defense. But for organizations still maturing their defensive measures, here’s what the transformation of cyber crime into an industry means for how you approach information security.

Your enemies aren’t script kiddies

Security and IT professionals need to accept that they’re not facing inexperienced hackers. The good guys typically realize that adversaries are skilled but don’t fully realize their technical prowess. Script kiddies are still out there, but I’d argue that they’re not going after enterprises.

The real threat is from the group of hackers who worked for the Russian government, realized their skills could command a high price in the private sector, and now sell their services on the Dark Web. For them, hacking isn’t a pastime. It’s their profession. Often they get paid only if the mission is successful, giving them an incentive to make sure the goal is achieved. If you’re a defender, adopt the perspective of the enemy. Think about what points you would try to exploit if you were on the offensive side.

Better walls don’t lead to better security

With professional hackers behind the keyboard, infiltration is guaranteed.
Security and IT professionals should accept that attackers will eventually find a way in, regardless of how great your defenses are. This can be hard for companies (even major ones) to understand. There’s a belief that better information security means building higher and thicker walls. So, you add firewalls and antivirus software. When those aren’t enough, you add next-generation antivirus, intrusion prevention systems and some other next-generation technology.

But adversaries will figure out how to get around all of those products. You build a bigger wall; they just dig a tunnel under it. You can’t fight every threat or the entire internet. This realization isn’t meant to discourage information security and IT professionals who are diligently trying to protect their companies. Instead, I hope they’ll adopt a different perspective on how to handle advanced adversaries.

Use a security incident to your advantage

If the bad guys are destined to infiltrate your company, what kind of defense can you mount? To start, have a current incident response plan in place. This means updating it to include any major changes at a company and reviewing it to make sure key personnel are included.

For example, does your incident response plan include notifying public relations staff to handle media inquiries or contacting a government agency due to regulations? And make sure the people involved in the plan know how to use it. The first time people see it shouldn’t be during an incident. Run through the incident response plan at least once a year.

Next, look for adversaries who are already in your environment. As sophisticated as attackers are, they’re not invisible. They will always leave some trace, no matter how small. As defenders, your job is to discover those tiny clues and use them to figure out the attacker’s complete plan.

Try to learn how the attackers evaded your defenses, what they’re after and what systems have been compromised.
Your goal here is to stop the entire attack, not just one component of a much more elaborate campaign. Partial remediation means the attackers still have a foothold in your environment.

Don’t focus on attack attribution. That doesn’t do much to improve your security. If you’re in the midst of a crisis, your priority should be helping your organization return to normal business functions as quickly as possible, not figuring out whether the Russians or Chinese stole your intellectual property.

When and if you find evidence of attackers, don’t treat this discovery as a defeat. Security incidents—even major ones like a data breach—are an opportunity to improve your defenses. Security budgets typically aren’t increased as a result of everything going right in your organization. Knowing the gaps in your defenses gives you the opportunity to plug them.

Cyber crime as a service means the good guys must change their approach to information security. Defense is no longer a zero-sum game, with every breach equalling a defeat. And winning doesn’t mean stopping all the attackers. If the enemies are bound to get in, use this to your advantage by treating it as an opportunity to discover their full plan and improve your defenses.