For years major businesses have contended with hackers attempting to break into their networks and steal their data. In the recent past, that threat mostly emanated from China. Now, a new threat has emerged that companies must address: a savvy, resource-rich, risk-taking gang of hackers with ties to Russia. If the Chinese were the drunk burglars of cyberspace (to quote former FBI director James Comey), these Russians are stone-cold sober thugs.
On the geopolitical stage, Russian hackers have been busy: Their targets have included Estonia (using overwhelming denial-of-service attacks), Georgia (supporting ground operations with cyber operations), Germany (achieving unauthorized access to servers in the legislature), and the United States (stealing data from the Democratic National Committee and emails from John Podesta). But with the U.S. Department of Justice’s (DOJ) indictment of four Russian hackers for breaching Yahoo, the U.S. government is now on record that Russia’s targets are not just geopolitical — businesses are very much at risk as well.
How does the Russian cyber threat (regardless of the Russian government’s involvement) affect your business, and what can you do about it?
The motivations behind Russian hackers are the most diverse of any team with government connections. In recent years, the Chinese frequently stole sensitive commercial data, such as intellectual property, to gain competitive advantages for their state-owned enterprises. The North Koreans lashed out against Sony Pictures to protest a not-quite-Oscar-worthy film that featured the dramatic death of Kim Jong-un. As noted above, the Russians have attacked in cyberspace to further their geopolitical interests, but their hacking activities also form an integral part of a more sophisticated criminal enterprise, bent on extortion and profiteering. The Russian security services have extensive ties with the criminal underworld, and whether their hackers are working for the government or the mob can at times be a meaningless distinction. As highlighted in the DOJ indictment, sometimes the Russian government will target businesses to further its intelligence activities. Other times, it will work with criminal elements for criminal purposes. As a result, businesses and governments are both targets. The upshot: Your business can become a target not because these hackers see intrinsic value in your data, but because you may be a comparatively easy target.
After breaches at Target and Home Depot, boards were put on notice that cybersecurity was a cost to be internalized going forward. Credit monitoring for victims was only one of a myriad of expenses for which to account. Other expenses included hiring outside cyber forensics experts to expel hackers from networks, and recruiting experienced chief information security officers to keep the business secure. But the Russian attack on Yahoo revealed how these kinds of attacks can have severe indirect costs as well: Verizon reached new terms for its acquisition of Yahoo and exacted a $350 million discount toward its purchase price because of the Russian hacks. These hackers also modified Yahoo’s search engine results to further their own criminal goals. Such a significant M&A haircut and risk to Yahoo’s core product, all because of a cyber intrusion, should motivate businesses to double down on proactive efforts to improve cybersecurity before incidents occur.
The techniques in the Russian hacker tool kit are diverse. But just because Russian hackers can bring their A-game to a cyber fight does not mean they always need to. Even the most sophisticated hackers will default to unsophisticated techniques if those prove the easiest and cheapest way in. In their breach of Yahoo, they employed, as one part of their operation, the delicious-sounding tactic of “cookie minting,” a way to gain access to an account without being challenged by typical authentication checks, such as a password. Yet the tried-and-true junior-varsity tactic of spear phishing once again seems to have positioned the attackers for success. Your business already should have been focusing on blocking junior-varsity attacks for the last several years; now it will also need to account for more creative, varsity-level attacks, which will require experience, patience, and vigilance to counter.
Protecting your business from this evolving threat will not be easy, but it need not require magical defensive prowess. Consider the following approaches:
Get your priorities straight. Trying to protect all your data, systems, and networks from all forms of malicious cyber activity? Forget it. The first step to any defensive approach is to determine which assets must be defended. What data is so critical to your company that unauthorized access to it would be a disaster? What data must be available 24/7/365? What data do you need to store? If your answer is “all of it,” you’re doing security wrong.
Presume you will be breached. You should hold your cybersecurity team (you know who they are, right?) accountable for ensuring compliance with fundamental standards for information security. But while compliance remains crucial, it is entirely insufficient to address a threat landscape that rapidly evolves. Assume that compliance is imperfect and that an adversary is already exploiting this imperfection. Investing in your company’s resilience in the face of cyberattacks that target your top priorities will be critical. What resilience looks like depends on the type of work you do and on your priorities. For example, if there is a particular system whose availability is required 24/7/365, have you tested fallback mechanisms and backups?
Have a strategic communications plan. When you confirm that your company has in fact been breached, you will need to determine what to say, to whom, and how. Plan this ahead of time. Do not wait until you are in the midst of a cyberattack to brainstorm how, what, and when to communicate with your board, your shareholders, and your clients. You need not account for every contingency, but you can begin by ordering research on how other companies have managed (or failed to manage) the strategic communications aspect of a cyberattack.
Know that there is safety in numbers. You are not alone. If criminal hackers are victimizing your company, chances are good that they are after others proximate to your company as well. Information sharing has long been a talking point for cybersecurity evangelists. But most of the time the shared information is untimely and unhelpful. So look at how participation in initiatives like Facebook’s Threat Exchange service can help your company not just gain access to relevant and timely information but also act on it before it is too late.
Form relationships with law enforcement. Working with law enforcement is not a short-term solution for most companies’ cybersecurity challenges. Businesses often describe their relationship with law enforcement on cybersecurity as “give-and-take” — the companies give information, and law enforcement takes it and then disappears. But we can see a change in its approach to cyber criminals: The U.S. Justice Department has worked with victims on multiple indictments, even against state-sponsored and resourced hackers. And in certain situations the FBI can tip off a company to a threat the firm may not be aware of. Never bet the farm that the government will protect your business from a cyberattack, but be open to and prepared for the day when it might give you some news you can use to protect yourself.
What’s a business to do, given the threats described here? Believe it or not, the information security issues associated with cybercrime are not all that new, even though the Russian connection to it is now more overt. Don’t freak out. But do get serious. Gone are the days when the only risk was having sensitive data stolen. Progress begins with you — what data and which systems are most important to your company? Prioritize from there. You can’t build perfect walls, and there is no silver bullet in cybersecurity, so don’t let your CIO or CISO tell you otherwise. You’ll need a diversity of approaches, and those approaches will have to evolve over time. If you didn’t believe it already, believe it now: The cyber threat has arrived as a clear and present risk to businesses today, and addressing it will become a growing cost of doing business.