Think back to the last time you watched Law & Order. At the start of the episode, you may have witnessed a robbery at a local business.
Cut to a crime scene with trace evidence left behind (think: footprints, fingerprints, DNA). After connecting the dots, the detectives embark on a manhunt to arrest the criminal, with the goal of keeping the area safe from future crimes. Sure, one business will enhance its security posture and plug any glaring security holes, as they would a broken lock, but that does not get to the root of the problem – identifying and putting the culprit behind bars.
Much like a physical crime scene, the digital world uses forensics, too – IP addresses, crypto wallets, usernames and passwords, etc. – to track the breadcrumb trails between the point of compromise to the threat actor. When it comes to cyber espionage, adversary intelligence is particularly difficult to identify due to the nature of the crime. The threat actor is essentially stealing data for the sake of achieving a competitive advantage against their adversaries. Once the data is gone, the crime is usually “complete” and can go unnoticed. However, compare this with more common cybercriminals looking to convert whatever it is they stole into money: the classic art thief looking to sell stolen goods. Just as cybercriminals use personally identifiable information (PII) to piece together an individual’s digital footprint, security operations leaders can do the same, leveraging breached data, to track nefarious actors.
With more than 1,200 cybersecurity companies offering their services, you would think we are equipped to prevent nearly all data breaches. The technology is evolving, but human error remains. Your organization could leverage the best cyber solutions, but breaches will still occur because the biggest cyber threat to an organization is its people. Common entry points to breaches, and an organization’s data, include: phishing attacks and weak passwords, which sit at the end user; accidental leaks, poorly configured or unprotected servers and cloud-based tech; and vulnerable third-party supply chain vendors and partners that lack basic security protocols.
To mitigate breaches, from an enterprise perspective, a company can find success through draconian measures – restricting access to social networking sites, whitelisting certain apps, etc. – or by taking an Orwellian approach to the entire infrastructure and monitoring what every employee does within its network. However, both have major drawbacks, especially for employee morale, which is why they are difficult to implement successfully. So instead of focusing on what is happening within an organization, it is also necessary to anticipate and defeat external threats, which you can accomplish via identity attribution.
Enterprises should monitor open sources on the surface, social, deep and dark web for exposed identity information, which can help security teams understand employee and executive digital footprints. This can also aid in developing an understanding of an enterprise’s adversaries. In addition to assisting law enforcement in prosecuting and building a case, attribution for disruption is beneficial to financial services, cryptocurrency markets and social media platforms, among many other industries. Imagine if your corporation were able to identify bad actors in order to assess the risk an individual or entity poses. This would allow your organization to create a competitive counter strategy.
Simply put, as security analysts continue to learn and evolve, so do the malicious actors, who are always looking to stay one step ahead. This leads to a game of defensive whack-a-mole. The key is to understand there is a real person behind the attack; security operation leaders must adapt and, just like Detectives Benson and Stabler, take a more proactive approach. More than figuring out what occurred, you will understand who was behind the attack, and what their motives were.
About the Author
Amirah Saad is Sr. Manager, Intelligence at Constella Intelligence, a leading global Digital Risk Protection business that works in partnership with some of the world’s largest organizations to safeguard what matters most and defeat digital risk.
Featured image: ©joebelanger