And the road to recovery is to plan, plan and plan again
When it comes to cybersecurity, knowledge is the first step in protecting yourself.
Knowledge of your enemies, and of your own vulnerabilities.
That was the message from Philip Ingram, a former senior officer in British Military Intelligence speaking at the Cybersecurity Festival last week.
"If you know what they're after, that means you understand whether you're going to be targeted," he told delegates.
"The thing that drives China is economics, money, intellectual property. if you can save billions of dollars by stealing someone else's development work, and then you just have to manufacture it, you've saved yourself billions of dollars and you can then use that to get out into the market in a much quicker way and get economic advantage. So, everything that drives China's attacks is economic advantage."
In a similar way, Russian cyberattacks are driven by influence, both political and military, while North Korea is motivated purely by making money - mostly through cryptocurrency to avoid sanctions - to fund the ruling class's lifestyle.
"I have a problem with Kim Jong Un. How can a country that doesn't allow its citizens to go to university...become a Tier 2 player? There are only two internet pipelines into North Korea. One of them...goes to China; the other one...goes through Russia."
Ingram believes Russia and China are using North Korea as a patsy, launching attacks their victims will attribute to the isolated state to gain plausible deniability. Again - good knowledge to have, or even suspect.
Why is knowing what attackers are after relevant for a defender? For the same reason knowing about attack vectors and methodologies is important: to defend against them. Knowing what the threat is and, just as importantly, what the attacker is after will immediately tell you if you are a target of interest.
If you determine that you are a potential target, the next step is to identify "your vital ground or key terrain - the bit you cannot operate without."
"If you can't identify it you're wasting a lot of effort," said Ingram.
And, of course, you can't forget about your vulnerabilities: your people, systems and network. Ingram showed off a device called Flipper, a multi-device hacking tool built using open-source tech, small enough to fit in a pocket.
"How many of us have policies that would actually look for devices like this on our employees?"
The road to recovery
So, you've identified your main threats, your vulnerabilities and your vital ground. What's the next step? To prepare for the inevitable breach, because even if you know everything about your network, no-one can ever be 100% sure they're safe.
Have a plan for recovery, and then have a backup plan for when the first falls through. It sounds like a lot of work, but preparing to manage the reputational fallout will pay dividends.
"You can recover from the technical side of a cyberattack relatively quickly, but trying to recover a reputation can take years."
Hacking groups like Anonymous, realising how damaging it can be, have moved on to attacking companies' reputations directly by releasing data from companies they have breached, or calling them out online for what are seen as shady practices (for example, continuing to operate in Russia).
Thank you for reaching out. Bridgestone is suspending manufacturing and sales activities in Russia until further notice. You can read more about the company's actions here: https://t.co/VUQGN36ByZ.— Bridgestone Tires (@Bridgestone) March 21, 2022
Knowledge, Ingram reiterated, is the key to it all. Determine if you're a target and use that to refine your preparedness - rather than just thinking about what a threat vector is.