When a company suffers a data breach or is targeted by a ransomware attack, of course it creates a negative impact on its bottom line and reputation. The greatest and under-discussed effect of these attacks, however, is the risk they pose to our democracy. This year, it’s more important than ever, as experts are predicting a rise in cybercrime leading up to the 2020 U.S. presidential election, just like we saw in 2016.
Mitigating risk begins and ends with response time. Organizations can mitigate their financial and reputational risk through a speedy response, because the longer a threat goes undetected, the more damage the incident can cause. Given the high cost associated with cyber-attacks, companies can’t afford to continue playing defensive whack-a-mole, reacting and defending without understanding the source of the attack. The old standby, “The best defense is a good offense,” applies to today’s global cyber war. The need for identity attribution to keep up with modern adversaries is more apparent than ever.
Who attacked your organization? Was it a hacktivist? A nation-state actor? Insider threat? If your house was burglarized, would you be able to sleep comfortably at night not knowing who committed the crime, and why? The cyber world is no different. Defending your enterprise is easier when you know your opponent and what they know about you.
While in the past, nefarious actors successfully obfuscated their identities to create uncertainty in attribution, they are much less anonymous today. Across the surface, social, deep and dark web, credentials from prior leaks or breaches are circulating and could hold clues to an attacker’s identity. Despite their best efforts, cybercriminals do leave breadcrumb trails of their own identities. The world of cyber is riddled with human error – bad actors will make mistakes, leaving themselves vulnerable. Criminal groups often go after the same types of targets and use the same vectors, tools, techniques and infrastructure across multiple attempts at intrusion. Understanding cybercriminals’ motivations and capabilities puts companies in a better position to both respond to and prevent future attacks.
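The paragraph's point that criminal groups reuse targets, tools, techniques and infrastructure is the basis of most attribution work: a new intrusion is compared against profiles of previously observed activity clusters, and shared indicators become the evidence for (or against) a link. The following Python is an added example, not code from the original article; the cluster names, domains, addresses and technique labels are constructed placeholders (RFC 5737 test addresses and `.example` names), and the weighting and threshold are assumptions an analyst would tune.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Observed infrastructure and techniques for one cluster of activity."""
    name: str
    infrastructure: frozenset  # domains / IPs seen in the activity (constructed)
    ttps: frozenset            # descriptive technique labels (constructed)


@dataclass(frozen=True)
class Match:
    cluster: str
    score: float
    shared_infrastructure: tuple
    shared_ttps: tuple


def jaccard(a, b):
    """Overlap ratio of two sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def score_against(new, known, w_infra=0.6, w_ttp=0.4):
    """Rank known clusters by weighted overlap with a new incident.

    Infrastructure reuse is weighted higher than technique reuse because
    techniques are shared across many unrelated groups, while a reused
    domain or address is far more specific. Weights are an assumption.
    """
    matches = []
    for k in known:
        score = (w_infra * jaccard(new.infrastructure, k.infrastructure)
                 + w_ttp * jaccard(new.ttps, k.ttps))
        matches.append(Match(
            cluster=k.name,
            score=round(score, 3),
            shared_infrastructure=tuple(sorted(new.infrastructure & k.infrastructure)),
            shared_ttps=tuple(sorted(new.ttps & k.ttps)),
        ))
    matches.sort(key=lambda m: m.score, reverse=True)
    return matches


def assess(new, known, threshold=0.4):
    """Return ('likely linked', best_match) or ('inconclusive', best_match).

    The threshold is an assumed cut-off; the shared indicators in the
    returned Match are what an analyst reviews before trusting the verdict.
    """
    ranked = score_against(new, known)
    best = ranked[0] if ranked else None
    if best and best.score >= threshold:
        return "likely linked", best
    return "inconclusive", best


# Constructed sample data: two previously documented clusters and a new incident.
KNOWN_CLUSTERS = [
    Profile("cluster-A",
            frozenset({"updates.a.example", "203.0.113.5"}),
            frozenset({"spearphishing-attachment", "macro-dropper",
                       "credential-dumping", "smb-lateral-movement"})),
    Profile("cluster-B",
            frozenset({"cdn.b.example"}),
            frozenset({"exposed-rdp-bruteforce", "ransomware-deploy",
                       "cloud-storage-exfil"})),
]

NEW_INCIDENT = Profile("incident-2020-01",
                       frozenset({"203.0.113.5", "login.c.example"}),
                       frozenset({"spearphishing-attachment", "macro-dropper",
                                  "credential-dumping"}))


if __name__ == "__main__":
    verdict, best = assess(NEW_INCIDENT, KNOWN_CLUSTERS)
    print(verdict, best)
```

With the constructed data the new incident scores 0.5 against cluster-A (one shared address out of three distinct, three shared techniques out of four) and 0.0 against cluster-B, so the verdict is "likely linked" with the shared address and techniques listed as the supporting evidence. The score is a triage aid, not proof: a single reused address can also be shared hosting, which is why the matched indicators are returned for review rather than only the number.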
With adversary intelligence, companies around the globe are collecting credentials – leveraging breached data – to fuel and shorten cybercriminal investigations. Getting a jump on the adversary matters because, as we know, speed of response matters – organizations can render compromised data obsolete once the passwords of employee and customer accounts are reset, preventing additional takeovers and reducing the value of exfiltrated data on dark markets.
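The concrete operational step in the paragraph above is matching circulating breach data against your own employee and customer accounts and resetting whatever is confirmed exposed, so that the stolen copy loses its value. The following Python is an added example, not code from the original article or any vendor product: it keeps accounts as salted PBKDF2 hashes (an assumed, but common, storage scheme), verifies leaked plaintext passwords against them, and separates "compromised" (the leaked password still works) from "exposed" (the address appears in the dump but the password does not verify, or only a hash was leaked). All accounts, addresses and dump records are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumed organisational setting


@dataclass
class Account:
    user: str
    email: str
    salt: bytes
    pw_hash: bytes


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(user, email, password):
    """Create an account record with a fresh random salt (constructed data only)."""
    salt = os.urandom(16)
    return Account(user, email.strip().lower(), salt, hash_password(password, salt))


def verify(account, candidate):
    """Constant-time comparison of a candidate password against the stored hash."""
    return hmac.compare_digest(account.pw_hash, hash_password(candidate, account.salt))


def triage(accounts, breach_records):
    """Map each affected user to 'compromised' or 'exposed'.

    A record with a plaintext password that verifies against the stored hash
    proves the credential is live and is marked 'compromised'. A record whose
    address matches but whose password is absent, hashed, or wrong is marked
    'exposed'. Once a user is 'compromised' that level is never downgraded.
    """
    by_email = {a.email: a for a in accounts}
    findings = {}
    for rec in breach_records:
        acct = by_email.get(rec["email"].strip().lower())
        if acct is None:
            continue  # address not ours; nothing to act on
        leaked = rec.get("password")
        if leaked is not None and verify(acct, leaked):
            findings[acct.user] = "compromised"
        else:
            findings.setdefault(acct.user, "exposed")
    return findings


def reset_actions(findings):
    """Turn triage levels into concrete, ordered response actions."""
    playbook = {
        "compromised": "force password reset now, revoke active sessions and tokens",
        "exposed": "require reset at next login and review recent sign-ins",
    }
    order = {"compromised": 0, "exposed": 1}
    return sorted(((user, playbook[level]) for user, level in findings.items()),
                  key=lambda item: order[findings[item[0]]])


# Constructed sample data: three internal accounts and a small breach dump.
ACCOUNTS = [
    make_account("alice", "Alice@corp.example", "Winter2019!"),   # reused password
    make_account("bob", "bob@corp.example", "correct-horse-staple"),
    make_account("carol", "carol@corp.example", "unrelated-secret"),
]

BREACH_DUMP = [
    {"email": "alice@corp.example", "password": "Winter2019!"},
    {"email": "bob@corp.example", "password": "some-old-password"},
    {"email": "bob@corp.example", "sha1": "<hash-only record>"},
    {"email": "stranger@other.example", "password": "not-our-user"},
]


if __name__ == "__main__":
    for user, action in reset_actions(triage(ACCOUNTS, BREACH_DUMP)):
        print(f"{user}: {action}")
```

With the constructed dump, alice is confirmed compromised because the leaked password still verifies, bob is only exposed (a different password and a hash-only record), and carol is untouched. Screening passwords against known-breach corpora is the check NIST SP 800-63B recommends; the practical caveat is that hash-only dump records cannot be matched against your own salted hashes without cracking them, so those addresses can only ever reach the "exposed" tier and must be handled by policy rather than by proof.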
If you know your adversary, you can not only report them to law enforcement but immediately begin an internal audit to identify threat vectors the adversary was most likely to employ, which ultimately helps safeguard intellectual property and sensitive data. Given that cybersecurity is naturally a collaborative field, you can also inform other affected organizations to help them jumpstart their investigation and mitigation processes. You will be able to develop more context (such as the adversary’s capabilities and intent) in the wake of a cyberattack and anticipate – and be better prepared to thwart – future attacks using sophisticated endpoint detection technologies.
Imagine equipping your organization with tools to effectively disrupt cybercriminal infrastructure so quickly that when your organization’s data surfaces on the dark web, criminals already know it’s likely outdated. Organizations can actually become known for acting quickly upon data compromise, making any information from those organizations impossible to sell on the dark web.
Today, we employ a plethora of strategies to mitigate cybercrime, from the more obvious best practices of using unique, complex passwords and implementing mandatory cyber training in the workplace, to the more polarizing strategies some are contemplating, like “hacking back.” Controversial as it may be – and let me be clear, I am not here to advocate for hacking back – experts have long agreed that one of the pitfalls of this strategy is engaging without proper adversary attribution. For instance, what if you retaliate against the wrong entity? While hacking back (and a new bill in Congress, the Active Cyber Defense Certainty Act, that would give it a firmer legal footing) may not be in most organizations’ best interest yet, should the time come when organizations choose to engage with their attackers, adversary intelligence can be depended upon. When, if at all, will that time come? Who knows. But one thing is certain: informed decision-making begins with uncovering the real identities behind criminal activities – a reliable and modern approach to crime fighting. The conversation shifts from what happened or how it happened to who made it happen and why.