Eric Milam, VP, Research and Intelligence at BlackBerry writes of how to get into the mindset of a hacker, to protect your organisation from the greatest threat.
Behind every hack there's a human. It's easy to forget it when systems go down and an anonymous email arrives demanding you pay ransom in untraceable cryptocurrency, but hackers are people, too.
I say this not to humanise them, but to defeat them. In the eternal battle against cybercrime, we need to understand hackers' weaknesses – as the old adage goes, to "know your enemy". While there's no honour among thieves, cybercriminals often operate according to moral codes of conduct which, while twisted, are not always so far from our own.
Just look at the Colonial Pipeline cyberattack. DarkSide, the ransomware group responsible, issued a statement claiming its goal was not to cause disruption and that it would introduce moderation to avoid social consequences in the future. Similarly, the hacking group responsible for the cyberattack on Ireland's Health Service Executive (HSE) offered to provide the decryption tool for free to help get the system back up and running.
In the murky moral universe of hackers, the line between good and evil intentions is often blurred. But the more we understand about the different types of hackers, their motives, and their tactics, the better we can prepare for, and prevent, future attacks.
Choose your hacker
It's true that some hackers are motivated by ethical or activist considerations, while white-hat hackers probe organisations' defences to highlight (and fix) security vulnerabilities. But let's be clear: cybercrime is a vast, multi-billion dollar industry, and businesses need to get a firm grasp on it if they have any hope of preventing future attacks.
In the UK alone, the cost to the economy is estimated at £27 billion, driven by lucrative and largely risk-free profits. For many individuals and hack-for-hire organisations, hacking is a long-term business strategy. You only have to look at the transcripts of the conversations between Conti Ransomware Group and their victims to see how they appropriate the language of business, referring to themselves as "customer service agents".
Strange as it may seem, hacking organisations worry about their reputation just as much as legitimate businesses. They want to encourage businesses to negotiate with them, and that requires maintaining at least a facade of morality.
Nation-state backed hacking campaigns, on the other hand, aren't motivated by profit. They operate legally in their countries of origin; their purpose is to protect national security interests (including espionage and the propagation of fake news). As such they're often resourced directly by governments.
But not always. BAHAMUT is one of the latest hack-for-hire organisations uncovered by BlackBerry and an example of a mercenary group that provides hacking outsourcing for governments. Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but BlackBerry researchers also revealed that BAHAMUT is behind several extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic/AV evasion tactics, and more.
The criminal mindset
It's one thing to know who hackers are, but it's just as important to understand how they think. And though there's no single criminal mindset, certain patterns of behaviour do crop up time and again.
For example, it is commonly observed that malicious actors target seasonal events, such as the Fourth of July, other national holidays, or major news events. These provide a perfect opportunity to strike when organisations' efforts are concentrated elsewhere.
We shouldn't be surprised, then, that the pandemic has provided the perfect breeding ground for cybersecurity attacks, as companies simultaneously dropped their guard and opened up new potential security vulnerabilities as they facilitated remote work.
Hackers are also keen students of human nature. For example, they understand that one of the best ways into an organisation is by exploiting people's curiosity. Phishing has become far more sophisticated in recent years, with increasingly plausible emails that look like they come from stakeholders and colleagues, surreptitiously luring recipients into clicking a link and giving attackers access to corporate systems. This has been a particularly successful tactic during COVID, with vaccine (mis)information a particularly compelling, clickable subject for phishing emails.
The human factor
Far too often organisations think about security purely in terms of systems and technologies. These are critical, of course, but we must never forget the role of people – both those within the organisation, and those trying to get in.
Organisations should be establishing a prevention-first security approach. This approach begins with understanding the nature of the threat, the motivations for those behind it, and the common tactics and patterns used by hackers. It also includes being aware of the vulnerabilities within the business, not least from employees.
The moral of this story is "know your enemy": organisations must first have a thorough understanding of their adversaries and appreciate that, for all the harm they do, they are human too.