“Understand what a criminal is looking for, why they're going to attack you. Is it because of status, cash, ideology? Understand who the attackers are, why they're attacking you, what they're looking for, information access, data cache. And then you'll understand the persistence of the attack. You'll understand what you need to do to design security to deter that type of attack.” - Brett Johnson, Shadow Crew, the first organized cybercrime community. “Scale To Zero” Episode 2.
Several members of TM Connect and I have had this long-running conversation (really, a disagreement): must we understand attackers or not? Mr. Johnson, a former and foundational attacker, clearly validates my position that attacker knowledge is essential to understanding the following:
- Attack surfaces
- Lateral movements (the steps of the attack towards the attacker’s objectives)
- What will be compromised and how (not every successful attack ends in a data breach; consider botnets)
- Rating impacts properly
Take for example a diversity training platform that does not require financial information. There’s some sensitive personal information (PII), sure. Names of customers. Company trade secrets. All obvious.
But when we think about potential attackers for this very specific case, should we also consider those who fight to create monocultures? Fascist activists who despise all such talk, certainly any training that might involve exploring minority disadvantage or systemic racism? One of these activists’ explicit goals is to create their supposedly “pure” region and government. Are they going to allow an alternate viewpoint to exist, much less be taught and advocated?
I would argue, “absolutely”: one must know one’s potential attackers. The attackers I just described may have little interest in any of the obvious targets (impacts). A DDoS will not be enough for them, I suspect.
Know your attackers!
Perhaps I dare to open one of TM’s nastier cans of worms? Let’s go for it!