“Understand what a criminal is looking for, why they're going to attack you. Is it because of status, cash, ideology? Understand who the attackers are, why they're attacking you, what they're looking for, information access, data cache. And then you'll understand the persistence of the attack. You'll understand what you need to do to design security to deter that type of attack.” - Brett Johnson, Shadow Crew, the first organized cybercrime community. “Scale To Zero” Episode 2.
Several members of TM Connect and I have had this long-running conversation (really, disagreement): Must we understand attackers or not? Mr. Johnson, former and foundational attacker, clearly validates my position that attacker knowledge is essential to understanding the following:
- Attack surfaces
- Lateral movements (steps of the attack towards attacker’s objectives)
- What will be compromised and how (not every successful attack ends in a data breach; consider botnets)
- Rating impacts properly
Take for example a diversity training platform that does not require financial information. There’s some sensitive personal information (PII), sure. Names of customers. Company trade secrets. All obvious.
But when we think about potential attackers for this very specific case, should we also consider those who fight to create monocultures? Fascist activists who despise all talk, certainly any training that might involve exploring minority disadvantage, systemic racism? One of these activists’ explicit goals is to create their supposedly “pure” region and government. Are they going to allow an alternate viewpoint to exist, much less teach and advocate?
I would argue, “absolutely”: one must know one’s potential attackers. The attackers I just described may have little interest in any of the obvious targets (impacts). DDoS will not be enough, I suspect.
Know your attackers!
Perhaps I dare to open one of TM’s nastier cans of worms? Let’s go for it!
Knowing your attackers is not the same as knowing all the attackers. If we take the very specific case you present about DEI classes/training and change the organization to an outspoken transphobic group, the attack vectors, complexities and vulnerabilities all stay the same, but the attackers change.
In this way, I think it’s important to know who’s out there and what they are willing to do -- are they a DDoS nuisance looking only for attention and disruption or are they suicide attackers looking to expel as much damage as possible with little/no regard to themselves?
I think you make a good case for knowing what’s out there, but I’m not sure it opened any worms. There is always a chance for another 9/11 but is it our biggest threat and where our TMing should start/focus? I’m not so sure. It’s good awareness, it makes a good TMer better, but even if you knew nothing of the possible attackers, knowing the attack methods, vulnerabilities, capabilities and how to prioritize them is much more important, IMO.
Thanks for the thought exercise (even if I disagree). r/
I would argue that knowing something about your attackers (not attackers in general, but those who have an interest in the system to be protected) provides important, perhaps critical dimensions to priority.
Let me unpack how attacker knowledge affects risk, which then affects priority.
Considering targeted nation-state vs. cyber crime, these operate at vastly different frequencies of activity, with a huge difference in effort. For criminals, “time is money”, while nation states have resources, persistence, and patience. Really quite different. If any nation-state cyberwar effects are entirely collateral (we’re all potential collateral damage), maybe I can disregard well-resourced, sophisticated attacks in favour of raising the cost of compromise high enough that criminals “try the site next door”?
Understanding the difference between botnet renters, XSS misusers, and hacktivists who want to disrupt a system’s functions allows me to think through various frequencies of attack, differing sophistication, skill, and effort, which will lead both to better prioritization and to aligning defence with need.
It’s all about valuable input into that risk rating, which, in the absence of actuarial tables, needs as much data as it can get, in my experience. Prioritizing must be based upon whatever risk rating we can manage in a world of incomplete, usually poor quality information.
Can’t defend against everything; can’t close every vulnerability.