At RISKWORLD 2023: More Than Just a Black Hoodie — What Organizations Are Up Against When It Comes to Hackers
When picturing the typical hacker or cyber bad actor, we tend to imagine a faceless person donning a black hooded sweatshirt, perhaps hunched over a computer. This image has become ingrained as the standard when thinking about hackers, but it couldn’t be further from the truth.
“For hackers, this is their business and their livelihoods; this is how they feed their children,” said Joey Sylvester, area senior vice president with Gallagher and a 2020 and 2022 Risk & Insurance® Cyber Power Broker.
A hacking business operates just as any legitimate business would. Hackers have quotas they must meet — at the expense of the systems they will ultimately breach.
“They’re constantly innovating, finding new, interesting ways to exploit vulnerabilities, compromise systems and get money,” Sylvester said.
Sylvester, along with John Lundgren, CEO and cofounder of BreachBits Inc., discussed the thought processes behind a bad actor’s attempt to hack into a company system — and how to thwart any type of attack — at this year’s RISKWORLD conference.
The session, entitled “Ransomware Postmortem: The Anatomy of a Cyber Breach,” brought attendees through the mind of a hacker, how exactly they play on the weaknesses of their targets and what companies can do to avoid suffering losses.
Hackers: They’re Just Like Us
For companies and businesses to truly understand how they can defend themselves from cyber threats, they must first step into the mind of a hacker. Luckily for attendees, Lundgren served as the portal into the inner recesses of a hacker’s brain.
Lundgren’s company, BreachBits Inc., was formed to research and understand the technologies hackers use every day in order to help companies discover which cyber risks were most prominent for them.
“Most of my experience has been thinking, acting and working from an attacker’s standpoint,” he said.
Lundgren then touched on the importance of understanding the enemy: “[Companies] need to know where [the hacker] is coming from in order to use that information against them.”
What can be striking to know about the operations of hackers is that they function according to an organizational structure similar to that of any other company. They follow a very standard business model, according to Lundgren, in which there is a hierarchy of positions that are goal- or metrics-driven.
In fact, hackers can work during normal business hours, be offered compensation packages and even complain about their bosses and colleagues in Teams chats. Sound familiar?
Sylvester interjected to note that the business model hacker organizations follow proves how sophisticated they actually are. It’s not as simple as the faceless persona in a black hoodie.
“[Companies] aren’t up against just one person; they’re up against an entire industry,” Sylvester said.
And because hackers believe that a company’s insurance policy will cover any loss from a breach of security, they view infiltrating a company’s systems as a “victimless crime,” Lundgren said.
The Attack Cycle
Before a hacker jumps on the next task on their to-do list, it is important to distinguish what their motivations could be. In many cases, a hacker’s motivation will stem from financial gain, but there could be times in which breaching an organization’s systems could take place for strategic reasons.
Lundgren then broke down what he referred to as the attack life cycle that hackers will use to conduct their jobs successfully.
To start, a bad actor will target an organization, or their “customer.” To find an optimal target, hackers will begin by reviewing organizations’ revenues, recent acquisitions or big investments. They’ll also investigate, looking for opportunities that will allow them to infiltrate an organization’s systems.
Then, a hacker will transition to the reconnaissance phase.
“What they’re looking for here are attack or threat vectors,” Lundgren said. “It’ll be a combination of an opportunity [to attack] that you’re presenting to this group, where they can pair that with the capabilities they have.”
Once a hacker organization has completed the reconnaissance step, the “easy” work begins. They’ve found a way into a company’s systems, and they’ll want to ensure that they can maintain their access.
To do this, a hacker will install malware onto the hacked company’s server so that information can be shared between computers. Lundgren said that, often, hacker organizations are merely using malware code and capabilities that are free and open to the public.
“These organizations have margins; they’re trying to maximize their profit while limiting their expense,” Sylvester said. “So, the really cheap thing to do is send a phishing email and use an exploit that they can download from a dark web forum.”
Once a hacker has initial access and establishes their foothold, they increase their account privileges, which allows them to access the information and data that would hurt a company, should it be released. They continue to expand their access until they achieve their objective, which is typically extorting a company’s information for ransom.
“[A hacker] is not going to try and extort [a company] for ransom until they think they’ve achieved that leverage imbalance, or they’re going to fake it,” Lundgren said.
Once a hacker has achieved their goal and met their quota, the attack life cycle begins again, searching for its next customer.
How to Ruin the Hacker’s Day
Hacker organizations are smart — there’s no two ways about it. But it’s imperative that companies can readily prevent or fight off any bad actor attempt.
Sylvester discussed how organizations can do just that.
“[Hackers] are constantly innovating and finding new ways to exploit vulnerabilities,” he said.
“There’s no system that is 100% secure, but there are a lot of very simple basic hygiene steps that [a company] can take to thwart a large majority of attacks.”
As mentioned, a main priority for a hacker is to keep their expenses low. To be an unfavorable target, Sylvester raised the notion of becoming an expensive target.
Sylvester noted a slew of methods a company can use to protect itself prior to a breach, and perhaps to prevent one altogether. These tactics included performing risk assessments, investing in controls that will disrupt a hacker’s progress and educating team members so they can help do the same.
Establishing and practicing a plan to enact in the event that a breach does occur, Sylvester said, is the optimal path to take. Alerting authorities such as the FBI and CISA after a breach is also advisable.