Tim Grieveson, chief cyber strategist at HP, also gave a lecture at IP EXPO 2015. There, he predicted that 2016, this year, would be the year of the industrial control attack. That prediction has at least borne some fruit, if the BlackEnergy attacks in Ukraine are anything to go by.
He did the same at IP EXPO 2016, saying today/yesterday that 2017 would be the ‘year of the data bandit’.
No longer, said Grieveson, would the illicit data market be so reliant on the sale of massive tranches of data clawed from breaches on large organisations.
He told SCMagazineUK.com that, “The bad guys have changed their mode of operating from stealing individual pieces of data to actually packages of information about an individual”.
More and more, cyber-criminals would be attempting to piece together detailed individual profiles, drawn from multiple sources and thefts, allowing their customers to thoroughly exploit the identities of the victims.
“The bad guys will start to target individuals as opposed to organisations. Organisations are getting better, so why don't they attack that CEO in their personal life. For example, social engineering of their children, of their wife, where do they go to play golf, which car do they drive?”, he added.
It's not hard to imagine the reasons for this migration. A full dossier on the CFO of a Fortune 500 company is surely more valuable than the chaotic mess of partial details so often on offer on dark web marketplaces.
By doing that, said Grieveson, “and packaging it up they are increasing their likelihood of selling it and their margin to sell it. So I think it changes the mode of how we have to think as a security person to protect and value and understand the data so you can actually protect it.”
This is all just part of the nascent sophistication of cyber-crime. Increasingly, hackers are not acne-ridden recluses, but suited and booted professionals, with all the business savvy of those they're trying to exploit.
In the last few years, we've seen ransomware outfits with support departments, generously helping their victims pay to get their data decrypted. Like any business, they want to limit risk and maximise profit.
For defenders there is often “an artificial barrier between technology and security at the moment because we don't talk the same language”, Grieveson told SC.
Considering the adversaries are no longer paying heed to that artificial barrier between business and technology, it seems strange that defenders should as well:
“Stop talking about technology and start talking about value”, added Grieveson. Security teams will need to learn how to break that down for executives and board members. Arguments about cyber-security, especially when pitching for more budget, should be positioned as arguments about business risk.