Grandmothers, Gangsters, Guerrillas and Governments

I recently flew to Knoxville, Tennessee to visit Oak Ridge National Laboratory (ORNL) and deliver a talk at the 11th Annual Cyber & Information Security Research (CISR) conference. The title of my presentation and this blog – Grandmothers, Gangsters, Guerrillas and Governments – is an analysis of the four primary threat actor groups: insiders, cyber criminals, hacktivists and nation-states.

The legendary Gene Spafford and I. It was great to see him present on changes in security, from the first transistor developed at Bell Labs in 1947 to today.

Delivering a presentation on specialization within the cyber crime community.

This was a Department of Energy sponsored event. The attendees were primarily from federal civilian agencies or supporting those agencies so my focus was on the threats most relevant to civilian agencies. For those of you who are interested, here is a high-level summary of the presentation I delivered.

Grandmothers (insiders):

Insiders are the Grandmothers of threat actors – we trust them and often fail to identify them because they don’t look threatening. Indeed, insider threats do not always act with malicious intent. Just as often they are simply careless, or even exploited by external foes who hack their credentials to carry out larger, targeted attacks. In my presentation, I discussed the problem of identifying low-contrast threats with traditional security measures, which are unlikely to detect nefarious behavior by an insider who acts with legitimate credentials. This is especially relevant for privileged accounts. Vormetric published an insider threat report in 2015 citing that 93 percent of the survey participants felt vulnerable to insider threats and more than half stated that privileged user accounts are their highest risk.

Gangsters (cyber criminals):

Cyber criminals have now had decades to mature, build organized crime rings and specialize. Some examples of that specialization include: spammers, carders, bot herders, money launderers, document forgers and malware developers. I discussed the maturity of these cyber gangs. I also discussed the safe harbor that many cyber criminals receive from host countries by agreeing not to hack within that host country and to be available to assist with nation-state activities when called upon. The line that separates cyber criminals and nation-state actors in these countries is opaque.

Guerrillas (hacktivists):

I talked about some of the recent hacktivist operations and the power of having a fast and loose approach to crowdsourcing attacks. I also explored the very active hacktivist community in Latin America and how some of their attacks have evolved from cyber to physical attacks.

Government (nation-states):

Cyber war has emerged as an alternative to the traditional domains of war and conflict – land, sea, air and space. Generally speaking, nation-states can leverage cyber with the following advantages:

  • Cyber is inexpensive, anonymous and easy
  • Cyber compresses space and time unlike traditional weapons
  • Two of the areas where cyber offers strong capabilities, although not as definitive as a kinetic approach, are sabotage and espionage
  • Non-states and minor actors can also leverage cyber with or without nation-state support

Finally, we had multiple discussions following this talk about the critical role that security analytics plays in mitigating threats across all threat actors. For example, identity correlation, anomaly detection across users, applications and networks and visibility at the intersection point of data with users, clouds and endpoints are relevant to the mitigation of all threat actors. Today’s threat mitigation is all about context, but it must be the right context and that’s what security analytics delivers.
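To make the closing point concrete, here is a small, added Python example (not code from the talk or from any product) of the two techniques named above, identity correlation and per-user anomaly detection, run over constructed authentication events. The account-to-identity map, the log line format, the scoring weights and the threshold are all assumptions chosen for illustration; in a real deployment the identity map would come from an HR or identity-management export and the baseline from weeks of logs rather than a handful of lines.

```python
"""
Toy security-analytics pass over constructed authentication events:
1. identity correlation: fold several account names onto one person
2. per-identity baseline of hosts and login hours from a training window
3. anomaly scoring of later events, weighted up for privileged accounts
All data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed identity map: account name -> canonical identity.
# Assumption: a real deployment would load this from an IdM/HR source.
IDENTITY_MAP = {
    "jdoe": "jane.doe",
    "jane.doe@example.test": "jane.doe",
    "jdoe-adm": "jane.doe",      # privileged admin account of the same person
    "svc-backup": "svc-backup",
}
PRIVILEGED = {"jdoe-adm", "svc-backup"}

# Constructed log lines: "<ISO timestamp> user=<account> host=<host> result=<ok|fail>"
BASELINE_LOG = """\
2015-09-01T09:12:03 user=jdoe host=ws-101 result=ok
2015-09-01T14:40:11 user=jane.doe@example.test host=mail-gw result=ok
2015-09-02T10:05:44 user=jdoe host=ws-101 result=ok
2015-09-02T11:30:00 user=jdoe-adm host=db-prod-1 result=ok
2015-09-03T16:02:19 user=jdoe-adm host=db-prod-1 result=ok
2015-09-03T02:00:00 user=svc-backup host=db-prod-1 result=ok
"""
NEW_LOG = """\
2015-09-10T10:15:00 user=jdoe host=ws-101 result=ok
2015-09-10T03:22:41 user=jdoe-adm host=fileshare-7 result=ok
2015-09-10T03:23:05 user=jdoe-adm host=fileshare-7 result=fail
"""


def parse(line):
    """Parse one constructed log line into a dict with a resolved identity."""
    ts, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    # Identity correlation: score behaviour per person, not per account name.
    fields["identity"] = IDENTITY_MAP.get(fields["user"], fields["user"])
    return fields


def build_baseline(log_text):
    """Hosts and login hours seen per canonical identity in the training window."""
    hosts = defaultdict(set)
    hours = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        hosts[ev["identity"]].add(ev["host"])
        hours[ev["identity"]].add(ev["ts"].hour)
    return hosts, hours


def score_event(ev, hosts, hours):
    """Return (score, reasons). Higher means further from the identity's norm."""
    score, reasons = 0, []
    ident = ev["identity"]
    if ev["host"] not in hosts.get(ident, set()):
        score += 2
        reasons.append("new host for identity")
    if ev["ts"].hour not in hours.get(ident, set()):
        score += 1
        reasons.append("unusual hour for identity")
    if ev["result"] == "fail":
        score += 1
        reasons.append("failed auth")
    # Privileged accounts are the highest-risk insiders: double any deviation.
    if score and ev["user"] in PRIVILEGED:
        score *= 2
        reasons.append("privileged account")
    return score, reasons


def detect(baseline_text, new_text, threshold=3):
    """Score every new event against the baseline; return those at or over threshold."""
    hosts, hours = build_baseline(baseline_text)
    alerts = []
    for line in new_text.splitlines():
        ev = parse(line)
        score, reasons = score_event(ev, hosts, hours)
        if score >= threshold:
            alerts.append((ev["user"], ev["identity"], score, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_LOG):
        print(alert)
```

Running it flags only the two admin-account events on an unfamiliar host at 03:00, while the routine workstation login scores zero. The correlation step matters: because `jdoe-adm` is folded onto the same identity as `jdoe`, an admin login to a host that person already uses daily is not treated as novel, which is the "right context" the paragraph above refers to.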