When we talk about espionage, most thoughts would be of spies from old cold war flicks, infiltrating top secret government facilities to retrieve sensitive information capable of gaining an edge over each other. These traditional espionage techniques still exist and are employed all state intelligence agencies. However, advancements in information technology alongside an international progression towards getting all our data digitized, we are seeing an emergence of a new typology of espionage. Cyber Espionage.
Advancements in information technology currently excels in capturing and storing large quantities of data. This directly contributes towards expediting the most laborious step within the intelligence process, collection. As more organizations in both the government and private sector are digitizing their data, espionage operations can be executed without moving a single step out of an office building.
As technology continues to advance, hyperconnectivity, big-data and advanced machine learning has come to revolutionize how organizations operate. The same benefits can be seen in the intelligence community and with espionage operations. Moving forward, what are the four key things enterprises need to know about cyber espionage?
Know Your Adversary
The first thing enterprises need to know is about their adversary, as knowing thy enemy is the primary step towards securing your organizational operations. However, when discussing cyber-espionage is its constant association to state level threat actors. This classification may soon be obsolete.
With the recent number high-level data leaks containing sensitive information and digital toolkits once used by state intelligence agencies, many malicious groups or actors are rapidly upgrading their arsenal and strategies.
As a result, advanced cyber espionage is no longer reserved for traditional state level threat actors, operating on behalf of a government objective, organizations are also increasingly exposed to cyber-espionage conducted by hacktivists, patriotic hacker groups, and other criminal entities. There are even ‘hackers for hire’, where anyone can enlist the services of a professional hacker for a small monetary fee.
As more of society continues to familiarize themselves with technology, one should only expect malicious groups to adjust to the times and update their tactics. Whilst most enterprises focus on integrating new technologies and operational procedures, a similar amount of effort should be devoted towards learning about their own vulnerabilities.
Dissect the Threat
The second thing enterprises need to understand is about the nature of cyber espionage as a threat towards their overall cyber security. A key misconception about cyber-espionage is the over emphasis on the ‘cyber’ portion, and the lack of a holistic understanding about the threat itself.
Espionage will always be a human challenge, and whilst technology plays a critical role in the cyber-espionage process, most incidents are usually enabled through social-engineering campaigns that focus on exploiting human complacency. This problem however is not exclusive to cyber-espionage but is reflected across how cyber security is primarily understood by the general public.
To dissect the threat, enterprises need to understand that cyber-espionage is a complex process requiring expertise in multiple areas ranging from understanding human-behaviour to being capable of repurposing malicious software to achieve certain objectives. When seeking protection from cyber espionage, enterprises need to empower both the technological and human elements within their organization.
Securing your Foundation
The third thing enterprises need to know, is the need to secure the people and technologies, such as routers, that form the foundations of an enterprise’s structure.
In cyber-espionage operations, attackers might consider targeting the weakest links in an enterprise. As executives are broadly targeted, they might also have resilient security procedures or tools in place to ensure their survivability. Therefore, attackers might conduct social engineering campaigns on base-level employees, leveraging off their potential lack of cyber security awareness to gain an initial foothold into an organization’s network. When seeking to secure an enterprise from a cyber-attack, the organization framework is that of an inverted triangle and that you only need a singular employee – regardless of rank – to be compromised.
When securing your organization, enterprises need to secure both the technologies and the staff at the foundational level. This means ensuring that all levels of staff members are equipped with a secure mindset, and that pan-organizational tools/equipment are regularly maintained with updated security protocols.
Outside the Office
The final thing enterprises need to know about cyber espionage is that the campaign is not restricted to the organization’s human or technological network. Like conventional espionage operations, everything and everyone is fair game. What does this mean?
Attackers will do research on their intended targets, and when they fail to compromise their targets, they can always target their associates. Protection from cyber-espionage is not the sole responsibility of an individual or an organization, but of an entire community. Total security from cyber espionage is a joint effort across an entire community. Remember, just because your organization is secure does not mean ‘you’ are secure. Attackers might target partner enterprises or known clients with weaker security systems and utilise them as a trojan into your operational networks.
To ensure pan industry protection from social engineering, enterprises are encouraged to raise awareness among internal employees and close partners. Whilst technological assets can be protected with consistent patches and regular security checks, the only way to strengthen the human element is to raise awareness collectively.
Moving forward, the next step can be summarised into one phrase, be aware. Organizations can achieve this either through reviewing your organization’s security strategy to ensure that the four key areas are addressed, or to outsource key areas to professional cyber security organizations capable of providing a holistic security package of tools and services to address your vulnerabilities.
Cheng Lai Ki, CyberOps Consultant, Horangi Cyber Security technology