When looking to better understand the hacking community, there are a number of stereotypes and misrepresentations that run rampant amongst the OT security community. The danger here is that these outdated concepts can produce misguided defense strategies that often underappreciate the depth of a hacker’s knowledge, education, motivations and, perhaps most importantly, their resources.
So I’d like to offer a look at what I feel is the best outline of your current adversary on the industrial cybersecurity battlefield:
- They are not Kevin Smith from Live Free or Die Hard. This is not a disgruntled nerd in a hoodie typing away furiously from his or her mother’s basement. The industrial hacker is a professional, and usually part of a larger organization. They have bosses, a corporate structure and expectations that they must meet. You are not necessarily their adversary, you’re simply the next task on their agenda.
- They like money. While some of the attraction to the hacking lifestyle stems from the ability to be their own boss and not avail themselves to the normal corporate gig, most hackers choose this route for the economic benefits. With many originating from countries with fewer job options, or IT training for careers that couldn’t come close to matching their hacking pay day, their criminal activities have purely financial motivations.
- They are specialists. Some will focus exclusively on accessing your accounts or networks, i.e. initial access brokers. Others will focus on creating or delivering malware. There are phishing experts, Ransomware as a Service (RaaS) organizations, credential brokers and more. Just like any manufacturer with a similar go-to-market strategy, this specialization makes them incredibly good at their jobs and very difficult for law enforcement to identify, prosecute and shut down.
- Easier is always better. Remember, the hacker’s time is valuable, too. If your system is hardened enough, they will move on to a softer target. And unfortunately, the industrial sector has proven to be a target-rich environment. The ability to quickly infiltrate, extort and then dwell in the system to repeat the attack months later has made the industrial sector extremely popular. Also, because they know you have to get up and running as quickly as possible, they go back to the well as frequently as possible, i.e. the constantly increasing frequency of ransomware attacks and the escalating amount being paid each time.
- They will lie. You have to appreciate the approach of many RaaS groups. Once the attack has been initiated, the customer service segment of the business will send you a note laying out the process and ensuring access or keys for encrypted data will be provided without any further or nefarious actions. While this is yet another impressive area showcasing the level of sophistication and specialization of the hacking community, a well-scripted, even-toned communication should not provide reassurance of their honesty. There are countless reports showing that less than half of these “guarantees” are actually realized.
The goal in sharing these observations is not to further frustrate, scare or criticize the industrial sector’s cybersecurity plans. Rather, we need to continue to have these conversations and share our knowledge about vulnerabilities, hacking groups and the hackers themselves in order to continue the impressive levels of improvement that have been realized over the last five years. At the end of the day, we need to know ourselves, our environment and our enemies, but they certainly know you.