The research phase
It is no use spending huge amounts of resources, time and money on a cyber-attack when there is nothing to steal. Automated attack systems that flood the Internet may get lucky, but they are normally only the first level of attack. In most cases, an attack on a business or industry is premeditated and planned.
The research component is what the criminals use to “case” the target. Typical research will start with information from the company website: what they do, what they manufacture, whom they employ, and whether anything of interest is there to be stolen.
The next thing to investigate will be the people: who they are and what position they hold. This is where social media comes into it—the digital version of dumpster diving. The older generation are more cynical about social media and less inclined to put their life story on a Facebook page, but anyone under 25 generally has their life’s history as a show and tell to the world.
Finally, there are the systems that the organisation uses to do what they do (like electronic communication and storage). Once again, the bad guys are looking for vulnerabilities. And once again, in most cases we help. They can learn basic information about what email system is used, what database system is used, or what website system is used. They use simple scanning software to do this.
Initial attack phase
Once they have all of the information generated in the previous phase, they tie it into an attack strategy. They need to know what information they’re trying to get, and what form of malicious software they will use to get it. They then figure out the tactics to get their attack systems inside the defensive perimeter. Once again, they have a number of ways of doing that.
These methods will include targeting individuals through email, targeting organisations through watering holes (popular sites that are used by members of a certain industry), or targeting vulnerabilities through straight-out hacking. The attack phase is about getting in without being noticed. It doesn’t always work, but out of a thousand organisations attacked, it takes just the one attack that goes unnoticed to produce a success. When that happens, the old adage of “the system is no longer yours” really comes into play.
“Look what we have found” stage
That one thousandth online attack system that has not been discovered is now doing its job. It is looking at the organisation and sussing out where all of the juicy information is. This includes financial information, intellectual property, and personally identifiable information on your clients, users, staff and management.
Once they discover this information, they go back to planning for the next two stages: getting the information, and getting out without being discovered.
“What do we want to steal” stage
Prior to this stage, nothing has been stolen and nothing has been removed from the system. That’s good, but this phase takes the theft from the hypothetical to the reality of “everything is about to leave.” In most cases, the information is copied or flagged as information that is going to be stolen.
During this stage the organisation’s critical data could be copied to another location within the business ready for extraction. The entire operation might have taken 12 months to get to this level, but this phase will go down in a matter of hours. The goal of removing that valuable information is what has made the organisation a target.
Data out stage
They have got in unnoticed, determined what needs to be taken, and organised it so that they know where all that information is. The final phase is to get the information out.
There are three ways they can do this.
- They remove the information very carefully. They raise no flags that the information has been removed, and they leave themselves access to the systems for another attack. It could take weeks before the loss of intellectual property is discovered. An Australian company had their IP stolen, and it wasn’t until replica equipment started appearing three to six months later in their warranty runs that they realised that the IP had been stolen.
- They get out as fast as possible without worrying about getting intercepted.
- They go out with a bang, remove the information and then crash the system to cover their tracks.
It can take hundreds of hours to recover from a crashed system, and in most cases the bad guys will have ensured that a full recovery of the system is very difficult. This makes it hard to discover what really happened.
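The three exit routes above all leave the same trace on the network: an unusual amount of data leaving a host, often outside working hours and often to a single destination. The following is an added example, not code from the article, of the kind of simple outbound-volume check a defender can run over per-connection logs. The log format, host names, destinations and baselines are all constructed for the example; a real deployment would learn the baseline from several weeks of history.

```python
"""Flag hosts whose outbound traffic looks like bulk data removal.

Added example, not from the article. Input format (constructed): one event per
line, whitespace-separated: ISO timestamp, source host, destination, bytes sent.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for one day (hypothetical hosts and destinations).
# The last two lines model a bulk copy out of the network late in the evening.
SAMPLE_LOGS = """\
2024-03-04T09:12:01 ws-finance-07 cdn.example-vendor.net 48213
2024-03-04T09:40:33 ws-finance-07 mail.example.com 120551
2024-03-04T10:05:12 ws-eng-03 repo.example.com 20400
2024-03-04T11:02:10 ws-eng-03 repo.example.com 30100
2024-03-04T22:17:45 ws-finance-07 203.0.113.55 1873092011
2024-03-04T22:19:02 ws-finance-07 203.0.113.55 1499000000
"""

# Constructed baseline: typical daily outbound bytes per host. Hosts missing
# from the baseline are treated as zero, so any traffic from them is reported.
BASELINE_BYTES = {"ws-finance-07": 200_000, "ws-eng-03": 60_000}


def parse_log(text):
    """Turn raw lines into (timestamp, host, destination, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return records


def flag_exfiltration(records, baseline, ratio=10.0, business_hours=(8, 18)):
    """Return a list of (host, reason, bytes) findings.

    Three independent rules, each of which matches one of the exit patterns
    described in the text:
      volume             - the day's outbound total exceeds ratio x baseline
      off-hours          - more than half of the day's bytes left outside
                           business hours and that amount exceeds the baseline
      single-destination - one destination absorbed more than half of the
                           day's bytes and that amount exceeds the baseline
    """
    totals = defaultdict(int)
    off_hours = defaultdict(int)
    per_dest = defaultdict(lambda: defaultdict(int))
    start, end = business_hours
    for ts, host, dst, nbytes in records:
        totals[host] += nbytes
        per_dest[host][dst] += nbytes
        if not start <= ts.hour < end:
            off_hours[host] += nbytes

    findings = []
    for host, total in sorted(totals.items()):
        base = baseline.get(host, 0)
        if total > ratio * base:
            findings.append((host, "volume", total))
        if off_hours[host] > base and off_hours[host] * 2 > total:
            findings.append((host, "off-hours", off_hours[host]))
        top_dst, top_bytes = max(per_dest[host].items(), key=lambda kv: kv[1])
        if top_bytes > base and top_bytes * 2 > total:
            findings.append((host, "single-destination", top_bytes))
    return findings


if __name__ == "__main__":
    for host, reason, nbytes in flag_exfiltration(parse_log(SAMPLE_LOGS), BASELINE_BYTES):
        print(f"{host}: {reason} ({nbytes:,} bytes)")
```

The check is deliberately coarse: a 10x multiple of a learned baseline catches the "get out as fast as possible" pattern, while the off-hours and single-destination rules are what tend to surface the slow, careful removal that the text says can go unnoticed for months. Tuning the ratio and the business-hours window to the organisation's own traffic is what keeps the alert useful rather than noisy.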
So what can you as an organisation do to protect yourselves?
- At the basic level, set up Google alerts for your business name (you should already have that working for your marketing), educate and train your people, get management buy-in that cybercrime is a problem, and patch your systems.
- At an intermediate level, look into a security audit and follow the required practices to get your business to the required level of protection.
- At an advanced level, invest in technology and high-end administrator training.
This is all an investment in looking after your organisation’s data. A compromised system will not only allow for the information to be stolen, but will have devastating effects on the trust level of your business. No trust translates into lack of clients, drops in revenue, profits and investment, and huge cash-flow problems.
Would you invest in a company that is not going to protect your information? Neither will your customers.