I really don’t like blaming all IT-related intrusions on “hackers”. The elaborate ones aren’t just some kid that’s figured out how to do a ransomware scam. They’re run by criminals and spies, or a mix of both. Being attacked by just hackers has a bit of comfort implied in that wording – hackers only use computers, right? They’re people with poor social skills that never break out of that stereotypical mold, right? But to say that criminals or spies were involved means that the attackers have a wide range of tools at hand to get what they want. They’ll engage in blackmail, murder, deception, all that criminal and spy stuff along with the IT-related intrusions as part of a comprehensive program to gather information.
These guys have zero intention of compromising the target beyond what is needed to gather information. They prefer that there be no ransomware or worm taking things down. They want five nines of uptime as much as the CEO does. They penetrate deep into a network and they require more than just an IPS or DLP in place to keep them from taking secrets out. They need some really paranoid thinking on the part of the target’s employees to minimize what they’re able to gather.
To that end, I’m going to recommend two videos from YouTube about counterintelligence.
Take a look at https://www.youtube.com/watch?v=xbf2I5ObTrk. It’s a little harsh, I agree, but it’s also meant for combat. All the same, it sets up a mindset I’d like users in general to have in regards to security. Don’t write down passwords. Don’t send information over unencrypted, unsecured channels. Don’t think for a minute that LinkedIn and Facebook aren’t unencrypted, unsecured channels. Stuff like that.
Another video at https://www.youtube.com/watch?v=27qMsUxmHyo about tracking down and gathering information in a counterintelligence operation. It’s not just a matter of stopping the spies: it’s a matter of making sure that they don’t continue to penetrate one’s organization. If a firewall stops an attacker from getting in one way, it’s not necessarily a success. It just means an attacker will try to find another way in.
Real security is never thinking that the bad guys have given up and walked away. Some will, sure. But the rest? They’re always there, watching and probing. Real security means always watching and maintaining OPSEC.