From the ideologically motivated hacktivists invested in the downfall of terrorists and white supremacists to the disgruntled revenge-driven ex-employees that sell proprietary information to competitors, to the state-sponsored groups bent on collecting intelligence and crippling infrastructure, it can prove immensely difficult to defend against a group as diversely motivated as the cyber attackers. This is because when we consider who are possible targets, the answer would be everyone. And while that is true, not everyone is equally likely to be targeted.
In order to distill what makes a good target, we have categorised cyber attackers into 2 broad groups:
1. Likely targets for those with a specific target
The first group of cyber attackers choose their targets based on personal vendetta. In this case, the choice of target has already been set in stone but there is still more to consider. If the target has particularly good cyber defence, any enterprising cyber attacker would inevitably look for another attack route, which is usually by attacking the target’s weakest link.
This is possible because there is nary an enterprise that can operate in complete isolation. Through the production and delivery of products and/or services, every organisation is inevitably part of a supply chain, sometimes multiple. Given that supply chains rely on the synchronised movement of hundreds of interrelated parts, even a minor disruption can have severe cascading effects on several organisations and the critical infrastructure they support.
Among the many possible targets in a highly intricate and interconnected global supply chain, we posit that the most striking target of all would be those who can be used as a conduit to infiltrate all their clients and partners, otherwise known as managed service providers (MSPs).
An MSP is a third-party that specialises in the provision of select services that businesses may want outsourced. Given their business model, MSPs are inherently highly interconnected organisations whose security failures would give cyber attackers ample leverage with which to bargain, to have their demands be met, all while expending the least resources possible.
2. Likely targets for those without a specific target
The second group of cyber attackers tend not to discriminate; every target is fair game. However, prime targets are organisations that offer the least resistance and whose service failures will inevitably create maximum disruption. By that, we are referring to organisations that are highly interconnected (as explored above) and have a weak cybersecurity posture.
The more vulnerable an organisation is, the less resistance it offers, which in turn greatly improves the chances of success for the attacker. Hence, when presented with multiple potential targets, the least well-defended one will be the first choice nine out of ten times.
This also means cyber attackers may not always choose to go after large organisations. This is because organisational size, in itself, is not a reliable indicator of attack likelihood. Although large organisations typically have deep pockets and can offer bigger payoffs, there may in reality be less successful attacks on large corporations due to their vigilance.
A more fruitful endeavour might instead be to launch mass-impact attacks on a large number of small and medium enterprises – dubbed “low-hanging fruit” due to them being easy prey with fewer resources and less experience in dealing with cyber threats – extorting amounts so small that they are either unnoticeable or inconsequential from each one so the repercussions and scrutiny are kept to a minimum.
However, regardless of size, all organisations – but especially those without any cybersecurity controls in place – could unwittingly fall in the line of attack of random cyber attackers who are simply blindly shooting their shot.
With access to just as many – if not more – scanning and analysis tools as security teams, cyber attackers now have the ability to sieve through various potential routes of entry into a prospective victim’s network. This has been made possible through publicly accessible portals like MITRE ATT&CK and Shodan. For instance, although the latter is officially a search engine for Internet-connected devices, it also lists insecure internet-connected devices.
As Thornton-Trump, an ITIL certified IT professional with 25 years of experience in IT security, so succinctly puts it, “[s]howing up on Shodan with a whole pile of vulnerabilities… is the ‘hit me’ sign of InfoSec”.
Another avenue through which cyber attackers might obtain intel on their target is to glean the data and metrics provided by cyber ratings software which are commonly equipped to flesh out exploitable vulnerabilities such as at-risk open ports, patching cadence, and the like.
In this article, we delved into the factors that determine your attractiveness as a target from a cyber attacker's perspective. Even though any organisation that conducts business online, stores data, or simply uses computing devices to manage their business is at risk of attack, enterprising attackers would understandably prefer targets that require them to expend as few resources as possible and that give them the biggest payoff for the least amount of risk.
Even if your organisation has a strong posture, that is no security guarantee. Often, your downfall may be one of your less vigilant collaborators. By taking care to consider who you work with and adopting risk mitigating steps to reduce your attack surface, you can make the target on your back that much smaller.
Get empowered to make smart, well-informed decisions about your third-party risks with IMMUNE, an AI-powered, automated centralised supply chain risk management system. Built on a third parties risk management framework, IMMUNE will guide and aid your team to ensure that the third parties you collaborate with do not threaten the cybersecurity of your organisation’s digital ecosystem.