The expert view: Inside the mind of a hacker
30 May 2017
Just days after the WannaCry ransomware attack infected hundreds of thousands of computers across the world, security experts from a range of industries gathered for a Business Reporter Breakfast Briefing at London's Savoy Hotel. The meeting was held under Chatham House rules but what follows is a summary of the discussion.
The ransomware worm locked computers, threatening to delete their data unless the owner paid a ransom. "I was working all weekend," said one attendee, whose team was called in shortly after WannaCry struck. He said his company had not been affected by the attack but he had to check everything, just in case.
"If people want in, they are coming in via one means or another," said Lee Meyrick, of Nuix, the company that sponsored the briefing. He said that WannaCry was a good illustration that what motivates most attackers is money.
Attendees agreed that money was the main motivation of most hackers, who are becoming increasingly well organised. As with most criminals, one attendee said, hackers will target the most vulnerable, so it is important to maintain a sufficient level of defence.
Not all hackers are driven by financial gain. State-sponsored hackers seek to compromise infrastructure or map possible weaknesses. Then there are 'hacktivists' who believe they are doing good but, some attendees believed, can potentially cause more problems by weakening the system.
One key to defending your business is to understand the type of adversary that you face. For example, said one attendee, many attackers are driven by a grudge. They could be former, or even current, employees who feel that they have been mistreated.
But to get inside the mind of the attacker takes more than just understanding what kind of person might attack you. It also means taking stock of what they might be after. What are the things you don’t want to lose? Are you most at risk from intellectual property theft? Is reputational damage worse? Or is your biggest concern still financial loss? Your answer will affect the kind of attacks you could face.
One attendee pointed out that many businesses tend to regard IT threats as a single block and attempt to de-risk them as a single block. That’s not always appropriate, since the threats can be quite varied.
The situation is further complicated by the pace of change. In many areas of business, the risks have been the same for decades and they are likely to remain so. However, technology risks change very quickly, which adds to the difficulty when trying to keep decision makers up to speed.
Can you communicate these risks to the board? A CFO in attendance said that he had always felt that the “unknown unknowns” of cybersecurity were quite small but he was coming to realise that they were not.
A CTO at the meeting said that being able to speak the language of the CFO and CEO was one of his most important skills. Another added that his organisation would like to separate the IT and security functions and have both report to the board but had not been able to find someone with security expertise and the necessary communication skills.
Those aren’t the only skills needed within IT. The industry is, as one attendee put it, “embarrassingly male”, and that’s just one area where it is lacking in diversity. He argued that having a diverse team is one way to increase the security of your organisation, because homogeneous teams tend to think in the same way. Part of getting inside the mind of a hacker means thinking differently.
For one attendee that’s a good reason to hire staff from a wide range of backgrounds. He said that arts graduates often look at technical problems from a different perspective. Another said that, for the same reason, many of the best people in the IT security field tend to be on the autistic spectrum.
“Some people, when you think they will go left, go right,” said one attendee. “But the best people are the ones who, when you think they will go left, do something entirely unexpected. It’s like they’ve decided to turn into a rabbit. When you ask them what gave them the idea to do something so strange, they’ll say that it never occurred to them that they couldn’t.”
Finding people with this kind of lateral thinking skill is not easy, however. The best people in IT security are expensive and, because they like a challenge, tend not to stay in one place for very long.
Unfortunately, the hackers like a challenge too, which is why they keep prodding your defences in search of a weak spot. There is no one way to get inside their heads but a smart organisation will think carefully when planning its defences.