No matter how much the threat landscape changes, one constant remains: the people. When you hear about hackers or nation state actors, they are portrayed either as technical wizards doing things no normal human can, or as mysterious shadowy figures like those in fireside tales about the Men in Black. The unfortunate effect of this glamorization and mystification of malicious actors is that we tend to forget that behind these attacks are real people with real motivations and real lives.
It is easy to get caught up in the hype around the latest technology and the latest vulnerabilities in that technology, but it is vital to remember that the technology is only a tool that helps people accomplish their goals. Malicious actors aren’t just “out to get you”; they have motivations and goals they are trying to achieve. These goals vary from individual to individual, but most malicious attacks are carried out for reasons as old as time: financial gain, revenge, or discrediting rivals. Even nation state actors have goals we can understand in human terms: to further their own nation’s place in the world and to weaken their enemies. Whether that is done by introducing malware that damages nuclear centrifuges (Stuxnet) or by building an army of bots and weaving a web of disinformation (Russian election interference), the motivations become clear once you consider the people behind the operation and what they hope to accomplish.
This matters because, when malicious actors attack organizations, they actively consider the people in place and their individual motivations, and they leverage any personal information they can find when building attack campaigns. Are people more likely to open an attachment in an email from Bob274373982, or in one claiming to be from the IRS that says they owe money? This is one reason IRS scams are so popular every tax season. Does a developer really want to enter credentials every time they test an application? Of course not, so they come up with shortcuts: hard-coding credentials, passing credentials in automatically, or even removing authentication altogether while testing. This isn’t something most people think about when they are just trying to do their job, but it is exactly what malicious actors consider while planning and executing an attack.
Fortunately, technology has come a long way in counteracting human weakness when it is used properly. Tools that look for hard-coded credentials in source code before the code is published can reduce the risk of a developer’s shortcut opening a security hole. Email filters and anti-phishing software can stop IRS scams from reaching employees in the first place. There are solutions that, when implemented properly, mitigate the risk presented by an organization’s untrained personnel.
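As an added illustration of the kind of pre-publication check described above (this is example code written for this post, not a product or tool the post names), the scanner below flags the developer shortcuts discussed earlier: quoted credentials assigned in source, an AWS-style access key ID, and an authentication bypass flag left switched on. The rule names, patterns and the sample source are this example’s own constructions; the key ID uses AWS’s documented EXAMPLE suffix and the password is made up.

```python
import re

# Rules a pre-commit hook could run over staged source. Names and patterns
# are this example's own choices, not those of any particular tool.
RULES = [
    # quoted literal assigned to a credential-like name: DB_PASSWORD = "..."
    ("hardcoded-credential",
     re.compile(r"""(?i)\b\w*(password|passwd|pwd|secret|api[_-]?key|token)\w*"""
                r"""\s*[:=]\s*["']([^"']{6,})["']""")),
    # AWS access key ID format
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # authentication bypass flags left enabled for "testing"
    ("auth-disabled",
     re.compile(r"(?i)\b(skip|disable|bypass|no)_?auth\w*\s*[:=]\s*(true|1|yes)\b")),
]

# Constructed sample of lines a developer might commit after taking
# the shortcuts described in the post. None of these are real secrets.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
DB_PASSWORD = "hunter2-prod-2019"
api_token = os.environ["API_TOKEN"]
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
# TODO: remove before release, we are skipping auth locally
SKIP_AUTH = True
"""


def scan_source(text):
    """Return (line_number, rule_name, stripped_line) for each line a rule matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
                break  # one finding per line is enough to block the commit
    return findings


def passes_gate(text):
    """What the hook enforces: the commit is allowed only when nothing is flagged."""
    return not scan_source(text)


if __name__ == "__main__":
    for lineno, name, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {line}")
    print("gate passed" if passes_gate(SAMPLE_SOURCE) else "gate failed")
```

Reading the secret from the environment (line 3 of the sample) is deliberately not flagged, which is the behaviour the check is meant to encourage.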
Attackers have a very effective weapon in their arsenal when planning and executing attack campaigns, and it is nothing technical: they constantly consider and plan around the human element. That doesn’t mean the attackers are immune to human shortcomings, however. When designing an organization’s security strategy, it is important to think about the potential threats to your organization and what their motivations might be. This helps an organization better understand both how it might be attacked and how to secure itself against that attack. In part two of this series we will look at the human side of the equation from a defender’s perspective and how it fits into an overarching security strategy.