Sunday, July 21, 2024

Why The CISO, And Not The Employee, Is The Weakest Link

On Friday, in the early morning hours, the world woke up to what will quite possibly be the world’s largest Cybersecurity breach ever.  Many Cyber pundits are merely calling it a “large scale outage”, but in my humble view, I think it was a security breach.  Why do I say this?  It is too eerily close to the SolarWinds attack.  Just one vulnerability was exploited, and from there, it had a cascading effect on over 1,000 victims, ranging from the smallest of the SMBs to the Fortune 500 to even the Federal Government.

So of course, a lot of finger pointing has been going around, and unfortunately, it was Microsoft that took the brunt of the blame for it.  However, this is far from the truth.  Microsoft is a client of CrowdStrike, and is heavily dependent upon their services to actually work right for the gargantuan Azure Cloud Platform.  But in the end, somebody will have to take the fall for it, and only a thorough investigation will reveal that.

What happened Friday is also directly related to another hot button topic in Cybersecurity today:  The notion that employees are the weakest link in the security chain.  I will share my views about this at the end of the blog.  But it is true, ever since the COVID-19 pandemic, the need for security awareness training has never been greater.

Many people have written blogs, articles, whitepapers, and even books as to what makes a great security awareness training program.  But it all comes down to three things:

*The training has to be made interesting so that the audience will remember what they have learned.

*It has to be specific to the department, job title, or what roles the employee does on a daily basis.

*There has to be follow-up to make sure that employees are applying what they have been taught.

For this blog, I will focus on the last one.  I know of companies that, after having given a training program on Phishing, will actually launch a mock Phishing exercise to see how many employees have fallen prey to it.  For those that do, a warning or a slap on the wrist is usually given, and then it is forgotten about.  But that is often where the failure starts.  For these employees, a further, personalized approach needs to be taken.

Here are four tips to get started with this:

1)     See what the employee is doing wrong:

Don’t simply bring him or her into your office; it will be much more intimidating for them.  Rather, take a very friendly, casual approach, such as taking a coffee break, or even take the employee out to lunch.  Tell them what you have been noticing in their Cyber Hygiene, and try to figure out why they are doing what they do.  For example, why are they using the same password over and over again?  Why are they not double checking the emails they get in their inbox?  Or, why are they consistently using apps for their work when they have not been authorized to do so?  And so forth.  This should give you much greater insight into their ways of doing things.

2)     Create a “Credit Score”:

Once you have figured out what the employee is doing wrong, or why they are not following the security policies that you have set forth, try to create something like a “Credit Score” for them.  However, do not share this with them; it will make your employees feel as if Big Brother is watching them.  Just use this numerical value as a metric, or even as a Key Performance Indicator (KPI), to see just how well they are improving over time (which is hopefully the case).

3)     Give one on one help:

I remember when I was back in high school, I was struggling through Algebra II, and after my parents gave up on helping me, they resorted to finding me a tutor, who could give me that one on one time.  This tutor helped me in the specific areas that I was weak in, and over time, my grades improved.  This is the same approach that you have to take as well with your employee who is exhibiting a low level of Cyber Hygiene.  But, in my view, hire a person that is specially trained in this.  Don’t just farm out somebody from your IT Security team, as they have more than enough to deal with on a daily basis.  Try to find a contractor that specializes in offering Cyber education, as they will be the most accustomed to offering tutoring sessions.

4)     Reward the employee:

As the tutoring goes on, and if you see an improvement in their respective “Credit Score”, reward your employee.  This can take place with just a simple pat on the back, sending out positive messages with the right emojis, giving them a gift card, or even taking them out to lunch again.  The bottom line is that once the employee feels appreciated for the efforts and remediations that they are undertaking, they will continue with this trend for a long time to come, until you don’t have to coach them anymore.

My Thoughts On This:

You might be thinking at this point:  “I don’t have the time and resources to do this for each and every employee”.  Of course, you don’t.  These strategies are designed to help those employees that display the lowest, or weakest, behavior when it comes to their Cyber Hygiene.  There will be some that will get it right the first time after the training, and those that will lie somewhere in the middle.  But the idea is that once employees see others maintaining strong levels of Cyber Hygiene, they will feel compelled to do the same.

In the end, it comes down to what is known as “Behavioral Analysis”.  In other words, trying to figure out why people act and do things the way they do.  This is becoming a hot sector now in Cybersecurity, and rightfully so, with all that is going on, especially now with Generative AI being so dominant.

So now, back to that one thing:  I do not think at all that employees are the weakest link in the security chain.  Rather, I find the CISO and the other members of the C-Suite to be the weakest link.  They do not practice what they preach, and if they did, we would see a much different picture in terms of employee Cyber Hygiene today.

In the end, it takes both people and technology to have a great line of Cyber defense for your business.

Sunday, July 14, 2024

How To Avoid Becoming A Victim Of AI Eavesdropping: 5 Point Checklist

Well, it has been a while since I have written anything about Generative AI.  It’s still continuing to make the news headlines, and most of the publicly traded companies are seeing their Earnings Per Share (EPS) going to even newer highs, such as the case with Nvidia, even after their recent stock split.

But despite all of this, and rightfully so, there is still a growing angst amongst the general public here in the United States as to how the tools that have Generative AI baked into them can be misused.

For example, one of them is how the video conferencing platforms, such as those of Zoom, Webex, Teams, etc., record conversations in a meeting.  When you have a meeting with your coworkers or manager, you often have the option to have a recording of it, to be used as a future reference, if the need arises.

Here are some of the scenarios which pose some of the greatest risks:

1)     Flaws in the transcription:

As I have written about before, Generative AI (and for that matter, all branches of AI) is primarily “Garbage In and Garbage Out”.  Meaning, the output that you get in the end is only as good as the datasets that are fed into the model.  Even if you take the time to make sure that all of these datasets you feed into it are as cleansed and optimized as possible, mistakes can happen, whether intentional or not.  For example, if you have a meeting, and choose to have it recorded, there could be flaws in the actual language of the transcript that could convey a very negative connotation.  Thus, before the transcript is ever released to the team, it is imperative that you double check this language first to make sure that all is good.

2)     The right to use it or not:

Very often, it is the originator of the meeting that has the option to launch a recording session or not.  Unfortunately, the other members who have been invited to it do not have that option.  Thus, if an employee does not like the idea of being recorded, they still may feel forced into it, especially if the meeting originator is their boss and wants to use it.  Although the recording mechanisms very often do notify the employees ahead of time that the conversation in the meeting will be recorded, a quick fix to this is to have the meeting originator actually reach out to each team member to make sure it’s OK that they are being recorded.  If the majority say no, then it will be time to do things the old-fashioned way, by having a professional minute taker present to take notes.

3)     Data exfiltration:

In today’s world, many online meetings occur in which private and confidential information is very often shared amongst the members.  The thinking here is that since everybody knows each other, all is good.  But unfortunately, this is far from the truth.  For instance, there is the grave possibility that the transcript could be the target of a Data Exfiltration attack.  When we hear about this, we often think of databases being hacked into.  Because of this, we often forget about the other places where data might be saved, especially those in video conference meetings.  The Cyberattacker is fully aware of this, and thus makes this a target.  While there is no sure fix for this, the best thing you can do is to make use of the tools that your Cloud Provider gives you to monitor your AI Apps.  A great example of this is Purview from Microsoft, which is available in any Azure or M365 subscription.

4)     Third party usage:

Many of the vendors that create AI based products and services very often, and covertly, use the data that you submit in order to further refine the AI algorithms that are being used in their models.  This is also true with the recording of the video conference meetings, and the transcripts that come of them.  A perfect example of this is the recent Zoom debacle, where this occurred.  This led to an 86 million Dollar lawsuit.  More details on this can be found at this link:

https://www.darkreading.com/cybersecurity-analytics/following-pushback-zoom-says-it-won-t-use-customer-data-to-train-ai-models

While you can’t have direct control over what is collected initially, make sure that you read all of the licensing and end user agreements carefully.  And, if after you start using the AI recording tool you feel that the data is being misused in this fashion, you do have rights under the data privacy laws, such as those of the GDPR and CCPA.  But it is always wise to consult with an attorney first to see the specific rights you are afforded under them, and how you can move forward.

5)     Covert participants:

Back in the days of the COVID-19 pandemic, “Zoombombing” was one of the greatest Cyber threats posed to the video conferencing platforms.  While this may have dissipated to a certain degree, the threat is still there.  But this time, given how stealthy the Cyberattacker has become, they don’t even have to make an appearance.  They can still listen covertly, and record that way as well, without you even knowing it.  Probably one of the best ways to mitigate this risk from happening is to make sure that your video conference meeting is encrypted to the maximum extent possible, and that you require a login password that is long and complex (a good tool to use here is a Password Manager).

My Thoughts On This:

All of what I have described in this blog is known technically as “AI Eavesdropping”.  It is also important to keep in mind that this risk is not just born out of the video conferencing platforms; it can happen on any device that has Generative AI built into it.  Good examples of this are the various “fit bits” that you can wear as a watch.

As Generative AI continues to further evolve at a very fast pace, you, the CISO, should also take responsibility for creating a separate security policy that is targeted just towards Generative AI.  Some of the things that should be addressed are how your company uses the data that is collected from Generative AI, how it is stored and used, and the rights that your employees have if they feel those rights have been violated.

Sunday, July 7, 2024

3 Golden Ways To Overcome The Flaws Of SOC2 Compliance

One of the biggest issues today in the world of Cyber is that of Vendor Management.  With the world becoming more interconnected on a daily basis, outsourcing certain business processes has become the norm.  For example, a business can find a third-party supplier overseas, or even here in the United States.  But whoever you choose to work with, it is highly imperative that you vet your partner as much as possible, in order to make sure that their levels of Cybersecurity come up to par with what you have.

In this regard, it is the “SOC” compliance framework that is most widely used in order to confirm just how Cyber strong and resilient a potential third-party supplier is.  It is an acronym that stands for “Service Organization Control”, and there are actually three different versions of it.  It is the second one, officially known as “SOC2” which is the most common standard.

From within this, there are two different types of “SOC2”, and they are as follows:

1)     SOC 2, Type 1:

This focuses strictly on the effectiveness of the controls that reside within the IT/Network Infrastructure of a third-party supplier.  This is primarily used to determine if these controls are enough to safeguard the datasets that you will be entrusting them with.

2)     SOC 2, Type 2:

This is a much more exhaustive study, and examines the effectiveness of the controls in the IT/Network Infrastructure of the third-party supplier over a defined period of time.

But there are three shortcomings of the SOC2 Framework, which need to be addressed:

1)     The Scope:

Unless it is requested by the business that is seeking a SOC2 compliance report from a third-party supplier, not all of the controls will be included.  Therefore, there is no guaranteed way of finding out if all of the controls have been upgraded and/or fully optimized.

2)     The Timeframe:

Most SOC2 assessments only provide a review of the controls at one point in time (unless the Type 2 study is specifically requested).  Therefore, it really has no value afterwards, because the Cyber Threat Landscape is always changing, on a dynamic basis.

3)     The Subjectivity:

Typically, it is the third-party supplier that will perform the SOC2 assessment on those controls that they deem to be important.  While the business that is vetting out potential vendors will have input, there is no guarantee that it will actually be honored.

So while the SOC2 framework does offer some benefits, it does have its disadvantages as well.  So what can a business do?  Here are some tips:

1)     Create a questionnaire:

Just like how insurance carriers are now requiring potential policy holders to fill out an exhaustive survey attesting to their controls, you should do the same for the third-party suppliers that you are scoping out.  But, take this even one step further.  After they have filled out your questionnaire, have an outside auditor verify the validity of it.

2)     Do more exhaustive testing:

In this regard, require that the potential third-party suppliers conduct both Vulnerability Scanning and Penetration Testing to make sure that all gaps and weaknesses have been uncovered.

3)     Have airtight contracts:

Once you have selected a third-party supplier, it is absolutely critical that the contracts you have them sign are completely “airtight”.  This means that they have attested to, under the penalties of perjury, that all of the needed controls are in place and will be optimized on a continual basis.  Also, your goals and expectations need to be clearly spelled out here as well.  Always get a reputable attorney to draw up these contracts for you, don’t rely on a Generative AI tool like ChatGPT to do this for you.

My Thoughts On This:

Although risks can still happen, it is up to you in the end to select the third-party supplier that not only best meets your needs, but whose levels of Cybersecurity are also on par with yours.  In the end, if they are the victim of a Data Exfiltration attack, you will be ultimately held responsible for it, not them.

Finally, it is also equally important that you maintain a clear and transparent line of communications with them, especially when it comes to the sharing of Cyber Intelligence about potential Threat Variants that could be coming down the road.

Thursday, July 4, 2024

How Even The Smallest Of Nations Can Create A Rock Solid Data Privacy Law

Just recently, I submitted a book manuscript which covers the tenets and provisions of all of the major data privacy laws, which include the GDPR, CCPA, etc.  The basic thrust of all of them is to make sure that not only are organizations doing their very best to make sure the controls that they have implemented are safeguarding the datasets to the maximum extent possible, but also to give the dataset owners a strong voice as to how their data should be used.

Many states here in the US have adopted their own version of a data privacy law, with other countries following suit as well.  The latest addition to this list is the tiny island nation called Papua New Guinea.  I have heard of it of course, but I had to Google where this little country is located.  It is in the Southwestern part of the Pacific Ocean, and the largest country within close proximity of it is Australia.

The legislation that they have created and passed is called the “National Data Protection and Governance Policy 2024”.  The exact text of the legislation can be downloaded at this link:

http://cyberresources.solutions/blogs/PNG_Data_Privacy.pdf

There are seven major sections to it, but here is a summary of some of the major highlights of it:

*The role of data protection does not rely solely on just one entity.  Rather, it is a shared responsibility between government agencies, businesses, academia, non-profit entities, etc.

*The goal of the country is to establish a “Digital Infrastructure” of sorts, which will allow for all digital assets to be connected with one another, especially as the IoT revolution sets in with the population.

*Cyberattacks are now happening much more frequently to the smaller nations in the Pacific Rim, therefore strong legislation like the one mentioned here is absolutely needed.

*The need for Cyber resiliency is a must for Papua New Guinea, therefore it is the goal of this new legislation to establish the framework to make this into a reality.

*Transparency amongst the public is a must in order for any kind of data privacy action to take place, and this new law helps to ensure that this actually does happen.

*One of the more macro goals of this legislation is to further enhance the reach of the Cyber frameworks developed by Papua New Guinea into the international arena.  For example, it has joined the following:

Ø  Global Cross-Border Privacy Rules (CBPR) Forum (more details can be found here:  https://www.commerce.gov/global-cross-border-privacy-rules-declaration)

Ø  The government of Papua New Guinea is also working on a Memorandum Of Understanding with the government of Japan in order to participate in Cyber Warfare games with the other smaller island nations also located in the Pacific Rim (more details can be found here:  https://www.darkreading.com/cyber-risk/japan-runs-inaugural-cyber-defense-drills-with-pacific-island-nations)

*Even the smallest of nations, such as that of Papua New Guinea, can be a strong foe against the Cyberattacker groups.

Finally, this new piece of legislation passed by this tiny country has eight major objectives to it, which are as follows:

Ø  Establish Clear Principles

Ø  Strengthen Data Protection

Ø  Promote Data Governance

Ø  Facilitate Data Sharing

Ø  Enhance Data Literacy

Ø  Foster Innovation and Economic Growth

Ø  Ensure Flexibility and Adaptability

Ø  Align with International Standards

Further details about them can be found at this link:

https://www.ict.gov.pg/ndgdpp/

My Thoughts On This:

Here in the United States, we are still struggling in terms of the enforcement of the data privacy laws that we have created.  Not only are the local governments slow to act on this, but with each state producing their own version of it, there is way too much confusion about them.  Therefore, we need a central authority to have a federally created and enforced data privacy law.

Seeing how even the tiniest of nations, such as that of Papua New Guinea, can do something like this so quickly, we can learn a lot from them.

Sunday, June 30, 2024

How To Create Cyber Social Norms: 7 Golden Tips

One of the mantras today in Cybersecurity is to create a Security Policy, or even Policies, and make sure that it is enforced.  While this has been true for who knows how long, the catalyst for this was during the COVID-19 pandemic.

For instance, right when it hit, CISOs and their IT Security teams were left scrambling trying to deploy company devices to what had by then become a near 99% remote workforce.  Of course, the gravity of the pandemic caught everybody off guard, but another reason companies were so slow in this was that they did not have a good Security Policy in place.

Even if they did, it was probably barely rehearsed on a regular basis.  But now that the pandemic has more or less dissipated, CISOs have hopefully learned their lessons.  Not only is it good to have a Security Policy when it comes time to respond to a disaster, but also it is greatly needed to support a good level of Cyber Hygiene amongst the other employees of the business.

But depending upon how large your organization is, it can truthfully be hard to enforce a Security Policy with each and every employee.  Therefore, it is very important for the CISO, as well as other members of the top brass, to make sure that a proper cadence of “Social Norms” is followed.  You may be asking what this is.  Well, here is an informal definition of it:

“Social norms typically are informal, unwritten rules that guide acceptable behavior among members of a group or society.”

(SOURCE:  https://www.darkreading.com/cybersecurity-operations/achieve-next-level-security-awareness-by-creating-secure-social-norms)

In other words, you are taking certain parts of the Security Policy that will help to maintain that level of Cyber Hygiene that you want, but actually acting them out in your daily interactions with others.  So, the idea here is as you practice these “Social Norms”, others will watch it, and from there, take your cue.  This is another subtle way of practicing good Cyber habits.  That’s why it is so important for managers in a business to do this on a proactive basis, because in our society, everything is learned in a top-down fashion.

So to get you started, here are some tips:

1)     Have training:

Yes, this is a topic that has been gone over many times, but it’s the truth.  You first have to have regular training sessions with your employees in order to instruct them about the value and the importance of the datasets that your company possesses.  They are the lifeblood of the company, and if anything is compromised in this regard, your business will be on its knees.  But two key points here are:

Ø  Keep your training engaging and interesting.

Ø  Make sure that it is appropriate for the target audience.  Don’t take a “one size fits all” approach.

2)     Know where the data resides at:

Believe it or not, many CISOs to this day don’t even know what is contained in their databases.  So if you want to establish a sense of a “Social Norm” here, know where every piece of data is, and convey that knowledge accordingly (obviously, this is something that an administrative assistant does not need to know about).

3)     Make use of MFA:

As I have written about before, this is an acronym that stands for “Multifactor Authentication”.  The predecessor to this was 2FA, which stands for “Two Factor Authentication”.  But since the Cyberattacker has more or less circumvented the latter, the time for MFA has now come.  This is where you deploy at least three or more different authentication mechanisms in order to confirm the identity of your employee.

4)     Understand Social Engineering:

Although this is almost as old as Phishing, it is being used quite a bit today.  This is where the Cyberattacker tries to build up a friendly, but cunning rapport with an employee of a company in order to squeeze out details from them about the company’s datasets.  In this regard, also have training programs on this, and even conduct role plays with employees so that they will truly understand the gravity of a Social Engineering Attack.

5)     Implement a Privacy Policy:

While these are mostly prevalent on websites (primarily due to the data privacy laws that mandate them, especially with regards to the use of “Cookies”), it is important to take this and create a Privacy Policy that is internal to your company.  For example, not only does the business have the right to keep its datasets private, but employees and even customers have this right as well.

6)     Get an Identity Service:

The three main credit reporting bureaus are Equifax, Experian, and TransUnion.  Through whichever agency you wish to go through, take advantage of their free credit reporting services.  Offer this to all of your employees and even customers.  In case you are ever hit with a security breach, they will be able to contact the bureau immediately to have their accounts frozen in a quick manner.

7)     Use a Password Manager:

Yes, as much as we have tried to get rid of passwords, they are still around, and will continue to be for a long time to come.  They still continue to be one of the biggest nightmares in Cybersecurity today.  Therefore, make use of a Password Manager to further enhance the protection of your datasets.  These are simple, but powerful, software applications that create long and complex passwords that are difficult to crack.  Best of all, your employees don’t even have to remember them; the Password Manager takes care of all of that.  But if you are going to use it, make sure that you, as a CISO, start using it first.

My Thoughts On This:

Creating “Social Norms”, following the tips just reviewed, should not be an insurmountable task.  But as I have said before, this all has to start from the C-Suite.  If the members here follow it, then other employees, in a cascading fashion, will also follow suit until it becomes second nature to them.

Sunday, June 23, 2024

Outer Space: To Boldly Go Where No Cyberattacker Has Gone Before

For the longest time that I can remember, I have always been a huge lover of astronomy.  Even during part of my college days I was a member of a local astronomy club, getting a good look at the moon and other celestial objects in the universe through our low-tech telescope.

My passion for that and even space travel continues till today, as I still watch videos on YouTube on the Apollo missions.  In fact, my favorite question that I like to ask of people is:  “Do you think space ends, or if it does, what is beyond it?”  Well, that will be a discussion for a later time.

But since the retirement of the Space Shuttles, it seems like the trend is now for private companies to launch their own kinds of spacecraft; some of the more famous ones that I can recall are those from Boeing and I think even Elon Musk.  But with this privatization comes a new kind of issue that we thought could never happen before:  And that is nothing but Cybersecurity.

In fact, people view it as such a serious matter that even top-level researchers at the California Polytechnic State University just released a scathing 95-page report on the specific Cyber related risks that could potentially happen.  The entire report can be viewed at this link:

https://ethics.calpoly.edu/spacecyber.html

One of the primary reasons cited for this heightened level of awareness is that many nations around the globe are also participating in this “space race” of sorts.  Coupled with the fact that some of them could even be rogue states like Russia, China, and North Korea, the problems could now really settle in.

Another driver for this is the increasing level of interconnectivity between our own wireless devices and all of the satellites that are up there, orbiting the Earth.  This has been driven by the explosion of the Internet of Things, also known as the “IoT”.

A good example of this is your GPS system.  When you make use of a tool, such as Google Maps, it is not the information that is stored on your wireless device that is providing you with the directions.  Rather, it is the many GPS based satellites that are communicating with your wireless device.

That is why there is much fear of the evolution of Smart Cars, because in all practicality, a Cyberattacker would just have to launch a threat variant at one of these satellites in order to cause a high level of confusion amongst drivers.

In fact, as much as we do it on the ground here, researchers are now even modelling the specific Cyber threat variants in outer space.  One such effort is known as “ICARUS”, which is an acronym that stands for “Imagining Cyberattacks to Anticipate Risks Unique to Space”.  In this framework, the researchers have detailed all of the hypothetical variables that could lead to a security breach.  Some of these include:

*The attack vector.

*The type of exploits.

*Any potential threat actor motivations and incentives.

*The potential victims.

*Other space capabilities that an attack could compromise.

Through the above and many other of these kinds of variables, the researchers can model over 4 million Cyberattack scenarios (I also firmly believe that Generative AI has to be a big part of this as well).  More information about this framework can be found at this link:

https://www.securityinfowatch.com/cybersecurity/press-release/55089421/cal-poly-releases-imagineering-report-to-anticipate-scenarios-for-outer-space-cyberattacks

Also, another driver that is causing huge concern for a Cyberattack in outer space is the increasing number of satellites that are now being launched into Earth Orbit.  For example, it has been estimated that since 2012, there has been an average of 2,600 new satellite launches on an annual basis.

Yet another catalyst that is providing more motivation for the Cyberattacker to launch a threat variant into Outer Space is just its sheer vastness, and all of the complexities that go along with it.  Because of this, it is now much easier for him or her to hide their tracks, as opposed to launching security breaches down here on Earth.

Finally, another Cyber risk that is posed in the blackness above us is something that is referred to merely as “Space Junk”.  These are merely prototypes of rockets used for testing purposes.  Astonishingly enough, there are over 35,000 major pieces of this “Space Junk” out there, and even 1 million more that are smaller in nature.  In theory, it is feared that a Cyberattacker could target one of these pieces of “Space Junk”, and direct it to crash into an important satellite, such as a GPS location one.

My Thoughts On This:

I am by no means an expert on Outer Space, but IMHO, while it’s great that researchers are starting to model Cyber threat variants in Outer Space, we are still a long way off from seeing a direct attack happening, for example, when one satellite intercepts another.  Rather, I think the biggest concern right now should be if a Cyberattacker launches a malicious payload into Outer Space, and uses that to cause major damage, such as to our Critical Infrastructure.

With this kind of approach, it would be much more difficult to determine the root cause of a security breach, and to produce ways to mitigate that particular threat from happening in the future.


Sunday, June 16, 2024

6 Traits That Entrepreneurs And Cyberattackers Share



When people conjure up the image of a Cyberattacker, very often the picture of them wearing a hoodie, sitting in a dark room hunched over five monitors comes to mind.  But, while this could be true to some degree, this is really not how Cyberattackers truly operate.  Of course, he or she will want to keep their tracks as covered as possible, so that they can evade detection.  But believe it or not, the Cyberattacker of today often thinks like an entrepreneur when they plan to launch an attack, or even attempt to form a Cyberattacking group of sorts.

So what goes into their mind, you are asking?  Well here are some clues to it:

1)     They try to find the markets:

In the old days of hacking, the goal of the Cyberattacker was to launch what is known as a “Smash and Grab” campaign.   Meaning, the goal was to get in by any means possible, get whatever they could, and run off into the distance, with hopes of not being caught.  But today’s Cyberattacker takes a very different approach.  Just like entrepreneurs, they study the kind of market that they can get into.  In other words, what fits the profile of a potential victim?  Once this has been figured out, the Cyberattacker, using open-source tools, such as Social Media, then tries to find their victim.  But keep in mind that there are many other tools that can be used out there in the public domain, such as “OSINT”, which stands for “Open-Source Intelligence”.  Also, it may not be an individual that they are trying to target; it could even be a business.  Or worse yet, the Cyberattacker may have even been hired by someone on the Dark Web or through other covert means in order to launch an attack.

2)     Creating the product/service:

Once an entrepreneur has an understanding of the market that they want to get into, the next step is to create or further develop a product or service that will meet the needs and demands of prospects.  In this case, once the Cyberattacker has figured out their victim, their next step is to then determine their weapon of choice.  For instance, will it be a Phishing Attack?  Or one that involves Social Engineering?  Or perhaps even a Ransomware Attack to steal information and data?

3)     Getting the funding:

As the entrepreneur is now finalizing the business plan, the next thing on their mind is to figure out how to get funding to launch their brand-new product or service.  There are two ways they could do this: either tapping into their own savings, or reaching out to investors.  In the case of the Cyberattacker, their goal here is to figure out how they will get the means to launch their Attack Vector.  For example, will he or she be joined by other Cyberattackers in an effort to pool resources, or will they go it solo?  The goal here, just like for the entrepreneur, is to keep costs as low as possible, primarily to avoid raising red flags.  So, they could hire a service on the Dark Web that could launch the attack for literally pennies on the dollar (the most popular one in this regard is “Ransomware as a Service”).  Or, the most preferred method is to take the profile of an existing Threat Variant and modify it in some fashion so that it will be deadlier.  In other words, building a better mousetrap.

4)     Launching the product/service:

Now, once the victim (the target market) has been selected, and the funding has been secured, the next move is to launch the actual Threat Variant, in order to achieve the desired outcome.  Most likely, it will be an attempt to heist login credentials, or exfiltrate data that can be used to either sell on the Dark Web, or even launch a Ransomware Extortion Attack.  But, just like the entrepreneur, if things are not going as planned or expected on the initial launch, they will shift strategies in order to gain what has been planned.  In the case of the Cyberattacker, it would be to stay as covert as possible.

5)     The continuation of the marketing:

Once the entrepreneur has reached a point of some stability and has actually achieved sales on their new product or service, their next goal is to keep up with the marketing strategies or even tweak them further in order to generate more prospects, which in turn, will lead to more sales.  This is also true of the Cyberattacker.  Once they have launched their Threat Variant, found a way in, and remained as covert as possible, their next objective would be to move across the IT/Network Infrastructure in a lateral fashion to see what they can steal.  For example, it could be trade secrets, other sorts of confidential documentation, or even Intellectual Property (also known as “IP”).

6)     The next wave:

For the entrepreneur, once they have had a successful launch of their product or service, the next thing for them is to figure out what to produce next.  Most likely, since funding and resources will still be rather tight, they will take what they have already created, and attempt to add more functionality to it, perhaps even to serve a different market entirely.  The same is true for the Cyberattacker.  Once they have achieved what they wanted to get with the Threat Variant, they will want to add more to it to make it not only stealthier, but even deadlier as well.  In this case, it is quite likely that they will even target an entirely new victim.

My Thoughts On This:

What I have detailed in this blog is the basic model that a Cyberattacker could potentially follow.  Not all of the steps may be followed.  But the bottom line here is that, just like when launching a new business, a lot of time is spent these days trying to figure out how to do it right the first time.  The same is also very true of the Cyberattacker.  They now take their time to carefully profile and target their victims, in an effort to strike them at their weakest point, when they are the least aware of it.
