Monday, 5 September 2011

Cui Bono???

In forensic science, the fundamental question to ask is always Cui Bono? or "Who Benefits?"

There are crimes where people seek infamy as well as economic gain. In some instances, the person attacking the system may wish to do so to injure another. What is generally true in any case is that somebody benefits.

There are always multiple possible culprits in any investigation, so if you can narrow down the field by starting with those who benefit from the action the most, it is likely that your role will be simplified.
The primary motivations for attackers to break into systems these days are economic. Some of these include:
1. Theft of trade secrets and other Intellectual Property (IP) for economic gain,
2. Attempting to monopolize a product or other offering in a selected market,
3. Acquiring competitive advantage in domestic and global markets,
4. Threats of computer technology,
5. Privacy violations,
6. Damaging one's competitor and hence making them less competitive,
7. Leveraging access to pivot to or attack other systems,
8. A false flag operation designed to make another look guilty,
9. Using the system as a form of low-cost hosting (e.g. for pharmacy spam image hosting and illicit porn), and
10. Bringing attention to an individual, group or activity.

Basically, the threats are the same as they have always been; only the media has evolved to make it easier to commit the crime.

Determining why often comes down to seeing what was taken. Even paper can be stolen, and any of the following can be a source of an information leak:

  • Documents – whether completed or still in draft, and working notes or scrap paper
  • Computer Based Information
  • Photographs, Maps and Charts
  • Internal Correspondence and email
  • Legal and Regulatory Filings
  • Company Intranet access and Publications
  • Formal meeting minutes or transcripts
  • Casual conversations
  • Conversations at trade shows and events.

A competing organization may also be able to make use of, and gain an advantage from, the following:
  • Marketing and product plans (esp. prior to release)
  • Source code
  • Corporate strategies and plans
  • Marketing, advertising and packaging expenditures
  • Pricing issues, strategies, lists
  • R&D, manufacturing processes and technological operations
  • Target markets and prospect information
  • Plant closures and development
  • Product designs, development and costs
  • Staffing, operations, org charts, wage/salary
  • Partner and contract arrangements (including delivery, pricing and terms)
  • Customer and supplier information
  • Merger and acquisition plans
  • Financials, revenues, P&L, R&D budgets

With the rise of identity fraud and other related offences, the theft of proprietary company information and private personnel records is also increasing. PII (Personally Identifiable Information) has become a prime target for cyber criminals. Using these records, they can create fake loan applications, purchase goods or even construct a complete false identity.

The records sought include:
  • Home addresses
  • Home phone number
  • Names of spouse and children
  • Employee’s salary
  • Social security number
  • Medical records
  • Credit records or credit union account information
  • Performance reviews

Threat Agents

Knowing who benefits goes a long way towards discovering who has attacked a site. A variety of threat agents exist for any organisation, and the nature of its information, its systems and its activities will determine who would benefit from attacking that organisation's computer systems. The threat agents fall into several general categories.

Any of the following may be a source of threat to an organisation:
  • Accidental antagonists, who cause you harm through ignorance or negligence
  • Incidental antagonists, who seek another target but attack because you are there and obtainable
  • Insiders, who may compromise or steal information assets for motivations ranging from dissatisfaction to economic gain
  • Competitors, who may attack to gain a benefit or to achieve market dominance
  • Cyber-vandals, who could attack because you are there or because you have a product they do not like
  • Hackers and crackers, in an attempt to obtain information concerning everything that is denied to them, or who might be offering their technical proficiency to another with motives of their own
  • Thieves, who may attack to further their own financial wellbeing
  • Terrorists, who can attack in order to disrupt the connection linking the general public and critical infrastructure
  • The military, involved in information warfare actions

We can simplify this and summarize the main threats as:
  • Third World Countries,
  • Organized Crime,
  • Hackers,
  • Hactivists,
  • Terrorist Organizations,
  • Internal Competitors (within a nation),
  • Foreign Competitors, and
  • Foreign Intelligence Agencies

Hostile nations such as China, North Korea, Cuba and Iran are only one source of remote threat. Friendly nations have also been known to engage in (and been caught at) these activities in the past.

What this tells us…

It all comes down to "know thy enemy". In responding to an incident as well as in preventing one, it is essential to know who would benefit from attacking your organisation's systems.

As Sun Tzu said:

"Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle."

The first step to understanding an attacker is to understand who benefits.
