In forensic science, the fundamental question to ask is always cui bono? (who benefits?).
Some crimes are committed for infamy rather than economic gain, and in some instances the person attacking a system does so simply to injure another. What is generally true in every case is that somebody benefits.
There are always multiple possible culprits in any investigation, so if you narrow the field by starting with those who benefit most from the action, your task is likely to be simplified.
The primary motivations for attackers breaking into systems today are economic. They include:
1. Theft of trade secrets and other Intellectual Property (IP) for economic gain,
2. Attempting to monopolize a product or other offering in a selected market,
3. Acquiring competitive advantage in domestic and global markets,
4. Threats against computer systems and technology,
5. Privacy violations,
6. Damaging one's competitors and hence making them less competitive,
7. Leveraging access to pivot to or attack other systems,
8. A false flag operation designed to make another party look guilty,
9. Using the system as a form of low-cost hosting (e.g. for pharmacy spam image hosting and illicit pornography), and
10. Bringing attention to an individual, group or activity.
Basically, the threats are the same as they have always been; only the medium has evolved, making the crime easier to commit.
Determining why often comes down to seeing what was taken. Even paper can be stolen, and any of the following can be the source of an information leak:
- Documents, whether completed or still in draft, and working notes or scrap paper
- Computer-based information
- Photographs, maps and charts
- Internal correspondence and email
- Legal and regulatory filings
- Company intranet access and publications
- Formal meeting minutes or transcripts
- Casual conversations
- Conversations at trade shows and events
- Marketing and product plans (esp. prior to release)
- Source code
- Corporate strategies and plans
- Marketing, advertising and packaging expenditures
- Pricing issues, strategies, lists
- R&D, manufacturing processes and technological operations
- Target markets and prospect information
- Plant closures and development
- Product designs, development and costs
- Staffing, operations, org charts, wage/salary
- Partner and contract arrangements (including delivery, pricing and terms)
- Customer and supplier information
- Merger and acquisition plans
- Financials, revenues, P&L, R&D budgets
The personal records sought include:
- Home addresses
- Home phone numbers
- Names of spouse and children
- Employee salaries
- Social security number
- Medical records
- Credit records or credit union account information
- Performance reviews
Knowing who benefits goes a long way toward discovering who has attacked a site. A variety of threat agents exist for any organisation, and the nature of its information, systems and activities determines who will benefit from attacking its computer systems. These threat agents fall into several general categories.
Any of the following may be a source of threat to an organisation:
- Accidental antagonists, who cause you harm through ignorance or negligence
- Incidental antagonists, who seek another target but attack you because you are there and obtainable
- Insiders, who may compromise or steal information assets for motives ranging from dissatisfaction to economic gain
- Competitors, who may attack to gain a benefit or to achieve market dominance
- Cyber-vandals, who may attack because you are there or because you have a product they do not like
- Hackers and crackers, seeking information about everything that is denied to them, or offering their technical proficiency to another party with motives of its own
- Thieves, who attack to further their own financial wellbeing
- Terrorists, who may attack in order to disrupt the connection between the general public and critical infrastructure
- The military, engaged in information warfare actions
- Third World countries
- Organized crime
- Terrorist organizations
- Internal competitors (within a nation)
- Foreign competitors, and
- Foreign intelligence agencies
What this tells us…
It all comes down to "know thy enemy". Both in responding to an incident and in preventing one, it is essential to know who would benefit from attacking your organisation's systems.
As Sun Tzu said:
The first step in understanding an attacker is to understand who benefits.