Know Your Enemy – How to think like the adversary and what you should be doing to outsmart them
What does a hacker look like today? How do they operate, and how can businesses protect themselves against unknown cyber threats? In the second episode of our new podcast “All the War They Want,” GRC Consultant Bradley Barnes joins Carmen Brooks and Jeff Engle to discuss how we can “know the enemy.”
As a U.S. Air Force veteran, Bradley knows a thing or two about policies and procedures. After active duty, he moved into the cyber realm to become an information system security officer. Today he works as a Governance, Risk, and Compliance (GRC) consultant. At Conquest Cyber, Bradley helps organizations build risk-based cyber defenses and achieve compliance with requirements like CMMC, DFARS, GCC High, NIST 800-171, and ISO 27001.
Cyberwarfare in the “Fifth Domain”
Throughout his career, Bradley has played a unique role in the transition from traditional warfare to cyberwarfare. His perspective helps connect the dots between where we have been and where we are going.
Overall, cyberwarfare is much cheaper to execute. Countries no longer have to deploy troops abroad; they can now hire individuals to carry out effective attacks from their own soil.
“Everything was once novel. At one point, even the rifle was unconventional. Traditional warfare includes sea, air, and land. Recently we’ve added space, and cyber is the Fifth Domain.” – Jeff Engle
This shift has changed the balance of power. Before, only the big dogs like America, Russia, and China had the military power to protect their borders while also deploying troops worldwide. Now everybody can project power globally, but it’s become increasingly difficult to defend our borders. This is a fundamental change compared to even a decade ago.
What does the enemy look like today?
Pop culture invokes a clear mental image of what a “hacker” looks like. Most people expect to see an unkempt, nerdy middle-aged man perhaps living in his parents’ dimly-lit basement. But is this an accurate portrayal of the true enemy?
Today, malicious hackers are less likely to be individual operators and more likely to be employed by nation-states or large criminal organizations. These groups are extremely well organized and well-funded. There are thousands of people around the globe who show up to a regular job every day where they are paid to steal information or sow chaos. They are highly qualified and highly motivated to succeed. They operate without borders at all hours, and they don’t follow the rules.
“It’s almost like ‘The Wizard of Oz.’ You see this big green figure with smoke and lightning bolts and everything, but when you pull that shade away, you never know who will be behind the curtain.” – Bradley Barnes
Is there such a thing as a good hacker? Some people will apply their technical skills towards malicious ends, but others will use them for good. Sometimes the best way to “know the enemy” is to find unique individuals with direct experience from the other side.
Today, professionals such as those holding a Certified Ethical Hacker certification work with organizations to help them identify vulnerabilities and protect their data.
Independent groups like Anonymous or other “hacktivists” will also apply their collective skills to fight for political and social causes they deem worthy.
How to plan for the unexpected
How can we predict what will happen next? There are many different ways to be attacked, and evolving technologies open new doors every day.
“Prevent what we can predict and adapt to everything else.” – Jeff Engle
Can you predict what’s going to happen on the next zero-day? No. But you can expect you will eventually experience some type of ransomware attack. Will you be ready?
Even if you don’t know how an attack might happen, you can still take practical steps to prepare for the inevitable. If you don’t back up your systems, patch your critical assets, and create a plan with your teams, you will set yourself up to fail.
We understand what type of attacks are being carried out. We know many of the warning signs. By applying the right tactics, techniques, and protocols, you can “prepare for what you can predict.”
Bradley emphasizes that awareness and training are also critical pieces of the puzzle. The majority of malicious attacks still prey upon the human element. Vectors like social engineering and phishing attacks target employees who are unaware — or simply not paying attention. By investing even a little time and effort in culture and training, companies can significantly improve their cyber defenses.
“Not only does the CEO, the CISO, and your information security personnel need to be aware of what your security best practices are, but all personnel within the organization need to have that continuous training … it’s a top-to-bottom perspective that we all need to take.” – Bradley Barnes
The most significant gaps for companies right now
Given the rapidly changing nature of the enemy and modern cyberwarfare, what are the most significant gaps in industry? Bradley proposes a few actions that business leaders can take today to make an impact:
1. Asset management
Do you know what’s operating within your environment? What’s approved and not approved? This is a critical first step toward identifying red flags and catching suspicious activity as early as possible.
2. Asset classification
Do you handle controlled unclassified information (CUI) or other sensitive financial or personal information? Where is that data located? Who has access to it? This critical intelligence will help you protect your critical assets and respond appropriately to high-risk threats.
3. Multifactor authentication
Many organizations don’t implement a “dual boundary” with multifactor authentication or an effective password strategy. This is low-hanging fruit and a major improvement that companies must immediately implement.
4. Risk assessment (and follow-through)
Do you regularly assess your company’s cyber risk? Do you do anything with that risk assessment, or does it gather dust on the shelf? Make sure you continually address risks as they are identified.
It’s time for action
Today, with the war in Ukraine, companies and individuals have become much more aware of the reality of cyberwarfare.
Despite the rising threat, many still believe that someone else will solve the problem. Some people assume the government is responsible for nationwide cyber defense, but this is not the case. Over four million organizations across the U.S. provide critical functions every day, and the government cannot protect them all.
“Everybody needs to realize we’re at war and to mobilize to do their part — it’s both our fiduciary responsibility and our moral obligation.” – Jeff Engle
As individuals, we all have numerous items around us connected to the world via WiFi or cell signal. Take the necessary precautions to ensure that you’re creating some form of cybersecurity around yourself, even in your home.
To learn more about compliance, risk, and managed security solutions for highly regulated industries, visit conquestcyber.com.
For more unconventional insights on cybersecurity and business, listen and subscribe to All the War They Want on Apple Podcasts, Spotify, or wherever you get your podcasts. You can also join the waitlist to be the first to get Jeff Engle’s new book All the War They Want.