Cyber Security via Cyber Criminology
By Chris Bullock and Ashley Ferguson – CI2A
CYBERSECURITY IS NOT JUST ABOUT TECHNOLOGY
CI2A consistently writes and speaks about how there is simply too much focus on Information Technology (IT) and not enough focus on cyber criminology in the cybersecurity industry. Using this philosophy, we have developed a proprietary framework that we deliver through our Executive/CISO Advisory Services as well as our cybercrime response, intelligence, and CyberVIP services. The over-focus on IT becomes obvious if one simply looks back at the debates that have developed over the history of the cybersecurity tradecraft. Debates over the past years include the following: “CISO does not have a seat at the Board table”, “CISO with a title but no authority”, “CISO with authority but no title”, “reporting structure musical chairs”, ad nauseam. Sitting in the CISO/CSO seats at various organizations, our team of cybersecurity executive leaders has reported into positions which included the CIO, CTO, CCO, CRO, and General Counsel. All of this reflects that social science components are hard at work in the cybersecurity tradecraft. Unfortunately, CISOs and cybersecurity practitioners have been wrongfully fused into the false persona that they are just another arm of information technology. We as CISOs have even been hypnotized to believe this ourselves in some cases. We have observed several CISOs speak at events and pound the podium that CISOs have to be uber technical. Wrong! I will caveat this statement with the fact that a CISO certainly must hold a sufficient level of technical acumen, but they don’t have to be able to write code, as one example. This is why organizations are, and continue to be, a step behind the attackers.
GOOD CYBERSECURITY DEFENSE REQUIRES CRIMINOLOGICAL SKILLS
There was a time when technology crimes were about technology, and the typical “hackers” were mostly super-smart computer technology buffs who were so intrigued with how technology functioned, how easily exploitable it was, and how unlikely it was for them to be caught that they couldn’t help themselves. Their motives were not necessarily nefarious or criminal. We are certainly not making excuses for their illegal activities, but there is a very important point here. The motive and intent of the actor and the profile of the victim the actor chooses are very important elements that must be taken into account for effective cybersecurity. Cybercrime at its roots is the use of technology to commit crimes. The crimes being committed are now both traditional crimes and new types of crime that simply could not be committed without the use of technology. Compared to decades past, the actor is now less the typical hacker and more the typical criminal. The point is that, if the earlier computer-related crimes were primarily innocuous, that is no longer the case, because the criminal elements within society have seized the opportunity to make use of technology to commit traditional and new crimes for varying motives. We also know that laws and regulatory agencies have been trying to keep pace with technology that is moving rapidly. These rapid technology developments, however good and beneficial when used legally, are also being exploited in criminal circles as quickly as they emerge. Cybersecurity not only involves understanding how to segment a network properly or secure applications against exploits; it also involves legal consequences, human behavioral trends, organizational behavioral culture and traits, along with very specific technology offense and defense strategies. It involves the ability to create and maintain a strong and court-defensible chain of custody.
It involves the ability to use intelligence-gathering techniques to locate digital forensics artifacts to determine what happened and how to quickly triage it. To be an effective CISO, we must be able to employ hard-science technical skills along with soft-science skills, and those soft-science skills must include an understanding of criminals and of our organization’s place and traits as a potential victim of cybercrime. Yes, organizations have a victimology profile just as individuals have victimology profiles. Why would the organization be targeted for a cyber-attack, who would target the organization, what victimological appeal does the organization possess, and what are the victimology-based traits of the individuals within the organization? We know that poor individual behavior relative to password habits, clicking habits, gossip habits, and others can uniquely expose an organization to cybercrime, just as we know that the very fact of being an employee of an organization that is a major target for cybercriminals, such as a financial institution, can expose us personally to becoming a target of modular criminality. CI2A refers to this as Cross Technological Reciprocated Indication Behavioral Exposure or X-TRIBE™.
THE GHOSTS OF CISOS PAST
Having spent over two decades as sitting Chief Information Security Officers and/or Chief Security Officers across many organizations, building successful programs from birth to maturity, we have studied the trends within the CISO position. CISOs continue to be burdened with the reporting structure quandary. They continue to be burdened with the title, no title squeeze. They are still burdened with the small budget predicament. Finally, they are burdened with politics as usual, and the stereotype that they are simply another area of Information Technology (IT). Unfortunately, the CISO has followed along with this because it is difficult to break out of an age-old tradition. Many CISOs originate from IT positions. Few CISOs originate from a legal or crime enforcement background. Organizations do not understand that the prevention of and response to cybercrime is not all about information technology and involves components that include legal, privacy, criminology, victimology, and criminal intelligence. This has led to the leader of the organization’s top cybersecurity program being put in a bad position where their budget and top-down support are immediately associated with a percentage of a small percentage of the organization’s IT budget. Although good strides have been made to associate cybersecurity with risk, and many programs now appropriately use a “risk-based” approach, the bright-line connection to cybercrime still lingers in an abysmal location, waiting for that critical connection to crime to be made. The risk we are speaking of is the risk of becoming a victim of cybercrime, whether at the individual level or the organizational level, and the associated cross exposure.
INTELLIGENCE PROVIDES THE PICTURE
We often get asked how a particular industry is doing with regard to cybersecurity practices. That question is on the right path to being a very relevant one, and it starts to make the connection between cyber criminology and cybersecurity. Industries themselves have cyber victimology traits. Our unique experience as cybercrime protection, response, and prevention specialists has given us deep insight into this through many of the unique cases and engagements we have been called upon to assist with. As we handle high-notoriety individuals’ CyberVIP™ protection along with full engagement Executive Advisory and Advisory CISO positions for our clients, we see the unique victimological exposures to cybercrime. We also see the weaknesses that come together from the individual level and organizational level and cross-expose one another. Consider a case that may involve an animal by-products organization that is suffering both physical and cyber-attacks from various animal rights activist groups that have crossed into the realm of committing crimes. Many of these groups have a cyber presence as well as a physical presence, meaning they attack on both fronts. The organization in this case has unique victimological exposures, and the group(s) attacking it have unique tactics, techniques, and procedures (“TTPs”) and modus operandi they use to attack. The organization and the executives cross-expose one another to criminal activity, and particularly cybercriminal activity. Another great example of industry-level cyber victimological profiling is the latest threats from Iran due to political and military activity that took place between the United States and Iran. Security notices and intelligence briefs have been disseminated reflecting that specific industries have been targeted by Iranian cyber actor groups in a new campaign referred to as the “Fox Kitten Campaign”.
The specific victim industries targeted include Telecommunication, Oil and Gas, Aviation, Government, and Security sectors around the world. These are victim industries the Iranian group credits with providing them the loudest press exposure and the most damage to the U.S. economy and government that their cyber-attacks can cause. Enter the cyber victimological profile. The technological and human behavioral exposures of organizations within these targeted industries will be the foundations of these groups’ attack success or failure. CI2A has created the CI2A Cybercrime Triangle™, which further illustrates these somewhat traditional criminological concepts now being brought to light and practice within cybersecurity by our firm.
BRINGING IT ALL TOGETHER
In conclusion, the cybersecurity industry is still in a very infantile state. The industry must mature to realize that the cross exposure between the individual and organizational levels, which results in attackers being successful or unsuccessful, is much more significant than is currently realized within the cybersecurity industry. This exposure involves components of technology, social science, legal, and privacy. In understanding this, the industry must become more centered between technology and criminological practices and stop placing all of the emphasis on a pure Information Technology (IT) approach. There are multiple sciences and multiple disciplines required to effectively protect organizations and individuals from cybercrime. CISOs, CSOs, CIOs, CCOs, CROs, CLOs, and CPOs must work together to effectively address cybersecurity risks and overall prevention, protection, and response to cybercrime. Also, the shortage of superb talent that has plagued and continues to plague the cybersecurity industry can be alleviated by looking to talented individuals not just within the technology sector but also from within the soft science and legal sectors.