- Recent attacks signal a new ‘attacktivism’ era, in which cyberattackers seek to destroy target businesses.
- To survive an attack, at-risk enterprises must conduct advance cybersecurity, business continuity and disaster recovery planning.
Just a few months ago, the November 2014 cyberattack against Sony Pictures Entertainment (SPE) seemed like a one-of-a-kind event. This attack was perpetrated by an alleged state-sponsored group that gained unauthorized remote access to SPE’s computer network, obtaining and publicly releasing many terabytes worth of sensitive intellectual property, including executive emails, employee information, salary spreadsheets, sales tallies and even unreleased motion pictures. The attackers also used “wiper” malware to destroy more than 3,000 computers and 800 servers, a crippling move that placed SPE’s survival in jeopardy.
Recent events have proven that the SPE attack was no anomaly; it was an explosive beginning to a new era of attacktivism, in which savvy, highly motivated cyberattackers target specific enterprises to embarrass them, financially destabilize them, and ultimately destroy them.
It’s a harrowing prospect. To date, cyberattacks against enterprises have been largely motivated by money: attackers seek to profit by stealing payment data or personal information, intellectual property or trade secrets. Occasionally hacktivists would deface a company’s website or compromise its Twitter feed, merely to gain attention or prove a point.
Yet attacktivism is very real, as demonstrated by the SPE attack and two other recent incidents. Earlier this month Italian surveillance software firm Hacking Team was maliciously infiltrated; attackers spilled 400 GB worth of its secrets all over the Internet, drawing attention to its dubious research and the disreputable international governments on its client list. It’s unclear if Hacking Team will be able to recover from the event. Just this week, online dating (or cheating) website Ashley Madison was hacked, with the alleged attackers threatening to reveal the identities, payment data and sexual fantasies of its 37 million customers if the company doesn’t shut itself down.
As a result of these attacks, all three companies were essentially rendered helpless. The value of their intellectual property was immediately and substantially diminished, the reputations of their leaders and customers tarnished, and in the case of Sony, even its capability to conduct basic business functions like sending emails and processing payroll was decimated – all to satisfy the attackers’ personal agendas.
Unlike with run-of-the-mill data breaches, no cyber clean-up squad and no amount of money can undo the damage inflicted by such an attack. More than with any other type of cyberattack, the survival of organizations targeted by attacktivism will depend on cybersecurity, business continuity and disaster recovery planning carried out well in advance of an incident.
What should an enterprise do to prepare? First, it must assess its risk posture. What would happen in the event of an attack similar to the ones mentioned above? How would it respond, what would it cost and could the company survive? Group tabletop incident response exercises help tremendously in answering these questions. Next, it should ask whether it has made enemies or fostered ill will due to the nature of its industry or business activities, the conduct of its leaders, or the customers it serves. Think about what law enforcement agencies would want to know during an investigation. Then assess security controls to ensure the worst-case scenario is a difficult objective for attackers to pull off. Finally, document all of this in an attacktivism defense plan; if the risk is high, make sure top corporate leaders understand why and how it’s being mitigated.
Attacktivism has proven successful, which is why it will continue, against enterprises and, soon, individuals as well. Those entities that understand the risk and prepare in advance have the best chance to survive.