People will always be the weakest link in the battle to protect corporate information and data from attackers. Organisations have been the target of ‘electronic espionage’ for as long as information has been held in data format. As business becomes dependent on technology to process, store, transmit and manage information, electronic forms of espionage have sky rocketed.
Over the past ten years, the internet has kept its appeal as a low risk and anonymous forum for perpetrating espionage attacks against corporations and governments across the globe. As the capabilities of security technology improve, hackers are now targeting individuals to get at the electronic information they want – this raises an intriguing mix of problems and issues for today’s corporate security managers
Where are we now?
Attacks on businesses are increasingly being committed with a similar modus operandi to corporate espionage carried out by foreign states and state sponsored attackers. With the emergence of global markets and global competition, businesses are now the target of espionage, carried out by competing businesses, states or state-sponsored businesses.
In recent years, espionage attacks on private and public sector business have been a dominant feature in the news covering a broad range of subjects from technology houses losing prototype phones to electronic espionage networks dubbed ‘Ghost-Net’, reported to have penetrated the networks of hundreds of organisations worldwide. All of these have raised the profile of espionage to new heights, forcing public and private sector organisations to question whether their most critical information assets are adequately protected from espionage.
Many people assume the threat of espionage has disappeared, however the Director General of MI5 once said that there were more foreign intelligence officers operating in London now than at any time since the end of the Cold war. With the emergence of global markets and global competition, espionage has evolved.
Most businesses assume that espionage is a threat that does not fit on their risk register. They believe that espionage is about stealing state secrets, information about foreign policy, defense or military research; however this is no longer the case.
Espionage may involve covert techniques and sophisticated types of technical and non-technical attacks and as the availability of business and commercial information online increases, this becomes far easier. Attackers can identify particular networks, computers or individuals, often through aggregating numerous disparate pieces of information to target their attacks.
Businesses cannot manage the threat of espionage accurately without understanding the extent of the potential threat they face. As the number of organisations that have been financially impacted by espionage grows, the need to address it becomes ever more acute. Counter-espionage is about identifying the vulnerabilities that might be exploited by a competitor and putting in place the relevant controls to mitigate those risks.
Who’s a target?
Organisations supporting Critical National Infrastructure (CNI) such as water, gas, electricity, financial services and telecommunications are by nature of their national importance at risk from foreign state sponsored espionage, such as Stuxnet, which has now found its way onto the black market.
It is important for industries and organisations with high value intellectual property to understand the risks they face. Espionage succeeds by exploiting deficiencies in physical, logical or personnel security controls. Identifying viable ‘attack vectors’ to use for espionage may be a relatively long term process but in many ways, the most valuable and effective attack vector for an attacker is a person.
People have characteristics that can make them particularly vulnerable and useful to those who want to carry out attacks. The motivation of people who abuse their access to provide confidential information to business competitors is complex and varied; however
Insider knowledge and access can increase the impact of an attack significantly even where the role of the attack vector is only one of facilitation, for example, a cyber attack.
Many types of electronic espionage attacks involve software programs and tools designed to provide an attacker with the capability to gain access to sensitive information. If the stakes are high enough, an adversary will invest time and effort in developing specifically built and coded attack software designed to exploit vulnerabilities in the applications or networks used by their targets. These attacks are unlikely to be detected by commercial anti-malware tools and help ensure that the attackers are able to access information without raising the suspicion of the target.
There are occasions when electronic espionage does not succeed and attackers may need to combine technical and non-technical techniques to carry out espionage. For example, an attacker may target human sources to unwittingly plant spyware or provide confidential technical information to source top secret product designs through existing network security controls. This range of techniques gives the adversary a distinct advantage in targeting organisations that still segregate their physical, IT and information security activities.
Human sources such as disgruntled employees or low wage, temporary staff – who perhaps have less loyalty to their employer – are also more easily convinced to obtain confidential documents as part of elaborate attacks that they may not be fully aware of.
How it’s done
The cultivation of human sources begins with a planned acquaintance with the target, which the adversary will try to make appear as normal as possible. There have been espionage cases in the past where cultivation and recruitment of the target has taken place over a matter of weeks, months and in some cases, years. Through any means necessary, the target will be cultivated and prepared for their role as an agent of espionage.
There have been other cases where the process has been much quicker; “cyber recruitment”, can be almost instantaneous. In some instances the targets might not even be aware that they have been exploited and may become an ‘unconscious’ agent for an attacker. This process takes time, meticulous planning and skill but once ready to assume the role, the human source can provide a rich and versatile source of information and intelligence whether they are ‘conscious’ or ‘unconscious’ of their role.
A typical example would be:
“You are attending an industry conference overseas as a key member of the research team for a large technology company. During the trip you meet an old colleague that you know personally and hold in high regard. At the conference, your colleague introduces you to a friend who shares similar technology interests and is very flattering with respect to your published work. Over the duration of the event, you get to know him well and he is keen to learn more about your technology research at work.”
Question: How can you tell a normal business introduction from premeditated espionage?
For espionage an introduction to the target is often sought through someone with direct access to the target – an access agent – such as the mutual friend cited in the example above. It is far more likely that the target in this example would trust a friend of a colleague more than a complete stranger.
How to avoid it
In a downward market, when employment prospects may be uncertain or rewards less substantial, the risk from insiders being involved in an attack increases if personal income may be under threat. Employees are far more likely to accept cash bribes or gifts as part of a cultivation process. Once proprietary information is in the hands of a competitor, it becomes very easy for them to start eating away at a rival’s profit.
The Achilles heel for most organisations is the network printer, most corporate security systems are rendered useless once a user sends a document containing trade secrets to the network printer where anyone can walk past and pick up the documents before the authorised user.
Employment vetting is arguably the most popular way for organisations to mitigate against insider threats. A detailed employment screening and psychometric profile may help to identify personality traits that suggest an employee is susceptible to cultivation. In the majority of cases however, vetting activities are limited to only basic security checks; conditions for a new employment contract rather than an ongoing requisite for employment.
Aside from vetting, many organisations choose to instate segregation of duty controls that require two or more employees to complete a business task. Whilst this may increase the administrative burden, these types of controls can make it significantly harder for an attacker, by requiring the complicity of two or potentially three people. Whistle blowing procedures are also commonly used in large organisations to detect insider threats.
Clear and concise security policies that are accurately aligned to an organisation’s security risks should underpin all efforts to effectively manage against insider threats and attacks to exploit an organisation’s personnel. Together, with a strong organisational security culture, education, thorough background checks and after care, organisations can develop an effective risk management programme to counter insider and other types of adversarial attacks.