Recently, we released our APT1 report, which focuses on the most prolific cyber espionage group Mandiant tracks. The report generated a great deal of awareness around targeted attacks. Phillip Ferraro, chief information security officer (CISO) for DRS Defense Solutions, recently wrote an article in SC Magazine responding to the report, stating, "Every CEO, C-level executive and board member must know and understand this risk. Too many businesses are of the opinion that only government organizations or defense contractors are at risk of being targeted by an APT." Ferraro gave us permission to reprint his article on M-Unition.
Almost every week we read in the news about another organization that has been hacked. Cyber espionage is at an all-time high, and businesses across the United States are being targeted and breached. Many of these attacks are nation-state sponsored or otherwise known as advanced persistent threat (APT). However, organized crime and other hacker groups are also responsible for many of these attacks. Their goal is simple: Breach an organization and steal its intellectual property, trade secrets and other business sensitive information to gain economic advantage.
In February, security firm Mandiant released a 60-plus page report detailing its investigations over a six-year period into an extensive cyber espionage campaign conducted by one of the many APT threat organizations inside China. This one particular group, which the firm identified as APT1, allegedly stole hundreds of terabytes of data from at least 141 organizations across 20 industries worldwide since 2006. The point here is very obvious. If your business is connected to the internet, you are at risk. Every CEO, C-level executive and board member must know and understand this risk. Too many businesses are of the opinion that only government organizations or defense contractors are at risk of being targeted by an APT. In fact, it is the modus operandi of APT operators to go after smaller vendors in the belief that their security posture is lower, making them an easier target to breach and then use as a pivot point to reach a larger organization. This was the strategy used against security organization RSA. One of its smaller supply chain vendors was breached. The attackers then sent an email attachment with malware from inside the breached organization to RSA, consequently infecting the security firm. But, even in this example, RSA was not the final target. It too was merely a pivot point used to breach a much larger defense contractor.
CSOs and CISOs must fully understand the threat and the method of operations of these malicious actors. It is extremely important that they educate the executives of their organization on these threats. When presenting to the C-level management or to board members, the CSO/CISO must keep in mind that cyber security is not an IT function. Rather it is a business function. The threat must be explained in terms of the impact that it can have on the business. Not only can the cost of containment and mitigation of a breach be extremely expensive, but the loss of intellectual property, trade secrets, sensitive business information, and years of R&D work, not to mention brand or reputational damage, can put an organization out of business.
About Phillip Ferraro: In his role as Chief Information Security Officer (CISO) for DRS Defense Solutions, Ferraro is responsible for all aspects of the cybersecurity program, including development of corporate strategic and tactical plans and policies, as well as compliance with the Defense Security Service National Industrial Security Program (NISPOM) Information Security requirements, and represents DRS on the Defense Industrial Base.