Last Updated on January 15, 2024
It’s often said, “Denial is the longest river in the world.” If you still think financially motivated hackers aren’t interested in stealing your org’s assets, you’re on the glass-bottomed boat tour of denial. And cyber crocs are heading your way.
The good news is, after checking out a recent episode of The Virtual CISO Podcast with cyber threat intelligence expert Raveed Laeb, VP of Product Development at Kela, you’re sure to see how wrong you’ve been.
Nobody is not a target
When hackers look at exploiting an organization, they think about turning something that org has into money for them.
“Hackers care about assets you have that they can monetize,” states Raveed. “And each and every one of us has something that can be monetized.”
That could include everything from intellectual property to customer data to user credentials to cloud servers to printers to remote cameras, and a lot more besides.
Attacks are opportunistic
Another reason every org is a target is that a large percentage of attacks are what Raveed calls “opportunistic.” Hackers are prospecting for vulnerabilities by automated means. It’s not about your company profile.
“There are many, many cyber criminals that have scanners running perpetually on every new vuln that comes out,” Raveed relates. “They’re like, ‘Hey, there’s a Joomla admin access vuln. Okay, let me set my scanner. Let me go to sleep. Let me wake up in the morning. Oh, I’ve got 50 potential targets.’ And the fact that it’s your organization, they have no idea. They weren’t after your organization. But once they gain that access, now the question is how are they going to monetize the access in some way?”
Host John Verry, Pivot Point Security CISO and Managing Partner, has seen some interesting assets get monetized.
“We’ve seen things like open Amazon S3 buckets where they were sharing pornographic materials that they don’t want to put on their hosts because it puts them at risk,” recalls John. “But it’s putting you at significant risk. Then there’s the challenge where if you have someone compromise a server that you have sitting in Amazon or Azure, and they’re starting to hammer the hell out of that server… I’ve seen clients ring up some quite big bills with compromised [cloud] servers.”
Not a zero-sum game
A former Israeli Defense Force intelligence officer, Raveed isn’t afraid to wax philosophical on cybercrime.
“The relationship between defenders and attackers is not a zero-sum game,” observes Raveed. “Intuitively we think about being attacked as, ‘Someone is reaching out to my vault and taking my money and the money that I lose is the same amount of money that the bad person in the internet gets.’ And that is not the case at all.”
Raveed cites the cybercrime business model where legit orgs’ mail servers are used to propagate spam. This isn’t costing the compromised organization that much directly, except in incident response activities, server cycles, etc. But what the hacker is monetizing—and also threatening—is the hacked firm’s reputation.
“Even the smallest organizations that have a very small website on the internet, they still have reputation in one way or another that can also be exploited and used to make money for bad guys should it be compromised,” explains Raveed.
What’s next?
To enjoy this podcast episode with cyber threat intelligence expert Raveed Laeb in its entirety, click here.
Here’s a great question every org needs to answer: How Much of Your Attack Surface is Beyond Your Visibility?