When it comes to the cyberthreat environment, Che Bhatia, vice president at Aon Cyber Solutions, Stroz Friedberg, says he’s seeing some common themes.
Primarily, he says there’s been an increase in the sophistication of attackers. These bad actors are paying attention to the thought leadership and security recommendations cybersecurity firms are making, and that’s helping to evolve the threat landscape.
“As a result, the attackers are constantly increasing their sophistication to ensure that the attack that they're going to conduct is going to be successful,” Bhatia says. “They are becoming more creative. They're becoming more thoughtful. And they're evolving their business model.”
While it may sound strange to call what these attackers are doing a “business model,” Bhatia says their strategies are similar to how businesses constantly update their models and plans to adjust to the external market conditions.
Additionally, Bhatia is increasingly seeing repeat attacks on a single organization. After a company has dealt with a ransomware or a business email compromise attack and there's not proper remediation after the fact, the attackers tend to re-attack because they were never really eliminated as a threat.
Bhatia says another trend is that industries that are less regulated — that don’t have stringent compliance or regulations — are more likely to be targeted. Construction and manufacturing businesses, for example, are being targeted because they don't have a lot of the controls more regulated organizations have.
“And so if an attacker can bring disruption to a manufacturing-type organization for days and they can't manufacture, that could be a very bad thing,” Bhatia says. “The leadership team is going to succumb to paying.”
What business leaders might not understand is that attackers hide within an organization for weeks if not months before an attack in order to conduct recon.
“They are gathering victim-host information,” he says. “They're scanning. They're looking to see what they can find on the public internets. They are fishing for information. They're searching the organization's publicly facing website in addition to many other resources. Then they are figuring out how they're going to determine initial access into the organization.”
Once the attacker finds a way in — exploiting a vulnerability within an application, in the supply chain — they determine the best way to attack. They could create accounts or browser extensions, and maintain an opening that allows them to get in and out as need be. With this access, they study the defenses within the company. They want to understand if it has a firewall, endpoint detection and response technologies so they can figure out how to evade them. Then, Bhatia says, they move laterally into the organization, building out command and control capabilities that they leverage to exfiltrate data or intellectual property.
“In order to do all of this, they're taking their time, low and slow, slow and steady,” he says. “Once they have a really good understanding of the topology of the organization, they understand that they've been successful in compromising the backups and everything, that's when they hit the red button.”
Bhatia, along with Aon’s William Shortt and Kathy Weaver, and KeyBank’s Gregg Bach and Christopher Naso, spoke at the recent Detroit Smart Business Dealmakers Conference about cybersecurity and its impact on M&A. Hit play on the video above to catch the full panel discussion.
