Advice to CISOs: Know Your Enemy

From my first days as a private in the Army so many years ago, it was drummed into me that I needed to “know the enemy.” At that time, my platoon was regularly shown photographs and movies that depicted Soviet and Warsaw Pact soldiers in various states of fierceness. I have memories of the visions of hordes of burly soldiers in Soviet uniforms bounding through the snow and doing aggressive maneuvers. Our unit spent countless hours studying Soviet equipment, identifying tanks and aircraft, and delving into minutiae like a Soviet soldier’s daily routine and diet. Yes—we knew our enemy.

As my military service progressed, I became an intelligence officer, and I made a career out of knowing the enemy. From the fall of the Berlin Wall and beyond, that enemy took on many profiles—from terrorists to rogue states to the Chinese horde. Our intelligence community spent incredible sums of money collecting intelligence and building detailed profiles of the various groups that could harm the United States. The profiles were used to develop new weapons and strategies to counter these threats. Think satellites, drones, special forces units, and the like.

Although I had several computer security roles in the military, I pivoted to commercially focused cybersecurity more than two decades ago. I constantly heard the terms “hackers” and “cybercriminals,” but when I asked my peers who these people were, I was provided high-level descriptions like “Eastern European hackers, Asian cybercriminals, or Russian organized crime.” This did not satisfy my curiosity; I needed to know the enemy. As I progressed into senior consulting roles, I was amazed to see how little senior executives knew about the people trying to steal their companies’ critical data or disrupt their business operations. They only knew about the nebulous “hacker.” In my opinion it can be quite a challenge to convince senior executives to spend money on cyber defenses or on ways to counter such an obscure enemy. But I’ve had relative success in recent years personalizing the threat using individual hacker profiles.

Knowing one’s enemy is by no means a new concept. In “The Art of War,” reportedly written in the sixth century, Chinese General Sun Tzu wrote, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

So, who are today’s hackers? Cyber intelligence companies tend to put hackers into groups with alluring names like “Fancy Bear” and “Stone Panda.” But this still does not reveal much about the motivation and psyche of the individual bent on digital mayhem. I like to use Russian hacker Evgeniy Bogachev as my boogeyman when I speak to executives. He’s dubbed the world's most wanted cybercriminal, and he’s a supervillain straight out of a Bond movie.

He wears leopard print pajamas, has a rare Bengal cat and a collection of luxury cars. He spends a lot of time in his mansion in the town of Anapa in southern Russia or cruising the Black Sea in his yacht. Bogachev is the man behind the infamous GameOver ZeuS malware. ZeuS is credited with infecting more than 1 million computers and causing an estimated US$100 million in financial losses. Bogachev and his team siphoned millions of dollars from victims' bank accounts, and for this he has a US$3 million bounty on his head from the U.S. government. The 33-year-old has been indicted in the United States, and the FBI is watching his every move with the intention of pouncing on him if he ever sets foot outside Russian territory. There are many outrageous photos of Bogachev on the internet, including one of him in his pajamas holding his rare cat. Evgeniy Bogachev and a growing number of cybercriminals are your enemy.

Take a good look at Bogachev’s history of hacking and peer into his eyes. More importantly, show his photo to your executives so they can put a name to the faceless hacker. This is the first step to personalizing the threat and to knowing your enemy. It may just make your budget discussions easier.

Source: FBI.com