Enterprise cybersecurity programs may have something to learn from an unlikely source—the humble sea slug.
While nature metaphors can border on trite, the behaviors of predator and prey, their hunting strategies and evasion tactics in the wild do provide valuable parallels for the ever-changing cyber risk space. Enter, the sea slug—or more specifically, the Nudibranch.
When Nudibranchs hunt, they leverage a clever strategy. The small but cunning sea slug waits to consume its prey, until after it has eaten its own prey. In doing so, the Nudibranch receives a 2-for-1 special – its prey plus the prey’s dinner. Marine biologists classify this strategy as Kleptopredation – a method of hunting perhaps unique to the ocean world yet increasingly familiar to “hunters” in the cybersecurity domain.
In the business world, enterprises are vulnerable to this same attack strategy during periods of internal change or growth. Organizations depend on a metaphorical “food chain” of data wherein new “meals” are taken at regular intervals. “Data meals” range from byte-size snacks, like onboarding a new client or vendor replete with third-party data into an environment, or a hearty “meal” of fresh intellectual property data, all the way up to “data feasts” consumed in the form of a merger or acquisition.
Notably, even re-integrating an employee base, and their IT equipment, back into a physical office environment after a prolonged period of work-from-home could also present its own form of “data meal.”
Savvy hackers who design and orchestrate targeted cyber-attacks against specific companies—as opposed to arbitrary, open-ended campaigns against whatever victim happens to be vulnerable—can keep an eye on a target’s “data meals” to time and plan their attack, essentially practicing digital Kleptopredation. The type of hacker in consideration here is one that is interested in obtaining, or exfiltrating, sensitive data, for which they may find value in and of itself (eg. Intellectual Property, non-public financial information, PII to sell on the black market, etc.).
For such an attacker, a target that has just acquired another target represents double the prize for no additional amount of effort. Furthermore, in the context of third-parties, like suppliers or vendors, that are regularly “feeding” from multiple data sources at the same time, the potential reward for a single hunt is even greater!
For instance, given the fact that a single Managed Service Provider (MSP) may service a large number of clients, malicious actors may deliberately target these companies so that they can leverage the same vector to carry out attacks at scale and harm numerous other organizations.
Understanding Kleptopredation allows organizations to identify key moments of vulnerability, but in order to adequately protect themselves, they must explicitly and proactively include security considerations in business decision-making. Two ways to accomplish this are by prioritizing Gap and Risk assessments ahead of vulnerable moments.
A Gap assessment’s purview is programmatic and focuses on the differences between a current and target state, typically in the context of a significant change in the enterprise structure. In scope for this evaluation are network and systems security, operations security and continuous monitoring, third-party dependencies, training and awareness, authentication security and access control, together with governance, risk and compliance. Combined, these factors inform business leaders on whether they have the appropriate program capabilities as they move the enterprise into dangerous waters.
Without first understanding a firm’s internal capabilities, and how these might change given a firmwide structural shift, security and business leaders cannot hope to ward off cyber assailants seeking to take advantage of that shift.
In parallel, a cyber Risk assessment begins by identifying IT assets that could be harmed by a cyber-attack and then evaluates the relevance and severity of the risks against those assets and the organization as a whole. “Who exactly are the threat actors we should worry about and what specifically would they target?” “How would they attack us?” “How much damage could they cause?” are the types of questions this assessment can help answer.
In the context of a kleptopredation scenario, a cyber Risk assessment is essential for getting ahead of the granular-level tactics, techniques and procedures an attacker might employ against their target.
Too often, security offices are left out of business-side decision-making processes and forced to play catch-up after the fact. This is precisely what cyber attackers count on!
Hydrozoa may not be savvy enough to outsmart sea slugs, but an enterprise that maintains a proactive, assessment-driven cybersecurity posture can successfully navigate around the Kleptopredators of the cyber realm.