How the justice system deals with cybercrime is still relatively new and finding its footing. How cybercriminals are leveraging the legal system is relatively new, too.
Imagine a world where your organization gets hacked, and then, to add insult to injury, gets reported by the hackers for being out of compliance. Well, you don’t have to imagine too hard because those days are upon us. While the federal government is making its first forays into cyber protection – in 2022, Congress ordered the US Department of Justice to develop categories of cybercrime so that agencies have a shared language to classify malicious incidents – it seems that threat actors are hot on their tail, using the law to their own advantage and wielding it like a club against anyone who doesn’t want to pay a ransom.
It’s a complicated new world, and we’ll go over a few examples that help illustrate the point. But the broader point is this; instead of waiting for zero lag time from the legal system, companies would be best served putting up an immutable first line of defense against attackers now, by knowing how to craft the perfect offensive security strategy.
It seems we’ve been fighting cybercrime in back alleys for too long. Legal redress has always been an option, and the security community is now readier than ever to use it.
When a healthcare organization was breached by a ransomware group, they fought back. Even though they knew the anonymous criminal members would never step up to the complaint, the tactic nonetheless worked, and the cloud storage provider used to stash the stolen data was obliged to return the data, which they agreed to do voluntarily.
In similar fashion, the legal system is being used to come down hard on cybercriminals who have gotten away with blatant copyright theft for too long. When cybercriminals tried to spoof Google’s Bard, telling users they could download the generative AI tool and giving them malware instead, the tech titan took legal action and filed a lawsuit against two separate groups. The result could be precedent-setting: “If this is successful, it will serve as a deterrent and provide a clear mechanism for preventing similar scams in the future,” Google stated in a blog post
While this is encouraging, the nonbiased eye of the law sees both sides. Realizing this, hackers may be the most adept of all at taking advantage of it.
Compliance officers may have a new, and uninvited, team of assistants. As new Securities and Exchange Commission (SEC) rules require companies to report cyber incidents with a “material impact” on stakeholders within four days, cyber group are spotting opportunity and a larger saber to rattle at reticent payees. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” noted SEC Chair Gary Gensler in the announcement’s press release. When it comes to what qualifies, it seems organized crime groups are “erring on the side of caution.”
For instance, a ransomware group took the liberty of reporting one of its recent victims to the SEC after illegally infiltrating its systems and causing a data breach. When the organization refused to play ball, the malicious actors took to the legal system, neatly filing a complaint using Form 8K, under item 1.05. And then they posted it to X (formerly Twitter). What a sudden sense of civic duty!
Jokes aside, this really was a jolt to the cybersecurity community. Not only could these rules become an unintended weapon against soon-to-be ransomware victims, experts have pointed out that this unique use of the SEC rules could open the door to additional unforeseen exploitation of other legal measures.
With a newfound tactic for digital coercion, organizations are under more pressure than ever to comply with the demands of ransomware groups. Even if organizations disclose a data breach and refuse to pay the ransom, they may face legal action from their own customers. However, as has been illustrated, legal routes can also be successful at easing the pain of a cyberattack, and even putting some of the pieces back into place. But wouldn’t it be nice if companies could just avoid all the hassle in the first place?
Organizations can do just that by putting proactive security measures into place before it’s too late, building out an offensive security strategy that takes the fight to them.
Vulnerability Management software continually identifies weak spots within operating systems, software and/or hardware element so hackers can’t find an easy way in. By routinely running automated scans, organizations can ensure they prioritize critical, exploitable vulnerabilities that may provide access to sensitive data or assets.
While vulnerability scans provide a valuable picture of what potential security weaknesses are present, penetration testing software or services can add additional context by seeing if the vulnerabilities could be leveraged to gain access within your environment. Penetration testing uses the same techniques as attackers to determine which risks are the most prescient, identifying the attack paths threat actors are most likely to take. Nowadays, people want to know what a hacker sees before the hacker does. Consequently, pen testing is on the rise—the global penetration testing market is set to clear $5 billion by 2031.
Red teaming is a full-scale simulation puts your defensive controls and team to the test. It’s one thing to know in theory that your defenses are up to par; it’s another to see your team, your systems, your security stack, and your investments working in tandem to bat down an all-out attack in real time – or not. No matter the result, an experienced team with an effective toolset and the right mindset will ensure that a blue team walks with a better understanding of what it takes to protect their infrastructure. This way, organizations are well informed to make improvements so that your security team is equipped with experience and bolstered defenses when a real-world attacker inevitably strikes.
As the old poem goes, “If the cliff we will fence, we might almost dispense with the ambulance down in the valley.” The legal system exists and works when things go awry. It takes a lot of heaving and pulling, hours in litigations and somewhere in the ballpark of $600,000 to $3 million for a corporate lawsuit, but eventually and often, the truth does win out. However, companies can spare themselves a lot of time, headaches and PR costs by investing in proactive security solutions that can block attackers at the door. Now, isn’t that easier?