Flashpoint Releases Inaugural “Business Risk Intelligence” Report on Cyberattacks

Here is one of my favorite one-sentence anecdotes: an elderly woman digging for scrap metal in the Republic of Georgia accidentally damaged an underground cable and cut off neighboring Armenia’s Internet access for five hours. That had happened in 2011. Now, pulling off a similar feat in the U.S., such as shutting off the power grid, would take more than slicing a cable. It would be an unprecedented and impressive cyberattack, but not impossible.

That an attack on our power grid can happen today and that we’re helpless to prevent it was more or less the thesis of a book that the American journalist Ted Koppel came out with two years ago. In Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, Koppel made the case that Russia, China and Iran already have the capability to launch such a cyberattack. (Here’s another great one-sentence story: researching the book supposedly drove Koppel to stock up on freeze-dried food.)

These days, the issue of cyberattacks features pretty prominently in public discourse, at least in the U.S. We speculate endlessly on whether Russia had interfered in the American presidential election. Why did C-SPAN suddenly start broadcasting RT? But this is all a long way of saying that cyberattacks are a hot topic. And it should be part of a company’s risk management agenda.

One of the “Dirty Dozen”

Cyber threats were #10 on our “Dirty Dozen” list of 12 supply chain and supplier risks to pay attention to in 2017, which Spend Matters presented on a recent webinar. (If you want to learn more about the other 11 risk areas on the Spend Matters “Dirty Dozen,” sign up here for the free webinar recording.) And it is the focus of a new report from Flashpoint, a New York-based intelligence firm of “white hat hackers” and “intel geeks” who comb through data from the Dark Web to monitor potential threats from “malicious insiders, hacktivist groups, nation state and cyber threat actors, and radical jihadists.”

Flashpoint uses a six-tier scale, adapted from the U.S. Department of Defense Science Board’s “Resilient Military Systems” report, to gauge threat capability. Tier 1 represents the lowest capability (“the cyber actor(s) possess extremely limited technical capabilities and largely make use of publicly-available attack tools and malware. Sensitive data supposedly leaked by the attackers are often linked back to previous breaches and publicly-available data”) and Tier 6 the highest (“nation-state-supported actors possessing the highest levels of technical sophistication reserved for only a select set of countries… utilizing the full breadth of capabilities available in cyber operations in concert with other elements of state power”).

A second scale gauges potential impact, from the negligible to moderate (some core business functions are disrupted, but critical assets and infrastructure are still functional) to catastrophic (“complete paralysis and/or destruction of critical systems and infrastructure”).

Tier-6 Threat Actors

A graph in the report shows which threat actors pose a risk to which verticals, as well as the “capability” and “potential impact” of each threat actor, using the aforementioned scales. The verticals in the Flashpoint report include financial services, retail, legal, tech and government. Flashpoint’s report is worth checking out for yourself, especially if your organization falls into one of those verticals.

For tech and financial services, for example, China and Russia are Tier-6 threat actors, with potential “catastrophic” impact. Flashpoint considers Russia “a highly active and effective actor in cyberspace and is capable and willing to carry out full-spectrum activities to meet its national objectives, including computer network attack and exploitation.”

China’s recently passed National Cybersecurity Law goes into effect in June, which will hold tech and finance companies to even more restrictions. However, there is a “tenuous consensus” in the intelligence community that Chinese threat actors have become less interested in commercial targets, pivoting instead to traditional espionage for political purposes.

Don’t Forget About the Little Guys

According to the report, “whereas cybercrime has traditionally targeted credit card and bank account holders and online shoppers, one of the most prominent trends in 2016 was a shift towards targeting of organizations themselves for financial gain.”

This was followed by a list of notable financially motivated cybercrime from last year, such as using SWIFT to defraud financial institutions and targeting elite law firms (including ones in Chicago, where Spend Matters is based) for confidential client information. Groups of hacktivists also carried out digital attacks against financial institutions last year to combat supposed corruption, but to much less overall impact.

What to Keep Your Eye On

Flashpoint suggests paying close attention to the following:

  • Evolving U.S.-China relations under the new U.S. administration
  • Potential Russian state-sponsored attacks against Western targets
  • Increasing popularity of Internet-of-Things (IoT) botnets such as Mirai
  • Jihadi cyber actors targeting small businesses with low website security

Share on Procurious

Discuss this:

Your email address will not be published. Required fields are marked *