Recent landmark security breaches across industries like telecom and healthcare have shown us that threat actors don’t discriminate when identifying victims. Rather, they tailor their tactics based on industry characteristics for optimized results.
It’s easy to look at these breaches as a whole rather than individual events, but this is a mistake. While threat actors’ motivations are expected to stay fairly constant — over 80% of external threat actors are financially motivated — the tactics used to achieve these end goals will always change. Notably, it will depend on the target industry’s particular characteristics and weak points.
Every industry has its own threat landscape and exploitable vulnerabilities, and understanding the specifics of individual threat landscapes is critical to prevent future and potentially devastating breaches.
Let’s dive into what industry-specific nuances look like and how organizations can protect themselves.
Threat Actor Motivations Stay Constant Across Industries
At their core, similar things motivate threat actors: financial gain, havoc, and, of course, recognition as the hacking group of the year. Attackers therefore typically search for what they can exploit to make a profit, such as personally identifiable information (PII) and company intellectual property (IP). They also look for specific industries where an attack will cause severe disruption and panic, creating a moment that they can further exploit for greater gains.
When it comes to fulfilling these baseline goals, attackers rely on common tactics. These fundamental strategies include phishing, ransomware, credential theft, distributed denial-of-service (DDoS), malware, and zero-day exploits, to name a few. These standard practices with proven success allow threat actors to avoid reinventing the wheel each time they intend to attack, saving them time, money, and resources that can instead be used to launch campaigns on additional targets. Threat actors can then tailor these methods to exploit common points of weakness in the target’s industry, increasing the likelihood of success.
Tactics Vary Based on Industry
Higher-value information comes from certain industries and organizations, which makes them especially lucrative. This is why we see high volumes of attacks on industries like healthcare, financial services, and retail.
That said, not all attacks are created equal. For example:
- The healthcare industry relies on legacy and outdated systems that lack built-in defenses against the latest threat actor tactics.
- Flimsy identity and access management (IAM) policies within the financial sector leave potential gaps for threat actors to access sensitive account information.
- The retail industry has many endpoints that carry out transactions. While you can update those endpoints with built-in defenses, you’ll have to protect a wide attack surface. This leaves potential gaps in infrastructure.
These are just a few of countless examples of how threat actors exploit industry-specific vulnerabilities. Security leaders must ascertain the security drawbacks within their own industries, how those drawbacks may compromise sensitive data, and the status of their own technology stack.
The question then becomes: How do we find these patterns?
Finding Patterns in Your Industry’s Attack Surfaces to Strengthen Defenses
While there is no one-size-fits-all answer to this question, security pros should strategically focus on two areas: learning from previous cyberattacks in their industries and understanding the full breadth of their organizations’ attack surfaces.
Security teams must apply lessons learned from major breaches, like those suffered by UnitedHealth and AT&T, to their own organizations. More important, though, is having full awareness of their attack surfaces and where they are most vulnerable.
By the law of averages, it is likely that you’re weak where other companies in your industry are weak. Awareness is key, so you must know everywhere a threat actor may want to strike. This will help you triage where to dedicate resources and identify where your most mission-critical assets are. Then, you can formulate an accurate mitigation plan for when attackers do strike.
Here are three steps to help you take a risk-based approach to minimizing your attack surface:
- Showcase the value of cybersecurity investments in nontechnical terms to other business units.
- Shift to an outcome-driven cybersecurity planning process that identifies risk per business unit.
- Focus on metrics that truly measure the effectiveness of your cybersecurity program (KPIs versus KRIs versus KCIs, where KRIs are your primary method of reporting).
Be Knowledgeable, Be Prepared
The more we learn about the nuances of specific industries and about our own organization’s attack surface, the better we’ll be as a collective security industry.
Frederico Hakamine, technical evangelist at Axonius, describes himself as a jack of all trades and master of none. He has been designing, developing, customizing, and breaking systems for over 10 years.