In the Crosshairs: 8 Ways to Engage Cybercriminals to Win the Cyber War
Many companies do cybersecurity wrong. They play defense with little to no thought of offense, allowing their weaknesses and vulnerabilities to be the focal point of their cyber strategy. Instead, they should build a program to engage the cybercriminal, allowing their strengths and resiliencies to guide their cyber strategy and win the cyber war.
Why does this happen? What can organizations do about it? And how can changing your position help you build a successful cybersecurity program?
Let’s discuss!
In the Crosshairs, the Series
In this series, we focus on cybercriminals, for they are the largest and most well-known threat bad actor type. We lay out a straightforward framework for how you can ASSESS the likelihood that cybercriminals will attack your business, LESSEN that likelihood, and how to ENGAGE cybercriminals to win the cyber war. Here are the highlights and links to the other articles:
Guiding Principle #1: If you have a lot of money, you need to protect it.
Guiding Principle #2: If you have a lot of data, you need to value it properly to determine the appropriate level of protection it requires.
Guiding Principle #3: If you make it easy for cybercriminals to attack you, they will, and that’s bad for everyone.
Guiding Principle #4: Cyber threats and cybersecurity are constantly evolving cat-and-mouse games.
Tip #1: Don’t shout about your $100 million funding.
Tip #2: Collaborate in the cybersecurity space.
Tip #3: Audit, secure, and reduce your attack surface.
Tip #4: Add a cybersecurity expert to your board of directors.
In the Crosshairs, Part III - ENGAGE
This is the third and final article of our “In the Crosshairs” series. Now we’ll conclude by discussing how engaging the cybercriminal can help you develop and run a successful program. Keep in mind that this is different from conventional wisdom. In this cyber war of you vs. all the cybercriminals, the cybercriminals will always be on the offensive, which means you’ll always be defending… right?
While that may seem correct, it’s ultimately a counterproductive approach. The way to win the war is to be proactive and aggressive. You want to ENGAGE your adversary, not shy away from them.
Counterintuitive thinking is part of good cybersecurity
Before we dive into how you can do this, let’s dig deeper into why you should do this. I can understand why engaging your adversary might feel uncomfortable. If you get too aggressive, you risk inadvertently increasing your vulnerabilities, right?
Let’s back up briefly and state that defensive cybersecurity measures are good, not bad. In the digital world, you need to cover the basics with things like:
Zero Trust: The model where you deny access to everyone until they are properly verified.
Defense in Depth: The concept of always having multiple layers of cyber defense for your business.
Phishing Protection: This involves deploying software to stop dangerous emails and training programs to help employees recognize and prevent those emails.
But the basics are only a starting point. You can’t just say, “I talked to my IT guys, and they said we have defense in depth in place… or something like that. Wait, you want me to engage the cybercriminal? Nah, we’re good.” That sort of approach gets so many companies into trouble.
In my experience, cybersecurity has generally been approached from an excessively defensive posture. It’s like the moment we hear the word “cybersecurity,” we retreat to our bunkers and prepare to be bombarded with a barrage of attacks. We only think about how some faceless cybercriminal with nothing to lose is trying to pry open our systems 24/7. If we build a strong enough firewall and defend every endpoint (or computer at the end of a communication network), we’ll stop most attacks … so keep adding solutions because that’s all we can do.
I am here to challenge that old way of thinking.
Don’t wait for the cybercriminals to make the first move. Proactively deter them from attacking you in the first place. Remember, this is a game that never ends. Cybercriminals will never give up; they will always attack. But you can make aggressive moves that will give you the upper hand.
Think about this from a cybercriminal’s perspective, sizing up two companies. After a quick Google search, the cybercriminal learns that:
Company A generates $50M in revenue.
Company B generates $60M in revenue.
They click around a bit and discover that:
Company A analyzes data from 100M customers.
Company B analyzes data from 150M customers.
After a bit more digging, the cybercriminal learns that:
Company A was founded by a few MBA students in their 20s who met working for a real estate company.
Company B has a board member who’s a cryptography expert previously with the National Security Agency (the foremost experts in cryptography and cybersecurity countermeasures), has a partnership with the FBI’s Cyber Division, and has a stance of creating a safe and secure global business environment by actively working alongside industry partners.
Which business would you attack first? Which one is more likely to have weaker cybersecurity?
When we talk about engaging the cybercriminal, that’s one example of what we’re talking about — engaging the bad actor indirectly and counterintuitively and, in this case, via personnel hiring and outreach efforts. We aren’t talking about “hacking back” or going after the cybercriminals yourselves unless you want to join them in prison someday. We’re trying to arm you with ways to deter the cybercriminal before they act.
Make sense?
Let’s go into specifics.
The Engage Mindset: Build a Solid Cybersecurity Organizational Structure
Engaging cybercriminals starts with a strong cybersecurity foundation at the organizational level. If the right people are in the right places, you’ll have the base for showing cybercriminals that you’re a force to be reckoned with. Here are four things you should do to build a solid organizational structure.
1. Staff your board of directors and leadership teams with cyber experts from industry and government
When you have a cyber expert on your board of directors, they can provide strategic guidance to executives about complex cyber operations. They’ll help up-level your company’s collective security posture so that you can proactively navigate the threat landscape as it evolves. Whenever you encounter a cybersecurity issue, they’ll prove indispensable because they’ll grasp the problem immediately, which means they can explain it to fellow board members and start guiding the executive team as soon as possible.
It’s important to bring on the right people at the top. Organizations sometimes reflexively think that cyber is a full-on technical undertaking. But cyber threats are about more than computer vulnerabilities. They involve coordinated efforts from groups of shadowy bad actors. You need leaders with first-hand experience dealing with these groups to understand the threat landscape. More importantly, you want leaders with key industry relationships who are in the loop and can help you stay ahead of the threats. With that in mind, former US government officials in cyber have that experience and those invaluable relationships. They also have a unique understanding of investigating, deterring, and engaging cybercriminals.
You ensure a strong foundation by bringing cyber experts onto your board of directors and key leadership positions throughout your organization. At the highest levels of leadership, connections and relationships in the industry (and government) are some of the most valuable commodities.
2. Ensure your CISO reports to your CEO
Once you choose the right people, you must set them up for success. Do you have a Chief Information Security Officer (CISO)? Great — now empower them. Don’t let them become glorified figureheads: Give them the power they need to be effective. How do you do that? Here are two key ways:
Ensure your CISO reports to your CEO and shares insights with your board.
Give your CISO a meaningful budget, and let them run!
The CISO is an organization's most important cyber hire, as they are responsible for your cyber strategy and budget. As your cyber leader, they identify weaknesses and vulnerabilities, develop plans, and form the tactical security teams that implement and execute the plan. Suffice it to say, this is not a job that can be done within the confines of an IT department under a Chief Information Officer. A CISO needs to have a direct line to the C-suite and the board so that they cut down on miscommunication and have a real stake in decisions.
3. Build a cybersecurity team with experienced experts — even reformed cybercriminals
It’s impossible to overstate the value of having a cybersecurity team with experienced experts rather than a makeshift group of IT individual contributors and junior-level consultants. Ideally, your cybersecurity team will consist of battle-tested cyber leaders, your partners (internal and external, including experienced contractors), and carefully selected cyber expert individual contributors, with a mandate to work collaboratively and cross-functionally. As you build your team, you’ll likely find that the question of expertise keeps coming up. For instance, should you hire a cybersecurity engineer or a risk analyst if you only have a budget for one position? While that answer depends on your existing staff and your specific goals and objectives, there is one quality that needs to be in every hire: experience.
Cybersecurity expertise comes from experience due to how quickly cyberattacks change. Remember that cyber is a never-ending cat-and-mouse game. Last year’s cyber countermeasures were great because they worked… last year. But cybercriminals will catch on, and their strategy will evolve. To put your company in the best position to stand strong against this vicious cycle, you need a well-rounded team of experts with years of first-hand action in the field. You want experts who understand the tech, know the policies and regulations, and can think like your adversary — and yes, that level of expertise includes reformed cybercriminals.
There is simply no better way to access the insights of a cyberattacker than to work alongside one. You need to ensure they’re working on the right side of the law. This can be tricky, so email us for additional guidance!
4. Rebuild your legal department, this time with former prosecutors
If you ever feel like your legal department’s job is to stop you from doing things, you’re right — that’s exactly what legal should do. And while it’s generally good to have people who can stop you from getting in serious trouble, it’s not as productive to have a team of risk-averse lawyers shutting down novel ideas for protecting your company. When you start charting a more aggressive course, you can all but guarantee that legal will hit you for being irresponsible and increasing your risk profile by a percentage point on an internal KPI. I want to point out that failing to get ahead of the threat landscape will blow up the business entirely, not just an internal KPI.
Guess what? This isn’t a cybersecurity issue. This is a staffing issue. If you hire corporate attorneys trained in the art of minimizing immediate risk above all, then you’ll never enact any of your proactive cybersecurity strategies. And it wouldn’t be your attorneys’ fault. They lack the depth of experience. They see “the government” as one big blob… a big risk blob, not the nuanced and divided organization it is. The FBI, SEC, and IRS are all distinct and completely separate parts of the US government. They aren’t the same. Much like Google is nothing like Tesla, even though they are both tech companies, these government agencies are categorically distinct regardless of commonalities. Corporate attorneys won’t fully understand this, let alone be able to act on it in a proactive manner that keeps you ahead of the threat landscape. But you know who will? The attorneys who prosecuted criminals and worked within the US government.
So rebuild your legal team. Bring in some (you just need a few) former prosecutors and investigators who know the difference between a regulator and a law enforcement officer. They understand what is required by law (they used to enforce it) and how to protect your corporate interests. They also see cybercriminals as adversaries to stay ahead of rather than fall behind. With this new approach, you’ll find that you’ll become better prepared for the realities of this cybersecurity war. Instead of constantly taking the path of least resistance, allowing the bad actors to dictate the terms of engagement, you’ll start warding them off from the beginning.
Don’t build a cyber program just to be compliant. Build one to beat back the bad guys before they show up at your doorstep.
Engage and Keep Engaging: Focus on Strategy, Tactics, and Out-of-the-Box Thinking
Once your organization is properly structured, you want to engage in aggressive, preemptive cybersecurity actions! Here are four ways to engage in out-of-the-box thinking.
5. Develop a strong public-facing cybersecurity reputation
A strong internal team needs to be publicly known. How can you do this? Push your people out into the world. Have them join information-sharing groups and societies. Participate in industry roundtables. Go to cyber events in your local area and around the globe. Don’t forget the virtual events! When your government representatives speak about cyber threats, listen closely, talk to the rep, and share those details with your team. This practice will enable you to harness the knowledge of hundreds of experts. By empowering the team to join and actively participate in these groups, they will return with far more knowledge than they could ever acquire independently.
You also need to share your involvement but in a strategic manner. Don’t just send out a press release and a couple of social posts. Become an active member of the increasingly vibrant cybersecurity community. Work with marketing, legal, and your cybersecurity team to artfully build a reputation as a leader in cyber, even if you aren’t a cybersecurity company. Want to learn more about how to do it? Just email us!
Getting your security team in front of the public gives you an edge in the cyber war. Cyber professionals are used to operating in the shadows, just like their adversaries. This misguided approach makes sharing threat intel more challenging. When we don’t share indicators of compromise or information that helps identify and stop the bad actor, we perpetuate cybercriminals’ activities. Instead, collaborate to share intelligence that can protect the community. This will help energize your team with a greater purpose while keeping the criminals from approaching your (and others’) doorstep.
Think of it this way: If you were a burglar, would you target a multi-million dollar house that is owned by a known, active participant in the neighborhood watch with a police car sitting in front of it… or a multi-million dollar house owned by someone who’s not part of the neighborhood watch with no cop car?
6. Build strategic relationships with law enforcement
We discussed the value of bringing former government officials onto your board of directors. That’s a great start, but go further — give them the mandate to build strategic relationships with their former teams, including law enforcement. If you want to fight back, you need to partner with the people whose job is to fight back.
How?
Start with the position that this will never be about collecting business cards. Don’t shake a bunch of hands, exchange phone numbers… and wait until you’re under attack to make that second contact. Trust me, during my time with the FBI, several companies did just that. I remember conversing with a CISO for a major Fortune 500 company; he said, “Hey Michael, when I met with you a year ago, I just wanted your business card to put in our incident response plan. But now we need your help.” They had a data breach and were seeking guidance. It was awesome that they felt comfortable reaching out, but they should have invested the time to cultivate a more meaningful relationship with law enforcement. If they had, they might have avoided the breach altogether.
Instead of merely contacting law enforcement, engage in ongoing, noteworthy activities. You want to tap into law enforcement’s experience and expertise. They are actively engaging cybercriminals, they see things you never will, and they are empowered to share unclassified intelligence. Here are some examples of meaningful activities:
Participate in information-sharing sessions, where you and they come to the event with intelligence to share.
Host yearly (if not quarterly) joint exercises where you do tabletops or simulations.
Ask them to do threat landscape briefings to your C-Suite or board of directors.
Ask them to facilitate awareness training for your employees during large company gatherings.
If you are working with the FBI and you’re a CISO, ask to attend the FBI CISO Academy.
Every one of those activities is an engagement I helped facilitate and oversee during my time as an FBI Special Agent. They were all very impactful!
Back to the 5th point (Develop a strong public-facing cybersecurity reputation), feel free to coordinate with law enforcement to do strategic articles or press releases around these activities.
Bottom line: if I’m a cybercriminal and see that a company is closely aligned with law enforcement, I’m staying away. Remember, one of the main objectives of any criminal is to stay out of prison. If they see your close relationship and still attack… that would be like breaking into a house when you can see the chief of police sitting there having dinner. What’s the point when you have other options?
7. Explore the dark web and approach cybercriminals
We’ve also already discussed the value of bringing on a reformed cybercriminal when possible. But don’t just stop there; meet your adversaries on their home turf: the dark web.
The dark web is simply a marketplace: a small, hidden part of the Internet that cannot be accessed through standard browsers, where goods and services are bought and sold. It is primarily used to traffic illegal goods and services, such as drugs, child pornography, guns, and Personally Identifiable Information (PII).
Now, I don’t want my kids exploring the internet's underbelly, but guess what? It’s NOT ILLEGAL to be there! Again, it is a marketplace primarily used to traffic illegal goods and services, but not everything is illicit. So when you want to know how cybercriminals think, what they’re doing with the data they stole, and which schemes they’re cooking up next — the dark web is the first place you should go. What better way to learn about your adversary than to spend time in their world?
Whether you empower someone on your team, dedicate a small group, or outsource it, you should conduct research on the dark web. Your goal should be to find cybercriminals and discover what they can do, which services they offer, and which vulnerabilities they can exploit. Don’t shy away from engaging them in dialog — learn from them so you can get the intelligence to stay ahead of the threat. To properly defend your organization, you need to do it with your eyes wide open.
This is not as easy as it may sound, so if you want more guidance, please email and ask us!
8. Never pay a ransom, period
Ransomware is growing because it’s profitable. According to Veeam, 85% of organizations suffered at least one ransomware attack in the past year. First, pay attention to the “at least one” part — indeed, getting attacked multiple times is possible. Second, this represented a 12% increase from the previous year.
As for the ransom, the attacker always makes out well. Sophos's State of Ransomware 2023 report finds that 46% of victims pay the ransom to retrieve their data. While that number is consistent with last year, the average payment amount has nearly doubled, from $812,380 to $1,542,333, with a median payment of $400,000. That’s a lot of money to retrieve the data they stole from you.
Naturally, these figures cause people to wonder how they would get out of a ransomware attack. Some businesses have enough money to pay up. Others rely on cyber insurance, though premiums have surged 50%, reaching $7.2B in the US last year. And as the Sophos report shows, insurance doesn’t necessarily make a massive difference in recovering data, as 84% of victims without insurance are still able to do so (compared with 96-97% of those with insurance).
Ultimately, the most strategic way to avoid all these headaches is to invest in cybersecurity upfront to ensure you have the proper protocols, like an incident response plan, to guarantee data protection and business continuity. If you are the victim of an attack, you won’t have to pay the ransom because you will be prepared, rendering the attack useless.
Think about it: If every organization banded together and agreed never to pay the ransom, ransomware attacks, rather than plaguing the global business community, would disappear forever. Why? They would be seen as ineffective by the cybercriminals that use them. Ransomware is only in play because organizations continue to pay the ransom.
Conclusion: Engaging the cybercriminal is about protection
Engaging the cybercriminal is an essential part of a successful cybersecurity program. By understanding your adversary and their methods, you can develop stronger defenses and be more proactive in preventing attacks. While defensive measures are important, they are not enough on their own. A truly effective cybersecurity program must be both defensive and offensive. Cybersecurity professionals are often too insular and overly cautious, and they lack the corporate support to engage the threat. Let’s change that starting today! We must start defending our companies by strategically engaging the threat. Let’s strive to win the cyber war before they fire the first shot; otherwise, we might be engaging in a war we can’t win.