Criminologists say there are three key factors in solving crimes: motive, means, and opportunity. Motive is the reason, means are the tools, and opportunity is the occasion for criminal behavior. With cybercrime, the method also matters. This third M, method, can provide investigators with important clues. For U.S. manufacturers, a frequent target of hackers, the way to avoid becoming a target of opportunity begins with understanding all three M’s – motives, means, and methods – of potential cyber attackers.
Cyberattacks on big companies capture the headlines, but small-to-medium manufacturers are also an attractive target. Some cybercriminals just want your money. Others, such as nation-state adversaries, target the IT systems of smaller companies in order to penetrate Tier 1 suppliers. There are also hacking groups that steal funds from international banks on behalf of a government. Non-state actors such as terrorist organizations steal money to finance operations or intelligence to inform attack plans.
Yet not all cyber attackers are exotic. There are disgruntled employees with a score to settle. There are so-called hacktivists (hacker activists) who dislike a company’s products and have a personal or political agenda. Budding attackers known as script kiddies show off their skills by defacing or taking down websites. There are also unethical advertisers who use adware to boost views of targeted ad campaigns. For them, it’s about views and click-throughs instead of cryptocurrency payments or classified information.
Unfortunately, off-the-shelf tools such as malware-as-a-service are making it easier instead of harder for cyberattacks to occur. On the dark web, there are databases for sale that contain stolen personal information. Even if your password isn’t current, criminals could use your login ID to launch targeted phishing attacks. Now artificial intelligence is being used to carry out automated hacking. Deepfakes, images or videos that are created with machine learning software, may seem real but can be used to deceive their recipients.
These are hardly the only tools that hackers have available. Cybercriminals who consult the Fingerprinting Organization Collective Archive (FOCA) can unearth on-line information about you and then launch social engineering campaigns that are designed to manipulate you into performing actions (such as transferring money) or divulging confidential information (such as bank account numbers). Nmap, a popular hacking tool, lets cyber criminals and other adversaries scan or discover open ports on your company’s network. With so many people working remotely, unsecure home networks are also vulnerable.
Hackers have a variety of motives and means, but their method of attack usually involves opportunity. If your manufacturing company is hit by malware or ransomware, it’s probably because someone in your organization clicked a link that stole passwords or encrypted computers. The effects may be immediate, but that’s not always the case. For example, some cyber attackers observe your online activity before planning their next course of attack. Others steal data slowly over a long period time.
Spear-phishing victims who are targeted by human adversaries may be the victims of especially patient hackers who research everything they can to find weaknesses. Depending on the information these hackers collect, their method of attack could involve login names, email addresses, application versions, or open ports on a corporate network. With the size and scope of this threat matrix, it’s more important than ever for U.S. manufacturers to strengthen their cybersecurity.
Help is Available
In New York State, NY MEP and its partners are helping manufacturers to meet the requirements of NIST SP 800-171, a set of generally agreed-upon best practices for cybersecurity. If your company is part of the supply chain for the U.S. Department of Defense (DoD), you could lose your current contracts and your ability to bid on future opportunities if you’re not NIST SP 800-171 compliant. It doesn’t matter how large or small you are either. NIST SP 800-171 can apply to you even if you don’t hold the DoD contract.