Cyberespionage skills go beyond technical ability

Attackers may write good malware but their skills are worthless if they are not able to deceive employees into unknowingly deploying these programs onto corporate networks.
Written by Ellyne Phneah, Contributor

Cyberespionage perpetrators will need not only technical skills but also a good psychological understanding of how to manipulate their intended targets within an organization as people are always the weakest security link.

Joseph Steinberg, CEO of security firm Green Armor, said technical knowledge of writing malware is just one of the many skills needed by hackers to conduct cyberespionage. This is because an attacker may write the best malware but it is worthless if he cannot deploy the program onto the targeted network, he said.

So an understanding of human psychology is necessary as an attacker must know how to "deceive people". This deception involves simulating disgruntled employees to talk about vulnerabilities in the corporate network, for instance, or conducting social engineering that is targeted at specific user behavior, Steinberg explained.

David Harley, senior research fellow at ESET, agreed. He said for cyberespionage to be successful, the attacker must have a talent for psychological manipulation and know how to cause employees to make mistakes that give the attacker a way to access sensitive corporate data.

These attackers also need to have patience because such operations may extend over a long period of time, as well as a number of vectors, before an attack is truly successful, added John Kindervag, security and risk principal analyst at Forrester Research.

Cyberespionage is more strategic with greater stakes involved as the targets are usually nation states, governments, and industry competitors, Steinberg said. The combination of tools and intrusion methods is likely to be more sophisticated than those used for the usual online data theft, he added.

"It is a long process where the goal is not to successfully breach the system and steal data once, but to [siphon] a continuous flow of secret information from the victim over a long period of time," he said.

Enlisting help of psychologists
Steinberg pointed out that along with traditional security tools, companies would do well to enlist the help of psychologists to help craft their procedures and policies to safeguard their systems. These are not psychologists who help people deal with their personal issues but technology and security experts who understand the roles, weaknesses and limitations posed by people in relation to cybersecurity, he elaborated.

"Since people are increasingly the weakest link in the security chain, such psychologists will be able to make a difference," he stressed.

Beyond these measures, he also called on companies to keep educating their employees and train them on security issues. They should be taught to be "skeptical and have common sense" regarding IT usage, particularly online, because most attack methods such as social engineering may not be easy to spot.

"Employees should always be on their guard," Steinberg said.
