Means, Motive, and Opportunity

Updated: Jan 28, 2019

These three things are what it usually takes to convict someone of a crime, but it's also what is necessary to perpetrate a crime; including the cyber variety. Businesses, CSO/CISOs, and IT or cybersecurity professionals can work on these aspects to reduce their cyber-crime attack surfaces and overall risks.


Means: This aspect is probably the most difficult since you can't control the means and capabilities of the attackers. However, you can control your tools, software, and operations limiting or removing an attacker's options. The following are solid practices for reducing your attack surfaces and risks:

  • Keep your software and infrastructure current; older versions won't have the support and agility you need

  • Rely on industry standard or proven technologies for your cybersecurity capabilities (especially cryptography); there is little security in obscurity

  • Implement via a "lean" technology stack and have an inventory of all software including from 3rd-party open source or commercial vendors

  • Employ IP and domain white/black listing to cover explicitly who should have access and who should not; include the use of "wildcards" (e.g. if an IP isn't from my locale, then its blacklisted)

  • Have the right platforms and tools in place for active endpoint protection, intrusion prevention and detection (IPS/IDS), anti-virus and anti-malware (AV/AM), monitoring and alerting, etc.

Motive: Most law enforcement professionals prioritize on motive in forensics. The adage to "follow the money" or looking at "insiders" first also applies very well to cyber-crime. There are still some attackers with notoriety or vandalism as a motive, but profit is #1. Your data, or ransoms you might pay to recover your data, and transactions are profit centers for attackers. You should work toward making it prohibitively difficult to fully execute and monetize an attack. Without a very good reason (motive) and facing the prospect of a low return-on-investment (ROI), hackers will typically move on to an easier target even after they have found a vulnerability. These practices will help make you a less attractive target:

  • Employ strong cryptography (at rest and in transit); if they can't use it easily, they will be less likely to take it since their profit mechanisms of sale or extortion are limited

  • Create and maintain data mapping, tagging, and segmentation; you should have a deep understanding of your data structures and usage, the relative sensitivity, and storage mechanisms, but keep that information in a different tier or compartment to increase complexity for attackers or thieves

  • Have multiple backups of data and configurations with proven business continuity and disaster recovery plans (BC/DR) and advertise these capabilities; this is a business best practice, but can greatly reduce your attack recovery times and make attacks less profitable for hackers

Opportunity: This is related to means and is probably where you have the most control via your perimeter, operations, and identity management (authentication and authorization) which are the usual attack surfaces. The following provide you a solid baseline that reduces an attacker's means and opportunity:

  • Disable endpoints when not in use or simply don't have them unless it's needed, justified, and tracked (e.g. remote access or RDP)

  • Practice good hygiene on your users and services via periodic audits and scrubbing

  • Employ Phishing education and prevention

  • Require multi-factor authentication (MFA) or hardware keys for users starting with admins

  • Time-bound all accesses whether it be for use or administration, but especially the latter - reference general "just-in-time" (JIT) concepts or features like Azure PIM (e.g. administrators have set time limits for access and only for a specific purpose, or users only have read access outside of business hours)

  • Have good visibility over and into your solutions via tools, monitoring, reporting, and alerting; this is critical for reducing your attack surface and attacker opportunities

Public clouds such as Microsoft Azure and Amazon AWS strive to reduce attack surface and opportunities, so hybrid or migrated solutions get to leverage the implicit security and privacy capabilities. There is still a bit of work left to the constituent (you) in a public cloud, but the capabilities and advantages of these platforms is very good and improving at a fast pace.


See our series on ransomware for more examples and details on the above, then get in touch with Cylidify to see how we can help you with your cybersecurity needs!


#cybersecurity #cybercrime #CISO #CSO

37 views

Raleigh, NC, USA

  • LinkedIn - Grey Circle
  • Twitter - Grey Circle
  • Facebook

©2020 by Cylidify, LLC