P&C the July/August 2022 issue

Katie, Bar the Door

Understanding the motivations and methods of hackers.
By Gordon Feller Posted on July 19, 2022

Building a hack-prevention strategy requires knowing all the holes and determining how to plug them—through employee awareness, credential verifications, continuous monitoring, etc.

Read our feature, Getting the Cyber House in Order

Listen to the podcast, A “TurboTax” for Cyber Hygiene


There are two primary motives for cyber crime: money and operational damage to the target. An organization’s status as prey is fluid.

For example, a company might not be a damage target during times of peace, but it may be a mark for financial crime. That threat condition may, however, change if a political conflict arises or economic warfare has begun. This is especially true for utilities, telecom and energy companies, shippers and other entities vital to the economy or security of a nation.

And though the days of violent business warfare of the late 1800s and early 1900s may be behind us, industrial sabotage and espionage still exist. That means not only nation-states could be sponsoring hackers but also competitors, maybe to cause damage or maybe to steal secrets.

Today, more than 99% of attacks are financially motivated, according to Verizon’s “Data Breach Investigations Report 2021.” Ransomware is just one of the most accessible means to that end. “Ransomware is only a symptom of a larger problem,” says Jeff Palatt, vice president of technical advisory services at Moxfive.

When a ransomware demand is made, the attackers often have limited resources to invest in more resource-intensive monetization strategies. This is the strategy chosen to yield a higher return per day of effort. “As with any other resources, ransomware technology is a commodity available on the black market,” says Jonatan Altszul, CEO of BitTrap. “Suppose our industry as a whole improves—for instance, just doing backups systematically—and we lower the ransom payout rate from, say, 25% to something under 5%. In that case, we will see a switch to other monetization strategies.”

Ariel Futoransky, BitTrap’s chief technology officer, says the company has seen “a significant increase” in ransomware events. “But only the tip of the iceberg is shown here,” he says. “A ransom is fast and noisy. Work from home may expand the susceptibility to operation disruptions on the employee’s computer notebook, but it also improves the chances of hackers accessing more valuable resources through trust relationships or credential-stealing on the corporate virtual network. We’ll see the records of this impact on the 2021 data breach reports.”


Depending on who may attack and why, an organization can identify a probable method of entry and determine protective actions. An organization might flag one type of communication, interaction, location of initial contact, or signature behavior (hackers do have identifiable modus operandi).

Knowing the attacker and its goals helps spotlight several vulnerabilities: the target it chooses; the resources it tries to obtain; and how it will try to modify the victim’s infrastructure.

That kind of insight allows an organization (or its cyber-security company) to beef up defenses in the areas appropriate for the specific anticipated or identified attack. Will the hacker overwhelm your system? Will it phish or scam employees? Will it seek financial transfers or access to company systems? Will it work quietly in one sector or metastasize throughout the corporate network and into external affiliates?

Each anticipated or identified method merits its own response.

Beware the Counter Trey

If this plan sounds simple, don’t be fooled. Hackers today are sophisticated, especially those backed by nation-states or participating in organized crime. Organizations must be aware of decoys, distractions and multi-tactic maneuvers.

Most recently, single-strategy actors have been replaced by (or have morphed into) more versatile operators that execute mixed strategies. Multiple actors may be involved. “Even in the case of malware configured to exploit and launch ransom tools, there is a clear separation between the exploit, the ‘dropper’ who makes the demand, and the ransom payload,” says Altszul.

Add to that bots. A recent study by Cambridge University found the number of human trespassers is orders of magnitude lower than previously assumed. Most of the trespassers are, in fact, automated scripts programmed to evaluate a system’s usefulness by looking for a predefined set of characteristics (such as an exploitable “shell prompt,” part of computer command coding). Human decision-makers are generally present during the second stage of an attack, the monetization strategy.

The biggest problem for organizations is identifying the action and the actor. Research indicates that most data breaches go unnoticed for at least 10 months. Identifying who, how and why can close that gap.

More in P&C

Property & Casualty Hard Market Turns 6
P&C Property & Casualty Hard Market Turns 6
It may not happen immediately, but signs point to softening of P&C rates.
P&C Small Business Cyber Risk Represents a Big Opportunity for Agents
Q&A with Joshua Parrish, Executive Vice President at RT Specialty
Sponsored By RT Specialty
Broker Playbook for Flood Risk
P&C Broker Playbook for Flood Risk
Your clients must take steps to mitigate, prepare for and quickly respond to flo...
Lifestyles of the Rich and Risky
P&C Lifestyles of the Rich and Risky
Affluent insurance customers may not be protecting themselves against increasing...
Farm Bill Idles
P&C Farm Bill Idles
Congress will need to overcome election-year paralysis to fi...
Premium Increases Slowed But Challenging Conditions Remain
P&C Premium Increases Slowed But Challenging Conditions Remain
The Council’s Commercial P/C Market Index for Q4 is here.