BLACK HAT USA – Las Vegas – Wednesday, Aug. 9 – When threat actors breach an organization and steal data, perhaps the worst thing imaginable to victims is the extortion attempts they face from the criminals behind the breach. These days, there is an added threat that hackers like to hang over their victims’ heads: going to the press.
In a Black Hat panel titled “How Hackers Changed the Media (and the Media Changed the Hackers),” Lorenzo Franceschi-Bicchierai, senior writer and editor of cybersecurity at TechCrunch; Robert McMillan, reporter at The Wall Street Journal; and Sadia Mirza, partner at Troutman Pepper, joined Sherri Davidoff, CEO of LMG Security, to discuss the new ways hackers are trying to gain the attention of journalists and shape the narrative of the media when a breach occurs.
Building a Brand
Security incidents typically begin with a criminal group of hackers stealing data from an organization and demanding payment. Whether it be $500,000 or millions of dollars, if a criminal entity is virtually unknown, it’s likely they know few will take them seriously.
The group’s desire to build a name and reputation for themselves prompts what McMillan describes as the professionalization of these criminal groups, where they attempt to gain credibility — and get victims to fear or respect them. These groups are eager for media attention and will use the threat of going to the press against victims to urge them pay up. They often reach out to journalists themselves or to pages on media websites after a breach occurs.
But just because a hacker reaches out to the media about a breach doesn’t mean a journalist is immediately inclined to write about it.
“Sometimes they reach out and they are not telling the whole truth, or sometimes they’re making it up,” said Franceschi-Bicchierai, who noted that while his publication aims to write several stories each week, if an incident is not 100% verifiable, it is fine to skip it or wait until more is known. He emphasized how important it is for journalists to verify claims that are being made — one source, especially one as dubious as a criminal hacker, does not make a story worth pursuing.
Only One Part of the Story
It’s not just journalists who take what a hacker says with a grain of salt. Troutman Pepper’s Mirza noted that a threat to go to the media is just one more factor to consider when advising clients who have been breached. The fact that these hackers want to maintain their brand is another factor to consider.
“An organization would be more inclined to pay a threat actor group that has a reputation to uphold its commitment,” Mirza said. Ultimately, however, the goals of the media and incident and investigation teams are very different.
“We’re not trying to break a story,” she said. “We are trying to get our arms around the full scope of what’s happened so that we can provide organized information about the response.”
Finding a Middle Ground
There are stark differences when media and investigators approach a breach from disparate standpoints. On one end, investigation teams on behalf of their compromised client are tight-lipped, taking time to figure out exactly what has happened. On the other end, journalists feel governed by their commitment to tell the truth and inform the public about what is happening as accurately as possible. All the while, hackers are trying to gain something from each side: getting media attention and extorting victims.
How can both be appeased, while also not falling into the trap that hackers have laid out?
It first starts with understanding what an incident response process looks like, said Mirza.
“A forensic investigation could take weeks,” she said. Victims are not comfortable sharing information as soon as the press may want them to because they don’t have all the information they need or want. Sometimes there are hiccups along the road in response and in figuring out what next steps to take; whether it be negotiating a number for the payment, deciding to pay, figuring out how many people have been impacted, or what information has been stolen.
McMillan said this is why clarity and communication from victims is essential.
“You could communicate that,” he said. “We can understand complicated things. You don’t just have to have a [ransom] number, but you want to engage and explain where you are and why things may be a certain way.”