At the start of the 1992 movie Sneakers, Robert Redford is shown as a youthful hacker, breaking into computer networks and stealing money to give to liberal causes. He avoids being captured and sent to prison only because he is out picking up a pizza. For years, this stereotype of the messy-haired, pizza-eating, solo hacker, who often has idealistic motives, prevailed in the media.
My, how cybercrime has grown up. In 2017, cybercrime cost the world $600 billion and business is booming. Some bad actors are working the low end, such as launching ransomware, which cost Merck $300M last year, or using synthetic identities to commit financial fraud.
Meanwhile, well-organized criminal gangs and nation-states are working the high end, financing cybercrime networks and investing tens or hundreds of millions and years in attacking top targets including federal agencies, major companies, world leaders and other public figures. A recent long-format piece by Bloomberg provided riveting insights into the North Korean cybercrime operation, as described by an overworked, semi-starved conscripted hacker working offsite in China.
So, what do we know about cybercrime that can help CISOs strategize a strong offense?
Cybercrime, Inc. is big business: Cybercrime syndicates are increasingly run like companies, with strategic direction from a “CEO,” such as a national security agency, criminal head or attack leader. They provide regular working hours and office space and even offer online and call centers for technical support. They’re still anonymously successful in a world of web fingerprints. Infraud, a Dark Web black market, was able to operate undetected for nearly a decade, causing more than $530M in damages to companies and individuals.
The rewards are plentiful: Cybercriminals can make their mark in a growing industry and take home hefty payments. With annual cybercrime revenues soaring to $6 trillion by 2021, there is no shortage of job opportunities for self-motivated top talent. While fat salaries and bonuses are nice, some cybercriminals have other job goals, such as embarrassing and discrediting public figures, revealing corporate secrets, sabotaging political strategies and gaining valuable IP to accelerate copy-cat innovation in national industries.
The stakes are getting higher: With a myriad of well-financed operations around the world, cybercriminals are competing against each other – and time. It’s harder than ever to spoof websites, commit credit card fraud and launch zero-day attacks. The race is on to use AI and machine learning to increase the speed, scope and sophistication of attacks. A recent report forecasts the use of AI for automatically detecting software bugs, selecting individuals for financial crime schemes and sharpening social engineering attacks.
Collaboration is the name of the game: Cybercriminals use the Dark Web to share strategies, post files and pay each other using bitcoin. However, anonymity is everything, and revealing networks or strategies, accidentally or otherwise, is a fast path to ending collaboration or getting killed.
Job resources abound: Cybercriminals have rich treasure troves of personal data they can consolidate, thanks to the Anthem, Equifax, Uber and Yahoo hacks. Spear phishing and social engineering will likely be much easier in the coming years, due to these companies’ information breaches. Bad actors also can rent cybercrime toolkits, such as ransomware kits by the month for $1,000 or Russian DDoS booters for $60 a day or $400 a week. Vendors may also offer test drives and discounts, mirroring enterprise software sales strategies.
Talent development is on the job: Hacking offers abundant freelance opportunities, with no college degree required. While skills development is self-driven, there is no glass ceiling and payments can scale with the complexity of the target or size of the financial takedown. When hackers work for nation-states, the pesky prospect of legal action and jail time also disappears.
CISOs should take note that cybercriminals have co-opted the best of corporate life, while also avoiding its limitations. While enterprise cybersecurity teams must “play by the rules,” reviewing strategies and programs with senior leaders, protecting consumer and public data, and making sure initiatives pass muster with regulators and auditors, cybercriminals have no such restrictions.
To mount a stronger defense, CISOs should learn from cybercriminals and push for stronger partnerships with competitors, vendors and public agencies. Companies also need to overcome the shame game, participate in public forums and create online mechanisms for data sharing. While it is understandable that companies want to protect their reputations and programs, they can share information about successful attack strategies to prevent others from being similarly hacked. This isn’t just common courtesy and a civic duty; it’s also good business. Companies are increasingly connected to each other in the digital “platform economy,” while many also use the same vendors.
Similarly, companies must harden and integrate technology. Cybersecurity is too important to be handled by piecemeal solutions, which force analysts to aggregate insights and sometimes mean they miss attacks because they are bombarded by a flurry of security alerts. Co-managed security information and event management (SIEM) systems allow enterprises to see the forest for the trees, providing proactive threat hunting, better threat blocking, automated incident response and expert threat investigation and analysis services to bolster their own services. Cybercriminals have great tools, but enterprises have more: they can actively partner with co-managed SIEM providers to deliver the cybersecurity strategy. Partners can provide people, process and yes, market-leading platforms to help enterprises evolve at the speed of new threats.
In a raging cyber war, it pays to think like cybercriminals and understand how they are organizing and operating as corporations. While enterprises won’t resort to cybercrime, we need to understand, outthink and outplay our adversaries at a strategic, not just tactical, level.
About the author: A. N. Ananth is a co-founder and CEO of EventTracker and was one of the architects of the EventTracker SIEM solution. With an extensive background in product development and operations for telecom network management, he has consulted for many companies on their compliance strategy, audit policy and automated reporting processes.