Sometimes a new lens can show an age-old problem in a clearer light. At least that’s the thinking behind a new white paper from HP Enterprise (HPE) The Business of Hacking, which puts a new spin on how C-level stakeholders can view the cybercrime community.
There is no question that cybercrime has become an enterprise entity unto itself. As the community becomes more sophisticated, it operates in a mode that is surprisingly parallel to that of a large scale business. It has platform and software-as-a service offerings, 24/7 multi-language customers support, money back guarantees, and even marketing and HR teams bent on hiring the brightest and the best practitioners.
“We’ve been getting a good grip on understanding how they work over the last 18 to 24 months,” said Shogo Cottrell, security strategist, HPE Security, Hewlett Packard Enterprise. “That in turn has increased visibility into the problem at the C-level suite – beyond the security professional perspective.”
This newest report, he said, is an attempt to outline the situation in a way that resonates with executives outside the security realm. Instead of talking firewalls, network layer and perimeter strategies, it speaks to issues that resonate well with the non-IT crowd: profitability and ease of doing business.
As competitive businesses, organizations need to consider security in the language that CEOs and CFOs understand, Cottrell said. “If they can understand the risks and manage that risk appropriately, they can be positioned to put cybercriminal organizations into a more difficult position.”
That “more difficult position” can mean multiple things, from simply making it more costly (and thus less profitable) for cybercriminals to deploy their services, to undermining the reputation they have built within a community where anonymity is a highly-prized commodity.
HPE’s paper spells out a range of disruptive techniques and technologies or processes that organizations can use to cause disruption on multiple fronts in the cybercriminal world. These include:
- Reduce their profits (with end-to-end data encryption)
- Increase their risk (work with law enforcement)
- Reduce their target pool (encrypt data on mobile devices; use password protection and other application security tools)
- Increase time to value (deploy antimalware solutions that increase the time an attacker needs to explore the network and find data)
- Reduce the criminal’s talent pool (by uncovering the attackers’ identities )
- Increase the criminal’s cost of doing business (use deception grids that realistically duplicate a company’s network in order to learn the adversaries’ techniques)
HPE’s business logic is relatively simple, and one that is commonplace in boardroom discussions today: Increasing risk for cybercriminals – either to their bottom line or to their reputations – through disruption will drive attackers’ efforts elsewhere. “Time is a cost to them as it is to any organization,” Cottrell said.
For example, while IT can wax poetic on data encryption techniques, security is more likely guaranteed by adding a proactive, holistic strategy to defensive techniques. One key recommendation is for organizations to take a data-centric approach to security that involves protection of the most sensitive data via end-to-end encryption. HPE’s argument is that by encrypting data at rest, in motion and in use, the information is unavailable to attackers, whose profits are reduced when they are unable to sell the data. “Like any savvy competitor, cybercriminals will take their activities elsewhere, if the cost doing business is too high,” Cottrell explained.
Beyond technology, the human resources and marketing activities of cybercriminals are equally vulnerable to disruption. There’s an army of people behind the technical expertise and prowess of cybercriminal organizations, Cottrell said. “For the most part, cybercriminals build their business on trust and reputation. But it’s a world that thrives on anonymity. So it takes a long time for anyone to establish that trust. At the same time, it doesn’t take long to erode it.”
In examining the value chain in the hacking business, the HPE whitepaper cites primary and support activities involved in the business – each of which will sound all-too familiar. These include:
- Human resource management – most jobs are carried out on a contract basis with some attackers performing multiple jobs. Some add higher value than others and are therefore paid more.
- Education and skills – not all roles require technology skills. There is also demand for people with verbal language skills, social engineering and business acumen. There are in fact online forums, chat rooms, YouTube videos and mentoring to help new recruits learn the ropes.
- Recruiting and vetting – there are guarantors that provide vetting services for participants in order to protect the industry from cheats and swindlers. Some may even recruit for custom services or tools (e.g. malware, zero-day vulnerabilities, etc.)
Another parallel with legitimate business is that cybercrime has its own maturity curve, as do other commoditized industries that have plateaued and are experiencing declining value (e.g. credit card fraud), and have to be able to rapidly shift to new products and services bent on exploiting newer vulnerabilities (e.g. mobile attacks).
The operations side of cybercrime presents an equally interesting picture. Like any enterprise operation, the cybercriminal community is equally vigilant and concerned about location. In the case of cybercriminals, however, it’s not about being close to their markets; rather, they tend to locate in less strictly regulated jurisdictions.
Operational functions provided are support, including warranties and upgrades; disaster recovery and resiliency in the event of a takedown by police or other attackers; cash flow and cyber laundering systems; escrow services for intermediating transactions; technical development; marketing and sales; outbound logistics/distribution channels for delivering products to buyers, including sales boards and online forums.
Understanding the business of cybercrime will not necessarily change the fact that cybercriminal activity continues to rise. Symantec’s 2016 ISTR (Internet Security Threat Report) has calculated that there were 430 million new unique pieces of malware in 2015 – a rise of 36 percent over the previous year – and that the number of zero-day vulnerabilities more than doubled to 54 (a 125 per cent increase). Ransomware attacks increased from 737 in 2014 to 1000 per day; and exposed identities jumped 23 percent to 429 million. Adding fuel to the fire is the rise of mobile hacking.
In Canada, 46.7 percent of targeted spear-phishing attacks on Canadian businesses were aimed at the finance, insurance and real estate businesses, followed by services, wholesale trade, manufacturing and mining. And more these (54.6 percent) have occurred in Canadian businesses with less than 250 employees, as compared to 43 percent on a global basis.
However, once you know how the cyber-economy works, you know what tactics you can apply to disrupt it, Cottrell said. “Some executives may not fully understand the technical aspects of an attack, but they certainly know how to compete – and how to create a profit. It’s a different mindset on how you think about security and protection.
