[BreachExchange] The business of hackers

[Audrey McNeil]

https://www.itproportal.com/features/the-business-of-hackers/

Sales and marketing. ROI. Quarterly performance statements. Reports to
investors. And, salaries, bonuses, expense accounts, and petty cash for
employee birthday parties. It's all part of the day-to-day running of a
business – any business, including those in the hacking industry. And a big
industry it is: Hacking “companies” can be worth many millions, and a good
hacker can earn as much as $80,000 a month – nearly a cool million in a
year! - if they've got the skills.

To pay out that kind of money, a hacker “company” needs financial backing –
it needs investors who will front the cash to pay experts, who in turn will
deliver the goods. You could imagine what a “Bad Guy Hackers Inc.” Board of
Directors meeting looks like: “Guys, we got a big contract to get the
medical records of the clients of X insurance company. The client wants it
done by Y date, and they'll pay us a bonus if we deliver early. The project
is going to cost Z dollars, do we have that, or do we have to go out and
raise it?”

And so on. When a hacker group decides to take on a job, they look at the
costs, the resources, the risks, and anything else a “regular” company
would. And like any other organization, hacker “companies” will seek to
maximize their profit and minimize their outlay – and they’ll do that by
taking the path of least resistance.

For professional hackers, that means, among other things, developing ways
to ensure that they can deliver their payload. In order for hackers to do
their jobs – whether it’s stealing information from company databases, or
inflicting malware on an unsuspecting target – they need to get their code
onto the target's computers or servers. What's the best way to do that?
Statistics show that phishing messages are the most efficient delivery
method for malware. 91 percent of successful malware attacks in recent
years arrived via e-mail that was opened by victims, enabling hackers to
implant trojans that would later install malware.

Meanwhile, over 30 percent of all phishing messages were opened by targets,
despite ongoing educational efforts by companies urging employees to avoid
opening “suspicious” messages – meaning that hackers can rely on phishing
messages (usually with a “touch” of social engineering provided by Bad Guy
Hackers Inc.'s resident psychologist). Those statistics are what makes
hacking such a lucrative career path; victims are so compliant in enabling
hackers to spread their malware, that it's almost as easy as taking candy
from a baby.

Now flip: We've gone over to the victims' side. Knowing what we do about
how Bad Guy Hackers Inc. operates, it stands to reason that the number one
way to protect ourselves from them is to cut off their access to our
inboxes. If phishing and social engineering are so effective in enabling
hackers to succeed, ensuring that they cannot reach targets is the best way
to stop them.

How, then, should we defend ourselves? There are three basic methods that
will prevent poison messages from hitting user inboxes; each has their
advantages and disadvantages:

1. Antivirus/Filters: For years, signature-based filters and anti-virus
programs have been the standard method of fighting malware. The system is
very effective against known malware – but not as effective against
zero-day attacks. In the first quarter of 2017, about  30 percent of all
malware consisted of zero-day attacks – meaning that while e-mail filters
may slow down hackers, it won't stop them. And what professional hacker
worth his or her salt would use “off the shelf” code anyway?

2. Sandboxes: More sophisticated than anti-virus programs, sandboxes have
the capability of examining messages before they get to users' inboxes, so
they could be an effective method of preventing malware from infiltrating
systems. If a message checks out, it is allowed to advance to a user's
inbox; if not, it's trashed.

Unlike anti-virus programs, sandboxes don't require a signature file to
work; if something seems anomalous, the sandbox will keep it out. But often
malware comes attached to legitimate messages – and the sandbox, unable to
differentiate between the elements of a message, will prevent the entire
message from going through. As a result, the flow of work is interrupted.
In addition, sandboxes are unable to examine VBA (Visual Basic for
Applications) macro malware, often part of Word documents. If a message
appears clean, and the attachment is a simple Word file, the sandbox will
wave it through – with targets still providing hackers with opportunities
to earn their pay.

3. Content Disarm and Reconstruction (CDR): A relatively new technology
used by several vendors in the industry, keeps malware away by dissecting
incoming messages, files, or links that try to make their way onto a
server. Located in a buffer area before the company network, CDR systems
examine all incoming files to their lowest data level – and check all files
for any known threats. Thus, any malware, zero-day or otherwise, gets
“arrested” before it finds its way to a user inbox – cutting off the
hacker's “easy pass” entry into the network. Security analyst firms,
including Gartner, have suggested that more and more organizations will
need to add CDR into their arsenal of tools to protect against the
ever-growing threat of cyberattacks as the effectiveness sandboxes once had
in stopping hackers in their tracks has long dissipated. Now, highly paid
hackers have to work a lot harder for their money – which means that they
will probably seek their fortune on some other organization's servers. The
next board meeting of Bad Guy Hackers Inc. is probably not going to be a
pleasant one.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171006/82764785/attachment.html>