[BreachExchange] The Soaring Success of Cybercrime as a Company

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 23 22:23:14 EDT 2018


http://www.infosecisland.com/blogview/25047-The-Soaring-Success-of-Cybercrime-as-a-Company-.html

At the start of the 1992 movie Sneakers, Robert Redford is shown as a
youthful hacker, breaking into computer networks and stealing money to give
to liberal causes. He avoids being captured and sent to prison only because
he is out picking up a pizza. For years, this stereotype of the
messy-haired, pizza-eating, solo hacker who often has idealistic motives
prevailed in the media.

My, how cybercrime has grown up. In 2017, cybercrime cost the world $600
billion and business is booming. Some bad actors are working the low end,
such as launching ransomware, which cost Merck $300M last year, or using
synthetic identities to commit financial fraud.

Meanwhile, well-organized criminal gangs and nation-states are working the
high end, financing cybercrime networks and investing tens or hundreds of
millions and years in attacking top targets including federal agencies,
major companies, world leaders and other public figures. A recent
long-format piece by Bloomberg provided riveting insights into the North
Korean cybercrime operation, as described by an overworked, semi-starved
conscripted hacker working offsite in China.

So, what do we know about cybercrime that can help CISOs strategize a
strong offense?

Cybercrime, Inc. is big business: Cybercrime syndicates are increasingly
run like companies, with strategic direction from a “CEO,” such as a
national security agency, criminal head or attack leader. They provide
regular working hours and office space and even offer online and call
centers for technical support. They’re still anonymously successful in a
world of web fingerprints. Infraud, a Dark Web black market, was able to
operate undetected for nearly a decade, causing more than $530M in damages
to companies and individuals.

The rewards are plentiful: Cybercriminals can make their mark in a growing
industry and take home hefty payments. With annual cybercrime revenues
soaring to $6 trillion by 2021, there is no shortage of job opportunities
for self-motivated top talent. While fat salaries and bonuses are nice,
some cybercriminals have other job goals, such as embarrassing and
discrediting public figures, revealing corporate secrets, sabotaging
political strategies and gaining valuable IP to accelerate copy-cat
innovation in national industries.

The stakes are getting higher: With a myriad of well-financed operations
around the world, cybercriminals are competing against each other – and
time. It’s harder than ever to spoof websites, commit credit card fraud and
launch zero-day attacks. The race is on to use AI and machine learning to
increase the speed, scope and sophistication of attacks. A recent report
forecasts the use of AI for automatically detecting software bugs,
selecting individuals for financial crime schemes and sharpening social
engineering attacks.

Collaboration is the name of the game: Cybercriminals use the Dark Web to
share strategies, post files and pay each other using bitcoin. However,
anonymity is everything, and revealing networks or strategies, accidentally
or otherwise, is a fast path to ending collaboration or getting killed.

Job resources abound: Cybercriminals have rich treasure troves of personal
data they can consolidate, thanks to the Anthem, Equifax, Uber and Yahoo
hacks. Spear phishing and social engineering will likely be much easier in
the coming years, due to these companies’ information breaches. Bad actors
also can rent cybercrime toolkits, such as ransomware kits by the month for
$1,000 or Russian DDoS booters for $60 a day or $400 a week. Vendors
may also offer test drives and discounts, mirroring
enterprise software sales strategies.

Talent development is on the job: Hacking offers abundant freelance
opportunities, with no college degree required. While skills development is
self-driven, there is no glass ceiling and payments can scale with the
complexity of the target or size of the financial takedown. When hackers
work for nation-states, the pesky prospect of legal action and jail time
also disappears.

CISOs should take note that cybercriminals have co-opted the best of
corporate life, while also avoiding its limitations. While enterprise
cybersecurity teams must “play by the rules,” reviewing strategies and
programs with senior leaders, protecting consumer and public data, and
making sure initiatives pass muster with regulators and auditors,
cybercriminals have no such restrictions.

To mount a stronger defense, CISOs should learn from cybercriminals and
push for stronger partnerships with competitors, vendors and public
agencies. Companies also need to overcome the shame game and participate in
public forums and create online mechanisms for data sharing. While it is
understandable that companies want to protect their reputations and
programs, they can share information about successful attack strategies to
prevent others from being similarly hacked. This isn’t just common courtesy
and a civic duty; it’s also good business. Companies are increasingly
connected to each other in the digital “platform economy,” while many also
use the same vendors.

Similarly, companies must harden and integrate technology. Cybersecurity is
too important to be handled by piecemeal solutions, which force analysts to
aggregate insights and sometimes mean they miss attacks because they are
bombarded by a flurry of security alerts. Co-managed security information
and event management (SIEM) systems allow enterprises to see the forest for
the trees, providing proactive threat hunting, better threat blocking,
automated incident response and expert threat investigation and analysis
services to bolster their own services. Cybercriminals have great tools,
but enterprises have more: they can actively partner with co-managed SIEM
providers to deliver the cybersecurity strategy. Partners can provide
people, process and yes, market-leading platforms to help enterprises
evolve at the speed of new threats.

In a raging cyber war, it pays to think like cybercriminals and understand
how they are organizing and operating as corporations. While enterprises
won’t resort to cybercrime, we need to understand, outthink and outplay our
adversaries at a strategic, not just tactical, level.