Sure, the industrialization of attack exploits has made it really easy for virtually anyone to enter into the cybercrime world, but buying any as-a-service attack doesn’t necessarily guarantee success.
Those who excel in the cybercrime world may not be engineers or technicians, but they do know how to run a business, and that’s the new skill that allows these attackers to make a lot of money.
Matthew Gardiner, Mimecast’s cybersecurity strategist, said that the sophisticated hacker of today isn’t so much a hacker by trade but more entrepreneurial.
“They are leaders on the bad side of the economy, but they have the same skills that happen in the good side. They can assemble the people and processes needed to run a business,” Gardiner said.
Cybercrime is now the equivalent of industrial corporations led by startup entrepreneurs who assemble the technology, infrastructure, hosting services, payoffs, and everything else needed for the business to run smoothly and efficiently.
“These are money-oriented cybercriminals, not hacktivists or nation states. The vast majority of attacks are money-oriented. They are technically savvy, mostly men, often from central Europe (though they are all over), and they have some background in technology,” Gardiner said.
These cybercriminal entrepreneurs design a network of technologists, from hosting providers to operations, assembling loosely related people with similar interests into a financially oriented organization.
“A botnet runner becomes acquainted with someone who wants to run a ransomware campaign. He might say let’s get together and we’ll split the money. They work together to determine the payment processing, support, negotiating the ransom, promotion, and the distribution of the attack,” Gardiner said.
Because ransomware has so many varieties, the exploits need to change pretty regularly, which requires the cybercriminals to get more sophisticated. These entrepreneurs are involved in everything from “product development to knowing where it is, how many machines have been hit, the types of machines hit, the kind of data collected, and who the victim was,” Gardiner said.
In terms of ransomware, all of those details are important to figure out in order to determine whether they have a good victim as well as how much to charge them for the ransom.
Because defenders are identifying signatures more quickly, “exploits need to get more sophisticated in order for the criminals to get more ROI, but defenders are acting right behind them,” Gardiner said.
Starting a technology company 30 years ago was a lot harder than it is now, which is why today’s cybercriminals are more the entrepreneur of the operation than they are highly skilled hackers.
“There’s so many more resources they can draw on in the dark open market to get up and running, and the rise of cybercurrency means they can be paid and safely paid,” Gardiner said.
The good news for security teams is that the average company doesn’t need to know too much about the attackers in order to have strong defenses. “They are exploiting known vulnerabilities, and they are only going to be as creative as they need to be,” Gardiner said.
What will also help to strengthen defense is the ability to have early detection and response. “The attackers share information with each other for money, but defenders are not as good at sharing across industries, vendors, and geography,” said Gardiner.
If victims knew of an exploit milliseconds after an attack, that could result in the attackers needing to move faster, which would lessen their profit. Because these are profit-motivated criminals, the best way to defeat them is to significantly minimize their potential to make money.