Cybercrime: Much more organized

It is a given that if there is money to be made from illegal activity, organized crime will be a player. So it is no surprise that multiple versions of the mob are active in cybercrime.

But how much of a player the digital mobs are, and whether that has led to a qualitative difference in cybercrime that requires a change in defense strategy is less clear.

To some extent, some difficulty in estimating the penetration of organized crime is inevitable -- criminals don't want to be caught, so they try to avoid scrutiny by law enforcement in particular and the public in general.

But most experts agree that it is a bigger player than it used to be -- that the trend in cybercrime is that it is increasingly more organized, in many cases operating much like legitimate businesses, complete with organizational charts, C-level executives and even human resources departments.

A recent paper sponsored by the RAND Corporation's National Security Research Division, titled "Markets for Cybercrime Tools and Stolen Data," said the increasing size and complexity of cybercrime black markets is because the hacker market, "once a varied landscape of discrete, ad hoc networks of individuals initially motivated by little more than ego and notoriety, has emerged as a playground of financially driven, highly organized, and sophisticated groups."

Author and global security strategist Marc Goodman, in a recent interview, said the old image of a hacker was, "17-year-old kids living in their parents' basements. Today, the average age of a cyber criminal is 35, and 80% of black-hat (e.g., criminal) hackers are affiliated with organized crime.

"In other words, people are choosing this as a profession," he said. "That's a radical shift, and it's led to the creation of increasingly sophisticated criminal organizations that operate with the professionalism, discipline, and structure of legitimate enterprises."

That 80% figure is a matter of some dispute. Goodman was citing the RAND paper, which included a caveat by noting that another estimate is that only 20% of the cybercrime market is operated by criminal organizations, while 70% is "individuals or small groups."

But according to Marty Lindner, principal engineer in the CERT division of the Carnegie Mellon University Software Engineering Institute, it doesn't make all that much difference to the defenders of networks if their attackers are organized criminals or ad hoc freelancers.

"The (good) guys in the trenches don't really care," he said. "Organized or not, they're all using the same tools. That's one of the more interesting parts of the malicious side of all this -- the organized guys buy the same stuff the disorganized guys do."

Jim Anderson, president of Americas for BAE Systems Applied Intelligence, agrees that the same tools are available to all.

"There are websites where a new thief can essentially buy a 'starter kit' that includes malicious code that rookies can use in their first attempts at criminal behavior," he said.

But he also believes that today there is, "no disorganized digital crime. Because of the way criminals have organized, the threat landscape is ever evolving and more importantly, ever growing," he said.

He added that part of that evolution is information sharing. "The rate at which information is shared among the criminal element means that an attack at, for example, one bank, could be replicated by multiple bad actors at financial institutions globally within moments," he said.

Of course, cybercrime has various layers -- not all of it is private enterprise. Nation states are generally more interested in political and economic espionage than simply making money -- stealing state secrets, intellectual property and the personal information of government employees -- the kind of thing seen in the recent hack of the U.S. Office of Personnel Management, which reportedly compromised the information of up to 14 million current and former federal employees. Chinese hackers are the prime suspects.

But for organized crime gangs focused on money, there is little mystery about why they are drawn to cyber -- that's where the money is.

"They recognize it's much easier and less dangerous than traditional criminal pursuits, such as drug trafficking and prostitution," said Phil Neray, vice president of Enterprise Security Strategy at Veracode.

And that points to ways that today's digital mobsters are different from those portrayed in the "Godfather" movies.

Lindner said there is still the potential for violence. "Organized criminals kill off their enemies because they want to make more money," he said. "If someone gets in their way, bad things will happen."

But, those bad things tend to be like the massive DDoS attack nearly a decade ago on Blue Security, a software maker that was going to "out" a number of spammers.

A "hit" in that case meant nobody died in a hail of bullets. "It's a different level of taking them out," Lindner said.

He added that another difference is that the traditional mob generally needed to co-opt law enforcement to operate freely. "That was local. This is not local," he said. "In the internet world, there is no fear of law enforcement."

Still, Anderson warns that just because criminal gangs aren't killing their competitors or demanding "rent" from local businesses doesn't mean their activities won't result in violence.

"There are real concerns about where money is going and what it is funding," he said. "Various anti-money-laundering statutes for financial institutions are in place to limit the income of terrorist groups."

How to confront and defend against the organization and sophistication of organized cybercrime is a matter of continuing discussion.

President Obama, in February, issued an executive order on information sharing between the private and public sectors, calling it, "an essential element of cybersecurity."

Many experts, like Anderson, agree. "Those in law enforcement, security vendors and businesses need to share information about the attacker's tools, tactics and procedures as quickly as possible and collaborate like our adversaries are doing," he said.

Lindner also agreed that, "if you share information about bad stuff, you can defend it better."

But he said the problem is more complex. "Let's pretend I know that this IP address is bad," he said. "Now I'm being asked to share it. But if I don't know who I'm really giving it to and how well they can protect it, I don't know if it will get exposed.

"I also don't know if you have the tools to take advantage of what I just gave you. So those are big questions," he said.

Lindner said other problems need to be addressed first. "Before we worry about sharing, we need to work on best practices and better architecture, to make it difficult for attackers," he said.

"And we also need to educate the human on the value of information. Younger generations have a different sensitivity to privacy than those of us who are older."

Join the CSO newsletter!

Error: Please check your email address.

Tags cyber attacksespionagesecurityRAND Corporation

More about Mellon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts