Cybercriminals and hacktivists face many of the same hiring problems as defending security organizations, but with their own particular twists, according to report released this morning.
There is a lack of qualified candidates for jobs such as malware writers, exploit developers, bot net operators, and mules, according to a report by Digital Shadows.
In addition, cybercriminals are limited in their ability to properly vet new hires, to widely advertise for needed talent, and to find people who are both trustworthy and are willing to break the law.
Plus, time is a significant constraint.
"Cybercriminals have to be very fast," said Rick Holland, vice president of strategy at Digital Shadows. "Their window to monetize is very shallow."
Meanwhile, law enforcement groups, banks, and security groups are all keeping an eye on them, waiting for them to make a mistake.
To find the right candidates, the criminal groups post job openings on underground job boards, conduct Skype interviews, ask for references, and check applicants' reputations on sites dedicated to shaming bad actors.
The Skype interviews are a popular tool, but neither the applicant nor the interviewer can afford to expose themselves to the other, to avoid law enforcement. As a result, the video is turned off, voices are masked, and traffic is directed through anonymizing services such as TOR.
A typical advertisement requires that all communications be encrypted, and payment will be made in Bitcoin.
Some groups also put new hires into a probationary period until they prove themselves.
"But there are opsec trade-offs," said Holland. "If they have so much security that it makes it difficult to recruit people, then that makes it difficult for them to monetize."
Some groups also offer incentives for new talent, such as promising fame and notoriety, profit-sharing, and travel expenses.
However, the more actively the criminals recruit, the more likely it is that the recruitment process will be compromised.
Even if they don't get caught by authorities, just the recruitment process itself can provide valuable information to defending organizations. It provides information about in-demand skills and tools and also potentially about industries and organizations that may be targets in the near future.
For example, one reason many attackers use simple tools and attack methods is simply that those entry-level skill sets are easiest to find.
Those low-level skills include SQL injections and cross-site scripting, Holland said.
And there's a lesson there for defenders.
"If we focus on application security, reduce footprint on SQL injections and cross-site scripting, we wouldn't eliminate all attacks, but we would reduce the attack surface," he said. "It's the simplest things."