Common images of black-hat hackers generally involve basements, pizza, and poor hygiene. Yet as the volume and breadth of attacks continue to soar and ransomware’s continuing success drives cybercrime’s financial rewards to dizzying heights, today’s cybercriminals have more in common with suited corporate raiders than the closeted miscreants of yesteryear.
“The cybercrime world has really shifted from the hoodie and hacker,” Steve Martino, chief information security officer with global vendor Cisco Systems, told attendees at the company’s recent Cisco Live! conference in Melbourne.
While there were still people at the high end dedicated to extricating data, causing problems and penetrating targets in focused nation-state attacks, “the middle has grown into a multi-billion-dollar industry for cybercrime,” he said.
Recent figures from security firm RSA suggested that phishing alone cost global organisations $US9 billion ($A11.7b) in losses in 2016, with a new phishing attack launched every 30 seconds. One in 20 malware attacks was ransomware, with victims paying an average of $US300 ($A391) each.
Some cybercriminals are making money by selling access to ransomware-as-a-service and malvertising-as-a-service offerings that allow attacks to be customised and distributed with a few clicks – and others are making even more money by using those tools to launch ever more-corporatised attacks on victims at dizzying scale.
IBM, for one, noted a fourfold annual increase in spam during 2016, with 85 percent of malicious email attachments incorporating ransomware. This ransomware is not only pervasive, but well thought-out. Some strains now come with user-friendly customer service and technical support, for example, while – in a nod to the pricing strategies of conventional retail businesses – progressive tweaks to ransomware code are being used to find out just how much different types of victims are willing to pay.
“These are professional business people running for-profit businesses,” Martino said. “They are looking for ROI and looking for how quickly they can get it, then put the profits back into the business. They are not poorly run companies – and they are, in my opinion, the biggest threat we face today.”
Those are not words to be taken lightly from a man whose responsibilities include securing the networks and operations of a high-profile company with tens of thousands of employees worldwide. Given the volume of corporate secrets that exist in a company like Cisco, any potential breach of its networks could have significant financial repercussions – whether through theft of its intellectual property or a blunt-force social engineering attack targeting ransomware at large numbers of employees.
Show me the money

Other companies are not proving so lucky. The year 2016 has been widely recognised as a watershed in terms of the numbers of records breached and the takings of ransomware extortionists – both of which are KPIs for the professionals running large cybercrime rings.
Those professionals are actively recruiting black-hat hackers to probe and plunder corporate networks for potentially valuable information – creating a particular need for CSOs to engage trusted penetration-testing firms on a regular basis to identify potential weaknesses before the bad guys do.
After all, if recent figures from the Nuix Black Report – based on interviews with 70 professional hackers and penetration testers at the DEFCON security conference earlier this year – are correct, someone is already probing your network whether you’ve asked them to or not.
Some 88 percent of the respondents said they could compromise a target in less than 12 hours, while 21 percent said it takes less than 2 hours to find and exfiltrate their targeted data after the initial breach. Some 69 percent said that security teams almost never catch them in the act, while half changed their attack methodologies with every target.
Fully two-thirds of respondents said their main motivation as a hacker or penetration tester was the challenge, and 24 percent called themselves “a student of technology”. Just 9 percent said it was all about money.
The hackers were well-educated, with 37 percent saying they had graduated from university and 26 percent holding a postgraduate degree. Yet this level of education may also be contributing to the decision by many hackers to join professional exploitation firms, says Nuix CISO Chris Pogue.
“I believe many people end up becoming hackers because so many countries have strong tertiary mathematics and computer science programs, provided free of charge or greatly discounted, but have weak technology job markets,” he writes.
“When these students graduate, they can either look for work outside their country, try to find a local job for what is likely a marginal salary, or work for a cybercrime group – or as professional hackers – making considerably more money and contributing to their local economy.”
Given these dynamics, it’s hardly surprising that attacks by malicious outsiders posted the biggest growth from 2015 to 2016, according to Gemalto’s 2016 Breach Level Index, which noted the number of such attacks had grown from 1082 (comprising 272 million records) to 1223 (comprising 1.05 billion records). By contrast, attacks due to accidental loss and malicious insiders both decreased over the same time.
So many broken things

Those sorts of numbers and motivations are in an entirely different league from the type of activities that enthralled Mark Loveless, a security researcher with Duo Labs who by his own admission spent many of his early years as a hacker named ‘Simple Nomad’ compromising the security of large companies including Disney, eBay, Akamai, and Yahoo!.
In those days, profit was the furthest thing from his mind: cybercrime was mostly about intellectual curiosity, and he recalls conveying details of many of his exploits to the victims so they could be fixed.
“I tried to leave things in a little better shape than when I first got there,” he told attendees at the recent CSO Perspectives Roadshow 2017. This echoed the Nuix Black Report, in which 64 percent of respondents said their biggest frustration was that organisations didn’t fix the things they knew were broken.
It’s all a matter of perspective, said Loveless. “When you’re doing this sort of stuff you’re on the edges of society,” he explained.
“You’re trying new things, and experimenting, and taking things apart to figure out how they work. There is a different kind of ‘normal’ that is associated with it. But from [hackers’] perspective they think everyone else are the crazy ones. You get quite a different view from the edge looking back towards the middle, than the other way around.”
Yet even in those early days, experimental efforts to weaponise cybersecurity exploits were taking hold and ‘grey markets’ were filled with craftier malware that was emerging to challenge corporate security protections. Those exploits, Loveless recalled, were no longer being given to companies to improve their security.
“If you weaponised something it became more valuable,” he said, presaging today’s development of targeted attacks that are customised to support attacks on corporate targets. “If it takes them 2 or 3 months to find an exploit, it’s going to take 6 to 8 weeks to get it to where it’s fully weaponised,” Loveless said, “and these are some really smart individuals that do this stuff.”
Those individuals are increasingly turning over substantial figures as they continue finding new ways to extract money from corporate targets. Whether by selling compromised records containing personally identifiable information (PII) on open markets or locking files and holding companies to ransom, experience has shown that there truly is profit to be had from cybercrime.
Verizon’s 2016 Data Breach Investigations Report was one of numerous efforts that attempted to quantify the toll of cybercrime – and found it to be massive. Fully 89 percent of the 3141 confirmed data breaches during 2016 had a financial or espionage motive, the firm reported.
This changing dynamic means CSOs need to work closely and regularly with the business to inventory and protect the most valuable information assets within the organisation. It also means they need to introduce measures to shorten their time to discovery.
While FireEye threat-hunting group Mandiant’s M-Trends 2017 report noted a decrease in median dwell times from 146 days in 2015 to just 99 days last year, the firm’s researchers posited that much of that was due not to improved security defences but to a shift away from long, lingering compromises to the sort of short-lived, financially rewarding ransom attacks that have come to dominate the security landscape.
However the attack comes, it’s clear that highly motivated and highly capable hackers are not only already at your door – but that they may very well be watching your TV in your lounge room, while drinking your beer. And if you don’t have the tools to find them – and an action plan for when you do – your critical business data is already as good as gone.