The Dark Evolution of a Burgeoning Economy
Ostra’s Cybersecurity 101 Series is a deeper dive for the non-technical reader who wants to better understand cybersecurity mechanics. This 5-part series covers how the cyber-crime world operates, the evolution of threat generations, why traditional defense models fall short, what a modern attack scenario looks like, and the hallmarks of an effective security platform.
The Cyber-crime Threat
In the not too distant past, computer hacking was a cat-and-mouse game between smart nerds defacing websites for sport, and law enforcement who viewed it as more annoying than devastating. Today cybercrime is a booming economy that generates at least $1.5 trillion in annual revenues. Using popular contemporary business models, cybercrime has become the “evil twin” of the legitimate economy, feeding off its profitability and growth, and in some cases outperforming it. In Part 2 of Ostra’s Cybersecurity 101 Series we explore how the ability of cybercriminals to attack outpaced the ability to defend with “detect-to-protect” security, at the same time that data became a highly valuable — and easy to steal — commodity in the digital era.
Evolution of Methods and Tools
In the early days of personal computing, viruses were carried on discs inserted into computers, and attacks were confined to a single computer at a time. Connectivity of the internet, which allowed attacks on more computer systems more rapidly, was a game changer. Without commerce, computers connected to the internet were just targets. With the boom of online commerce and banking, computers became a lucrative inroad to theft, and money became the driving force of hacking. Cybercriminals developed internet apps and web browsers that could embed malicious code and perform drive-by download attacks with the purpose of hijacking online accounts.
At that point, threat response was primarily anti-virus software that protected devices (or endpoints), and intrusion prevention devices (such as firewalls) to control network access. This type of defense was adequate to meet the threat because computers, servers and other networking equipment could be placed behind a perimeter. Viruses could be easily detected because each one was catalogued by a unique string of ones and zeros that acted as the virus definition. These definitions were continually updated in a database that acted as the core of the anti-virus software.
Next-Generation of Attack Power
As cybercrime advanced, cybercriminals were both innovators and early adopters of technology. To counter anti-virus software, malware became polymorphic, with the ability to constantly change identifiable features to avoid detection. The variety of malware increased to include viruses, worms, bots, trojans, and keyloggers, all built to infiltrate, spy, and steal.
Another way that cybercriminals evaded anti-virus defense measures was through bot attacks. A bot is malicious software that can invade a computer, then take control and neutralize anti-virus defenses. Bots are difficult to detect since they hide within the computer and change the way they appear to anti-virus software. A bot is designed to connect to a command and control center to receive instructions from the cybercriminal. Instructions can include data theft, sending spam, and attacking other networks, websites, etc. Most bots are part of a botnet, or a collection of infected computers controlled by the cybercriminal.
In response to this new attack power, the cybersecurity industry created advanced tools to detect threats that bypass “definition based” anti-virus solutions. Sandboxing products proactively detect malware by executing (or detonating) its code in a safe and isolated environment and observing whether its behavior is malicious. Anti-bot products identify infected machines and block bot communications to command and control sites to prevent theft and malicious activity.
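As an added illustration (not code from Ostra or from any anti-virus product), the sketch below models a definition database with two kinds of definition, a whole-file hash and a catalogued byte string, and scans four constructed, harmless byte strings. All names and sample values are made up for the example; it shows that a sample whose identifiable bytes have changed matches neither definition.

```python
import hashlib
from dataclasses import dataclass

# Constructed, harmless stand-ins for files; nothing here is real malware.
MARKER = b"DEMO-MARKER-7f3a"                 # byte string the vendor catalogued
ORIGINAL = b"MZ-demo-header" + MARKER + b"-tail"
PADDED = ORIGINAL + b"\x00\x00"              # same content plus two extra bytes
REWRITTEN = b"MZ-demo-header" + b"D3M0_m4rk3r!7f3a" + b"-tail"  # marker bytes changed
CLEAN = b"quarterly-report-contents"
SAMPLES = {"original": ORIGINAL, "padded": PADDED,
           "rewritten": REWRITTEN, "clean": CLEAN}


@dataclass(frozen=True)
class Definition:
    name: str
    kind: str    # "sha256": hash of the whole file; "bytes": sequence anywhere in it
    value: str   # hex-encoded hash or byte sequence


# The "definition database": one exact-file hash and one byte pattern.
DEFINITIONS = [
    Definition("Demo.A (file hash)", "sha256", hashlib.sha256(ORIGINAL).hexdigest()),
    Definition("Demo.A (byte pattern)", "bytes", MARKER.hex()),
]


def scan(data, definitions=DEFINITIONS):
    """Return the names of every definition that matches the given bytes."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for d in definitions:
        if d.kind == "sha256" and d.value == digest:
            hits.append(d.name)
        elif d.kind == "bytes" and bytes.fromhex(d.value) in data:
            hits.append(d.name)
    return hits


def report(samples=SAMPLES):
    """Scan every labelled sample and return {label: [matching definitions]}."""
    return {label: scan(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:10} -> {hits or 'no match'}")
```

The padded copy already escapes the whole-file hash, and the rewritten copy escapes both definitions even though it is not a clean file, which is the gap behavior-based tools such as sandboxing were built to close.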
Cybercriminals also developed technologies to spawn attacks known as Advanced Persistent Threats. These types of attacks use continuous, clandestine, and sophisticated hacking techniques to gain access to a system and remain inside for a prolonged period of time. Often these attacks are multi-staged across several points of entry, across many types of devices, and include both traditional and cloud networks. Even if they are discovered and the immediate threat appears to be gone, cybercriminals may have left multiple backdoors open that allow them to return when they choose.
In response to these types of advanced threats, highly complex integrated security technologies have been developed to block infiltration, detect and prevent sophisticated attacks and extend the reach of security into cloud platforms.
Layered Enterprise Grade Security Solutions provide integrated prevention, detection, and quarantine tools based upon threat behavioral characteristics.
Data is King
Today, data is the raw material that is gathered, mined, sold, and shaped into new products and purposes. Some of the many forms of data used as “goods of trade” in the cybercriminal world are still traditional data such as stolen credit and debit cards. But newer forms of data also possess value: personally identifiable information (PII), health information, stolen login credentials to email, social media or app accounts, and loyalty program points. Stolen credit card numbers can be used to purchase gift cards, which are then used to purchase items to sell through legitimate channels or underground on the dark web. Personally identifiable information can be gathered piecemeal to form an identity used for various types of fraud. Hacked email or social media accounts can be used to distribute spam, run scams against the person’s contacts and connections, and try to leverage the stolen account to break into other online accounts. Stolen credentials can be used to take over and sell subscription accounts. Loyalty program accounts or points for airline miles, hotels and rental cars can be stolen and sold. There are even communities and forums on the dark web where individuals known as “ratters” take control of webcams with a remote administration tool (RAT) and sell videos and photos of their webcam victims. From filing fraudulent tax returns or submitting false medical claims to hijacking Uber accounts and billing for ghost rides, or holding data for ransom, cybercriminals have figured out how to use or sell stolen data to “monetize the take.”
Transforming Threat Landscape
As discussed in Part 1 of our series, the world of cyber-crime works like any business, except that revenue streams are stolen data and extortion. To truly understand the evolution of cyber threats, keep in mind that the cybercrime economy mimics successful legitimate digital businesses. Those such as Google, Facebook, Apple, Uber and Airbnb have transformed themselves into platforms (hardware and software) for others to operate on. This “platform capitalism” (as termed by Nick Srnicek) is mimicked in the cybercrime economy as “platform criminality.” Two ways this is seen within the cybercrime world are the weaponization of existing platforms and the development of cybercrime-specific platforms.
As existing platforms such as Yahoo, Google, and Facebook became mainstays, they became primary sources for data hacks to sell personally identifiable information. They also have become prime targets for the distribution of malware and the creation of fake accounts to snare members into sharing information used in future phishing attempts. Commerce sites such as Amazon and eBay have become popular sites to distribute counterfeit or stolen goods, while sites such as Airbnb and Uber are used for false bookings to launder stolen money.
Cybercrime-specific platforms were developed to mimic legitimate business platforms that connect previously unconnected parties for commerce. One example of their function is trade in data such as stolen credit/debit cards, personally identifiable information, healthcare information, and credit reports. Cybercrime-as-a-Service (CaaS) platforms have emerged mimicking legitimate business models and platforms, with materials and services for purchase or rent such as: banking trojans, targeted “distributed denial of service” (DDoS) attacks, botnet infrastructures, known exploits (security holes in systems that allow penetration), hackers on call, duplicated or custom developed look-alike websites for phishing, encryption services, and criminal call centers for banking support or tax inquiry scams. As these platforms evolve, new offerings, such as manipulation of ratings on sites (such as Tripadvisor), changing of essay grades, deleting driver’s license or criminal records, and enhancing product reviews, can all be purchased. Platform owners generate revenue from fees and sales of advertisements and ad space, while YouTube videos and Google guides are abundant to attract cybercrime “buyers.” The crimeware service industry has evolved into an “off the peg warehousing facility where whatever is needed for the commission of cybercrime can be bought or hired.”
Intelligence-as-a-Service organizations have formed in response to the highly organized structure and economic maturity of the cybercrime underworld. These types of services provide ongoing monitoring of the Deep & Dark Web for: brand-damaging activity; compromised credentials or personal threats; asset portfolio exposure; and real-time monitoring of leaked login credentials across various hidden internet communities.
Cybercrime is a burgeoning economic ecosystem that enables, funds and supports criminal activity on a global scale. The number of people participating in cybercrime is predicted to increase because “point and click” interfaces and the availability of “how to” information make it easier to get involved than it was even ten years ago.
Two decades ago, when there was less ability to attack, the trend lines for attack and defense were close. But they’ve since diverged. Large enterprises have the resources to invest in state-of-the-art security systems, but small businesses are still reliant on old defense technology. This reality has not escaped the notice of criminals, who increasingly target the small to medium businesses that are most vulnerable and easiest to attack.
Ostra’s 5-part Cybersecurity 101 series is designed for the non-technical reader who wants to better understand cybersecurity mechanics. Part 3 of the series showcases Technical Features of Traditional and Advanced Cyberdefense Models.
Ablon, L., Martin, L. C., & Golay, A. A. (2014). Markets for Cybercrime Tools and Stolen Data. Produced by the Acquisition and Technology Policy Center of the RAND National Security Research Division, with funding from Juniper Networks.
Glassberg, Jason. (2018). 6 Ways Hackers Can Monetize Your Life. Retrieved from https://www.huffpost.com/entry/6-ways-hackers-can-moneti_b_9078224
McGuire, Michael. (2018). Into the Web of Profit. Retrieved from https://www.bromium.com/resource/into-the-web-of-profit/
Pagliery, Jose. (2015). The Evolution of Hacking. Retrieved from https://www.cnn.com/2015/03/11/tech/computer-hacking-history/index.html
Srnicek, Nick. (2016). Platform Capitalism. Retrieved from https://www.wiley.com/en-us/Platform+Capitalism-p-9781509504879
White, Kelly. (2013). The Rise of Cybercrime 1970 thru 2010. Retrieved from https://www.slideshare.net/bluesme/the-rise-of-cybercrime-1970s-2010-29879338
Zurier, Steve. (2018). 8 Ways Hackers Monetize Stolen Data. Retrieved from https://www.darkreading.com/attacks-breaches/8-ways-hackers-monetize-stolen-data———–/d/d-id/1331560
© 2020 Ostra, LLC