Cybercrime-as-a-service: tackling a rapidly professionalising industry
The threat landscape has room for many different actors. Some may be government employees, and others “lone wolf” hackers. But increasingly we’re seeing a relatively new trend: highly organised cybercrime groups running service-based businesses. Is a threat actor still a threat actor when they have a regular salary, bonuses and participate in an employee referral scheme?
Well, yes they are. But as Sun Tzu said, the path to victory begins with knowing the enemy. At a fireside chat event recently, I had an opportunity to share more thoughts on the growing professionalisation of the cybercrime underground – and what it means for network defenders.
Going underground
Trend Micro blocked nearly 64 billion cyber-threats for our customers in the first half of 2022 alone. Even this is likely to be the tip of the iceberg. The cybercrime economy by some estimates is now worth trillions of dollars annually, more than the GDP of many countries. There are several reasons for this rampant growth, but a big part of it is down to a rapidly maturing sector supported by technology innovation. Wannabe cyber-criminals can purchase everything they need to launch attacks, simply by visiting the right marketplaces and dark web forums. Many of these offerings are packaged into handy, easy-to-use services: no technical skills required. They also have a ready-made market on which to sell stolen data.
Now consider the risk/reward calculation a prospective cyber-criminal might make. Attacks can be launched remotely on virtually any target from virtually anywhere in the world. Anonymising technologies can mask the hacker’s true identity. And even if they are unsuccessful in staying hidden, there are plenty of autocracies prepared to shelter such individuals, as long as they don’t attack organisations inside their host country. When the risk of being caught is this low and the potential rewards are so high, it’s perhaps no surprise that cybercrime is booming.
Digging deeper
Many of these hackers act alone, or in loosely connected groups that collaborate remotely online. They operate in thriving communities, where every participant has a clearly delineated role, based around the specific skills and knowledge they’re hoping to monetise. But increasingly, we’re seeing threat actors also coalesce into more organised groups, especially in the ransomware space. When hundreds of thousands of internal chat messages sent between members of one of these groups were leaked earlier this year, it gave us a fantastic opportunity to see just how organised they are.
The group in question, Conti, operated in many ways like a legitimate business. It featured an HR and recruitment division, a specialist in charge of its data leak blog, a training head, and a cryptocurrency specialist. Internal recruiters would post ads on the dark web and organise interviews, as well as offer bonuses for referrals and those able to recruit insiders within target companies.
Also identified were specific teams, each staffed with developers, pen testers, OSINT specialists, admins, QA staff and reverse engineering experts. Many of the reverse engineers were tasked with looking at other malware on the cybercrime underground, to see what they could incorporate into their own offerings. Even more impressively, the group spent an estimated $6m on employee salaries, tooling and professional services from January 2021 to February 2022, more than the IT security budget of many SMBs.
Fighting back
All of which makes the scale and intent of these criminal organisations pretty clear. Transnational, highly organised and tech-savvy criminal entities like Conti are extremely hard to investigate and track down, not least if suspects are found to be residing in hostile states like Russia and Belarus. Their agility will usually outstrip that of investigators. Conti recently dismantled its infrastructure, for example, although its members will surely be active in other groups and projects.
So how can network defenders respond? It starts with a realisation that the bad guys hold a number of advantages, while security teams must protect an expansive, distributed IT environment. That means threat protection should be combined with detection and response. If and when attackers breach your organisation, you must have the tooling to rapidly discover, contain and eliminate any malicious activity before it can spread and cause real damage.
All but the largest organisations will find it necessary to team up with third-party experts to derive the threat intelligence needed to power such activities. That means vendors like Trend Micro, whose Zero Day Initiative (ZDI) provides early access to data from the world’s largest bug bounty programme. It powers platforms like our XDR offering Vision One, for accelerated threat detection, investigation, and response. Organisations should also look to sector-specific intelligence-sharing communities such as the Information Sharing and Analysis Centres (ISACs) to maximise information flows.
In short: the best way to defeat a highly organised adversary is to match their effort and knack for collaboration. Let’s start today.