With cyberattacks increasingly threatening businesses through ransomware attacks and data theft, executives need new tools, techniques, and approaches to protect their organisations.
Unfortunately, criminal innovation often outpaces their defensive efforts.
Wide-scale cyberattacks are becoming more common, too.
Cyberattackers always seem to be one or two steps ahead of the defenders. Are they more technically adept, or do they have a magical recipe for innovation that enables them to move more quickly?
If, as is commonly believed, hackers operated mainly as isolated individuals, they would need to be incredibly skilled and fast to create hacks at the frequency we’ve seen.
However, from research in darknet marketplaces, reports on cyberattacks, and cybersecurity professionals’ feedback and opinions, it can be concluded that the prevalence of the “fringe hacker” is a misconception and a deception itself!
Applying business models to cybercrime reveals that dark web marketplaces typically serve what academics call a value system.
That system includes a comprehensive cyberattack supply chain, which enables hackers and brokers to customise and sell the products and services needed to mount cyberattacks at scale.
Understanding how it works provides new, more effective avenues for combating cyberattacks on companies, organisations, and even nation states.
The darknet hosts various cyberattack-as-a-service (CAaaS) marketplaces and forums that cater to a criminal ilk of technologists and businesspeople.
The organised crime syndicates, hacktivists or even nation state sponsored groups buy these services and combine them to orchestrate attacks.
I have specifically mentioned these groups because large amounts of financing are required initially, which generally rules out most lone or fringe hackers.
Artificial intelligence (AI) has been harnessed to create even more powerful CAaaS darknet offerings.
With the help of AI, personal information collected from Twitter, Facebook, and other social media sites can be used to automatically generate phishing emails and posts with open rates as high as 80 per cent!
The emergence of CAaaS marketplaces is a game-changing development that drastically reduces barriers and challenges in cybercrime: Hackers and darknet brokers don’t need to perform cyberattacks to realise financial benefits from their innovations, and their customers don’t need to be hackers to mount cyberattacks.
The “as a service” model distances developers from the cyberattacks enabled by their products and services as they don’t need to be directly involved in the specific cyberattack.
It helps them evade the grasp of authorities, as well, because many services in CAaaS marketplaces are not fundamentally illegal.
The services offered are not randomly chosen but, rather, purposefully designed, innovative responses to business opportunities — sometimes with the help of cutting-edge technologies.
Thus, we see cybercrime evolving from a nefarious hobby into a business ecosystem and value chain with a global scope.
No wonder it is difficult, if not impossible, for the cyber defence community to keep up.
The service providers use several different pricing models.
In many cases, their offerings are available for a one-time fee for unlimited use. For example, recently, a Microsoft Office zero-day exploit was priced at $35,000 in Bitcoin in a darknet market.
Today’s cyberattacks are more often the work of organised-crime business people or nation state sponsored groups using proven business models within a well-defined ecosystem governed by the dictates of supply and demand.
This CAaaS ecosystem makes mounting targeted, scalable cyberattacks quicker, cheaper, and more difficult to stop. But understanding all that helps organisations refocus on how to combat cyberattacks.
Some ideas I would suggest:
1. Expand the focus of cyber-threat intelligence:
Many cyber-threat intelligence services collect data from enterprise IT environments to detect potential cyber threats. There is some investigation of the darknet, but it is usually limited to harvesting threat information and alerting potential targets. The emergence of new services on the darknet can alert defenders and potential targets to the kinds of attacks that may be brewing.
2. Pursue a good offence as the best defence:
Cyber strategy in most organisations is still mainly reactive. Companies defend themselves after cyberattacks have been launched. A value-chain-based view of attacks enables a more proactive strategy: We can switch to playing offence by disrupting the CAaaS ecosystem. For example, defenders can flood the cyberattack ecosystem with deceptive services, making the dark web less attractive for cybercriminals seeking to purchase services. Another offensive strategy is to disrupt select services that are frequently used to create attack vectors, thereby making it difficult and risky to orchestrate an attack. For example, by monitoring and infiltrating botnet services as they did with Emotet, law enforcement agencies can anticipate and prevent attacks that use them. Likewise, infiltrating cryptocurrency-based money-laundering services could deter attackers by making it difficult for them to access their illegal gains.
3. Create a cyber-defence service value chain:
If cybercriminals can create a value chain that makes it easier and more profitable to launch attacks, why can’t we build a defensive value chain? Cyber defence cannot be relegated to law enforcement agencies alone. Instead, it requires an ecosystem aimed at combating cybercrime that includes many actors – cybersecurity experts, corporations, software and hardware providers, infrastructure operators, financial systems, and governments — working together. Ideally, we should see governments supporting the creation of a defensive value chain with policies and regulations.
Infrastructure operators, such as telcos and internet service providers, would use their advantaged monitoring position to disrupt the delivery of cyberattacks. Financial institutions would act to block the monetary activities of cybercriminals, including their money-laundering networks and cryptocurrency monetisation activities.
Granted, bringing together such disparate parties with so many interests is an enormous task, and it’s not entirely clear how it should be approached. One possibility is to better align the capabilities needed to combat cybercrime with financial incentives to act. For Fiji and the region this is already being started through financial assistance provided by Australia, New Zealand and other donor agencies, but more tangible results have to be seen at ground level.
No matter how it is accomplished, however, collecting defence services into a value chain would likely motivate more service providers to create and sell as-a-service cyber-defence offerings, expanding the menu of activities that could be assembled by defenders to thwart attacks. Fighting fire with fire would be far more effective than today’s splintered reactive efforts.
4. Approach defence as a business problem first, not a technology problem:
When business leaders ask, “How can we prepare for unknown cyberattacks?” they often assume that attackers are using new and perhaps unknown technologies. Although this is sometimes true, frequently the attackers and defenders use the same technologies: a top 10 list of cyber attack vectors has not changed much in the past 10 years; only the ranking has changed, along with the sophistication brought by the use of AI and the fact that more business processes are now fully digital. Today’s cyberattacks are often orchestrated by clever business people who target organisations with something of value to steal or disrupt. So they should be treated like other business threats.
Risk management tools and techniques can usually help identify vulnerabilities that attackers may prey upon, and enable potential targets to anticipate next moves. Protecting the business and detecting, responding to, and recovering from attacks is not solely the responsibility of technology experts or the IT department.
As cyberattacks are becoming more frequent, dynamic, and damaging, it is clear that the current defensive mindset is not adequate to stem the tide.
We need to shift our view of cyberattacks and cybercrime from that of a chaotic, random set of events to that of a structured, often predictable set of business engagements and processes.
Understanding most cybercrime as an orchestration of services available on the dark web offers new insights into potential threats and effective ways of fighting them.
Heeding once again sage advice from Sun Tzu: “Thus, what is of supreme importance in war is to attack the enemy’s strategy.”
Have a blessed weekend, stay safe and well in both digital and physical worlds.
- Ilaitia B. Tuisawau is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com