Ian Bancroft, vice president and general manager, EMEA, Secureworks, gives an overview of how threat actors operate.
It’s no secret that 2017 was the year of high-profile cyber-attacks. From WannaCry to NotPetya to BadRabbit, cyber-attacks hit hundreds of businesses, crippled hospital networks and compromised the security of hundreds of thousands of devices around the world.
Unfortunately, the rise in cybercrime shows no sign of slowing as attacks are becoming more sophisticated and the number of cyber gangs continues to grow. Over the next three years in total, experts predict that the damage is set to hit $6 trillion, with cybercrime becoming one of the ‘greatest transfers of economic wealth in history’. With the advent of emerging technologies such as the Internet of Things (IoT) and Artificial Intelligence (AI), the threat landscape is only going to continue to grow. Correspondingly, we’re seeing organisations investing heavily in cybersecurity, as nearly half of them were hit with a cyber-attack in the first half of 2017 alone.
The question is, do we have the right pool of cybersecurity talent available for organisations to dip into? On the one hand analyst houses like Gartner are predicting that the shortage of skilled cybersecurity workers will continue to rise – which is partly evidenced by the zero percent unemployment rate. On the other you have governments investing millions into tech initiatives and promising an increase in the number of teachers trained in computer science and coding.
However, with all of the high-profile attacks of last year taking centre stage, there hasn’t been a tremendous amount of focus on what’s under the hood, e.g. how organised crime rings themselves operate and recruit; and what cybersecurity skills they prioritise for nefarious gain.
Down the rabbit hole
If you were to take a guess, the first image filling your mind might be of hooded people gathered on street corners trading secrets and job specs – it’s the go-to depiction of a traditional cybercriminal. But, organised cybercrime groups function like any other business. The first concern for the discerning dark recruiter will be keeping the cybercrime ring off the radar – but much like mainstream industry, job ads can also be posted to forums on the dark web and referrals are frequently used to ensure the candidate isn’t an undercover law enforcement officer.
As with any business, attracting and retaining the right talent is important for organised cybercriminal enterprises. Before posting a job ad or talking to fellow threat actor, cybercrime recruiters need to differentiate between roles and think about the skills they need. Within the cybercrime ecosystem there are a range of diverse roles, which are filled from inside criminal groups or “outsourced” for efficiency. These roles can be anything from a traditional cybercriminal (distinguished by their focus on minimising risk and maximising profit) to an inject writer (an expert coder able to write malware to interact and mimic the websites of banks) to a data processing specialist (skilled at triaging large amounts of data and identifying the value of it).
These are highly skilled roles that require years of training, experience and technology skills. But when on the lookout for cybercriminals, dark recruiters don’t just look for computer geniuses – as there are always different levels and job descriptions in all organisations. If someone isn’t overtly tech savvy, their role might be as a “money mule”. Money muling is continuing to show up as an integral component of the online criminal landscape, even though criminals are diversifying their cash out operations.
Why is this? Most cybercrime is perpetrated in an effort to make money, so cybercriminals have to be able to turn stolen financial data, such as online banking credentials and credit card details, into physical cash or goods, unless of course Ransomware is the preferred approach. Turning stolen data into cash is often risky, so experienced criminals minimise their own risks by using money mules to do this work. Mules are either knowing or unknowing accomplices who receive the stolen funds or high-value goods, and then transfer them on through a distribution chain out of their country and eventually into the hands of the cybercriminal.
Cybercriminal groups may advertise for money mule positions on the Internet underground and sometimes other threat actors will volunteer to open a bank account and receive stolen funds in exchange for a percentage of those funds or a flat fee. In this way, cybercriminals who are not as technically capable can fill a niche by offering a different service.
Forums on the internet underground often feature “trust rating” systems and specific message boards dedicated to grievances and outing so called “rippers” — individuals who have been deemed untrustworthy. More sophisticated and experienced organised criminal groups will make use of the services of specific mule recruitment groups that specialise in recruiting, grooming and organising unwitting members of the public, rather than using other criminals to receive the initial stolen funds.
Into the light
The old adage “keep your friends close, but your enemies closer” is how organisations and cybersecurity teams need to view these online crime rings. By understanding how these networks operate, it will be easier to safeguard against attacks and spot potential mules within the organisation. But beyond understanding how these threat actors operate, how else can organisations put measures in place to continuously counteract ever-more sophisticated cyber-attacks and outsmart threat actors?
Education at the early stages is paramount. The security industry is already developing interest with the likes of the Cyber Academy and GCHQ-sponsored hacking challenges, but it needs to do more to attract talent. By appealing to students at university and hosting open information days, security firms can help capture interest and encourage graduates to apply for their schemes. Once a company has identified and hired its security talent, it must then nurture and retain that talent for the long-term future. Organisations need to grow talent from the very beginning, encouraging those with an aptitude for cyber security to push themselves further and further. A role in cyber security should not only challenge employees, but also give them the opportunity to develop their own niche and progress upwards with real career options.
Finally, it is critical that organisations help employees adopt the right mindset for a career in cybersecurity. Cybersecurity shouldn’t panic organisations. They are inevitable and will only become more commonplace as cryptocurrencies like Bitcoin, that offer untraceable extortion capabilities, become increasingly popular. Organisations must relish the challenge that cybersecurity presents; approach it from the top-down, and view it as an ongoing challenge rather than a problem. This is the view that the younger generation must also adopt, and it is our responsibility to help ingrain this cultural mindset at the earliest possible stages to ensure they are driven to help protect organisations of the future.