Can the Infosec Community Ever Be as Well-Organized as Digital Criminals?

Can the Infosec Community Ever Be as Well-Organized as Digital Criminals?

Digital criminals are innovating all the time, making them an even more formidable enemy.

  • They’ve begun embracing automated intelligence to learn how a target system’s defenses work and to blend in with normal network activity.
  • They borrow code from successful threats like Mirai to develop new malware strains.
  • They host their websites using blockchain-based DNS, a technique that prevents security researchers from attempting to reroute the domain or access the website via a centralized entity.

These innovations, as well as purpose-built payloads and attacks-as-a-service, are possible only because digital crime has become so organized.

The Structure of Online Crime

Brian Gladstein, a security marketing strategist at Carbon Black, discussed this very development at RSA Conference 2018. In his presentation entitled “Endpoint Security and the Cloud: How to Apply Predictive Analytics and Big Data,” Gladstein observes that digital crime is structured like an economy consisting of several tiers. At the top is the “Digirati,” a term used by Gladstein for the class of high-ranking controllers responsible for executing digital attacks. The Digirati consists of the ones who hide on the network and gather information, usage patterns, and intel. They then share this information and build upon what knowledge they’ve already gathered from other actors in the online criminal community.

Below the Digirati are the subject matter experts. Malware writers, identity collectors, and individuals who hoard zero-day vulnerabilities and other exploits sit on this level of the digital crime economy. These individuals oftentimes sell access to their goods and services to the next tier, which consists of botnet owners, cashiers, spammers, and other brokers and vendors.

The final layer consists of buyers, observers and money mules, individuals who are oftentimes unwittingly enlisted by criminals to transport and launder stolen monies.

Reflections on the Digital Crime Hierarchy

Examining Gladstein’s digital crime hierarchy reveals some important observations. First and foremost, the world of online crime is extremely specialized and compartmentalized. Hardik Modi, senior director of the security engineering and response team at Arbor Networks, told Raconteur that most if not all components used in digital attacks “are routinely upgraded and customized for use in new campaigns, pointing to dedicated and separate teams of competent programmers.” He went on to explain that bad actors usually hire out different teams at each link in the attack chain and pays them using Bitcoin. Such precautions help reduce the risk of the entire operation crumbling if one link gets busted.

Another important observation of Gladstein’s model for digital crime is the fact that digital crime mirrors corporate organizations in their structure. Per ZDNet, some attack chains support a 24-hour operation cycle and create call centers staffed with unknowing customer service representatives. And for those just starting out in digital crime, individuals can take training courses on how to hack a website and infiltrate a target system. Criminal organizations can then use those courses to vet or train candidates for a particular stage in the attack chain.

The parallels between legitimate organizations and digital crime don’t stop there, however. Just like corporate entities, criminal associations are known to reinvest their profits into other pursuits. According to a study conducted by Dr. Michael McGuire at the University of Surrey, bad actors reinvest approximately 20 percent of revenues into subsequent crime. In total, close to $300 billion funnel into various forms of offline crime. This activity has Dr. McGuire convinced that online crime is no longer just a business, as noted in his comment in Silicon Republic:

“It’s much, much more than that. It’s like an economy which mirrors the legitimate economy. Increasingly, what we’re seeing is the legitimate economy feeding off the cybercrime economy. More concerning is evidence that cybercrime revenues are now significant enough to attract the attention of those who are ready to use them to fund more serious crime, such as human trafficking, drug production, or even terrorism.”

Dr. McGuire found that bad actors used PayPal and similar platforms for money laundering purposes to fund these offline criminal pursuits.

How the Security Industry Compares

In comparison to digital crime, the security industry has no aggregate structure. Everyone is on their own, figuring out independently how to mitigate the same attacks and how to detect new threats as they emerge. This lack of cohesiveness is exacerbated by the fact that the industry doesn’t have enough security professionals to fill out its collective organization. According to ESG/ISSA research, 70 percent of security professionals say that the skills shortage has affected their particular place of work, while an almost equal majority (68 percent) said it has taxed them individually by blurring the line between their personal and professional lives. This effect led nearly four in 10 research participants to conclude that the skills gap is responsible for high rates of burnout among infosec personnel, thereby further contributing to an overworked and short-staffed workforce on which the security industry relies.

The security skills gap has some important trickle-down effects for the industry, as well. In a survey of 319 IT security decision-makers by Dimensional Research on behalf of CIS and Tenable Network Security, 95 percent of organizations have trouble implementing digital security frameworks, with 57 percent of enterprises identifying a lack of trained staff as the most predominant factor for these challenges. The skills gap was followed by an inadequate budget (39 percent) and lack of prioritization (24 percent). In the absence of adequate security staff and controls, companies leave themselves open to data exfiltration or attacks that abuse their business relationships in order to target additional companies, which places a further burden on the industry.

Perhaps most significantly, the security industry is limited in its efforts by the absence of an international legal framework around digital crime. There have been proposals for guidelines that can help facilitate cross-border investigations, but some states refuse to sign them. As written in The New York Times, Russia, in particular, stands out because it has a record of working against accused criminals’ extradition to the West and actually hiring these actors into state-level positions.

How Security Organizations Can Even the Balance

Today the criminals appear to have the upper hand, given the security industry challenges describe above. But we collectively can take steps to fortify our respective organization against digital crime. First, we can work with education institutions to emphasize the importance of security education and create corresponding curricula. Second, the industry needs to work with governments to facilitate cross-border investigations into digital crime wherever possible.

Short of industry-wide action, individual security organizations can play a part in evening the balance with digital criminals. Much of the digital economy rests on the success of the Digirati and others successfully hiding in networks for as long as possible so that they can learn from their targets. These actors are stealthy in their attacks, but these intrusions aren’t silent. Organizations need to know where to look to detect them, have the skills and the latest security products to piece together disparate indications of a possible security incident, appropriately incorporate AI into security technology to help compensate for unfilled staff positions, and be open to sharing that information with enterprises and with other security technology companies.

Lastline understands that security organizations can’t go it alone in detecting and deterring digital criminals. That’s why Lastline is a member of the Cyber Threat Alliance, an organization whose mission is to encourage and facilitate security companies sharing and cooperating. For the security industry to even hope to defend against a well-organized adversary, organizations need to band together. This means in some cases working with competitors in the form of sharing threat details for the greater good with the confidence that they can still differentiate themselves with added-value capabilities.

Giovanni Vigna

Giovanni Vigna

Giovanni Vigna is one of the founders and CTO of Lastline as well as a Professor in the Department of Computer Science at the University of California in Santa Barbara. His current research interests include malware analysis, web security, vulnerability assessment, and mobile phone security. He also edited a book on Security and Mobile Agents and authored one on Intrusion Correlation. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. Giovanni Vigna received his M.S. with honors and Ph.D. from Politecnico di Milano, Italy, in 1994 and 1998, respectively. He is a member of IEEE and ACM.
Giovanni Vigna