Can we take business lessons from cybercriminals? 

While we defend our businesses like islands, information sharing is giving cyber attackers the upper hand.
21 October 2020

The worst is not over with Russia’s hacks. Source: Shutterstock

  • Hackers tend to work as part of large entities, gaining access to troves of information and tools
  • Businesses can take a lesson from their adversary’s approach to collaboration 

The typical ‘hacker’ is often depicted as a hoodie-wearing loner sat in a dark room, Fawkes mask lit green or red by an array of monitors like they’re on the bridge of an aircraft carrier. 

And while this may occasionally be the case (the eye-strain would become old quickly), the kinds of attacks that extort millions or billions from organizations through ransomware aren’t carried out by lone-wolves. ‘Aqua’, the 32-year-old ransomware ‘franchisor’ and founder of Evil Corp — the hacker group behind the ransomware attack on Garmin — is said to flex his customized Lamborghini around the streets of Moscow with state immunity… hardly hiding in his mother’s basement. 

Cybercrime today is so pervasive that it’s often referred to as CaaS or ‘Cybercrime as a Service’. Not only do actors operate within extensive networks or entities, but successful malware is sold to other groups who wish to conduct cyberattacks themselves. Trickbot, for example, has infected over a million computing devices around the world since late 2016, including IoT devices. While the identity of the operators is unknown, research suggests they serve both nation-states and criminal networks.

“Many larger cybercriminal entities work very similarly to corporations we are familiar with. They run a business, they have assets they both create and resell, they leverage trusted networks in forums, blogs, chats to share collateral in hopes of moving a project forward,” Neal Dennis, threat intelligence specialist at Cyware, told TechHQ.

While one threat actor might be able to build a botnet, this can open doors for another individual who builds ransomware. The maker of that ransomware, in turn, might sell access or versions to criminals looking to leverage spam providers to distribute their content. 

“They share knowledge of vulnerabilities, especially ones they might not necessarily have the tools to exploit. They bring on partners or leverage services from another cybercriminal, all with agreed-upon profit sharing percentages.”

The power of cooperation

It is this cooperative approach and knowledge sharing that gives the combined cybercriminal adversary such strength. Information sharing provides cybercriminals a vast and diverse pool of capabilities and exploits in order to better reach their intended goals. Even ‘entry-level’ hackers can access tools and resources to start them off, with the ability to purchase better resources later on. 

In response to the gathering threat, the cybersecurity market is advancing and expanding rapidly. And while security teams may have no shortage of advanced toolsets, they are finding themselves both isolated in the business and isolated among peers and equivalents within their industry. They lack the power of collaboration. While organizations defend themselves like fortresses or islands, an orchestrated ecosystem is attacking from all sides, around the clock. 

While information sharing is beginning to improve between organizations, thanks to initiatives such as the Information Sharing and Analysis Organizations (ISAOs) which enables member organizations to share and respond to cyberthreats in close to real-time, there is still a lot more work to do across industries to  “institutionalize” information sharing,” said Dennis. 

“Leadership needs to perceive information sharing as a requirement, not something altruistic they do simply to feel good. It should be a business requirement.”

Of course, countless surveys over the last several years have gone to highlight just how much security teams already have on their plate. Burnout, stress, and high churn are evidence of the weight of the task and adding another in information sharing — while a longer-term benefit — may not seem feasible for many. 

The answer lies in automation. Organizations can leverage tools and solutions to build “automated bridges” for information sharing, enabling for the sharing of data and reports in relation to attempted or successful cyberattacks which could help other businesses to thwart them or adapt their defenses. 

“Automating, normalizing, and growing information sharing would raise the security capabilities of all parties in that community and lower the overall perceived ROI a threat actor has for that vertical,” said Dennis. 

For example, public sector organizations in the US could be warned about the expected entry-point of a particular strain of ransomware and make subsequent efforts to reduce the risk of an attack. The ransomware campaign is less fruitful as a result. In fact, the dip in ransomware at the beginning of last year was said to be attributed to a rise in awareness campaigns. 

“If they are used to spending time and money to create malware they hope they can leverage against hundreds or thousands of targets, what happens when on day one, target one awareness of that malware has already spread to all potential targets?” Dennis said.  

“What happens if tactics, techniques, procedures are automatically shared with industry peers at machine speeds? You limit the overall impact across the sector, drive costs up for threat actors, and help change perceptions of your industry being a valuable target.”

While an arsenal of matte-black cybersecurity weaponry might keep the wolves from the door temporarily, it is information that could have the longest-lasting impact in the war on cybercrime, and the business world can take a few lessons from the adversary there.