Wednesday, June 22, 2011

Cybercrime is generational

The motivation behind cybercrime is ever evolving and has become generational. That means businesses must remain proactive in knowing their enemy. If you understand the methods and motivation of your enemy, you are more likely to mount a viable defense.

The first generation of cybercriminals (early to late 1990’s) had a common theme: “I did it to prove that I could”. Notoriety and ego were the primary motivators. They also tended to be younger – often students.

First generation cybercriminals focused in being disruptive and making their presence known by causing indiscriminate damage to any vulnerable computer on the Internet. Their first priority was to get noticed.

The second generation of cybercriminals (early 200x’s) turned their attention to money as in “Show me the money!” Now the focus, motivation and priority became profit.

Botnets (large networks of infected computers) became the preferred attack vector allowing cybercriminals to generate millions of spam emails and execute distributed denial of service (DDoS) attacks. Interestingly, these cybercriminals did little to cover their tracks and evade detection.

The third generation of cybercriminals (mid 200x’s) was marked by a higher level of sophistication where the attackers became more organized and discrete.

Hacker groups evolved and began to operate like more traditional organized criminal enterprises. Similar to the previous generation, they had one motive: profit. The technology became secondary. For these criminals, cybercrime was just a means to an end – an easier way to extort and conduct fraud.

This generation looked to target businesses handling large sums of money, particularly in the financial sector.

The fourth generation of cybercriminals (late 200x’s to present) is marked by the development and sale of exploit kits and other hacking software. The rise of criminal-to-criminal activity distinguishes the fourth generation of cybercriminals.

As characterized by “organized crime”, cybercrime evolved into a robust and efficient underground, providing the opportunity for cybercriminals to buy and sell goods and services to each other. As vulnerabilities in software and networks were discovered, cybercriminals developed malware to exploit those vulnerabilities – often selling malware to others or taking their “cut” – even going so far as to “license” their malware.

Malware distribution services, such as IFRAMES.BIZ, evolved that were capable of pushing malware out to infect thousands of hosts. The sophistication of the malware enabled cybercriminals to quickly infect large numbers of computers, send spam, host illegitimate sites, steal sensitive information, execute DDoS attacks and conduct many other criminal activities.

Fourth generation of cybercriminals are also characterized by identity theft and brought the buying and selling stolen identity data to a new level.

Social networks for cybercriminals also emerged, with sites providing reputational rankings of buyers, sellers and partners in the cybercrime marketplace.

As the cybercrime economy has matured, it brings cybercriminals the benefits of specialization and distributed risk. Cybercriminals talented in finding new vulnerabilities and writing exploits can specialize in that area and easily support themselves by selling their exploits.

The same dynamic applies to malware authors, distributors, botnet owners and others in the cybercrime supply chain. Because of this specialization, the sophistication of cyber-attacks increased across the board. This specialization and distribution enables cybercriminals to distribute the risk of being caught.

The current generation of cybercriminals continues to leverage the “power” of malware.

Cybercriminals are continuing to refine and fine-tune each element of the cybercrime supply chain. Today’s cybercriminals are more entrepreneurial and business-savvy than past generations. As a result, attacks continue to grow in sophistication and frequency.

Other evolving current generation threats include:

Pay-Per-Install (PPI)

These scams work where a single PPI site may partner with thousands of “affiliates” who then distribute the malware. The affiliates are paid based on the number of malware installs they can generate – often thousands each month. The exponential factor can result in millions of infected system every month.

APT: Advanced Persistent Threats

I blogged about APT recently: This focus has become much more prominent beginning in 2010 a as name or “label” for targeted attacks on specific organizations by determined, well-coordinated cybercriminals.

Productivity In Cyber Crime

Automation is the name of the game. Just like legitimate businesses, cybercriminals look to do more with less. Automation enables cybercriminals to be more productive using malware authoring tools and scripting techniques.

Malware Tech Support

Leveraging the trend in licensed malware has resulted in the commercialization of malware to the extent that some malware authors even offer technical support under the guise that what they do is for “research only.”

Unfortunately, the legal consequences for selling malware is fuzzy. It is generally not illegal as long as the malware author does not use the malware himself to compromise another computer. Further, many of these malware authors operate from countries that effectively shield them from civil actions.

What Can Businesses Do?

It goes without saying that the only constant is change. Cybercriminals will continue to change and evolve – both from the motivational aspects as well as from the increasingly sophisticated techniques they use.

Businesses can best defend themselves by:

  • Conducting ongoing, comprehensive information security risk assessments. Risk awareness, risk assessment and risk mitigation should form the basis from which businesses develop their cyber defenses. IDP has experience and proven methodologies to assist businesses with this important first step.
  • Investing in security products that are made based on supporting the risk-based information security policy. Simply throwing hardware and software at the problem is not the answer. Investments in this area need to be strategically and thoughtfully deployed. Security investments need to be based on policy, with organizational (upper management – board level) acceptance.
  • Engaging an in-house or strategic security partner. This is essential to staying ahead of cybercriminals curve.
  • Deploying real time monitoring and threat detection / prevention capabilities. This can be accomplished in-house or through a trusted third party who specializes in this area.
  • Establishing a threat intelligence capability to monitor existing trends and emerging threats that could impact your business. Many businesses participate with or establish relationships with peers, industry groups, government agencies and vendors as trusted sources

No comments: