Between 2008 and 2021, the FBI recorded a 207% increase in cybercrime reports, with losses hitting almost $7 billion last year. This is being driven by a highly professionalized cyber-threat supply chain that is enabling threat actors with little know-how and limited resources to imperil personal, economic, and national security.
The bad news is that cybercrime innovation hasn't stopped. According to a new report from HP Wolf Security, emerging technologies such as AI and quantum computing could in future be abused to line the pockets of criminal groups and further nation-state goals. The key to resistance will be mastering security basics, planning for the worst, and encouraging collaboration across industries.
The story so far
Criminals have used the Internet since its early days. In the 1990s, hobbyists used Internet Relay Chat to connect with like-minded individuals on topics such as hacking and exploit development. By the late 2000s, commoditized malware kits had lowered the high barrier to entry, and financially motivated groups began to coalesce around banking fraud. More recently, threat actors have shifted to data denial and destructive attacks, leveraging "as a service" models and embracing ransomware as their monetization method of choice.
Today's cybercrime economy is characterized by complex supply chains made up of individuals with highly specialized skills. Network access, control and persistence are prized above all else, whether obtained via stolen credentials or by exploiting vulnerabilities. The supply of both has exploded, lowering prices and barriers to entry. After a three-month analysis of underground markets and forums, the report found that compromised RDP credentials sell for an average of just $5 each, that over three-quarters of malware advertisements are priced under $10, and that nearly all (91%) adverts for exploits are under $10.
Value-added services rolled out by malware sellers make launching attacks even easier for those with few technical skills. They tout one-to-one mentoring, exemplary customer support and discounted malware hosting through bulletproof hosting providers. The report concludes that just 2-3% of sellers are actually coders; for everyone else, cybercrime has been reduced to a series of reproducible, procedural steps that can be followed again and again to make money.
In this new world, trust and reputation are everything. Vendor feedback scores are ubiquitous, of course, and most sites offer dispute resolution and escrow payments. But we also observed that 77% of criminal marketplaces now require a "vendor bond" or license to sell, which can cost threat actors thousands of dollars. When so much is at stake, and the lifespan of Tor-based sites is so short, it is perhaps unsurprising that cyber-criminals have also devised ways to transfer their hard-won reputation between marketplaces.
Scanning the horizon
We are likely to see a continuation of the collaboration, specialization and professionalization witnessed to date. Attackers will continue to exploit the expansion of corporate attack surfaces, perhaps upping the ante with extortion attacks timed to create the most disruption. In doing so, more of them will use tools and techniques that were once the preserve of a limited few APT groups. In fact, the line between cybercrime and nation-state actors will continue to blur, with hostile states either sheltering criminal gangs or investing directly in cybercrime as a revenue stream to evade sanctions.
As always, criminals will be among the first to use emerging technologies. Quantum computing could be deployed to supercharge decryption efforts: a sufficiently large quantum computer would break the public-key algorithms (RSA and elliptic-curve cryptography) that protect most data in transit today, which is why encrypted data harvested now could be exposed later. The Web3 vision of a decentralized, blockchain-based internet could also open up new ways to build reputation systems that support the cybercrime economy and are harder for the authorities to take down. AI could be used to automate the selection of targets from a victim's address book and to build highly convincing spear-phishing messages based on previous communications, improving the attacker's return on investment.
Resilience, best practices and collaboration
We all need to do more to fight this growing cybercrime machine. For individuals, this means becoming more cyber-aware. For organizations, it means mastering the basics, planning for resilience, and collaborating to reduce risk.
Mastering the basics means following established best practices: multi-factor authentication, IT asset discovery and management, vulnerability management, and controls that restrict what can be installed on machines. It also includes prioritizing self-healing hardware to boost resilience in the event of a breach. In addition, organizations must shut off the most common attack routes, notably email and the web, which can be neutralized through techniques such as threat containment and isolation.
Next comes resilience, achievable by putting in place the people, processes and technology to prevent, detect and recover from an attack before it becomes serious. This means planning for the worst-case scenario, putting processes in place to limit supply chain and insider risk, and practicing incident response repeatedly.
Finally, remember that security is a team sport. Collaborate with peers, invest in third-party security assessments and penetration testing, and gather and share threat intelligence with others in your industry, to see what is happening now and what might be around the corner.
Today's cybercrime underground works much like a factory. It features a high degree of specialization, with criminal labor sub-divided into niche roles, while other tasks have been distilled into repeatable, almost automated workflows. It is also undeniably industrial in scale and impact. Understanding these dynamics is the first step on the road to building greater resilience against a formidable adversary. The bad guys may be first to take advantage of new technologies, but with better insight, defenders can build effective strategies to mitigate the impact of cybercrime head on.