Apr 24


Cybersecurity specialists often talk about the dangers users and businesses are exposed to by having an online presence. However, this vital conversation tends to ignore the origins of a cyberthreat. Instead, we typically focus on the actual operation of the threat, its technical details, and the prevention/remediation possibilities associated with it.

Many business owners do not fully grasp how real these threats are until they discover the hacker’s agenda. Cyberwarfare, hacktivism, and ‘ego trips’ remain strong motivations for hackers. But as profitability from hacking increases, a new type of figure has emerged on the scene: the “Rogue CEO”.

If you’re a security consultant, you’re well aware that folks aren’t often willing to invest in their data safety. Congratulations, this article is for you! We’ll translate what we know is fatal from a technical perspective into business terms (to help you really close that deal).

 

Hacking banks? Try “hacking everyone”

When it comes to gaining profit in the hacking business, there are three tiers of opportunity:

  1. Financial Institutions
  2. Businesses and High Net Worth Individuals
  3. All of us

The image of a scruffy fellow in a hoodie, quickly typing in order to access banking systems, might be the first thing that comes to mind when you imagine hacking. (Thanks, Hollywood.) Banks are certainly juicy prospects from a financial standpoint. However, they’re very aware of their status as prime targets and, therefore, have the resources in place to protect themselves. Hacking into banks is a high-risk operation that requires a great deal of sophistication.

Tier Two is impressive. My security firm has recently responded to cyberattacks involving the kinds of businesses you would least expect to be targeted by hackers. They included independent consultants, such as small law firms and engineering firms, dental clinics, travel agencies and others. Why would a hacker go after their data? When you consider their vulnerabilities, it makes sense. Small businesses typically don’t have cybersecurity staff or a big budget to invest in defenses. And why would they when they don’t consider themselves targets?

It’s hard to see how all of us are targets unless we understand the value our small businesses or personal computers have for attackers. So let’s take a look at some examples.

 

Show me the money!

The currency of hacking is data. Data is valuable, which makes obtaining data the main goal for any hacker. Ordinary computers and people are targeted because they can provide hackers with possibilities such as:

· Direct access to data: Duh! Yes, it’s quite obvious but it has to be mentioned. Passwords and credentials, bank account details, credit card details, personal ID information, all of this is sold in bulk on the black market and it’s worth money.

· Access to contacts: Contact lists are valuable as they allow for extended attack opportunities. When hackers achieve access to email accounts, they will store your contact list for further attacks. This is also a door to more valuable targets if you don’t happen to be of much interest. Sadly, this would all be at the expense of your own reputation.

· Recruitment: The most “insignificant” system or account can be used as a valuable recruitment vehicle. A weak website can be compromised with exploit kits used to deliver malicious payloads to thousands of visitors. Email or social media accounts, used for malware distribution, could be a huge hub to recruit zombie computers for future campaigns. You could already be recruiting systems for a huge attack and have no idea that it’s happening!

· Proxying: Anonymity is a top priority in the hacking business. As a result, criminals often hide behind proxies to launch their attacks. What does this mean? Hackers will cause a lot of damage but make it seem like it came from someone else’s (your) PC. Now they have free anonymity services sponsored by you.

· Free resources: Many of us feel like we pay too much for processing and storage in cloud services. A hacker’s solution for this: why not get it for free? Hackers need high processing power and storage for many of their tasks, which they can get easily and cheaply by stealing it from you. They also have utility bills for the electricity they consume. Guess what? You can also help them offload that cost.

The next time someone says “I don’t think my business has a profile that would attract hackers,” clue them in to these common hacking practices and they may think twice. Now let’s look at some of the business structures that are often copied by hackers.

 

Hey, I’m just doing my job! Sort of…

Believe it or not, hacking started as a prank. Since then hacking has evolved into a more mature industry, with different roles and departments. In fact, many of the concepts we see within the business world are also used in the underground industry.

· Software as a Service: Not everyone who hacks is a skilled developer. As a matter of fact, many are in this industry because they’re business oriented. Many hackers make their profit from selling their hacking tools to others. Exploit kits, for example, can be rented daily, weekly or monthly. Due to growing popularity, the hacking organization eventually becomes channel-oriented and uses resellers for product placement. Some hackers will forgo monetary payment for a percentage of the victim traffic that is captured. The more victims you’re able to target, the better volume discount you receive!

· Outsourcing services: Legal industries have been using outsourced services to create value chains for ages. What you may not know is that the hacking business uses this technique as well. There are specialized firms whose sole purpose is to improve the quality of your malware. These firms will do everything from providing obfuscation mechanisms or stolen digital certificates to avoid AV detection, to placing stolen credit card data on online shops.

· Software Development: If you thought the hacking world was all “open source love”, think again. Some folks are willing to pay big bucks to have software crafted for their organization’s specific needs. (Just as you would hire a development company to build your app.) Some of these providers even offer maintenance and support contracts attached to the personalized piece of evil they’re selling you.

· Botnet Rentals: Remember how I mentioned “zombie recruitment” earlier? The end goal of this is building botnets, which can be used for just about everything. However, botnets are mainly used as a large “muscle” to perform complex attacks. Some hackers have no intention of using the botnet for attacks. Instead, they’ll build a botnet and let someone else make use of it… for a good price, that is.

· Partnerships: Not all cybercrimes remain digital. Hackers collaborate with larger criminal organizations frequently. In Antwerp, Belgium, a number of ship containers went missing at a maritime port. Upon investigation it was found that a hacker had breached the port’s systems in order to identify the exact location of specific pieces of cargo that contained smuggled goods. They were then able to change the location and delivery times, allowing criminals to pick up the cargo instead of employees. This is just one example of the synergies forming in the world of hacking and organized crime. There are many more out there.

Like any business, these enterprises also have their costs and market strategy to resolve, because competition is rough. Let’s have a look at some of the challenges our shady peers share with the rest of us mortals trying to make their business thrive.

· Cost Reduction: Yes, like everyone else, hackers also have bills to pay. Using pre-built tools and open source software is a way to reduce development and work hours. Using a victim’s processing power to break passwords can spare the hacker from having to buy their own and therefore will cut down on their personal electricity bill. Compromising servers for attack amplification reduces recruitment costs and processing costs as well.

· Marketing: If you have something to sell, buyers need to know, right? Marketing is tricky in the hacking community. Exchanges mainly take place on private forums which require careful vetting and a hefty fee for access. So it has a significant cost. Moreover, once inside there is no room for error. A slip in the quality of your work will damage your reputation, sometimes gravely.

· Financial Safety: Let’s face it, it’s not easy to build trust with criminals. When it comes to transactions, companies running escrows provide a degree of security to the exchanges taking place. The money is deposited in the escrow and held until the service/tool is proven to work as advertised. Then the escrow holder will release payment.

· Competitive Intelligence: With so many tools being advertised, you’d better find a way to differentiate yourself from your competitor. Competitive intelligence is yet another concern. Testing similar products and hopefully finding and publishing their flaws are not uncommon activities for the “hacktrepreneurs”.

 

Final thoughts

It’s quite a ride to learn about the industry behind the hacks, isn’t it? Besides being entertaining, I believe understanding the enemy will help us be more disruptive of their business as an industry. If we communicate this efficiently to our clients, they will understand the value their business systems and information have and be more protective of it. If you would like to start thinking like a hacker and know your enemy better, feel free to check out my courses on Ethical Hacking.


 

About Josue Vargas

Josué Vargas is a networks and security engineer and also owns his own company in Costa Rica, Netquarks Technologies S.R.L. He started law school, but soon realized this wasn't the path for him. While working in the call center industry he discovered Cisco and started researching careers in the IT industry. Josué quickly began taking classes and became CCNA, CCNP and CCDA Security certified. Later, he took a detour towards Juniper Technologies where he achieved JNCIP-Sec and JNCIP-ENT. He was then recruited by IBM to become a deployment and integration engineer for Managed Security Services, where he obtained his CEH certification. This career allowed him to discover the world of information security, the discipline that would take him to Africa as a consultant, to INE as an instructor and to build an entire SOC from scratch. Outside of work, Josué enjoys music, traveling, learning languages and trying all sorts of food.
