Organized Cybercriminals use many methods to compromise the defenses of organizations with an effective hidden system of spreading malware through compromised websites and planting them internally through phishing attacks. Their sophistication goes beyond that and into stealth malware that is undetectable. Once an organization is compromised to the time it is detected, the game is up. Many organizations may, in fact, have been compromised and they don’t know it with continued on-going data leakage. Today’s cybersecurity paradigm is a reactive cycle beginning when a threat is exposed, analyzed and a counter solution is designed with response times varying from weeks to years. The problem is that attackers can easily reuse pieces of previous malware, modify them to create a brand new threat that effectively bypasses the newly updated security measures. The Cyber-criminal has a distinct advantage, and they know it, know no budget and armed with legions of underworld developers perfecting their malware rendering it undetectable.
The Cybercriminal reuses code and methods to gain and maintain the upper hand. New malware is far cheaper and easier to develop, while the tools needed to locate and disable it are only becoming more expensive. Many organizations, unusually small business, just cannot afford to deploy necessary defenses to combat the attacks and is becoming overwhelming. In the meantime, defenders need to cover an ever-growing array of potential targets, each with their own set of weaknesses. With every dollar spent by Cybercriminals, hundreds of dollars are being paid by the IT security industry, and the cost is escalating considerably. This economic imbalance is the reason for which cyber-crime, cyber-terrorism, and cyber-warfare are launched. Thus, code and method reuse have become an intrinsic part of the DNA structuring of malware development. Moreover, these Cyber-criminals are well funded and sponsored by government adversaries such as Russia and China. This sponsorship provides the funding for research and development of new technologies, reverse engineer current security industry applications and devices to exploit weaknesses.
The Lucrative Business of Cybercriminals
The business of the Cybercriminal is extraordinarily lucrative and costs from data loss range into the billions annually, estimated at $375-$575 billion in recent studies. It is a growth industry that far exceeds the growth of our current security infrastructure that tries to defend against it. The profits of cyber-crime are ridiculously high, and the risks are very low. Looking at the economics of cyber-crime, it’s easy to understand why crime syndicates have expanded their operations into cyberspace. The global nature of the Internet and the lack of effective cross-border and even national legislation make cyber-crime relatively risk-free compared with traditional crimes. Trafficking drugs are probably still the most lucrative criminal trade, but the risks of getting caught are quite high. When it comes to cyber-crime the chances of getting caught, being prosecuted or convicted, never mind serving a full sentence are minimal. There is a consensus among global law enforcement agencies that Cybercrime will soon if not already has overtaken drug trafficking.
Image credit: The RAND Corporation/Juniper Networks (Markets for Cybercrime Tools and Stolen Data).
For example, the Rustock botnet was thought to be capable of sending 30 billion spam messages a day from some 1 million infected computers. It was taken down in 2011 after concerted efforts by Microsoft, U.S. federal law enforcement, FireEye and the University of Washington. The people behind Rustock have never been caught, despite Microsoft’s offering a reward of $250,000 for information resulting in conviction.
Most players in the cybercrime economy are from or based in countries where there are weak cyber laws or a low level of enforcement, inadequate monitoring and even tacit government support for any business bringing in much needed foreign earnings. Countries that have an excellent educational system but offer few job opportunities are also a breeding ground for people susceptible to the lure of easy money.
Banner ads looking to recruit malware engineers are known to give rate estimates of between $2,000 and $8,000 a month, these rates have far surpassed the best competitive salaries of any organization. This is quite alluring when you consider a sampling of national minimum annual wages for example, in Estonia, $4,900; Brazil, $4,200; Russia, $1,800; and Moldova, $600. Added to this are the military adversaries such as Russia and China that have a far different agenda discussed below with regards to APT.
Cybercrime requires no physical contact with victims, and they can be located anywhere in the world. This both reduces the chances of being caught and makes it very difficult for law enforcement to fingerprint a cyber-criminal. It also dramatically increases the potential number of victims of an attack and the return on investment.
The Anatomy of a Cyberattack
With any attack, the perpetrators must have a target before it can take place. Once the target is identified with the motive of causing annoyance, harm, damage or extracting profit from the breach, the perpetrators proceed as follows:
- Research and Surveillance — Cybercriminals look for weaknesses in the target’s people, systems, or network. It includes conducting extensive research on the organization’s employees and infrastructure. In many cases, this may take time to perform the necessary espionage and social engineering techniques in various ways such as the use of social networks, search engines and other data gathering techniques. It is imperative that once a weakness is exposed, a useful malware exploit must be developed and the appropriate payload delivery method be planed.
- Malware Development and Payload Delivery Methods — once the exposures are determined the exploit of those vulnerabilities commences with the specific development of the malware and the delivery methods to employ. Cyber-criminals are determined to keep malware development and delivery methods secret as with any of their activities. It is imperative not to tip off security industry defense organizations from formulating detection mechanisms.
- Attack Execution — Cybercriminals begin their attack via their delivery methods be it to network and/or social vectors. In a network attack, infrastructure is used such as exposed system and application vulnerabilities as well as cross-scripting, SQL injection and other techniques to provide an open conduit vector to plant the malware. Typical social attacks begin with email, phishing, and spam with the malware payload attached or drive-by download from a staged web site. Most common attack vectors are botnets, fast flux, zombie computers, denial of service and skimmers. Other techniques include deliberate planting from identification of disgruntled employees with the malware planted internally via a USB device. Different ways such as physical infiltration into the organization’s premises by dressing up as staff custodians, service contractors among many other techniques.
- Exfiltration — once the malware has been planted the extraction of the data that are the crown jewels commences with Personal Identifying Information (PII) and/or Personal Health Information (PHI) from various sources. Additionally, and of high value are credentials of administrators and applications that can be used to effectively gain access to far more sensitive information such as intellectual property. These credentials are also used to stage a second attack or manufacture synthetic identities.
The sophistication and ingenuity of Cybercriminals never cease to amaze the very best in information security. With military adversaries, the Advanced Persistent Threats or APT is a set of stealthy and continuous computer hacking processes, often orchestrated by governments targeting a specific entity. It can also be launched by organized crime syndicates and/or be loosely allied with government adversary sponsorship. APT usually targets organizations and or nations for business or political motives. The APT processes require a high degree of covertness over an extended period of time.
The advanced process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The persistent process usually suggests that an external command and control is continuously monitoring and extracting data from a specific target. The threat process is a coordinated involvement in orchestrating the attacks successfully.
The Weakest Point in Security
The human is the weakest point in security, and the Cybercriminals know this by defeating any imaginable state-of-the-art perimeter and endpoint security controls. The first thing Cybercriminals do behind the APT is seeking publicly available information about specific employees, and the social media sites are always a favorite, so be careful who you connect with and always vet them. One of the primary tools any Cybercriminal uses is Google and other search engines incognito to conduct Cyber-espionage. Privacy, as it relates to PII and PHI I might say, is an oxymoron in the United States and I point to the Freedom of Information Act legislation as one example. Anyone can find detailed information about targeted individuals, look up their addresses and relatives, mode of living, real estate tax payment records through online county record the methods are endless.
It is no wonder why the United States is the most targeted in the world because of feeble privacy laws. With this information in hand, they then send that user a Spear Phishing email. Often the email uses relevant content, for instance, if you’re in the audit or finance department, it may talk about some advice on regulatory controls, they may even impersonate a relative via a crafted personal email. The primary purpose is to add some legitimacy to their email. The email is crafted well enough to trick employees to open the attached excel files delivering the malware payload. In any APT is the control of the victim’s computer via backdoor remote administration starting with digital shoulder surfing to establish the employee’s role and their level of access. If this isn’t sufficient for the attackers’ purpose, they will seek user accounts with better, more relevant, privileges.
The APT is a new shift in the Cybercriminal underworld doctrine leaving the door open to employee corruption often targeting disgruntled employees or others in financial distress. This is a crucial motivating aspect on how sophisticated Cyberespionage has gone, and it is nothing new. If you consider what the CIA and other global spy rings do to gain intelligence, infiltrate targeted organizations, this is the method employed except you cannot catch the kingpins orchestrating it from distant lands.
The art of the Cybercriminal touches upon the lucrativeness of illicit activities, their methods of orchestrating attacks on the new paradigm of Cyber-espionage and corruption to willing disgruntled and financially distressed individuals. The Cybercriminal is relentless and ruthless in their lucrative practices to obtain the crown jewels in any organization its data.
The internet provides the perfect platform to stage their criminal activities effectively concealing their actions and has rivaled if not exceeded the profits of the illicit drug trafficking industry. Moreover, weak data privacy laws allow them to conduct surveillance and mining of PII data with relative ease in the public domain.
@Credits: Moraetes