Micki Boland is a global cyber security warrior and evangelist with Check Point Technologies’ Office of the CTO. Micki has over 20 years in ICT, cyber security, emerging technology and innovation. Micki’s focus is helping customers, system integrators, and service providers reduce risk through the adoption of emerging cyber security technologies. Micki is an ISC2 CISSP and holds a Master of Science in Technology Commercialization from the University of Texas at Austin, and an MBA with a global security concentration from East Carolina University.

In this interview, expert Micki Boland discusses the development of cyber criminal gangs and how to strategically defeat hackers’ latest moves. Get amazing insights from an extremely knowledgeable expert in the field.

How are these groups getting started?

These groups start small, typically with one person (the Kingpin), and can quickly grow into enterprises that fulfill a seemingly unlimited appetite for monetary gain, vertical integration, malware development and the expansion of elicit services. Some such services include Hacking-as-a-Service, and ransomware affiliate programs.

The hacker toolbox always includes “smash and grab” attacks, direct hacking for data, intellectual property theft, and holding computers ransom in exchange for monetary compensation.

The quickest way to cash is the first order of business for many of these groups. Therefore, banking fraud, financial breaches are always ongoing.

Could you give a specific example of how a cyber crime group started?

One of the first cyber criminal gangs that comes to my mind started with an individual by the name of Max Butler, a.k.a. Max Vision, a.k.a. Iceman. Max Vision started out as a white hat hacker in the 1980s. He later “switched sides” and began hacking small businesses for financial gain. Butler then hacked and forcibly took over the largest black market carder market, eventually growing his group to a full enterprise cyber criminal organization bent on financial fraud.

His gang enjoyed living large and running operations out of a seaside mansion in California. Here, he and his team hacked banks and printed fake credit cards, maxing out the fake cards through the purchase of luxury goods, then fencing the luxury goods for cash. Max Butler was eventually caught in FBI sting. Later, he was convicted and served time.

Tell us about the structure of today’s cyber criminal groups?

Today’s cyber criminal groups have an organizational structure much like a true enterprise organization. There is the leader/founder a.k.a. Kingpin; the money manager runs cryptocurrency and bitcoin mixing, there are mules and money operations; the technical manager runs malware development and testing operations; a DevOps manager exists for malware developers; and an overall operations manager is in charge of all operations, including operators and infrastructure hosters, DevOps, hacking, malware, and ransomware campaigns.

How do cyber criminal groups recruit members?

The Kingpin and the core leadership (management team) of the organization appear to be more static, however, the individual contributors like hackers, coders, malware developers, pen testers (yes, these groups pen test their own malware) are recruited using IRC channels, Jabber, Rocket.chat and through dark net markets and sites.

Additionally there is a significant “word of mouth” component, where individual contributors recruit other individual contributors. These individual contributors are essentially contract workers paid in cryptocurrency for work on a specific application or project. These people do not know much, if anything, about the cyber criminal enterprise leadership/management team, campaigns or attacks. These individuals typically only know about the specific capabilities needed for the gig.

At what point has a cyber crime group “made it” as an outfit?

They grow quickly if their efforts succeed. As with a legitimate enterprise, it appears that the ability of the management team to adapt and innovate is a key factor for these cyber criminal groups’ survival and expansion. To become well known through notoriously huge and successful cyber criminal attacks is also to become well-known and subject to investigation (and takedown) by global law enforcement groups. These groups rise and fall. Sometimes they fall and get back up.

How are cyber criminal gangs building relationships and making connections with other groups?

Last year, we saw the formation of interesting cyber criminal group alliances. Conti Ransomware-as-a-Service Gang (a.k.a. Conti Group), REvil and DarkSide’s alleged collaboration is an example of loose, mutually useful, temporary alliances formed by these groups. These groups will sometimes share stolen tools, repurposed malware and ransomware, and techniques; sometimes combining those created by the other cyber criminal groups.

What can we as the security industry learn from how cyber crime groups get started?

At the macro level, the global cyber security community needs to understand more about the drivers, origins, growth and sophistication behind these cyber criminal groups. These groups start small, typically with one or two individuals seeking financial gain through hacking and ransomware attacks.

With small successes paid in cryptocurrency, these groups will grow and expand substantially. Cyber criminals are continually on the prowl for the fastest way to cash in. These cyber criminal groups do not need to hit the bank so to speak. At a startup, for example, they will seek small wins.

What does this mean at the micro level?

  1. All organizations regardless of industry sector or size need to understand that they are targets.
  2. All organizations need to take steps to reduce their risk of being victims of cyber financial fraud or ransomware attacks.

This means reviewing your organization’s cyber security posture: review your cyber insurance, have a plan for reducing impact of a financially motivated cyber attack, review banking processes and procedures for conducting financial transactions, ensure encrypted transactions, encrypt all critical proprietary data, back up data off-site or off-net, deploy strong endpoint protection against phishing, malware, and ransomware.

Anything else that you wish to share with the CyberTalk.org audience?

Do not forget to teach your people about cyber criminal groups, what these groups are after, the risk they pose and be sure to identify steps your organization is taking to reduce the likelihood of and impact if targeted and victimized by these cyber criminal groups.

The easiest and fastest way to stop these groups from growing is to NOT become their victim -do not give them money and do not let them steal your organizations valuables: finances, data or intellectual property, source code, customer lists, corporate strategy- anything your organizational holds of value.

Minimize impact if targeted and if possible, plan that the event will happen and identify how your organization with deal with cyber extortion. Can you minimize financial impact, sustain a hit related to stolen data or leaked proprietary corporate information? Build a plan now, test the plan, and continually adapt your plan.

For more insights from cyber security expert Micki Boland, click here. Lastly, to receive cutting-edge cyber security news, insights, best practices and analyses in your inbox each week, sign up for the CyberTalk.org newsletter.