By Pete Nicoletti, Check Point Field CISO, Americas
Since the inception of the internet, we’ve referred to the bad guys as “hackers.” But who are they exactly? How many people are involved? And most importantly, how can we reverse the increasing number of breaches conducted by cyber criminals?
Recently, criminal organizations have evolved into large multi-national enterprises. They now have all of the characteristics of a regular business. As with any other organization, cyber criminals need to pay their hundreds of employees, write and modify software code, create exploits, manage the targeting, exploitation and extortion of companies, and then dole out their ill-gotten gains to the participants. They have standard operating procedures, ticketing systems, tech support, contracts, hiring bonuses, training programs, college recruiting days and other characteristics of a normal company. Furthermore, the cyber criminal supply chain consists of not just one organization, but also dozens of affiliate crime groups that work together to profit from malware, DDoSing, ransomware-as-a-service, botnets, and other threat types.
Cyber crime is an illicit multi-billion dollar industry. If you’re an IT security practitioner or a C-level executive, then it’s critical to understand who you’re up against and how you can disrupt their activities.
The rise in cyber criminal syndicates
Financial reward is still the main motive behind most cyber attacks, so it comes as no surprise that cyber attacks have increased at alarming rates. In 2021, organizations witnessed a 50% rise in cyber attacks compared to 2020, and this number is expected to increase throughout 2022.
Cyber criminal organizations are structured like any other business enterprise. Every year, they evolve, pivot, and expand with new business angles and revenue streams. These organizations have one goal in mind – spreading malware, ransomware, encryption extortion and related disruptions to generate profits.
The cyber criminal supply chain
What does the cybercrime supply chain look like? There are multiple players working together. First, the creators of malware sell, license, and distribute their software to affiliates and distributors, who then sell the software to partners, clients, and individual threat actors who target their victims.
Then, there are hackers, also known as “brokers,” who sell access to hacked companies, as well as others who manage “insiders” willing to sell out their company for some silver. These criminals charge anywhere from $500 to $7,000 for access to an organization’s network, and their victims range from healthcare organizations to charities. When profits are at stake, morals don’t matter.
Brokers often advertise their breaches in the corners of the Dark Web. Thus, it’s recommended that organizations lurk there or hire consultants to find out about whether or not a broker is advertising a breach of their network. Then, the victim organization can take preventative actions to remove the backdoor. A Spain-based arm of Doctors Without Borders discovered that a broker was advertising access into one of their servers. Once discovered, they immediately took corrective measures and strengthened their security processes.
On the financial end, you have money managers who launder money and churn transactions to hide the ultimate destination of the funds, and those who process transactions and distribute payroll. Other individuals manage the sale of information on the Dark Web. They take advantage of money mules, who unwittingly launder money and have no idea that what they’re doing is illegal. For example, a crime group will hire for an “Accounts Payable Manager,” portraying it as an easy job that anyone can do. However, the job actually entails processing invoices and sending payments on to another account, which is laundering their money. And the legal consequences will fall on the person moving the money, even if they don’t know that what they’re doing is illegal.
Let’s take a look at one of the most infamous examples of a cyber attack that has become the bread and butter of cyber criminal groups: ransomware, or more specifically, Ransomware-as-a-Service (RaaS). There’s a reason why ransomware has become incredibly popular: it works. The average ransom payment for US victims has increased to more than $6 million. With that amount of money at stake, it makes sense for threat actors to treat this professionally – like a business enterprise.
There are a growing number of organizations, such as REvil, DarkSide, and others who provide Ransomware-as-a-Service to threat actors. Affiliates and clients are responsible for using the tools to penetrate the organization, while the ransomware franchisers provide ransom collection, encryption tools, and other services. They also collect a percentage of the total ransom obtained. The affiliates then attempt to monetize stolen blueprints and intellectual property and will even start blackmailing customers of the hacked company.
This is referred to as “Triple Extortion Ransomware,” as it extracts money from the target company, their customers and their partners. Hackers commonly target critical infrastructure entities such as healthcare, transportation, and citizen services. These organizations often can’t afford the downtime, may not have the budget or security experts on staff, and are more likely to pay a ransom than other types of groups.
How to break the supply chain
The goal of disrupting any threat is to block it before it can cause damage. In the previous generation of cyber threats, we used the “Kill Chain” model of an attack. That model has evolved into the MITRE ATT&CK framework, as it is much more descriptive of the tactics, techniques and procedures that threat actors use. When attackers start to arrive at the front door, the MITRE ATT&CK framework is often put into immediate play.
But what are some approaches we’ve seen used before the hackers knock on your front door? Unless you are willing to travel to Russia, China or North Korea, we’ll have to depend on law enforcement! The FBI, Interpol and other agencies can be great partners, at least partially focused on different methods of disrupting the hacker supply chain. In the past, we have seen government agencies shut down pirate sites set up to facilitate illegal sharing of movies and television shows. That was small-time stuff.
Now, law enforcement is targeting sites that sell and trade credit cards, illegal drugs, weapons, and hacking tools. Law enforcement is focusing on shutting down service providers, data hosts, and command and control networks that allow criminals to use their infrastructures to carry out their nefarious operations.
It’s also critical to follow the money: police and detectives can focus on tracking cryptocurrency transactions through the blockchain to see which groups and affiliates are connected. There is an entirely new FBI division focused exclusively on criminals abusing cryptocurrency. Compromising those sites and taking internal information and decryption keys, learning their tactics, freezing those assets and arresting the bad actors will have a significant impact. Last week, six members of the LAPSUS$ group were arrested, and their activities were disrupted. We have also seen how law enforcement can seed Dark Web forums with misinformation or traps to lure criminals into giving up valuable information.
Once the attack is directed towards you, there are several ways an organization can disrupt the criminal supply chain. First, you must have your cloud, network, endpoint and email protection tools all working together to “prevent” issues rather than just “detect” them. Detection is no longer good enough as the threat actors have sped up the time from initial compromise to data exfiltration and encryption to mere seconds. Your tools must work at “machine speed,” not at “human speed.”
If your tools only detect an issue, and you create a ticket while waiting for a human to research the problem, then you will experience a compromise soon! Your tools must also leverage artificial intelligence (AI) and machine learning (ML) algorithms designed to spot zero-days and their indicators. This capability enhances a company’s ability to execute countermeasures automatically as an attack hits.
Second, your tools must leverage threat feeds so that they can see threats as they are observed attacking others. This information sharing also needs to be bi-directional: by sharing threat intelligence, organizations around the world can be prepared at the first hint of a new attack. Of course, there are many other ways that organizations can beef up their own security and make it more difficult for cyber criminals to get in, so that they move on to an easier target. Finally, businesses need to thoroughly examine all the links in their own supply chain, partners, franchisees and remote offices to improve their security posture. This includes requiring third-party suppliers to verify the security of their processes, as well as not fully trusting them and using security gateways to inspect their traffic. All these tactics combined will effectively disrupt the cyber criminal business model.
Cyber crime has evolved into a huge industry in which threat actors have copied the business structures of legitimate organizations and are becoming more successful and damaging. With their own well-funded supply chain in place, it’s on us – organization and government leaders – to take the necessary actions to disrupt and ultimately put an end to their business model. This requires moving your tools to a “prevention” posture, identifying and dropping zero-day attacks before they execute, and leveraging AI/ML to respond at lightning speed, while working with and cheering on law enforcement as they disrupt the criminals’ hacking and financial networks.
Don’t think that it can’t happen to you!