Image: gorodenkoff, Getty Images/iStockphoto

A group at the Massachusetts Institute of Technology (MIT) studied why cybercriminals are way ahead when it comes to technical innovation. Cybersecurity researchers Keman Huang, Michael Siegel, Keri Pearlson and Stuart Madnick in their paper Casting the Dark Web in a New Light, published in the MIT Sloan Management Review, asked whether attackers—who more often than not are one or two steps ahead of cyberdefenders—are more technically adept, or is it something else? The paper was written in 2019, but the material is as relevant now as it was then, and maybe even more so.

SEE: Mastermind con man behind Catch Me If You Can talks cybersecurity (free PDF) (TechRepublic)

Who or what is the culprit?

The first question asked by the researchers is: Who’s behind all the bad-guy innovation? The team quickly discarded lone-wolf hackers and small groups of cybercriminals.

Using Harvard Business School professor Michael E. Porter’s Value Chain Model, the researchers determined that the dark web is what Porter calls a value-chain system, and they consider it the culprit.

“Criminals who want to launch phishing attacks need to look no further than Dream Market, which was one of the largest dark-web marketplaces, where they could purchase a phishing service, along with an SMTP server, to replicate phishing emails, an automated mailer application to send the emails, fraudulent websites, and high-quality email lists of individuals and businesses,” the authors of the MIT paper explained. “The collective cost: Around $100 per month.”

SEE: How much is your info worth on the Dark Web? For Americans, it’s just $8 (TechRepublic)

How is AI used on Cyber Attacks-as-Service sites?

The MIT researchers made it clear that Cyber Attacks-as-a-Service (CAaaS) marketplaces should be taken seriously. Using such a service, the only thing required to pull off a business-destroying cyberattack is money.

Something equally distressing is developers do not need to be involved in the actual attack, and their products may not be illegal. “For instance, a service that creates emails might not break any laws on its own but can still be used as part of a process for illegal phishing,” the report said. “The same is true for help desks, payment systems, and other services that can be used to support the development or launch of an attack.”

The MIT researchers believe skilled developers are offering “bigger and better” cyberattacks—created with the help of artificial intelligence (AI)—on the CAaaS sites.

“With the help of AI, personal information collected from Twitter, Facebook, and other social media sites can be used to automatically generate phishing emails and posts with open rates as high as 60 percent,” the researchers said. “This is a higher rate than found in spear-phishing campaigns, in which attackers manually research victims and create targeted messages.”

The team’s research suggested sophisticated cyberattack tools and services are for sale by business people on the Dark Web. Their success depends on building accurate business models and paying attention to supply and demand.

SEE: 6 enterprise security software options to keep your organization safe (TechRepublic)

What are tips on how to fight back against cybercrime?

Thankfully, the MIT crew offered thoughts on how to fight back against cybercrime.

Expand the focus of threat intelligence: Instead of only harvesting threat information—for example, data from a company victimized by a breach—on the Dark Web, threat-intelligence services need to determine what cyberattack tools are being offered.

“Because many of today’s cyber attacks are created by linking services, the emergence of new services can alert defenders and potential targets to the kinds of attacks that may be brewing.”

Understand the attack’s structure: The MIT researchers suggest companies become more proactive in their defense philosophy. In particular, look at what it takes to defeat an attack formulated by developers using the CAaaS ecosystem.

“Understanding that attacks are created by combining services reveals new avenues for undermining them,” the authors of the paper said. “For example, defenders can flood the cyber-attack ecosystem with deceptive services, making the dark web less attractive for cybercriminals seeking to purchase services.”

SEE: The aftermath of the SolarWinds breach: Organizations need to be more vigilant (TechRepublic)

Create a cyber-defense-as-a-service ecosystem: Value-chain ecosystems are not just for criminals–the researchers want to create a cyberdefense ecosystem. “Cyber-attack defense cannot be relegated to law-enforcement agencies alone,” they said. “Instead, it requires an ecosystem aimed at combating cybercrime that includes many actors—individuals, corporations, software and hardware providers, cybersecurity-solution providers, infrastructure operators, financial systems, and governments—working together.”

More importantly, this business model will likely motivate developers to create and sell cyber-defense-as-a-service. The paper said, “Fighting fire with fire would be far more effective than today’s splintered efforts.”

Approach defense as a business problem, not a technology problem: The team’s research has them convinced today’s cyberattacks are sanctioned by smart people who target organizations that have something of value they want, which means the attacks can be treated just like other business threats.

“Risk-management tools and techniques can shed light on what’s driving the attacks, help identify vulnerabilities attackers may prey upon, and enable potential targets to anticipate the next move,” the authors said. “Organizations can also use their managerial expertise in business processes, operations, and strategies to help create a more complete perspective on cyber attacks.”

Put succinctly, protecting the business and detecting, responding to and recovering from attacks is not solely the responsibility of technology experts.

SEE: Checklist: Security Risk Assessment (TechRepublic Premium)

Why is this important?

The MIT researchers see cybercrime evolving into a criminal business and value-chain ecosystem having global range. They conclude, “No wonder it is difficult, if not impossible, for the defense community to keep up.”

More about the Dark Web

If you want to learn more about the Dark Web, read these TechRepublic articles: How cybercriminals are now exploiting COVID-19 vaccines, How to protect your personal data from being sold on the Dark Web, Fraud guides a hot commodity on the dark web and How much malware tools sell for on the Dark Web.