Some disturbing news surfaced at this year’s RSA Conference. Brian Mastroianni of CBS News, in his piece Survey raises questions about corporate cybersecurity, writes about a joint survey from RSA Security and Information Systems Audit and Control Association (ISACA), in which the survey’s authors express concern that precious few businesses are prepared to defend against digital attacks.
“The first takeaway from this study is that the cybersecurity skills gap is getting worse,” Rob Clyde, ISACA international vice president, tells Mastroianni. One big reason for the unpreparedness is the current lack of qualified IT workers who understand security. And unless something happens, it is expected to get worse. Forecasters are predicting over half a million data-centric IT jobs will need to be filled by 2020.
Not all bad news
In a roundabout way, the lack of skilled workers could be construed as a good thing for the time being. “The talent struggle isn’t unique to defenders,” mentions Rick Holland, vice president of strategy for Digital Shadows, in a March 1, 2016 blog post.
Holland continues, “Adversaries also struggle to find the right talent, which is critical to capturing profits. In response — and perhaps against their desire for anonymity — many cyber criminal organizations have adopted traditional, real-world recruitment techniques.”
Digital Shadows provides cyber situational awareness that helps their clients protect against cyberattacks that typically lead to a loss of intellectual property, brand, and/or reputational integrity. Holland says, in their line of work, analysts at Digital Shadows can learn much from how dark-side organizations go about recruiting hackers.
Holland points out the digital underground is more than just hackers. “In order to profit, there must be an ecosystem of malware writers, exploit developers, botnet operators, and carders,” explains Holland.
Carders are an example of the intricate dance that must happen in order for the bad guys to be successful. Ironically, trustworthy carders are hard to find. The job ad shown below even uses poor grammar to get the point across.
Like above-ground HR departments, hacker recruiters are getting frustrated. “Skids (‘script kids’), who possess no legitimate technical skill, must be put through a rigorous process to ensure they are up to the task,” writes Holland. “Then there are many instances of recruiters asking for application forms — some even offer an application template.”
There is also an interview process. For obvious reasons, regular telephone communications are avoided. Holland says Skype is the preferred method, adding, “Users’ voices are masked, video is turned off, and traffic is ported through services such as Tor.”
Who does this knowledge benefit?
Analysts at Digital Shadows pay close attention to what skills are being sought by cybercriminals. “We can learn there is a new group planning to ‘hack high-profile websites as well as simple accounts’ and ‘is ready to make some money,’” says Holland. “There’s also an insight into their TTPs. Skills that the group’s founder is seeking include: Distributed Denial of Service (DDoS), social engineering, cross-site scripting (XSS) and SQL injection (SQLi).”
One piece of information that the analysts appreciate is when there is a requirement for insider knowledge of an organization’s operating system. That, according to Holland, is a dead giveaway.
Something in common
The bottom line is making money, whether above or below the digital surface. “When it comes to cybercriminals, they must find a balance between Operations Security (OPSEC) and the ability to recruit,” suggests Holland. “Too much OPSEC leaves little time to identify qualified candidates, so cybercriminals make sacrifices in their path toward profit.”
Good defenders are usually the best hackers and vice versa
The above is a well-understood axiom in the IT world, and right now both the good guys and the bad guys are looking for skilled help. According to Holland, “At the end of the day, tracking the adversary that is recruiting and the skills they most desire can improve the overall maturity of an organization’s security program and make that new recruit’s job that much harder.”