On Tuesday, Hewlett Packard Enterprise (HPE) released a new report titled "The Business of Hacking," which examined the underground economy surrounding cybercrime and criminal hackers, and explained how businesses can protect themselves.
Chandra Rangan, vice president of global marketing for HPE security products, said that many of the conversations they have with security professionals in IT organizations can quickly become very technical. As such, some business leaders often relegate security as something to be spoken to exclusively by security professionals.
But, by explaining how the cybercrime underworld economy works, Rangan hopes it will help business leaders "understand that criminal hacking is a business, and it operates like a business. By doing that, it gives business leaders a much better appreciation of what's a happening."
SEE: Network Security Policy Template (Tech Pro Research)
According to the report, cybercrime can take many forms. Criminals can be acting in the interest of organized crime, corporate espionage, hacktivism, cyber warfare or terrorism, or just people who want to make some money. The report itself focused on the criminal exploits that could be monetized.
In terms of the way criminals make money through cybercrime, the report identified 10 ways criminals use hacking for financial gain.
- Ad fraud
- Credit card fraud
- Payment system fraud/Bitcoin mining
- Bank fraud
- Medical records fraud
- Identity theft
- Credential harvesting
- Bug bounty
- IP theft
Ad fraud, or setting up adds to bolster fake website traffic, are one of the easiest forms of cybercrime and have the highest payout potential. Extortion and IP theft, while almost as profitable, are far more difficult to pull off.
Hacking, in and of itself, is not necessarily a bad thing. In fact, many "white hat" hackers provide a valuable service in helping organizations understand how cybercrimes are perpetrated. HPE's report, though, focused on the "bad guys." Although, Rangan said it's less about hackers being the bad guys and more about criminals becoming hackers.
Not all hackers are driven by financial gain. The HPE report identified five different types of bad guy hackers:
- Nation-state backed - Driven by patriotism or military duty. Often highly skilled and going after major targets.
- Hacktivist - Ideologically driven. Wants to disrupt or bring down a system or institution.
- Cybercriminal - Motivated by profit.
- Ego-driven attacker - Wants to be famous, or recognized for their work. Often taunt their victims.
- Hobby hacker and the professional - Simply loves to hack. No set skill level, but typically less anonymous.
As business leaders begin to study cybercrime organizations, they will see just how similar they may be to their own organization. Cybercrime organizations have markets and supply chains, they think about talent when gearing up for a big job, and they have margins to think about when selling their information.
Some groups build their own tools, but others use tools they've purchased in online marketplaces. Anonymity is critical in the cybercrime industry and, just like in the movies, everyone is known by their online handle. Still, there are specific roles filled in every organized group. The "mastermind" pulls the attack together, builds the team, and plans the approach. The "spiders" are black hat hackers who perform the attack and are typically contracted out by the mastermind. Then, there are "mules," people who, sometimes unsuspectingly, play a role in the attack through money laundering or other schemes.
When most people think of cybercrime, they immediately picture the technically proficient hacker. But there are a host of non-technical jobs in the industry as well, including: tool development, guarantor services/background checks, escrow services, recruiting, cyber laundering, sales and marketing, and legal professionals. HR, marketing, outbound logistics, operations, and technical development all play into the industry.
SEE: Don't overlook these two hidden risks to your corporate data (TechRepublic)
So, how do companies combat this sophisticated criminal industry? Because it's a business, Rangan said potential victims must take away the criminals' ability to sell the goods (data) or make it cost too much for them to procure it in the first place. Get rid of the low-hanging fruit.
For starters, Rangan said, do the due diligence. Patch your servers, enable two-factor authentication, and make sure your applications are designed to be resilient from the ground up, which makes it more expensive for them to hack.
There's a maturity curve for each type of cyber attack, but you cannot rely on the novelty of an attack type to know what to protect against. Invest in your security tools but, Rangan said, enterprises also need to invest in educating their workforce.
"I've got to teach my 8-year-old son to lock the door or close the garage when he steps out of the house and plays with his neighbor," Rangan said. "I can try to solve it as a technology problem, but really it's a habit. You've got to have the right habits."
Read the full report here.
The 3 big takeaways for TechRepublic readers
- Cybercrime and criminal hackers have their own underground economy, operating like a traditional business with supply chains, recruiting, margins, and value chains.
- While technical skills are paramount, criminal hacking organizations also need roles filled in HR, marketing, sales, and logistics, among others.
- To combat cybercriminals, businesses must approach these underground organizations as if they are trying to undermine their business, seeking to take away their ability to sell goods, shrinking their margins, or raising the cost of procurement of goods.
- Are you being exploited by online marketers using "tricks for clicks"? (TechRepublic)
- European Court advisor: Dynamic IP addresses are personal data (ZDNet)
- Businesses beware: the 'industrial internet of things' is a prime target for cyberattacks (TechRepublic)
- Three ways encryption can safeguard your cloud files (Tech Pro Research)
- How public cloud providers are making security a non-issue for app developers (TechRepublic)
Conner Forrest has nothing to disclose. He doesn't hold investments in the technology companies he covers.
Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.