Cyber crime continues to stay one step ahead of cyber security practitioners, which has continued to give criminals the advantage in cyberspace
The expression, “criminals have to be right only once, while network defenders have to be right all the time” has merit in a digital global environment that favors the attacker over defender. Cyber crime’s evolution and its increasingly more diverse and organized ecosystem contributes to its success and popularity. Cyber crime activities cost the global community $600 billion in 2017, with some estimates projecting to impact companies $5.2 trillion over the next five years.
One factor that has benefited cyber crime is the professionalization of the threat space. Previously more disparate, the underground functions very much like legitimate businesses operating under a “supply and demand” philosophy. Product/service competition and as-a-service offerings fuels the growth of the maturing marketplace. This forces developers and sellers to provide quality merchandise at competitive prices. An aggressive marketing strategy helps gain market share with favorable reviews from customers and forum administrators providing corroboration of production utility and the bona fides of sellers. It is common for sellers to offer 24×7 help support, as well as customizable features to prospective customers.
Moreover, the goods and services provided in the underground are not exclusively tailored for experienced cyber crime actors. Some products target inexperienced customers thereby lowering the bar to gain entry into cyber criminal operations. This allows anyone that can pay the price point to engage in hostile activities, either on their own via user-friendly graphic user interfaces, or just paying for the service, hiring “professionals” to do the job.
Now, it appears that cyber crime finds itself in a similar position to network defenders looking for experienced and capable individuals to support their industry. In 2018, it became clear that there was a dearth of experience individuals in the cyber arena. According to a leading research organization for global cyber issues, 3.5 million cybersecurity positions are expected to be unfulfilled by 2021. The same sentiment has been expressed by some U.S. government entities, indicating that it is not solely a private sector problem.
Cyber crime has thrown its hat into the ring, trying to entice the best and brightest to don a black hat in favor of a white one. According to a recent report from a computer security vendor, cyber criminals are willing to pay more than a million dollars a year to skilled security professionals. Highly sought-after skillsets include network management, penetration testing, and programming skills, all of which can be applied to both defensive and offensive purposes depending on the intent of the individual. Therefore, it is unsurprising that cyber criminals are seeking to deepen their personnel resources with these types of individuals.
Soliciting the assistance of experienced “legitimate” security professionals may not seem so far-fetched. For example, Russia’s education system focuses more on information technology than in the United States. Those graduates that do not get jobs or work low paying jobs potentially find cyber crime as a viable profession, or at least a way to supplement income levels. Some Russian hackers are even considered cyber security professionals.
Another temptation that might lure white hats to turn black or gray is limited exposure in the underground. Malware programmers and tool developers need only create the malware/tools, and not necessarily actually conduct criminal operations against targets, leaving the advertising and selling to other partners. It is not uncommon for such tools to be sold with a caveat stating the seller is “not responsible for how the tool is used by the buyer.” While it may seem that tools that enable remote access, scan for vulnerabilities, or test the resilience of a network are to support criminal acts, the fact is that such tools can be used in security testing and network auditing. The intent becomes the important differentiator.
This development may seem minor but is indicative of how the cyber crime ecosystem continues to evolve and push boundaries. According to a 2018 report, nearly one in 10 U.S. security professionals admitted to considering participating in cyber criminal activities, and almost four percent of global security professionals are believe to engage in “gray hat” activities. As more individuals graduate with cyber security degrees, the competition for legitimate jobs may influence some to put their education to use in criminal or quasi-criminal endeavors. Economic necessity, personal philosophy, and intellectual challenge may ultimately encourage more numbers to walk that thin line, keeping the greater cyber crime industry on forefront and the rest of the cyber security industry to keep pushing that boulder up the hill.
About the Author
Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs. Follow Emilio on Twitter