February 2, 2023

Last Updated on January 12, 2024

Hearing the realm of cybercrime described in terms of business models and supply chains can be a real eye-opener. But as these entities have grown more sophisticated, so has their level of specialization and interaction.

Many now stick to a core competency and function as part of a virtual team. It’s a supply chain driven by carefully planned, distributed business models.

To lay out exactly why and how hackers do what they do, and how this understanding can help you defend your business, a recent episode of The Virtual CISO Podcast features Raveed Laeb, Raveed Laeb, VP of Product Development at Kela. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.

A market driven by supply and demand
Raveed relates that traditional business concepts serve well to explain modern cybercrime.

“There is a market because if you want to make money out of something, there has to be supply and demand,” states Raveed. “An analogy that I like to use is from the golden days of [tech] startups, where you’d have an entrepreneur building a billion-dollar company out of their garage with two other people doing everything from coding to marketing to customer success. And as an organization grows, you understand that you need people who specialize in things.”

“That is the same thing we see happening in cybercrime,” Raveed continues. “As cybercriminals create better business models to make more money, they also need people with very specific skills.”

This yields an ecosystem where different cybercrime entities offer goods and services, which are exchanged on the forums where hackers hire and cooperate with one another.

The ransomware business model

An example of a distributed cybercrime business model is the buzz-trending idea of initial access brokers.

“This is a very specific type of threat actor that developed as a bottom feeder for the ransomware ecosystem in the last few years,” shares Raveed. “When we talk about ransomware, usually we hear about a type of attack or a type of breach. But really ransomware is a business model. When bad actors have access to something within your network, the way they monetize it is essentially by extorting your organization.”

The ransomware malware itself is just a technical adjunct to the business model. It’s a product or service that cybercriminals use to make money after they have achieved (or contracted with a specialist to achieve) a network intrusion. These “affiliates” are often paid by the “operator” on commission.

The result has been a marketplace where affiliates recognize they can’t “do it all” and remain competitive. For example, establishing a beachhead on a company’s network takes different skills from deploying the ransomware. Opportunistic hackers with a specialist business model steal credentials, exploit software vulnerabilities, perform social engineering, etc. to breach the network and then sell that position to an entity that specializes in monetizing the network access, e.g., by deploying ransomware, or perhaps exfiltrating credit card data.

Raveed summarizes: “What we see is kind of a gig economy with different people doing different things, like initial access brokers that specialize in obtaining and maturing and selling a network access.”


Meetup sites for hackers

Where do cybercrooks get together to monetize their skills? On the web, no surprise.

Many call it “the dark web,” but Raveed and his peers think that image/language is at least partly about spreading FUD to sell security solutions.

“What you have in reality is a set of websites, forums, platforms, and instant messaging channels that cyber criminals use to communicate just like you and I would,” Raveed reports. “You can probably just go to most of them with your normal browser without having to go beneath any icebergs. (You’d probably need an invitation a lot of times, though.)”

What you’ll then see is usually big, loud banners advertising cybercriminal services and products. Threat intelligence vendors like Kela monitor these forums and markets to provide clients with deeper context to help them better protect themselves.


What’s next?

To hear this podcast episode with cyber threat intelligence expert Raveed Laeb all the way through, click here.

Interested in how the US government is contributing to threat intelligence? Here’s an analysis: US Government Threat Intelligence Programs: Where Are They Headed?