Last Updated on February 23, 2023
In today’s cyber threat landscape, business leaders and security pros need any edge they can get to better protect their orgs and plan their defense. Just like evaluating legitimate competitors, it’s extremely valuable to analyze how financially motivated hackers plan to monetize your assets. What do they want to steal from you? What does their operational approach look like? And how can you use insights into their business model to improve your security?
Raveed Laeb, VP of Product Development at Kela, explains how financially motivated cybercrime businesses really work and how this understanding can benefit your company.
Join us as we discuss:
- Business models and talent forums that hackers use to set up the “team” that will perpetrate an attack
- Observations that will dispel any lingering denial about your org being a desirable cybercrime target
- How forward-looking businesses are using cyber threat intelligence today to reduce their cyber risk
How Financially Motivated Cybercriminals Really Operate
Verizon’s 2022 Data Breach Investigations Report reveals that over 90% of network intrusions are motivated by financial gain. That one statistic is itself a useful piece of threat intelligence: knowing the motive narrows down the means and methods an attacker is likely to use against you.
“In intelligence, what you’re trying to do is provide good advice on the best course of action you can take in a given moment,” Raveed explains. “You can’t predict the future, but you can try to explain and describe the present—and that is what decision-makers can use to make good decisions.”
“Unless you look outwards at the adversary, you can only see what’s happening inwards,” Raveed cautions. “And that’s usually not too indicative of how the reality actually looks.”
Cybercrime Business Models and Supply Chains
Common business concepts like business models and supply chains map very well onto today’s cybercrime marketplace.
“As cybercriminals create better business models to make more money, they also need people with very specific skills,” Raveed explains.
For example, establishing a beachhead on a company’s network takes different skills from subsequently deploying ransomware. Opportunistic specialists steal credentials, exploit software vulnerabilities, or use social engineering to breach the network, and then sell that foothold to a buyer who specializes in monetizing the access, e.g., by deploying ransomware. Or the buyer’s business model may be to exfiltrate financial data instead.
Raveed summarizes: “What we see is kind of a gig economy with different people doing different things, like initial access brokers that specialize in obtaining, maturing, and selling a network access.”
How Cyberthugs Find Their Business Partners
Where do the bad actors get together? On the internet, no surprise. But it’s probably a more accessible and familiar-seeming kind of marketplace than many of us envision out on the dreaded “dark web.”
Raveed and his colleagues don’t use that term because of its spooky connotations, which tend to spread FUD where Raveed wants to shed the light of reality.
“In reality, what you have is a set of websites, forums, markets, and instant messaging channels that cybercriminals use to communicate just like you and me would. You can probably just go to most of them and browse with your normal browser. (You’d probably need an invitation a lot of times, though.)”
Nobody is Not a Target
Despite all possible evidence to the contrary, some people still cling to the misconception that “We’re too small to be targeted,” or “We have nothing of value to hackers.” If this sounds like you, Raveed’s unbiased appraisal of the actual situation might just dissolve the last of your denial.
“The company, the LLC, the organization—attackers don’t necessarily see that,” Raveed reframes. “What they see is assets, things that they can monetize. For example, a threat actor sees the servers that you have in the cloud, and they see that they can maybe sell access to your servers for a good few bucks. Or they can use them to run a cryptominer.”
Raveed continues: “Maybe no one else in the world cares about your data. But you probably do. So, what would you do if someone were to encrypt it and then offer you back access for a fee?”
Raveed cites a report from a few years ago in which attackers compromised a Tesla server in AWS. The server handled sensitive telemetry data. Wouldn’t that be a huge asset for sophisticated hackers? Maybe so. But what the attackers actually did with the compromised server was run a cryptominer on it.
“I very much like that example because it shows that there’s a discrepancy … between [what businesses see] and what attackers see,” emphasizes Raveed. “[Attackers] care about assets that you have that they can monetize as part of their business plan.”
Those assets could include everything from your intellectual property to your employees’ personal data to your users’ credentials to the bandwidth on your servers, and a lot more besides.
How Orgs Are Benefitting from Cyber Threat Intelligence
Cyber threat intelligence, digital risk management, attack surface management: there seems to be a fine line between the definitions of these buzzwords, if not considerable overlap. What is cyber threat intelligence, and why is it a critical component in orgs’ evolving cybersecurity arsenals?
“Intelligence is used to drive decisions by decision-makers,” reiterates Raveed. “Attack surface monitoring is another process through which you collect information that you can use to then do things. For example, maybe your attack surface management tool tells you that you have a bunch of servers exposing a specific service to the internet. That’s good to know. But knowing whether that’s something you should take care of, and when, is not something that’s really driven by the attack surface management—that’s driven by cyber threat intelligence. Because if you want to make a good decision, you need to know, okay, do bad guys care about these things that I exposed to the internet?”
Raveed continues: “Cyber threat intelligence is a bit more all encompassing. Cyber threat intelligence is a key component in actually doing things with the attack surface management findings. It’s also a key component in knowing what to do with digital risk protection findings. And also, it’s a practice of its own. So we like to call what Kela does cyber threat intelligence, because we think that’s the general discipline. However, we have a lot of elements of attack surface management and digital risk protection. We just like to think of them as another byproduct or another deliverable of the broader cyber threat intelligence work.”
As John characterizes it, cyber threat intelligence contextualizes risk and vulnerability information.
“Context is king in cyber threat intelligence,” Raveed agrees.
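To make the ASM-plus-CTI point concrete, here is an added example (not code from the podcast, from Kela, or from any real intelligence feed) of how attack surface findings can be joined with adversary-interest context to decide what gets fixed first. The host names, service labels, asset tiers, weights and thresholds are all constructed assumptions for illustration; the design point is that an exposure with no adversary interest behind it is tracked rather than escalated, while a service that attackers are known to monetize is escalated even on a low-value asset.

```python
"""Join attack surface management (ASM) findings with cyber threat intelligence
(CTI) context to prioritize remediation.  All data below is constructed for
illustration; the services, weights and thresholds are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Exposure:
    """One ASM finding: what the external scan saw listening."""
    host: str
    port: int
    service: str      # assumed service label, e.g. "rdp", "ssl-vpn"
    asset_tier: str   # assumed labels: "crown-jewel", "standard", "sandbox"


@dataclass(frozen=True)
class IntelContext:
    """CTI context for a service: do attackers actually monetize this exposure?"""
    service: str
    adversary_interest: str   # "high", "medium" or "low"
    evidence: str             # why we believe that (constructed text)


@dataclass
class Decision:
    exposure: Exposure
    score: int = 0
    action: str = "monitor"
    rationale: list = field(default_factory=list)


# Assumed weights: CTI (adversary interest) carries more weight than asset tier,
# because an exposure nobody is selling access through is not urgent by itself.
INTEREST_WEIGHT = {"high": 60, "medium": 30, "low": 10}
TIER_WEIGHT = {"crown-jewel": 40, "standard": 20, "sandbox": 5}
FIX_NOW, SCHEDULE = 80, 50   # assumed thresholds

# Constructed sample ASM findings.
EXPOSURES = [
    Exposure("vpn-gw.example.com", 443, "ssl-vpn", "crown-jewel"),
    Exposure("jump01.example.com", 3389, "rdp", "standard"),
    Exposure("lab.example.com", 3389, "rdp", "sandbox"),
    Exposure("www.example.com", 443, "https", "standard"),
]

# Constructed sample CTI context. Note there is deliberately no entry for "https".
INTEL = [
    IntelContext("ssl-vpn", "high", "access to this VPN type traded by initial access brokers"),
    IntelContext("rdp", "high", "exposed RDP commonly listed on access markets"),
]


def prioritize(exposures, intel):
    """Score each exposure with its CTI context and return them best-first.

    The CTI join is the step ASM alone cannot do: it answers "do attackers
    care about this?", which is what sets the urgency of the finding."""
    by_service = {c.service: c for c in intel}
    decisions = []
    for exp in exposures:
        d = Decision(exp)
        tier = TIER_WEIGHT.get(exp.asset_tier, TIER_WEIGHT["standard"])
        d.score += tier
        d.rationale.append(f"asset tier {exp.asset_tier} (+{tier})")

        ctx = by_service.get(exp.service)
        if ctx is None:
            # Edge case: exposure exists, but no evidence adversaries monetize it.
            d.rationale.append("no CTI context for this service; track, do not escalate")
        else:
            weight = INTEREST_WEIGHT[ctx.adversary_interest]
            d.score += weight
            d.rationale.append(
                f"adversary interest {ctx.adversary_interest}: {ctx.evidence} (+{weight})"
            )

        if d.score >= FIX_NOW:
            d.action = "fix now"
        elif d.score >= SCHEDULE:
            d.action = "schedule"
        decisions.append(d)
    return sorted(decisions, key=lambda d: d.score, reverse=True)


def demo():
    """Run the sample data through prioritize() and return the ranked decisions."""
    return prioritize(EXPOSURES, INTEL)


if __name__ == "__main__":
    for d in demo():
        print(f"{d.action:8} {d.score:3}  {d.exposure.host}:{d.exposure.port} ({d.exposure.service})")
        for reason in d.rationale:
            print(f"             - {reason}")
```

Running it ranks the crown-jewel VPN gateway and the standard-tier RDP host as "fix now", the sandbox RDP host as "schedule" (attacker interest alone lifts it above a pure tier-based ranking), and the HTTPS server as "monitor" because nothing in the intel says that exposure is being monetized.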
Listen to the full-length episode with Raveed Laeb here.