The Cyber Crime Revolution: Using Threat Intelligence to Fight Back
18 May 2020
Over the past few years, the cyber criminal underground has gradually undergone its own industrial revolution as modernisation, innovation and digitalisation processes have taken hold. How are today's businesses fighting back? Liv Rowley focuses on threat intelligence and partnerships.
Today, cyber crime is a massive business in its own right. The World Economic Forum's Global Risks Report 2020 states that cyber crime will be the second most-concerning risk for global commerce over the next decade, to 2030.
Cyber crime now has its own service economy, tools for hire and solution providers. It continues to grow as cyber criminals adopt new practices to scale operations and meet customer demand. This has, in turn, opened the doors to a host of cyber criminals as the tools, expertise and services used to launch malicious campaigns can now be accessed by even the most elementary of threat actors.
The cyber crime markets are a constantly evolving portfolio of cyber crime services, including everything from Distributed Denial-of-Service (DDoS) attacks and malware through to phishing campaigns, trojans and massive stolen data sets. All are available to anyone who's willing to pay for them.
Code for success
The majority of cyber attacks begin with malicious code which allows threat actors a degree of leverage over the victim. This makes such code desirable to aspiring and established cyber criminals.
Some enterprising cyber criminals opt to develop their own malicious code, often turning to the cyber criminal underground in order to find help, feedback and guidance. Savvy cyber criminals may write their own malware, such as form grabbers, or other malicious code. Many cyber criminal forums exist in part to facilitate the exchange of knowledge among threat actors, allowing malicious coders to connect and learn from one another. This access to a community of knowledge providers gives newer entrants the opportunity to troubleshoot and learn, while the more seasoned cyber criminals can improve and hone their skills.
Many, however, will rely on a small sub-set of cyber criminals who are typically more specialised and sophisticated in the development of malicious code, either contracting those who offer their services as developers-for-hire or directly purchasing a pre-fabricated advertised product in the cyber criminal underground.
For some cyber criminals, it may be most advantageous to hire developers to create products tailor-made for their illegal activity. There are a handful of prominent and well-regarded developers-for-hire in the cyber criminal underground. These individuals typically advertise their services on more sophisticated Russian-language cyber criminal forums. For researchers and organisations concerned with their security posture, closely monitoring these offerings helps to strengthen cyber defences in advance of an attack.
Malware is found for sale across the cyber criminal underground, spanning linguistic communities and levels of sophistication. End goals vary widely, ranging from ransomware that locks out victims in order to extort them to stalkerware or spyware aimed at surreptitiously monitoring a device.
Threat actors of differing ability offer their proprietary malware on forums, marketplaces and other platforms used by cyber criminals. Often mirroring the legitimate cyber security industry, sellers work alongside other threat actors who re-sell malware that isn’t their own, offering, for example, cracked versions of notorious malware families.
These malware offerings are available for outright purchase, meaning that clients pay a one-off cost to obtain the malware for their own use. It should be noted, however, that many threat actors charge clients a fee for updated versions of the malware or other related services such as admin panel installation and rebuilds.
The one-time cost of information stealers available for outright purchase falls within a fairly wide range, though Blueliv analysts have found that highly regarded information stealers sold on top-tier Russian-language forums are typically priced at around the US$100 mark.
Many cyber criminals take advantage of techniques and tools that legitimate software developers use to protect their Intellectual Property, such as packers, crypters, obfuscators and code signing. These let them bypass security tools such as anti-virus, and complicate the work of malware reverse engineers.
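Packers and crypters leave a measurable trace: the compressed or encrypted payload looks like random noise on disk, so a Shannon-entropy pass over a file is the cheapest first check a triage analyst runs. The following is an added example in Python, not code from the article or from Blueliv; the sample buffers, the toy XOR crypter, the 512-byte window and the 7.2 bits-per-byte threshold are all constructed here for illustration.

```python
"""Entropy heuristic for spotting packed or crypted payloads.

Added example, not part of the original article or Blueliv's tooling.
A crypter stub wraps the real payload in an encrypted blob, so the bytes
on disk approach 8 bits of entropy per byte, whereas code and strings
sit well below that.  Scanning in windows localises the blob.
"""
from __future__ import annotations

import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 512, step: int = 256) -> list[tuple[int, float]]:
    """Entropy of each window, keyed by byte offset, to localise a crypted region."""
    last = max(len(data) - window, 0)
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, last + 1, step)]


def looks_packed(data: bytes, threshold: float = 7.2, window: int = 512) -> bool:
    """Flag the buffer if any window is near-random.

    7.2 bits/byte is an illustrative triage threshold (assumption); compressed
    images or archives embedded in a binary also trip it, so treat a hit as a
    lead for the analyst, not a verdict.
    """
    return any(e >= threshold for _, e in windowed_entropy(data, window, window // 2))


# --- constructed samples (not real malware) --------------------------------
# An unprotected code-and-strings section: import names, low entropy.
PLAIN = (b"kernel32.dll GetProcAddress LoadLibraryA VirtualAlloc "
         b"CreateRemoteThread WriteProcessMemory ") * 40


def toy_crypter(payload: bytes, seed: int = 1337) -> bytes:
    """Stand-in for a crypter: XOR the payload with a seeded keystream.

    A single-byte XOR only permutes byte values and leaves entropy unchanged;
    a keystream as long as the payload pushes the output towards 8 bits.
    Applying it twice with the same seed recovers the payload.
    """
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(len(payload)))
    return bytes(p ^ k for p, k in zip(payload, key))


CRYPTED = toy_crypter(PLAIN)

# A readable unpacking stub followed by the crypted blob, the shape a packed
# binary takes: the window scan should flag only the tail.
PACKED = PLAIN[:1024] + CRYPTED

if __name__ == "__main__":
    for name, buf in (("plain", PLAIN), ("crypted", CRYPTED), ("packed", PACKED)):
        print(f"{name:8s} entropy={shannon_entropy(buf):.2f} packed={looks_packed(buf)}")
    for off, e in windowed_entropy(PACKED, window=512, step=512):
        print(f"  offset {off:5d}: {e:.2f}")
```

Entropy is a lead, not proof: legitimate installers and media resources score high too, and some crypters deliberately pad their output with low-entropy filler to stay under exactly this kind of threshold. Combine it with section-header anomalies and import-table sparseness before calling a sample packed.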
Cyber criminals use no-distribute anti-virus scanners, also known as Counter Anti-virus Services, that allow users to test files, URLs, domains and IP addresses against security protections. These then generate reports detailing if, and how, the malicious input was identified by any security vendors.
The important element of these services is that they do not distribute the samples they scan to security vendors. This makes them ideal for cyber criminals seeking to conceal their illicit activity. They can also use these services to improve the stealth of their tooling, tweak products or change infrastructure in order to reduce the number of detections and increase the impact of their campaigns. Other cyber criminals share the reports generated by no-distribute anti-virus scanners in their sales threads on underground forums as a way of marketing their product.
While some are free to use, others offer single-scan pricing, multi-scan packages or subscription models. Some are delivered through resellers, much like a legitimate IT ecosystem, in turn providing another way for cyber criminals to earn money.
Cyber crime cannot be curbed without confronting the source of cyber criminal activity, reducing the pay-off and making the risk of prosecution real to offenders.
Organisations need to put the necessary defences in place to shore up their security posture, while also understanding and investigating the threat trends they are seeing, the scope of the threat actors they are dealing with and how they work. Threat intelligence can provide defenders with an enhanced understanding of the threats they're up against in order to prevent and mitigate attacks.
Threat intelligence can also reveal geographical variations in cyber crime and is invaluable for organisations gauging their risk based on who might target them and how. Threat intelligence providers track and interrelate different cyber criminal actors, adding detailed context to new threats before they can have a significant impact. The insights provided help businesses strengthen their defences and prevent attacks, and allow organisations to keep pace by adjusting security controls to keep systems and processes secure.
In the same way that cyber criminals collaborate today, we as an industry must work together in combating cyber crime. There is evidence of a growing number of organisations that are already collaborating across industries to share valuable insights. The Blueliv Threat Exchange Network, for example, is a global community of thousands of cyber security experts, IT professionals and academics. Each month, members publish the latest news, threat data, IOCs and more in order to improve resilience and accelerate incident response.
Cyber Security Information Sharing Partnership
In the UK, the Cyber Security Information Sharing Partnership was created back in 2013 and now sits within the National Cyber Security Centre. Intent on boosting cyber security collaboration between the private and public sectors, the UK Government has also established the Defence Cyber Protection Partnership, a joint Ministry of Defence and industry initiative.
Participating in collectives such as these creates a distributed defensive intelligence network that can identify and interrupt attacks more efficiently, and could help to achieve the level of co-operation needed for businesses to counter the dark commercial exchange of goods and services.
Liv Rowley is Threat Intelligence Analyst at Blueliv