Most organizations understand their data is at risk of theft by cybercriminals and that these malicious actors are in it for personal gain. But what do hackers do with it once they steal it? Data itself isn't inherently valuable—it must be sold or leveraged in some way to capitalize on its theft. Since some data types can be sold for more money (and more easily) than others, it stands to reason that attackers will be selective about which types they target. Other attackers may not be after money—some may have other nefarious goals in mind, such as using highly sensitive personal health information for blackmail (as one example). The fact is, the more you understand about the types of attackers, their motivations, their end goals, and how they profit from their illegal activities, the better able your organization will be to structure a security program to prioritize your data protection strategies.
The Actors and Their End Game
There are a number of categories of cyber actors; some may be more intent on destruction or making statements than profiting from data, such as hacktivists (hackers making political statements through their actions) and cyberterrorists (extremist groups intent on inciting fear or intimidation to achieve political ends). We will focus here on three categories of data-profiteering actors: state-sponsored actors, organized crime, and cybercriminals.
State-sponsored actors are highly sophisticated attackers that are backed by nation states, often receiving funding or technical assistance from them, with the goal of furthering their nation's political agenda. They often use the most sophisticated forms of attack, such as Zero-Days. Money may be one goal, but often, financial gain will only be to support further exploitation efforts. Their goals are to steal intellectual property (such as technological advancements), defense intelligence, Personally Identifiable Information (PII) for use in espionage or blackmail, and infiltration of the financial or critical infrastructure of the victim country for use in future endeavors.
Organized crime, like any lucrative venture, has evolved over the years to capitalize on the current opportunity. There is money to be made in cybercrime, and many attacks today are waged by organized crime, not only to monetize stolen data such as PII, health records, financial account information, and credit card data but also to leverage sensitive PII for use in blackmail. Organized criminals are generally in it to turn a very quick profit and limit risk exposure, and will target data that can be monetized quickly.
The Individual Cybercriminal
It's never been easier to become a cybercriminal: There is a wealth of ‘how to' information including tutorials, manuals, YouTube videos, exploit kits and step-by-step instructions on how to use them available on the internet, as well as ‘hacking as a service' models, and more petty criminals have moved into the cyber game. Phishing attacks and disclosed vulnerabilities with publicly available exploits are the main tools of this archetype. These actors are typically not very sophisticated in the attack vectors used and are in it for easy monetary gain.
How Do They Convert It to Cash, and What's It Worth?
There is a large, expanding black market for buying and selling stolen data, which is continually evolving to meet changing demand and evade detection. Using the dark web, anonymizing browsers, peer-to-peer networks, encryption, and difficult to track fund transfer mechanisms such as cryptocurrencies, buyers and sellers meet and make transactions in an increasingly sophisticated, multi-tiered model. The cyber marketplace has become very sophisticated, with administrators, intermediaries and brokers, vendors, and a system to carefully vet buyers, making catching actors very difficult.
While it is difficult to put an exact price on stolen data as it fluctuates based on supply and demand economics, one factor for the value of stolen data is freshness: credit card data, for example, has a short shelf life, since buyers are aware that banks will get alerted to the theft and cancel cards. A freshly stolen credit card, for example, may be sold between $5-$15 (depending on whether the CVS code and bank ID come with it), but decline in value in the days thereafter. Complete PII packages (“Fullz dossiers”), with name, address, phone number, social security numbers, etc., are sold for roughly $30 each. PII and credit card numbers are often stolen in large quantities—they can be sold in bulk to a broker, who then sells in smaller batches, or sold in smaller increments initially—all of which increases the difficulty of attribution.
The value that can be extracted from the data is a significant factor in its market value: health records often sell for a higher dollar amount since they can be leveraged for health fraud, such as filling prescriptions, making false insurance claims, buying and reselling expensive medical devices, or even blackmail. Financial records are valuable as they can yield fast cash via withdrawals, and some hackers may see it as a ‘victimless crime,' since banks are insured against losses.
Intellectual property can command extremely high prices, depending on the information. The challenge is finding an interested and qualified niche buyer for the information.
How Does This Knowledge Inform Your Security Strategy?
Understanding what hackers want and what data has the most value to them should help your organization prioritize which data classes you need to protect with the greatest degree of rigor. Some of this is fairly obvious—PII, financial data, social security numbers and the like are common targets. Intellectual property is equally important to protect, as is any personal information of a sensitive or embarrassing nature that could be used as leverage. We can see that healthcare and retail organizations that process card data are particularly enticing targets, as are industries involved with critical infrastructure or national defense with respect to nation-state attacks.
Just as important as knowing what data you have is knowing where that data is stored and used, in both the real and cyber worlds. If you haven't done a complete audit of your data assets, this is essential to protecting desired targets. Most enterprises today have complex IT ecosystems that include third-party vendors—exploring their strategies for protecting data and requiring appropriate levels of security on their end is an essential part of a complete security strategy. Understanding who has access to which classes of data, restricting access only to those who require it, and evaluating these permissions regularly comprise another essential layer of defense. Penetration testing is also recommended for probing your security defenses for weaknesses.