Avoid hiring a cybercriminal: understand motivations and thoroughly vet employees

The “Darkode” online crime forum bust spanned 20 countries and led to the charges, arrests and searches of 70 suspected forum members.

While all the indicted individuals allegedly participated in illegal activities, one man received particular attention.

Morgan Culbertson, a 20-year-old and current FireEye intern with two stints at the company on his resume, was arrested in association with the forum.

During his time at the cybersecurity firm, Culbertson spent his days not only working on a dedicated “intern project,” for which FireEye hires the students, but also allegedly running a successful, darker side business.

Culbertson is said to be the creator and seller of the notorious “Dendroid” Android remote access tool (RAT), which he advertised on Darkode for $300. Its source code fetched far more, with a price of $65,000, Forbes indicated.

FireEye immediately revoked all access to its building and systems when it found out about the arrest, the company said in a statement to SCMagazine.com.

Even so, experts note that Culbertson's work at FireEye likely assisted in the creation of his successful RAT by giving him a peek into the defense side.

However, they also say the two are not directly correlated. Making the move over to “the dark side” requires more than a nagging interest; it's a mix of desire for compensation, recognition and the pursuit of intellectual happiness, Katie Moussouris, chief policy officer at HackerOne, told SCMagazine.com.

“[The Culbertson news] doesn't surprise me at all,” Moussouris said. “Everybody's got a mix of motivations and different ways their moral compass may point. It might point in the same way that yours does or it might point in a different direction.”

And given Culbertson's age, his compass will likely change. Long-term consequences aren't exactly top of mind for a 20-year-old, Joe Nedelec, an assistant professor in criminology at the University of Cincinnati, said during an interview with SCMagazine.com.

“[The more I study cybercrime] the more I've seen that there's this real witches' brew of young people with immense talent and a great temptation to go over to areas of the dark web and try it out,” Nedelec said.

Add in a perceived notion of anonymity, and really, the desire to explore, create and sell doesn't seem too harmful to a cybercriminal's future, he said.

“He's creating security software [at FireEye] to fight people like himself, and that can only make his malware better,” Nedelec said. “But really, I think that there's a personality thing going on here. These guys have so much confidence in their skills to remain anonymous online that they can sort of drift into that area of criminality, such as on the dark web.”

So with firms already paying their interns decent compensation — the Department of Homeland Security, for example, pays approximately $5,800 for a 10-week internship — companies are left with a problem: how to deter interns and employees from moving over to the other side.

Bug bounty programs are often heralded as one way to encourage positive research, but that might not suffice.

Ultimately, the defense side of cybersecurity will never be able to compete monetarily with the offense, Moussouris said, so if that's a sole motivator for a cybercriminal, nothing can really deter them.

Plus, a shortage of qualified cybersecurity professionals presents an even more difficult task for cybersecurity firms. Finding and hiring a worthy and upstanding individual can be rushed, and companies could just settle.

That said, these firms can still keep sketchy people out of their physical and digital work environments with a thorough vetting process.

Anu Kumar, VP of recruitment at SilverBull Software, recommends background checks, credit checks and plenty of references, even beyond those listed on a candidate's resume, as some ways to do so.

“You have to do your due diligence whether it's an intern or a full-time hire, especially when you're a company who deals with sensitive information,” she said in an interview with SCMagazine.com. “These are people who have the skillset to be ethical hackers or hackers, so the need there is definite.”

Background checks can bring up a person's past DUIs or fake ID use, for example, and credit checks can demonstrate how the person handles money, she said.

Taken all together, this behavior can measure how responsible a person is, she said, and, when combined with references, can bring up red flags long before system access is granted.

“Nothing can substitute for the time you spend and the care you give to your hiring process,” Kumar said. “It's important for more than one person within an organization to speak and get to know a candidate before bringing a person on board.”

But, she noted, people do fall through the cracks.

“It happens,” she said.

FireEye might have just been the unlikely one this time, as it does perform background checks and calls references. 

More companies are likely to fall victim to the insider threat because, as Nedelec warns, Darkode is only one of many.

“The problem is it's Whack-a-mole,” he said. 

The 70 people arrested in association with Darkode represent only some of the many hackers and participants in dark web cybercrime.
