Many security pros have misperceptions about the workings of the criminal underground, says a new report.

It's not that organized cybergangs are raking it in. It's more that a larger number of small operators are benefiting from automated services that can earn them an average of $2,000 a month, according to a new report from Recorded Future.

The problem for IT security professionals is that there are so many of these smaller players in the threat landscape these days. Andrei Barysevich, director of advanced collection at the cybersecurity firm and author of the report, "Inside the Mind of Cyber Criminals," delves into the operations of the cyber underground. His advice for security pros: share information with colleagues, because that's what the users of the dark web are doing.

These miscreants have access to all sorts of plundered information, ranging from databases of personally identifiable information nabbed from financial institutions and health care providers to proprietary corporate information.

Don't underestimate the ambition of attackers, Barysevich warned. It doesn't take a sophisticated operation to penetrate networks. Rather, criminals can use common attack vectors to gain entry. "As a rule of thumb, perpetrators will initially cast a wide net and move downstream toward the easiest prey," he said.

Consequently, security pros must regard their enterprise data as a ready target and so quarantine it and store it in encrypted formats, he said. As well, contingency plans must be in place should a network be attacked. This must include, he says, a clear response strategy should a ransom be demanded.

Barysevich called on security pros to keep abreast of threats and the mitigation strategies that can defend against them. Certainly, he explained, having data backups in place is part of that plan.

He pointed out that today's security pros have some misperceptions about the workings of the criminal underground. Many believe it's a network of organized gangs with evolved skillsets blasting out any number of attacks that earn them heaps of ill-gotten gains, he said. But the reality is that a threat landscape has emerged in which a large number of operators gain entry enabled by off-the-shelf automated services. These novices don't need a great deal of know-how, he explained, pointing to a survey he found on the dark web which revealed that the majority of criminal operators earn between $1,000 and $3,000 a month. Only 20 percent, he found, were earning greater sums, sometimes as high as $20,000 a month or more.

And it's lone wolf operators with no ties to organized syndicates who make up the majority of participants, he said. These are people with clean records who might be working day jobs while occasionally dipping into illicit activities. Likely they were introduced to cybercrime while college students, he added.

(In fact, a recent report from Bleeping Computer details how easy it is for entry-level cybercriminals to rent space on a massive Mirai botnet. The botnet is said to have nearly half a million infected bots all set to launch DDoS attacks for the right price.)

As for the organized gangs, Barysevich says these are headed by a boss who manages a hierarchy of sophisticated cyberthieves, each with specific capabilities. The gang might include bankers to handle money laundering, forgers to produce phony documents, and project managers to supervise the technology involved, including software engineers and skilled hackers. These gangs might even include former law enforcement personnel who gather information and feed counter-intelligence.

As far as how to defend against attacks, whether from the more sophisticated operations or the single operators, Barysevich said an effective security perimeter has to include the combination of:

  • Automated tools responsible for identification of unusual behavior;
  • Alerts on known indicators of compromise (IOCs) and terrorist tactics, techniques, and procedures (TTPs);
  • Intelligence obtained from underground communities; and
  • Response procedures and guidelines.

He also advocated that enterprises enlist researchers who have eyes into the dark web, although such a researcher must avoid the attention of those under surveillance.

"The volume of information on the dark web can be overwhelming, and before proceeding a researcher must clearly define his objective and priorities," Barysevich told SC Media on Wednesday. "If his primary task is identifying the most relevant and damaging financial fraud TTPs, then he must focus on discussions primarily devoted to financial crime. If the company is experiencing ongoing probing of its security systems for vulnerabilities, sole attention must be concentrated toward hacking sections of illicit communities and advertisements of the newest malware variants."

In many organizations, researchers have to operate within tight time constraints and limited resources, and Barysevich said he would recommend considering automated tools available from several threat intelligence providers, which effectively cancel most of the "white noise" and allow security admins to identify the most critical threat indicators.

As for the role IT security professionals can play in their organizations to defend against attacks, Barysevich said that, to begin with, they can evaluate the current state of the security infrastructure and not be afraid to convey the full scale of potential problems to upper management. "We entered the age where the security of the organization must be one of the fundamental concerns of the CEO," he told SC. "Unfortunately, attack tactics evolve with a rapid speed and not many security specialists are sufficiently experienced to handle upcoming threats."

If a company doesn't have internal resources to perform periodic security evaluations, Barysevich said it must foster trusted relationships with professional security consultants.

"Participation in trusted security groups is one of the simplest and most cost-effective ways to share and receive insight as well as appropriately evaluate threat indicators," he added.

More technology, better trained security pros and better trained employees are all essential, he explained. Technology, he said, has come a long way in the past five years. "Albeit, it's not ideal, but current solutions can very efficiently support security operations and help companies maintain an optimal size of a security team."

Training is crucial as well and has to be budgeted accordingly, he said. "A company cannot expect to train the team once a year and be done with it. Similarly to criminals adjusting their tactics and methods, employees tasked to protect an organization's resources must continuously hone their skills."

Remember, Barysevich said, security pros are dealing with criminal communities and must treat them accordingly. "Same as you would not attempt to mingle with mafia strongmen in the bar pretending to be one of them, you should not assume you can do so with cybercriminals. Unless absolutely needed, I would rather remain silent and sit in a far corner of the bar and eavesdrop on bad guys than get kicked out."