The popular Netflix series Narcos tells the story of former drug kingpin Pablo Escobar, who in his prime made nearly as much money trafficking cocaine in a year as the whole gross domestic product of Colombia. And while there were many factors that led to the rise of Escobar, the most significant was growing worldwide demand. Similarly, there is a growing demand for privileged user logins on the dark web, and the results could have devastating consequences for businesses worldwide.
The dark web is not just a bazaar for illegal drugs and stolen credit card numbers. Bubbling beneath the surface of this already dicey marketplace is a booming economy thriving on stolen identities.
From consumer credit card logins that sell for $15 to iOS administrator credentials that top out at $1.5 million, the formula is simple: The more access someone has to a system, the more valuable their identity is on the dark web.
And all of these sales add up. Experts estimate that AlphaBay, which was taken down in July, was able to net up to $800,000 a day in revenue. That's a stunning number for just one site on the dark web, and it shows that the money made on the black market can dwarf what many top security companies—who are responsible for protecting these identities—bring in each year.
Why are certain user credentials worth so much more and why do criminals on the dark web want them so badly?
Bad actors hunt for the login credentials of so-called “privileged users” such as system administrators and chief information officers (CIOs) because those logins can unlock access to the most sensitive information a company or organization holds. Today, according to Forrester Research, 80 percent of all cybersecurity breaches involve privileged login credentials. In the wrong hands, those privileged logins can wreak havoc on a business, whether by orchestrating internal attacks or by shutting a system down for ransom.
In a recent example highlighted in a report from BAE Systems and PwC, a group called APT10 targeted the privileged credentials of managed IT service providers (MSPs). That gave the group unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally.
Unfortunately, trying to wage war against these bad actors is largely ineffective unless we all play a part in curbing the supply of credentials available to them. Imagine playing three-dimensional whack-a-mole on consoles the size of a football field. Attack attempts happen on a near-constant basis. The FBI reported last year that on average about 4,000 ransomware cyber attacks take place per day across businesses, private users, and government agencies. That's a 300 percent increase over the 1,000 per day the FBI clocked in 2015.
Simply put, you can't ward off every attempt to break into your network, and the dark web is so lucrative that anyone with computer science skills and a wayward moral compass can try to cash in.
Realizing that, it becomes clear that the best way to ward off hackers looking to sell your privileged credentials on the dark web is to devalue them as much as possible. In other words, we must ensure that no user has full, uncontrolled and unregulated access to our networks.
The first step towards this goal is to track employees—and their access—throughout the employees' lifecycle at the company. That means making sure that from their first day to the exit interview, the access that employees have is no more than what their current responsibilities require.
Second, when an employee requests greater access, companies need to ensure that access is temporary and never allowed to become the new standard.
Lastly, risk analytics can help automatically identify potential violations to quickly deescalate privileges and make that identity significantly less valuable. And since most hackers are looking for credentials that get them deep into a network, disabling them before they are used makes them almost worthless on the dark web.
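As an added illustration of the three steps above (example code, not from the original article), the following Python sketch models a user directory with a per-title role baseline, time-boxed elevation, and a review pass that revokes grants that are orphaned by offboarding, expired, or standing outside the baseline. The class names, role labels and ticket id are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Grant:
    user: str
    role: str
    expires_at: Optional[datetime]  # None means standing (permanent) access
    justification: str = ""         # e.g. a change ticket id (constructed value)

@dataclass
class Directory:
    role_baseline: Dict[str, Set[str]]  # job title -> roles allowed as standing access
    users: Dict[str, str]               # user -> job title; absent = offboarded
    grants: List[Grant] = field(default_factory=list)

    def elevate(self, user: str, role: str, now: datetime,
                ttl: timedelta = timedelta(hours=2), justification: str = "") -> Grant:
        """Step 2: elevated access is always time-boxed, never standing."""
        if user not in self.users:
            raise ValueError(f"{user} is not an active employee")
        g = Grant(user, role, now + ttl, justification)
        self.grants.append(g)
        return g

    def offboard(self, user: str) -> None:
        """Step 1: leaving the company removes the identity from the directory."""
        self.users.pop(user, None)

    def effective_roles(self, user: str, now: datetime) -> Set[str]:
        """Roles the user can actually exercise at time `now`."""
        return {g.role for g in self.grants
                if g.user == user and (g.expires_at is None or g.expires_at > now)}

    def review(self, now: datetime) -> List[Tuple[str, str, str]]:
        """Step 3: revoke grants that make an identity worth more than it needs to be."""
        findings, keep = [], []
        for g in self.grants:
            title = self.users.get(g.user)
            if title is None:
                findings.append((g.user, g.role, "orphaned: user offboarded"))
            elif g.expires_at is None and g.role not in self.role_baseline.get(title, set()):
                findings.append((g.user, g.role, "standing access outside role baseline"))
            elif g.expires_at is not None and g.expires_at <= now:
                findings.append((g.user, g.role, "temporary elevation expired"))
            else:
                keep.append(g)
        self.grants = keep
        return findings
```

Running `review` on a schedule (or on every offboarding event) is what turns the policy into the automatic deescalation the third step describes.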
To bring this back around to “Narcos,” if cocaine users during Escobar's reign as a narco-trafficker had suddenly become immune to the powers of the drug, the market demand—and the fortune Pablo Escobar was amassing—would have dried up. Similarly, if we can curb the ease with which criminals can use privileged credentials, we can potentially curb cybercrime. The same is true for selling credentials on the dark web. If the keys to your company suddenly stop unlocking sensitive information, no one is going to want to buy them.