Battle cybercrime by treating it as a business, HPE report asserts
“The business of hacking is a business just like ours,” write security researchers from Hewlett Packard Enterprise Co. (HPE) in a new report. “If we think of it like a business, like a competitor, then we can prioritize the most effective efforts to disrupt it.”
HPE’s “Business of Hacking” report, which was released today, goes into detail about how strikingly businesslike the world of cybercrime is. Black-hat hackers have created robust trust networks that validate the skills and reliability of individual criminals despite total anonymity. Hackers operate according to the laws of supply and demand, constantly moving between targets as prices change. There’s even a sales and marketing dimension to this nefarious discipline, as cyber criminals promote their skills to generate a pipeline of new business.
Ironically, the anonymity of cybercrime has created a sophisticated system of trust that discourages the bad guys from doing harm to each other. “Trust and a good reputation are key to the industry,” the authors write. “If you are not trusted, it is very difficult to make money.” Trust is built by providing value and having other anonymous members of the community vouch for you.
As a result, hackers jealously guard the trust they’ve earned, which presents one of the most promising avenues to disrupt them. “Paranoia is the largest opportunity…to disrupt the business of hacking,” the researchers write. “Their business is built on reputation. Tarnish that handle’s reputation and they must start over.”
One way to do this is by planting bad data in easy-to-penetrate locations, making buyers of the data lose trust in the attackers who sell it to them. However, cybercriminals have their own tools for validating data quality, researchers report. Those validation tools are part of an increasingly sophisticated arsenal that bad guys bring to the business. Crooks have developed disaster recovery networks to quickly get back online when foiled by security teams. There are even “as-a-service” options emerging in a remarkably robust market for tools of disruption.
Crime as a business
The most remarkable aspect of this report is how it profiles criminals in the dispassionate terms of free enterprise. Rather than characterizing hackers as malicious wrongdoers, the report approaches them as business people whose business just happens to involve doing bad things. They are subject to the same market forces as anybody else, and their survival depends upon agility, innovation and speed, the same factors that matter in business success.
Market forces continuously change the nature of their game. In fact, cybercrime is subject to the same maturity model as any other market. For example, credit card fraud is currently in decline because the market is flooded and safeguards like chip cards are raising the stakes, researchers report.
In contrast, advertising fraud, the business of creating false clicks on ads to generate revenue from advertisers, is in a growth phase. The lack of effective preventive measures makes it the most attractive current criminal target.
An important new avenue to fight cybercrime is understanding the weaknesses of the business model, HPE suggests. These include paranoia, lack of trust and the constant intrusion of unsophisticated new players who interfere with trusted pros. Businesses can sow confusion by planting bad data or leading attackers down dead ends, effectively disrupting their businesses.
“Storage is cheap. If an organization bulk‑stores fake data, then attackers who steal this data will experience quality issues, reducing its value and forcing the attacker to spend extra time validating data before selling it, which will increase the cost of their doing business,” the researchers note.
Legitimate enterprises can also use encryption, which the authors recommend as the most effective general-purpose foil. Encrypted data is useless to attackers, thus restricting their ability to sell and reducing their profits, they conclude. The fact that HPE uses the report to tout its own anti-crime products shouldn’t detract from the useful new perspective it casts upon a seemingly intractable problem.