ITProPortal spoke to Mark Quartermaine, Area VP of the UK and Ireland at Juniper Networks, about the true size of the sprawling and shady world of cyber-crime, a world run by giant criminal corporations that most of us have never heard of.
This is simply because you can access thousands of people at once, and there's a lot more fluidity. If you and I were in the drug trade, obviously at some point we'll have to meet: I've got to give you something, and you've got to pay me. In the digital market, some people have access to 70-80,000 end users.
A RAND report we commissioned recently looked at what defines a mature market in academic terms. RAND defined a mature market based on the level of sophistication, whether it's got a hierarchy, whether it's got a degree of resilience in it. Obviously the cyber-crime market isn't a transparent market by definition, so there's a certain amount they had to infer from different sources, and kind of triangulate.
But what they found was that in the early days, the cyber-crime market was predominantly freelance. It was people working on their own, probably working out of their back bedrooms, and only 20 per cent of it was organised. Now, that's been flipped on its head. The market is much more organised: you have people at the tops of organisations, the people driving it, funding it – the bosses. There are links to traditional organised crime.
Then as you come down the pyramid you have the subject matter experts, and below that the mules, whether they be witting or unwitting. They're the people taking all the risks, bringing the money in. But then that money flows up like it does in any organisation, and it's the people at the top really making the big money.
One of the signs of resiliency we've seen is the fact that there are actually storefronts where you can go to buy these things. They list the prices of malware, they talk about how demand and supply works. Obviously if credit card data floods the market, the price goes down. It also depends on the location of the credit cards.
In the UK, the value of credit card data is actually higher, since we have chip and PIN, and no signature – so it's actually easier to steal from it. There are also higher credit limits in the UK than in the US, so you get different demand and supply attributes for different kinds of data. There are also exploits. If people find a zero-day exploit, or malware that takes advantage of that, it's worth a lot of money, but as that comes onto the market and people become aware of it, the value comes down.
Law enforcement is definitely getting more sophisticated in the ways they're going after them, but we're still massively playing catch-up. We're reaching a situation where soon their ability to attack will massively outpace our ability to defend.
The problem is that for an attacker, it's smash-and-grab: it's attacking in one way, in one approach. When you're defending you have to anticipate everything. You defend on a broad front, and attack on a point basis. The exploit kits are evolving, the technology is evolving.
What our software now does is that it looks at the behaviour of the person accessing the website, and says "that's unusual behaviour". It then starts to give the user access to fake code, what we call "tar traps". After that, if you move on to being a bad actor, or doing something illegal, we can disrupt them, block their tools, waste their time and so on. That disrupts the economics of cyber-crime.
Once we've identified them, we can start doing what we call digital fingerprinting. We've identified 200 attributes that we can use to identify a user and blacklist them. That's what operating system they're using, what level of BIOS, what system and so on.
Certain parts of the world tend to focus on different things. For malware, it's Eastern Europe – and definitely the highest quality malware comes out of Russia.
China is very much about intellectual property, and places like Vietnam and the United States are a lot about financial institutions. There's diversity in the marketplace, and my guess is it's bigger than Facebook, Google and Microsoft combined.
There's also cyber-crime among the cyber-crime: people attacking each other in the criminal world, or stealing from their own organisations. You get people attacking each other, but it's not going to be like The Godfather!
We cannot be passive about this anymore. The world is getting more digital, and we're starting to get machine-to-machine.
There will be more connected devices than people on the planet very soon. This problem is only getting bigger, and we have to do something about it.