We are currently experiencing a third wave of hacking and cyber threats. The first wave was the explorers: those who wrote malware to see what they could do and for the joy of finding vulnerabilities. While a lot of nasty malware was created during this time, including arguably the most costly attack in terms of damage done, for the most part the malware and the intrusions were not monetised or organised.
The second wave saw the monetisation and professionalisation of the activity. Groups formed specifically to monetise their illicit skills, and nation states moved from experimenting with this new intelligence-gathering capability to institutionalising it. This phase led to an explosion of activity, giving rise not only to a brand new defensive industry but to a new dynamic in international relations and statecraft: politics by other means was no longer relegated to war alone. The institutionalisation of these practices at the nation-state level has created a significant increase in tensions between several of the largest economies in the world. Constant accusations from Washington, Beijing, Moscow, London, and Berlin have served to make cyber one of the most important topics in international negotiations over the last several years. This focus on nation-sponsored threats has helped to usher in the third wave of hacking: a decentralised, corporatised threat that sells advanced capabilities to the highest bidder.
Companies, especially in developing economies, are seeing significant advantages in hiring hackers to provide key insights into their market and competitors. These hacking groups are also seeing large value in conducting operations against law firms and brokerage accounts for personal gain. Private-sector hacking is turning into one of the easiest ways to get rich quick. Trade secrets, R&D, patents, negotiating and market positions: the list of targets is extensive. The proliferation of these groups, combined with an uneven distribution of legal frameworks, is creating a massive illicit transfer of technology.
The legitimisation of hacking as part of the competitive intelligence field poses a significant threat to global corporations. While insider threats, reverse engineering, and simply hiring from the competition have always been considered threats to a corporation's bottom line, the access afforded to malicious actors by the Internet has fundamentally changed this loss calculation. The proliferation of this activity has the potential to usher in a new age of digital anarchy.
Failure to deter
The fundamental underpinning of this movement isn't active subterfuge by governments, but rather the inability or unwillingness of those governments to deter this activity.
Many countries have poor or no cybercrime laws, and of those that do, very few have advanced enforcement capabilities. This allows threat actors to operate with impunity and get wealthy for their efforts. The absence of criminal liability for the hackers creates an environment where supply, of varying quality, is plentiful.
The demand for the stolen information is also blossoming. Societies where the act of hacking itself is legal also generally offer little to no recourse for the infringement of intellectual property or the receipt of stolen information. If a startup or a dominant market player wants to hack its way to market share, there is little legal recourse in large parts of the world.
This legal inequality creates a disparity between industry players similar to the one anti-corruption laws do, but this trend has far greater potential for disruption. As long as significant markets continue to turn a blind eye to this activity, the industry of hacking for competitive intelligence will continue to grow organically.
Adding fuel to the fire
Many countries are responsible for providing a regulatory environment that is conducive to the growth of this industry. A select few are actively fostering it as a means of national economic growth or as part of friction campaigns against foreign adversaries. This state intervention in the market brings tools and budgets to what is otherwise a cottage industry working on generalised capabilities. India, Russia and China support hacking operations that both back government mandates and conduct hacking as a service (HaaS) for private-sector clients.
This implicit government support has grown the industry in these countries and provided sacrificial lambs should international political tensions become too detrimental. The unofficial relationship not only creates more credible plausible deniability, but also serves to legitimise otherwise illegal activities.
Active government backing has created an environment where these actors are emboldened to take on more clients and conduct riskier operations, because the risk associated with getting caught has decreased. Additionally, this support incentivises new groups to expand the industry. India, Russia and China have substantial government programs teaching these skills to service members who are both underpaid and under-respected within society at large. Service members with any level of skill or talent can seek this more lucrative, and still sanctioned, use of their skills.
Scoping the threat
The growth of this alarming threat does provide some enhanced capabilities for defending networks. This category of actor varies widely in capability depending on their skills, sponsorships, and the permissiveness of their location. What remains constant is the type of data they must acquire to successfully complete their contract. By better understanding these groups, the contracts they normally take and their capabilities, defenders can more effectively align their resources to prevent the threat actors from achieving their objectives.
Generic defensive systems are necessary, but no longer sufficient, for keeping out this type of actor. Unlike the operators of banking Trojans, ransomware, and click fraud, these groups must compromise a specific network to monetise their activity. While this results in a larger reconnaissance footprint, it also creates a more determined and educated attacker. These groups will switch entire tool kits mid-operation to achieve their goals, and often lay down several different persistence methods to ensure a level of resiliency that most threat actors do not bother with. This determination, the varied tool kits, and the ability to adapt on the fly make them highly capable of overcoming traditional, standard-operating-procedure defences.
If the contract is large enough, they will reverse engineer the defensive technologies themselves and find vulnerabilities in them to gain access. Actively hunting in your environment for indicators of their activity is the only way to reliably interrupt malicious actors. By understanding the items most likely to be targeted, defenders can identify choke points in their networks that the threat actor must pass through to reach the information. Properly segmenting networks and monitoring those segments for known malicious activity acts as the tripwire that border defences can no longer provide.
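As an added illustration of the choke-point idea above (example code written for this page, not from the article or its author), the script below treats segment boundaries as tripwires. It assumes a constructed network with three named segments, a policy listing which segment-to-segment flows and ports are expected, and connection records in a simple constructed text format of the form "timestamp src_ip -> dst_ip:port". Any cross-segment connection the policy does not allow is reported regardless of what tooling produced it, which is the point when the actor may swap tool kits mid-operation; all IP ranges, ports and log lines are constructed for illustration.

```python
"""Choke-point tripwire: flag connections that cross a network segment
boundary outside the expected flows. Everything here is constructed
sample data, not real infrastructure or real log output."""
import ipaddress
from collections import Counter

# Hypothetical segments: where the R&D material (the contract target) lives,
# the jump hosts that are supposed to be the only way in, and workstations.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "jump_hosts": ipaddress.ip_network("10.20.0.0/24"),
    "rnd_fileservers": ipaddress.ip_network("10.30.0.0/24"),
}

# Expected cross-segment flows and the ports allowed on each. Anything else
# that crosses a boundary (including any outbound flow from the R&D segment,
# which has no entry here) trips the wire.
ALLOWED_FLOWS = {
    ("workstations", "jump_hosts"): {22, 3389},
    ("jump_hosts", "rnd_fileservers"): {445},
    ("workstations", "internet"): {80, 443},
}

# Constructed connection records in the assumed "ts src -> dst:port" format.
SAMPLE_LOG = [
    "2024-01-01T09:00:01 10.10.4.12 -> 10.20.0.5:3389",   # expected path in
    "2024-01-01T09:00:07 10.20.0.5 -> 10.30.0.9:445",     # expected file access
    "2024-01-01T09:01:13 10.10.4.12 -> 10.30.0.9:445",    # workstation bypasses jump host
    "2024-01-01T09:01:20 10.10.4.12 -> 10.30.0.9:22",     # same host, second attempt
    "2024-01-01T09:02:00 10.10.4.40 -> 10.10.4.12:445",   # intra-segment, not a crossing
    "2024-01-01T09:02:30 10.10.4.12 -> 203.0.113.7:443",  # ordinary web traffic
    "2024-01-01T09:03:00 10.30.0.9 -> 203.0.113.7:443",   # file server talking outbound
    "2024-01-01T09:03:10 10.20.0.5 -> 10.30.0.9:3389",    # allowed pair, unexpected port
]


def segment_of(ip):
    """Name the segment an address belongs to; anything unlisted is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def parse_line(line):
    """Parse the assumed record format into (timestamp, src, dst, port)."""
    ts, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src, dst_ip, int(dst_port)


def find_violations(lines):
    """Return every cross-segment connection the policy does not allow."""
    violations = []
    for line in lines:
        ts, src, dst, port = parse_line(line)
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if src_seg == dst_seg:
            continue  # no boundary crossed, so no tripwire to check
        if port not in ALLOWED_FLOWS.get((src_seg, dst_seg), set()):
            violations.append({
                "time": ts, "src": src, "src_segment": src_seg,
                "dst": dst, "dst_segment": dst_seg, "port": port,
            })
    return violations


def noisiest_sources(violations):
    """Rank sources by how often they tripped the wire; a good hunt starting point."""
    return Counter(v["src"] for v in violations).most_common()


if __name__ == "__main__":
    hits = find_violations(SAMPLE_LOG)
    for v in hits:
        print(f"{v['time']} {v['src']} ({v['src_segment']}) -> "
              f"{v['dst']}:{v['port']} ({v['dst_segment']}) not in policy")
    print("sources to hunt first:", noisiest_sources(hits))
```

The policy is deliberately written as an allow list keyed on the target segment: the R&D segment has no permitted outbound flow at all, so the file server's web connection in the sample is reported even though the port is innocuous, which is the kind of signal a perimeter firewall would never raise.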
Lastly, knowing that this phenomenon exists, and coming together as a community to identify the actors and attach a defensible cost to their activity, will help states change the rules of engagement. Now that this activity exists, it will never cease entirely. However, it is possible to help states build more stringent laws and enforcement mechanisms to reduce the size of the industry and push it back into the illicit underground where it belongs.
Ross Rustici, senior manager, intelligence research, Cybereason