Technology

Report: Cybercrime orgs look more like firms than gangs

So sophisticated have cybercrime organizations become that they more and more resemble the companies they are attacking, according to a new study out Monday.

By Shaun Waterman

May 17, 2016

So sophisticated have cybercrime organizations become that they more and more resemble the multinational companies they are attacking, according to a new study out Monday.

‘Cyber criminals look to maximize their profits and minimize risk,’ reads the report, from Hewlett Packard Enterprise Security Research. ‘They have to compete on quality, customer service, price, reputation, and innovation.’

‘The attackers have become almost corporate in their behavior.’

Take recruitment. ‘Any corporation that wants to expand has to recruit the brightest and the best,’ Rob Roy, public sector chief technology officer for HPE Security said in an interview. ‘So do these guys.’

‘Obviously they can’t advertise in the newspapers,’ Roy said, but instead they will recruit on underground forums — ‘completely virtual and mostly anonymous.’

The forums — the best of which are members only — are vital to the criminal ecosystem since they create an environment in which criminals can develop a public reputation.

‘While they are lawless, they have their reputation to protect,’ said Roy. ‘It takes a while to earn’ and that creates a disincentive for criminals to cheat or steal from each other.

There is, in other words, honor among thieves.

Like cyber defenders, online criminal gangs have to deal with demand and supply equations in the labor market, but ‘The barriers to entry are a lot lower [in the cybercrime world] … Defending is a much harder job and the costs of training and education are significant.’

By contrast ‘It is trivial to download free attack tools and practice with them,’ said Roy.

‘There are plenty of countries around the world without a good job market, but with a modern internet infrastructure.’

That imbalance between the ease with which attacks can be conducted and the difficulty of defending against them has helped drive cybercrime to a $300 billion a year business, said Roy.

‘You can’t stop everything,’ he said. ‘The way to do this [defense] is to think of them as competitors. … My job is to make them hate their job.’

Roy quoted Sun Tzu: ‘If you know your enemies and know yourself, you will not be imperiled in a hundred battles.’

‘Over the decades, we’ve come to know ourselves pretty well. This report is to help us get to know them. That’s the next step.’

Download the HPE report here.

Report: Cybercrime orgs look more like firms than gangs

More Like This

House hurtles toward showdown over expiring surveillance tools

Civil society groups press platforms to step up election integrity work

Top Stories

Treasury official: Small financial institutions have ‘growth to do’ in using AI against threats

‘Large volume’ of data stolen from UN agency after ransomware attack

FBI director warns of China’s preparations for disruptive infrastructure attacks

More Scoops

What keeps CISOs up at night? Mandiant leaders share top cyber concerns

After LockBit takedown, police try to sow doubt in cybercrime community

Defending federal networks requires more than money, CSIS study finds

US internet hosting company appears to facilitate global cybercrime, researchers say

The FBI’s Cynthia Kaiser on how the bureau fights ransomware

‘Russian hackers’ help two New York men game JFK taxi system

The long, bumpy road to cyber incident reporting legislation — and the one still ahead

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics