This past year, we have seen some pretty scary stuff happen in cyber security. Since Halloween is almost here, I thought I would share some scenarios that keep me up at night. These are attacks that we are not ready to battle -- and are well beyond the horrific headlines we read on a daily basis. If you enjoy a good fright, read on.
Legions of citizen botnet armies
Most of the resources cyber criminals use to carry out their objectives are acquired through some method that results in compromised computers on the Internet. These resources remain available until the user or organization detects and remediates the incident. But what if the user participated willingly? Instead of bad guys having to compromise hosts, what if they instead cut other people such as corporate insiders in on the profits? Given crypto currency, the TOR network, and a few other factors, this could be a nightmare scenario, as we are not ready for this type of surge in distributed attacks.
The recruitment for this could be something like the "work from home" signs you see around your town. The work could be as easy as downloading and installing a package and could earn the host user as much as $10.00 per day. That is $300.00 a month for someone to simply leave his computer running and connected. The average citizen is not likely to know what type of activity his computer is involved in on a daily basis.
The end result would be a massive number of networked computers available for distributed denial-of-service, cryptographic brute forcing, or remote network sniffing. With the cooperation of the host, the capability list is endless, and because he's making money, the host will be motivated to help the cybercriminals persist. Service providers and law enforcement are not ready for this type of attack. This could lead to botnet armies with size and capabilities we have never seen before.
Crime and the sharing economy
Another horror story would be if cyber criminals expanded their marketplace networks to include citizen partners. Consider coordination networks like Uber, Instacart, Care.com, etc. These services are facilitators connecting a consumer who wants something delivered with a network of people who can deliver it.
Now think of applying this pattern to cybercrime. On one end there is a criminal who would like the login credentials of a Global 2000 executive. Via TOR networking, he can go to a site where he can place his request, submit his crypto currency, and a skilled global workforce accepts this objective and delivers it within the terms of the agreement. This lowers the coordination cost for cybercrime to near zero and connects the demand with the supply in ways that have never been seen to date. Worse, because so many people are motivated by money, a service like this could turn citizens into cyber criminals if they believe they cannot get caught and that they can easily make a few bucks on the side.
The last thing I will say about this type of participation and marketplace network is that it would fragment security events into small, seemingly disconnected pieces where one event might not look harmful. But when seen and evaluated as a whole, their impact would be significant.
Consider a SaaS service that helped people compute their cybercrimes. The power of big-data analytics and machine learning can compute amazing insight for businesses -- and it can do the same for criminals. Criminals could log in to a website, declare their objective, and the service would compute several alternative attack plans. This would work in the same way that travelers use GPS to reach a destination when getting directions online.
Cybercrime-as-a-Service would have social networks mapped, personal information on each individual, language analysis that yields a level of trust among individuals, mapping to various accounts (some of which may have been compromised), etc. All of this would be creating a corpus of data that can lead the criminal through a directed graph leading to the objective -- exfiltration of a file, ransomware, etc.
At the end of the day (Halloween or any other), cybercrime is a business, and profitable businesses only get smarter and more effective. It’s frightening to imagine how easily cyber criminals could execute these types of attacks and turn my worst nightmare into an even scarier reality.