The cybercrime economy is booming, with an estimated value exceeding many nations' gross domestic product (GDP). The fallout from breaches can last for years, eating into profits and chipping away at hard-won brand reputation. GDPR fines have surged 39% over the past year, and ransomware is costing corporate victims tens of millions of dollars.
While nation-state campaigns like SolarWinds capture the popular imagination, most online threats come from financially motivated cybercrime groups. In their single-minded pursuit of wealth, organized crime groups will stop at nothing. To stand any chance of success against them, we must fundamentally rethink security from the ground up.
Back in 2018, a study by University of Surrey criminologists estimated the cybercrime economy to be worth more than $680 billion. Using anonymization tools and operating from remote jurisdictions, cybercriminals are insulated from risk. They take advantage of a sophisticated underground supply chain that enables rapid innovation and allows even non-techies to participate.
Ransomware is a great example. Once the preserve of opportunistic individuals who targeted consumers with demands of a few hundred dollars, today cybercriminal gangs like Ryuk, REvil, and Egregor make millions from corporate victims. This so-called "big-game hunting" should be ringing alarm bells in many boardrooms.
Typical victims are large but not listed, making them more likely to pay out with less fuss. The alternative is operational disruption that could cost tens of millions of dollars. Other victims, like healthcare organizations battling COVID-19 and other diseases, may be selected because the alternative to paying up doesn't bear thinking about.
Big-Game Hunters on the Prowl
Big-game hunting groups increasingly embrace techniques once the preserve of nation-state hackers, such as lengthy reconnaissance of targets and using legitimate tools to move around inside networks without triggering virtual alarms. They first steal sensitive data, then leverage it to increase the chances victims will pay in "double-dip" extortion attacks
They buy access to corporate networks from groups made up of a range of victims with Trojan malware like Emotet and TrickBot spread through phishing emails. This allows the secondary ransomware gangs to choose their own targets.
But ransomware is not the only game in town, and cybercriminals will monetize attacks wherever they can — from banking Trojans to targeted theft of customer data and sensitive intellectual property.
The Weakest Link
Users are the point of entry for most attacks, which is why endpoints account for 70% of successful breaches, with malware almost always being delivered via email attachments, Web links, and downloadable files. More advanced attackers are using new techniques to make phishing attempts even more successful, such as artificial intelligence (AI)-automated spear-phishing, where an attacker tailors their lures to a specific individual or group. Or thread jacking, where an employee email account is hijacked and spreads malware by responding in existing conversation threads, making it more likely users will open the attachment or link.
Yet simple tricks, such as sending a compromised resume to HR or an infected Excel invoice to finance, are still very effective in bypassing defenses. Once the attacker has a foothold, they can steal credentials and move through organizations, gathering intelligence and stealing data. They can even create their own backdoors to sell on the Dark Web. This means hackers can come and go, right under the nose of enterprise security teams, often undetected for years, and creating huge exposure for the compromised company.
Time to Reimagine Security
To date, the industry mantra for defense has been "detect to protect" by looking for signatures and known-bad code. However, the rise in "polymorphic" autogenerated malware — i.e., machine-generated malware — frustrates such approaches. The next generation of detection tries to address this by using machine learning to spot possible mutations. But malware developers have access to these tools; they can automatically test their code and tweak it until it gets through. This way, when they launch malware, they have full confidence it won't be detected by any of the leading products. While detection will always be a vital part of security, relying on detection alone will end in tears.
We need a new security architecture, one that builds resilience in from the hardware up. With a zero-trust approach, organizations can apply fine-grained segmentation and control to create compartments that can be secured independently of one another. New innovations like micro-virtualization underpin such approaches by containing threats to render malware harmless.
Around the world, business leaders are waking up to a persistent and pervasive threat to their corporate reputation and bottom line. To tackle cybercrime on this scale, we need an equally bold response.