It is time to turn the tables on cybercriminals and use their own tactics against them.

Derek Manky, Chief Security Strategist & VP Global Threat Intelligence, FortiGuard Labs

March 23, 2021

5 Min Read

Cybercrime is big business. There is really no way to know how many people are involved. Some groups have formal organizations. Others are ad hoc collections of independent hackers and other criminals.

Much like any other industry, such an undertaking includes an entire supply chain. And just as these bad actors know that a highly successful way to weaken a business is to disrupt its supply chain, the same goes for cybercrime. It's time to turn the tables on cybercriminals and use their own tactics against them.

The Increasing Organization of Cybercrime
Most cybercriminals are financially motivated. Today's breaches are mainly driven by attackers who encrypt systems and demand a ransom or steal sensitive information to sell on the Dark Web. There's a reason why our FortiGuard Labs team recently documented a sevenfold increase in ransomware attacks during the second half of 2020. It's because they work.

The reality is, more than half of all attacks are run by cybercrime organizations that are set up as effectively as any company. We mainly know the programmers since we track their work closely through threat research and attack trends. But these organizations also have "CEOs," business enablers, call centers that help victims pay their ransoms, and people who manage the money on the back end so that it can't be traced by law enforcement. They may be part of a single criminal organization, a state-sponsored actor or organized crime group, or an affiliate such as the Egregor ransomware-as-a-service operation. But regardless of their association, they all have a common goal and they approach their work like any business — except that their revenue streams are stolen data and extorted money.

To keep ahead of security systems, law enforcement, and advanced countermeasures, hacking has become increasingly sophisticated, and these organizations continue to innovate. For example, bad actors have created a new cybercrime-as-a-service ecosystem to develop revenue streams through third-party criminal franchisees. That's one of the biggest reasons why the cybercrime industry continues to grow so dramatically, generating more than a trillion dollars in revenue every year, requiring law enforcement and other organizations to disrupt the flow of illicit funds.

The Cybercriminal Supply Chain
For defenders, it's important to understand the cybercrime supply chain. In the most sophisticated systems, multiple players work together. The suppliers are the creators and producers of things like malware and zero-code exploits. They sell, license, and share their technology with distributors or affiliates, which sell these solutions to clients or partners who target them at victims. It's very similar to how the reseller/channel system works. They are just using their supply chain to infiltrate their victims' supply chains.

There's also the financial component. Individuals on the back end manage transactions, secure funds, launder money, and distribute "payroll." They may work with account managers who coordinate the sale of ill-gotten information on the Dark Web. And there are also money mules. Many of these individuals aren't criminals by nature; many of them don't even know that what they're doing is illegal.

Disrupting the Supply Chain
Because many of today's cybercriminals operate like a business, defenders can use one of the criminals' own tactics against them by disrupting their supply chain. If security teams keep forcing the criminals to start over, rebuild, and shift tactics, they will be slowed down, need to look for easier prey, or be stopped altogether. That's good news for the digital world. The goal is not to just prevent attacks but to dismantle models and force cybercriminals to change approaches and techniques, which require time and resources.

To stop bad actors before they attack, you've got to hit them where it hurts. This can include things like developing and deploying playbooks to expose criminals early in the attack cycle. Leveraging artificial intelligence (AI) enables organizations to detect and implement countermeasures before an attack occurs. And sharing threat intelligence enables shields to be raised around the world at the hint of a new attack.

At the same time, law enforcement needs to focus on ways to disrupt the sales cycle. This starts by taking down infrastructure. There needs to be a concerted effort to shut down data havens and service providers that look the other way when their infrastructures are used for criminal activities. But they also need to engage in disruption, like flooding Dark Web marketplaces with deceptive content that makes the entire system too unreliable to use.

Following the money is also critical. Much like police and detectives investigating drug rings and other criminal groups, a lot of this comes down to finding and disabling the finance component. This will require diplomacy and legislative action, and it can't come too soon.

At the same time, organizations need to protect themselves by examining all facets of their own supply chains to ensure strong cybersecurity. This includes requiring third-party suppliers and vendors, both upstream and downstream, to verify and certify their security posture.

None of these efforts can be done alone in silos. This is where partnerships and collaboration are so important and provide an advantage that cybercriminals can't duplicate. Private and public organizations need to work together to share information and resources that can ultimately help disrupt these supply chains. By rendering key elements useless, we can undermine the entire criminal process. In fact, last year, the World Economic Forum launched its Partnership against Cybercrime collaboration focused on this goal.

Turning the Tables
Cybercrime has evolved into a trillion-dollar industry because malicious actors have copied the sound business practices of legitimate enterprise. They have developed their own supply chains, and they use them to disrupt those of their targets. Organizations can fight fire with fire by dismantling criminals' infrastructures, identifying and stopping attacks before they get off the ground, finding and stopping their financial networks, and collaborating with public and private entities. They must also fastidiously watch the security of all elements across their own supply chains to close all potential points of entry for malicious attacks.

About the Author(s)

Derek Manky

Chief Security Strategist & VP Global Threat Intelligence, FortiGuard Labs

As Chief Security Strategist & VP Global Threat Intelligence at FortiGuard Labs, Derek Manky formulates security strategy with more than 15 years of cybersecurity experience. His ultimate goal is to make a positive impact toward the global war on cybercrime. Manky provides thought leadership to the industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work has included meetings with leading political figures and key policy stakeholders, including law enforcement, who help define the future of cybersecurity. He is actively involved with several global threat intelligence initiatives, including NATO NICP, Interpol Expert Working Group, the Cyber Threat Alliance (CTA) working committee, and FIRST, all in an effort to shape the future of actionable threat intelligence and proactive security strategy.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights