Dark Reading is part of the Informa Tech Division of Informa PLC

02:00 PM
Jack Danahy

Breaking the Endless Cycle of 'Perfect' Cybercrimes

A two-step strategy for creating an attack environment that is more complex, less profitable, and more likely to expose the attacker.

Regardless of their methods, hackers are constantly attempting to improve upon what is essentially a perfect crime — a crime that is simple to execute, is performed with near total anonymity, and, most of all, pays off. These have been the hallmarks of successful crimes and criminals for generations, and it's no surprise that the newest generation of criminals would embrace them as well.

That last component of the perfect crime formula, monetization, has always been the driver, because, after all, crime is almost always about the money. Whether threats take the form of malware, a social attack, or a hack, financial gain serves as the motivation for seven of 10 incidents, according to Verizon's "2019 Data Breach Investigations Report." The motivation is clearly working: the Identity Theft Resource Center reported a doubling of the number of records exposed from just under 200 million in 2017 to more than 446 million in 2018. That kind of growth qualifies as a crimewave in any category.

The perfect crime formula has been a consistent predictor of change in the threat space, as attackers apply bottom-line business thinking to their strategies: Once profits start declining and/or attacks begin to fail, cybercriminals evolve their campaigns. As an example, when e-commerce took hold in the 1990s, criminals found ways to steal credit cards and go on shopping sprees. But when card verification codes were introduced to complicate this strategy and reduce the value of stolen cards, ransomware emerged as the go-to option for hackers. The complexity of the crime had gone up, so there needed to be a new, easier attack, and commoditized ransomware fit the need.

Ransomware was a new threat, compromising organizations of all sizes, but with such obvious and catastrophic effects that public notification became common. Ransomware-as-a-service providers arose, attack tools were shared and customized, and widespread attacks became commonplace. When organizations realized the danger, they invested to improve their capacity to recover. As a result, they became less likely to pay the ransom. This reduced the profitability of the crime, and so a newer, more persistent but less obvious attack was needed.

What followed was unauthorized cryptomining (or cryptojacking), which grew 19-fold from March to December 2018 according to Cisco. Since then, interest appears to be on the decline, as sharp decreases in cryptocurrency value have made the crime far less profitable, leading to public events like the shutdown in March of cryptocurrency miner provider Coinhive.

What's next? Criminals will inevitably come up with something else, and there are several candidates already in play: credential and IP thefts, a resurgence in phishing attacks, and business email compromises, in which cybercriminals impersonate C-suite executives and arrange for fraudulent wire transfer payments. In many of the new attacks, social engineering plays a huge role.

Breaking the Cycle
If the perfect crime formula remains the same regardless of the actual crime committed, so does the fact that hackers are exploiting persistent weaknesses and blind spots within the enterprise. If organizations moved faster to identify and respond to these exposures, they'd create an attack environment that was more complex, less profitable, and more likely to expose the attacker. Here are two classic flaws — and recommendations on fixing them.

Classic Flaw No. 1: A Susceptibility to Dwell Time
Dwell time measures the delay between when a breach begins and when it is discovered. According to the Ponemon Institute and IBM, the mean is currently 197 days. Attackers are exploiting systems and exfiltrating data for more than half of a year before they are noticed, much less contained.

The Fix: Continuous, Ubiquitous Monitoring
Obviously, preventing breaches in the first place is best, but history repeatedly teaches the punishing lesson that some attacks will get through. To detect and contain these attacks, continuous vigilance is necessary, and continuous means 24/7/365. Blind spots are also prime targets, so visibility carries premium value. Ubiquitous monitoring describes the need to watch over everything. Enterprise protection is like home security in this respect: If cameras are only turned on at night, then robbers will wait until daytime to break in. If cameras can only see what's happening at our entrances, then criminals will use the back door. With round-the-clock, pervasive visibility, cybercriminals are left with no safe times to act and no places to hide their crimes.

Classic Flaw No. 2: Ignoring the Unprotected End User
The end user now ranks as the "weakest security link" within a company, according to survey findings from Tech Pro Research. That's because end users' systems tend to be less well protected, and the users themselves tend to be less aware of the dangers. Security teams have traditionally applied themselves to protecting high-value assets and networks, focusing on servers, data centers and the traditional, internal network. Today's users present a much simpler attack vector because of the growth in the use of cloud technology, mobile devices, and telecommuting, as well as bring-your-own-device and bring-your-own-app programs. Through their activities, end users (whether employees, contractors, supply chain partners, etc.) increase enterprise exposure as adversaries leverage social engineering to exploit them.

The Fix: Expanding Protection to Wherever the End Users Are
To elaborate upon the home security analogy, we can’t solely concentrate on our front and back doors anymore. We need to make sure end users and their systems are safe, wherever they happen to be. This requires improvements in our protection of their systems, 24/7/365 monitoring/visibility of all endpoints, and even user behavior analytics to detect and block unusual or threatening activity from a potentially breached end user account or system.

Fortunately, in the real world, few crimes are perfect. Criminals are tripped up by accomplices and random events. In the cyber world, the bad guys are having more success, given the more deterministic nature of the attack vectors and the victims. Through continuous monitoring, total visibility, and improved end user protection, we can close the gaps that adversaries are seeking to exploit, and break the endless cycle of threats to the enterprise. Protection will never be perfect, but these kinds of improvements will make cybercrime less of a perfect option for criminals.

As SVP, Security, Jack Danahy engages with customers and the industry on company product strategy. Danahy is an innovative security technology leader with proven success creating, delivering, and promoting new security technologies and practices to address critical needs. He ...

User Rank: Ninja
6/30/2019 | 3:46:27 PM
Root cause of the problem
I think it is much easier than that:
  • The money divide between the haves and have-nots
  • People have been killed (drone strikes and war) and the individuals who want revenge
  • Nation-states have sent viruses and teams to spy on other nation-states (i.e. Stuxnet, Nitro-Zeus, Pegasus, NSA-TAO teams, China's Red-teams, Prism, Thinthread, Trailblazer, etc.)
  • CONUS and Abroad Governments want to control and extend their reach

This is based on four historic things:
  • Revenge
  • Money/Greed
  • Spying/Warfare
  • Control

Once we identify the root cause of the problem (Greed, Money and Power) and address it from a morality standpoint (stop putting emphasis on the dollar and more on human life), the hacks and security concerns will be reduced to a thing of the past. Once people begin to see life as the most important currency and start treating each other with higher levels of respect, then we will start to see the changes, but until then, we will remain in a revolving cycle of turmoil.
