02:00 PM
Jack Danahy

Breaking the Endless Cycle of 'Perfect' Cybercrimes

A two-step strategy for creating an attack environment that is more complex, less profitable, and more likely to expose the attacker.

Regardless of their methods, hackers are constantly attempting to improve upon what is essentially a perfect crime — a crime that is simple to execute, is performed with near total anonymity, and, most of all, pays off. These have been the hallmarks of successful crimes and criminals for generations, and it's no surprise that the newest generation of criminals would embrace them as well.

That last component of the perfect crime formula, monetization, has always been the driver, because, after all, crime is almost always about the money. Whether threats take the form of malware, a social attack, or a hack, financial gain serves as the motivation for seven in 10 incidents, according to Verizon's "2019 Data Breach Investigations Report." The incentive is clearly working: the Identity Theft Resource Center reported that the number of records exposed more than doubled, from just under 200 million in 2017 to more than 446 million in 2018. That kind of growth qualifies as a crime wave in any category.

The perfect crime formula has been a consistent predictor of change in the threat space, as attackers apply bottom-line business thinking to their strategies: once profits start declining or attacks begin to fail, cybercriminals evolve their campaigns. As an example, when e-commerce took hold in the 1990s, criminals found ways to steal credit card numbers and go on shopping sprees. When card verification codes were introduced to complicate this strategy and reduce the value of stolen cards, ransomware emerged as the go-to option for hackers. The complexity of the old crime had gone up, so a new, easier attack was needed, and commoditized ransomware fit the need.

Ransomware was a new threat, compromising organizations of all sizes, but with such obvious and catastrophic effects that public notification became common. Ransomware-as-a-service providers arose, attack tools were shared and customized, and widespread attacks became commonplace. When organizations realized the danger, they invested to improve their capacity to recover. As a result, they became less likely to pay the ransom. This reduced the profitability of the crime, and so a newer, more persistent but less obvious attack was needed.

What followed was unauthorized cryptomining (or cryptojacking), which Cisco reported grew 19-fold between March and December 2018. Since then, interest appears to be on the decline, as sharp decreases in cryptocurrency value have made the crime far less profitable, leading to public events such as the shutdown of the browser-based cryptocurrency mining service Coinhive in March 2019.

What's next? Criminals will inevitably come up with something else, and there are several candidates already in play: credential and intellectual property theft, a resurgence in phishing, and business email compromise, in which cybercriminals impersonate C-suite executives and arrange fraudulent wire transfer payments. Social engineering plays a huge role in many of these newer attacks.

Breaking the Cycle
The perfect crime formula stays the same regardless of the actual crime committed, and so does the way hackers get in: by exploiting persistent weaknesses and blind spots within the enterprise. If organizations moved faster to identify and respond to these exposures, they would create an attack environment that is more complex, less profitable, and more likely to expose the attacker. Here are two classic flaws, along with recommendations for fixing them.

Classic Flaw No. 1: A Susceptibility to Dwell Time
Dwell time measures the delay between when a breach begins and when it is discovered. According to the Ponemon Institute and IBM, the mean time to identify a breach is currently 197 days. Attackers are exploiting systems and exfiltrating data for more than half a year before they are noticed, much less contained.

The Fix: Continuous, Ubiquitous Monitoring
Obviously, preventing breaches in the first place is best, but history repeatedly teaches the punishing lesson that some attacks will get through. To detect and contain these attacks, continuous vigilance is necessary, and continuous means 24/7/365. Blind spots are prime targets, so visibility carries a premium. Ubiquitous monitoring describes the need to watch over everything. Enterprise protection is like home security in this respect: if cameras are only turned on at night, robbers will wait until daytime to break in. If cameras can only see what's happening at our entrances, criminals will use the back door. With round-the-clock, pervasive visibility, cybercriminals have no times or places in which to hide their crimes.

Classic Flaw No. 2: Ignoring the Unprotected End User
The end user now ranks as the "weakest security link" within a company, according to survey findings from Tech Pro Research. That's because end-user systems tend to be less well protected, and the users themselves tend to be less aware of the dangers. Security teams have traditionally applied themselves to protecting high-value assets and networks, focusing on servers, data centers, and the traditional internal network. Today's users present a much simpler attack vector because of the growth in cloud technology, mobile devices, and telecommuting, as well as bring-your-own-device and bring-your-own-app programs. Through their activities, end users (whether employees, contractors, supply chain partners, etc.) increase enterprise exposure as adversaries use social engineering to exploit them.

The Fix: Expanding Protection to Wherever the End Users Are
To elaborate upon the home security analogy, we can't concentrate solely on our front and back doors anymore. We need to make sure end users and their systems are safe, wherever they happen to be. This requires better protection of their systems, 24/7/365 monitoring of and visibility into all endpoints, and user behavior analytics to detect and block unusual or threatening activity from a potentially compromised end-user account or system.
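As an added illustration of the user behavior analytics mentioned above (example code written for this page, not the author's or any vendor's product), the following Python script replays a constructed set of login events, builds a per-user baseline of countries, devices, and login hours from successful logins, and raises an alert when an event departs from that baseline in two or more ways at once. The log format, field names, thresholds, and sample events are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

MIN_BASELINE = 3      # successful logins needed before a user's events are scored
HOUR_SLACK = 3        # tolerance (hours) around the user's observed login window
ALERT_THRESHOLD = 2   # number of simultaneous deviations that raises an alert

# Constructed sample log, not real telemetry. Fields: time user country device result
# Timestamps are UTC; a real deployment would baseline hours in the user's local zone.
SAMPLE_LOG = """\
2019-06-03T08:12:04Z alice US laptop-a1 success
2019-06-04T08:40:11Z alice US laptop-a1 success
2019-06-05T09:02:47Z alice US laptop-a1 success
2019-06-06T12:30:00Z alice US phone-a7 success
2019-06-10T03:14:09Z alice RO win-x99 success
2019-06-03T10:00:00Z bob DE laptop-b2 success
2019-06-04T10:05:00Z bob DE laptop-b2 success
2019-06-05T10:01:00Z bob DE laptop-b2 failure
2019-06-05T10:01:30Z bob DE laptop-b2 success
"""


def parse_events(text):
    """Parse whitespace-separated log lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, device, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "country": country,
            "device": device,
            "ok": result == "success",
        })
    return sorted(events, key=lambda e: e["time"])


def new_baseline():
    return {"countries": set(), "devices": set(), "hours": [], "count": 0}


def learn(event, base):
    """Fold a successful login into the user's baseline."""
    base["countries"].add(event["country"])
    base["devices"].add(event["device"])
    base["hours"].append(event["time"].hour)
    base["count"] += 1


def deviations(event, base):
    """List the ways an event departs from the user's established pattern."""
    reasons = []
    if event["country"] not in base["countries"]:
        reasons.append("new_country")
    if event["device"] not in base["devices"]:
        reasons.append("new_device")
    lo = min(base["hours"]) - HOUR_SLACK
    hi = max(base["hours"]) + HOUR_SLACK
    if not lo <= event["time"].hour <= hi:
        reasons.append("off_hours")
    return reasons


def detect(text):
    """Replay the log in time order and return alerts as (iso_time, user, reasons)."""
    baselines = defaultdict(new_baseline)
    alerts = []
    for ev in parse_events(text):
        base = baselines[ev["user"]]
        if base["count"] >= MIN_BASELINE:
            reasons = deviations(ev, base)
            if len(reasons) >= ALERT_THRESHOLD:
                alerts.append((ev["time"].isoformat(), ev["user"], reasons))
                continue  # a flagged login must not be allowed to reshape the baseline
        if ev["ok"]:
            learn(ev, base)  # only successful, unflagged logins extend the baseline
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in detect(SAMPLE_LOG):
        print(f"ALERT {ts} {user}: {', '.join(reasons)}")
```

Two design choices matter here. First, a login that is itself flagged is not folded into the baseline, so an attacker cannot "normalize" a foreign country or unknown device simply by logging in repeatedly. Second, a single deviation (alice's first login from a new phone) is tolerated, because one-off changes are routine; it is the combination of new country, new device, and an off-hours timestamp that marks the later event as worth blocking or investigating.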

Fortunately, in the real world, few crimes are perfect. Criminals are tripped up by accomplices and random events. In the cyber world, the bad guys are having more success, given the more deterministic nature of the attack vectors and the victims. Through continuous monitoring, total visibility, and improved end user protection, we can close the gaps that adversaries are seeking to exploit, and break the endless cycle of threats to the enterprise. Protection will never be perfect, but these kinds of improvements will make cybercrime less of a perfect option for criminals.

As SVP, Security, Jack Danahy engages with customers and the industry on company product strategy. Danahy is an innovative security technology leader with proven success creating, delivering, and promoting new security technologies and practices to address critical needs. He ...

6/30/2019 | 3:46:27 PM
Root cause of the problem
I think it is much easier than that:
  • The money divide between the haves and have-nots
  • People have been killed (drone strikes and war) and the individuals who want revenge
  • Nation-states have sent viruses and teams to spy on other nation-states (i.e. Stuxnet, Nitro-Zeus, Pegasys, NSA-TAO teams, China's Red-teams, Prism, Thinthread, Trailblazer, etc)
  • CONUS and Abroad Governments want to control and extend their reach

This is based on four historic things:
  • Revenge
  • Money/Greed
  • Spying/Warfare
  • Control

Once we identify the root cause of the problem (Greed, Money and Power) and address it from a morality standpoint (stop putting emphasis on the dollar and more on human life), the hacks and security concerns will be reduced to a thing of the past. Once people begin to see life as the most important currency and start treating each other with higher levels of respect, then we will start to see the changes, but until then we will remain in a revolving cycle of turmoil.
