A two-step strategy for creating an attack environment that is more complex, less profitable, and more likely to expose the attacker.

Jack Danahy, Vice President of Strategy and Innovation, NuHarbor Security

June 26, 2019

5 Min Read

Regardless of their methods, hackers are constantly attempting to improve upon what is essentially a perfect crime — a crime that is simple to execute, is performed with near total anonymity, and, most of all, pays off. These have been the hallmarks of successful crimes and criminals for generations, and it's no surprise that the newest generation of criminals would embrace them as well.

That last component of the perfect crime formula, monetization, has always been the driver, because, after all, crime is almost always about the money. Whether threats take the form of malware, a social attack, or a hack, financial gain serves as the motivation for seven of 10 incidents, according to Verizon's "2019 Data Breach Investigations Report." The motivation is clearly working: the Identity Theft Resource Center reported a doubling of the number of records exposed from just under 200 million in 2017 to more than 446 million in 2018. That kind of growth qualifies as a crimewave in any category.

The perfect crime formula has been a consistent predictor of change in the threat space, as attackers apply bottom line business thinking to their strategies: Once profits start declining and/or attacks begin to fail, cybercriminals have evolved their campaigns. As an example, when e-commerce took hold in the 1990s, criminals found ways to steal credit cards and go on shopping sprees. But when card verification codes were introduced to complicate this strategy and reduce the value of stolen cards, ransomware emerged as the go-to option for hackers. The complexity of the crime had gone up, so there needed to be a new, easier attack, and commoditized ransomware fit the need.

Ransomware was a new threat, compromising organizations of all sizes, but with such obvious and catastrophic effects that public notification became common. Ransomware-as-a-service providers arose, attack tools were shared and customized, and widespread attacks became commonplace. When organizations realized the danger, they invested to improve their capacity to recover. As a result, they became less likely to pay the ransom. This reduced the profitability of the crime, and so a newer, more persistent but less obvious attack was needed.

What followed was unauthorized cryptomining (or cryptojacking), which grew 19-fold from March to December 2018 according to Cisco. Since then, interest appears to be on the decline, as sharp decreases in cryptocurrency value have made the crime far less profitable, leading to public events like the shutdown in March of cryptocurrency miner provider Coinhive.

What's next? Criminals will inevitably come up with something else, and there are several candidates already in play: credential and IP thefts, a resurgence in phishing attacks, and business email compromises, in which cybercriminals impersonate C-suite executives and arrange for fraudulent wire transfer payments. In many of the new attacks, social engineering plays a huge role.

Breaking the Cycle
If the perfect crime formula remains the same regardless of the actual crime committed, so does the fact that hackers are exploiting persistent weaknesses and blind spots within the enterprise. If organizations moved faster to identify and respond to these exposures, they'd create an attack environment that was more complex, less profitable, and more likely to expose the attacker. Here are two classic flaws — and recommendations on fixing them.

Classic Flaw No. 1: A Susceptibility to Dwell Time
Dwell time measures the delay between when a breach begins and when it is discovered. According to the Ponemon Institute and IBM, this currently takes a mean time of 197 days. Attackers are exploiting systems and exfiltrating data for more than half of a year before they are noticed, much less contained.

The Fix: Continuous, Ubiquitous Monitoring
Obviously, preventing breaches in the first place is best, but history repeatedly teaches the punishing lesson that some attacks will get through. To detect and contain these attacks, continuous vigilance is necessary, and continuous obviously means 24/7/365. Blind spots are also prime targets, so visibility carries premium value. Ubiquitous monitoring describes the need to watch over everything. Enterprise protection is like home security in this respect: If cameras are only turned on at night, then robbers will wait until daytime to break in. If cameras can only see what's happening at our entrances, then criminals will use the back door. Through round-the-clock, pervasive visibility, cybercriminals have no go times or places to hide their crimes.

Classic Flaw No. 2: Ignoring the Unprotected End User
The end user now ranks as the "weakest security link" within a company, according to survey findings from Tech Pro Research. That's because these systems tend to be less well-protected, and these users tend to be less aware of the dangers. Security teams have traditionally applied themselves to protecting high-value assets and networks, focusing on servers, data centers and the traditional, internal network. Today's users present a much simpler attack vector because of the growth in the use of cloud technology, mobile devices, and telecommuting, as well as bring-your-own-device and bring-your-own-app programs. Through their activities, end users (whether employees, contractors, supply chain partners, etc.) increase enterprise exposure as adversaries leverage social engineering to exploit them.

The Fix: Expanding Protection to Wherever the End Users Are
To elaborate upon the home security analogy, we can’t solely concentrate on our front and back doors anymore. We need to make sure end users and their systems are safe, wherever they happen to be. This requires improvements in our protection of their systems, 24/7/365 monitoring/visibility of all endpoints, and even user behavior analytics to detect and block unusual or threatening activity from a potentially breached end user account or system.

Fortunately, in the real world, few crimes are perfect. Criminals are tripped up by accomplices and random events. In the cyber world, the bad guys are having more success, given the more deterministic nature of the attack vectors and the victims. Through continuous monitoring, total visibility, and improved end user protection, we can close the gaps that adversaries are seeking to exploit, and break the endless cycle of threats to the enterprise. Protection will never be perfect, but these kinds of improvements will make cybercrime less of a perfect option for criminals.

Related Content:

About the Author(s)

Jack Danahy

Vice President of Strategy and Innovation, NuHarbor Security

Jack Danahy is the Vice President of Strategy and Innovation at NuHarbor Security where he spearheads the research and development of their unified security service platform, striving to simplify cybersecurity for all organizations. He is also a managing partner at Almanna Cyber Fund, an early-stage cybersecurity investment firm.

Prior to joining NuHarbor, Jack founded three successful security software companies that were acquired by Watchguard Technologies, IBM, and Alert Logic. Following these acquisitions, Jack continued as a senior executive entrusted with strategy, messaging, and corporate development. In addition to business leadership, Jack has received 12 patents for his security innovation.

Jack is a sought-after cybersecurity speaker and writer. You can listen to him weekly as a co-host of Pwned, a cybersecurity podcast. His insights and opinions have also been featured in prestigious publications such as Forbes, Fortune, the NYTimes, and the Washington Post, solidifying his influence and expertise.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights