
Cybercrooks Think More Like CEOs And Consultants Than You Think

Speaking the language of the board room, and understanding things like value chain and SWOT analysis, might help you speak the language of the adversary.

As enterprise security leaders plan out their IT risk management strategies, it is absolutely crucial that they understand the business motives behind cybercrime. Criminal profits drive the vast majority of security incidents today, and the cybercrime marketplace has coalesced to the point where most organized cyber criminals have a sophisticated value chain supporting the delivery of numerous thieving lines of business. It has reached the point where the most damaging cyber crooks think more like CEOs and consultants than techies. The better that enterprises can understand their adversaries' mindset, the more effective they'll be at reducing risk, explains a new report by Hewlett Packard Enterprise.

"To truly disrupt the business of hacking is to increase the cost of the attacker’s business, erode their profits, and increase the time it takes to successfully execute an attack and sale," explained the report, which took a thorough look at the gears turning the cyber underground.

The paper took a deep dive into 10 different types of businesses supported by this mature marketplace -- including old reliable kinds like ad fraud, extortion, or credential harvesting -- and analyzed them based on profit variables. It also explained a lot of the guiding principles, culture, and market conditions that drive cybercrime today. The nut of it is that cybercrime looks more like an enterprise than many people might think.

For example, the authors highlighted the fact that some cybercriminals even operate under banker's hours, running on a 9 a.m. to 4 p.m., Monday through Friday basis, with Monday the busiest day of the week as the bad guys catch up from the weekend.

Among the highlights are three big ways that the cyber underground has evolved, an understanding of which could potentially help CISOs and other security leaders.


The Value Chain Is Intricate

The business of cybercrime is highly segmented and specialized, with a value chain that contributes to the "end product" of theft and fraud. This includes subcomponents that fit within categories like human development -- including recruitment and education -- as well as operations, technical development, and marketing and sales.


Each Line Of Business Follows A Maturity Curve

The different types of fraud and theft follow an industry growth maturity curve, much as a line of business or product line would within a legitimate business.

"The progression of credit card fraud provides a good example of this maturity curve. While there is still big money to be made in credit card fraud, the market is flooded and the business is in the declining phase," the report explains. "The introduction of EMV chip and pin cards in the United States will make it harder for attackers to make money on 'card-present' transaction fraud. Even slowing them down a little will negatively affect their profits and we should do it more often. The maturity curve restarts when new technologies are introduced, such as mobile payments. This full curve can mature much faster in cyber businesses than in traditional business."


Their SWOT Analysis Probably Looks Like Yours

Most savvy cybercriminals will weigh their costs and risks carefully against the potential payout for whatever line of business they operate within. More than likely, their strengths, weaknesses, opportunities, and threats (SWOT) analysis looks a lot like the typical legitimate business's. Coming from the lawful side of this, enterprises also need to understand this SWOT grid to be able to diminish the strengths and opportunities while playing up the weaknesses and threats of these adversaries.

"By knowing our competitors’ business goals, strengths, and weaknesses we can arrive at ways to reduce their competitive advantage," the report explains. "If attackers want to increase their profits, it is our job as their competitor to reduce their profits." 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
