[Excerpted from "How Cybercriminals Choose Their Targets and Tactics," a new, free report posted this week on Dark Reading's Advanced Threats Tech Center.]
When police officers go undercover, they must successfully blend into an environment that few of us would ever willingly choose to live in. Good undercover officers know the tactics of traditional criminals because they live in the criminals' world. They study the criminals' tactics, tools and psyches, and can thus anticipate certain behaviors because they understand the end goals.
In some respects, staying a step ahead of cybercriminals is much more difficult than staying ahead of your average street criminal. You won't catch black-hat hackers with traditional surveillance, because they can inflict as much damage in their pajamas as they could if they got dressed and robbed a bank.
Cybercriminals often fit no specific profile. They can effectively hide their tracks through proxies and spoofing. They change their tactics often, and they are adept at hiding tools and other malicious code through obfuscation. Good cybercriminals understand the digital trails they leave, and how easy or hard it is for big-business security tools to detect those activities.
And unlike many security pros, good cybercriminals can code. Talented black hats enjoy decompiling a piece of commercial software for fun,or coding a new botnet with a feature set that is a security admin's worst nightmare.
So how do you defend yourself against an ever-evolving, nameless, faceless enemy that adapts to your defenses as quickly as you can deploy them? The unfortunate reality is that you can never fully defend yourself against a truly skilled cybercriminal, but you can certainly make your organization a more difficult target by deploying the right tools and implementing the right best practices.
A security pro's best defense is to act like an undercover cop, gaining intimate knowledge of how the bad guys operate. Attackers care about advanced cryptography, decompilers and reverse-engineering methods. They know about APIs and SQL. Indeed, as a security pro, you won't necessarily get the knowledge you need to protect your organization by studying for a CISSP all day long -- you need to spend time living in the world that cybercriminals inhabit.
Before motivated attackers can launch a strike, they need to target a victim. The choice of target depends largely on the motive for an attack, but it also depends on organizations' vulnerability to attack.
While some cybercriminals focus their efforts on spreading damage far and wide through malware development, others are content to troll the Internet for sites that are vulnerable to a more direct attack. A black hat who is trolling around for a victim generally uses a simple methodology to set up an attack, but step one of that process always requires the discovery of a target.
The most effective way to select a target is to use a vulnerability scanner. Every organization has exposed public-facing services that could be used as a conduit for attack, and vulnerability scanners and bots can make quick work of finding potential targets for attacks.
Some black hats prefer to exploit network-centric vulnerabilities, so they will unleash scanners on your externally facing IP block, looking to attack hosts listening for SSH, FTP, HTTP, Telnet and RDP (to name a few). Other attackers will use vulnerability scanners to look for externally facing sites that are vulnerable to SQL injection, cross-site scripting attacks or local or remote file include attacks. If an attacker is motivated to hit a specific application or database, then multiple vulnerabilities may be exploited to set up an attack.
To read more about cybercriminals' methods of choosing a target and an attack -- and what you can do to reduce your chances of being a victim -- download the free report.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.