
HPE report lays bare inner workings of cyber criminal economy

A Hewlett Packard Enterprise (HPE) report shows business how cyber criminals operate and how to disrupt them at each step of their criminal value chain

The value chain driving cyber crime provides insights into improving enterprise cyber defences, according to a report from Hewlett Packard Enterprise (HPE).

The Business of Hacking report explores hacking as a business, assesses the underlying economy driving cyber crime and analyses the motivations behind attacks.

The report – based on data and observations from HPE security teams, open source intelligence and other industry reports – analyses the value chain illegal organisations have established to expand their reach and maximise profits.

Based on this insight, the report provides actionable recommendations for enterprises to mitigate risk through disrupting cyber criminal groups.

Cyber criminals are increasingly using sophisticated management principles in creating and expanding their operations to increase their impact and financial profit, researchers found.

These are the core motivations for nearly all attack groups today, the report said, noting that enterprises can use this knowledge to disrupt criminal organisational structures and mitigate risks.

“Organisations that think of cyber security as purely another checkbox often do not benefit from the value in high fidelity cybersecurity intelligence,” said Andrzej Kawalec, head of security research and chief technology officer at HPE Security Services.

“This report gives us a unique perspective on how our adversaries operate and how we can disrupt them at each step of their criminal value chain,” he said. 

“This kind of analysis is a good and valuable way to change the perspective to enable organisations to change their defensive strategies.”


Operating model imitates business

Today’s cyber criminals often create a formalised operating model and value chain similar in structure to those of legitimate businesses, the report said, and in so doing deliver greater return on investment throughout the attack lifecycle.

According to the report, if enterprise security leaders, regulators and law enforcement are to disrupt the attackers’ organisation, they must first understand every step in the value chain of this underground economy.

Critical elements of the cyber criminal value chain are remarkably like those in legitimate businesses and typically include human resources management, operations management, technical development, marketing and sales, and outbound logistics for delivering cyber criminals’ goods and services.

“Cyber criminals are highly professional, have robust funding and are working together to launch concentrated attacks,” said Chris Christiansen, program vice-president, security products and services at research and analysis firm IDC.

“The HPE Business of Hacking Report offers key insight for legitimate organisations to better disrupt adversaries and mitigate risks by understanding how they are operating and maximising profits.”

How to defend against cyber attack

By understanding the business aspects and drivers of hacking, said Christiansen, enterprises can begin to disrupt the players and the marketplace.

The goal is to make it more expensive for these businesses to operate and/or increase the risk beyond acceptable levels for the attackers, the report said.

HPE recommends a number of approaches for enterprise security professionals to better defend against cyber criminals:

  1. Reducing profits by encrypting data to prevent it from being sold;
  2. Reducing the attack surface by developing secure systems and protecting all data exchanges;
  3. Learning from the adversaries by using deception grids or dummy networks to monitor attacker behaviour.

Although cyber criminals are extremely collaborative and have easy access to open source tools and skills, the report said hacking businesses are also full of weaknesses – such as a natural lack of trust and paranoia fostered by the code of anonymity among attackers.

This paranoia is the largest opportunity for offensive attacks from those looking to disrupt the business of hacking, the report said. This could be done by seeding mistrust to disrupt sales and operations, and undermining a supplier’s reputation.

Kawalec said that, while the security industry has been talking about a global, integrated and co-ordinated cyber criminal industry for years, this report documents for the first time the motivations, the organisational structures and the profit models of the cyber criminal value chain.

“Mapping out the value chain – how monetary gain is created, how these organisations are able to scale and repeat their operations – has helped put hacking in the context of any other industry, and confirmed that we need to look for a much more structured and industrial adversary,” he said.

Analysing risk/benefit ratio of crime

The report also plots cyber criminal activities according to increasing payout on the vertical axis and decreasing effort and risk on the horizontal axis.

“This graph immediately identifies ad fraud as having one of the highest potential payouts, while having the lowest effort and risk at the same time,” said Kawalec.

“From a defensive perspective, we note that there is a high-value and relatively easy target for fraud so, as an industry, we need to address it and close that loophole.

“When we think of the profit model, it allows us to start industrialising our defences instead of tackling adversaries on a case by case basis.”

Kawalec said that, by looking at the patterns of infrastructure use by attackers and how quickly they cycle through different recruitment techniques, defenders can respond whenever common models appear.

“We can also disrupt the recruitment process through wider education so that people do not inadvertently become enablers of cyber crime,” he said.

Finally, Kawalec said the economic perspective of cyber crime underlines the importance of making it more difficult and therefore less cost-effective for attackers to access data.

“Security professionals need to focus not only on defending the organisation, but on hardening the protections for the data itself,” he said.
