Threat Perspective: Risky Business, A Look Inside the Threat Actor Studio

There’s no denying that cyber crime has become a business, and business is booming. British insurance giant Lloyd’s of London estimated the cyber crime market at $400 Billion in 2015. As a result, the World Economic Forum estimates that the total economic cost of cybercrime to currently be $3 trillion worldwide. However, Microsoft predicts that by 2020, data volumes online will be 50 times greater than today. This has led Cybersecurity Ventures to predict that cybercrime will cost the world in excess of $6 trillion annually by 2021. Juniper Research estimates that “the rapid digitization of consumers’ lives and enterprise records” will be a major factor in driving up the cost of data breaches.

In 2016, Ponemon Institute’s 11th annual Cost of Data Breach Study found the average total cost of a data breach grew from $3.8 million to $4 million. That’s for a single breach! And we anticipate that not only will the cost per breach continue to grow, but the number of breaches will increase as well.

We recently talked with Ladi Adefala to get a better understanding of how the dark, mysterious underground of cyber crime is helping to fuel this growth, and how it impacts businesses and individuals.

What is going on in the fast-growing underground business of cyber crime, and why should I care?

One of the forces behind the explosive growth of cyber crime is that illegal business can be safely conducted deep in a part of the Internet that most people have never seen, and have no idea how to access. Called the “darknet” by some, this part of the Internet lies beyond normal web browsers, is cloaked in anonymity, and has become a haven for criminal commerce, including cyber crime.

A peek into “the belly of the beast” (also referred to as the underground, the deep web, onion land, etc.) is necessary to understand this growing business. Why should you care about what goes on in the underground? Because cyber threats and the techniques employed by threat agents are constantly changing. Threats are generated in the hundreds of thousands every day on the darknet, targeting organizations and individuals alike. The more we understand these threats, and how the business of cyber crime works, the better we will be prepared to protect ourselves against them.

Just as legitimate businesses have employees reporting to work everyday for profit, threat actors and agents run their businesses in much the same way. There are three broad segments of the threat marketplace: producers, consumers, and enablers.

Who are the producers of cyber threats, and how are they contributing to the explosive growth of the business?

Producers are the “rain makers” of this underground business, developing tools and instruments that are used to generate multiple threats at machine speed. These threats in turn create risks
for you and your organization. One especially troubling development in cyber threat production is the recent appearance of some very low-priced tools. In the world of ransomware, for example, the relatively new Stampado v2 ransomware is available for anyone to purchase for the price of just $39 in Bitcoins. That is a steal in comparison to other ransomware tools that have cost as much as $1,800. New trends, such as Ransomware as a Service (RaaS), may drive the costs and skill level required to enter this criminal market even lower.

The significant implication of this considerable price difference is that
the barrier to entry for this risky business is now very low, which results in a higher volume and frequency of cyber threats, all coming at you fast. At Fortinet’s FortiGuard Labs, we see up to 50 billion threats a day and leverage our machine learning algorithms to help analyze them.

What are the two types of consumers of illegal and malicious goods on the deep web?

The consumer landscape is vast and complex, with all forms of illegal and malicious goods and services available. These include gift cards, illegal drugs, crimeware, data dumps, tools for cracking EMV chip cards, and more. In the deep web, consumers fall into two broad categories: buyers and renters.

Today, the number of illegal options available for purchase is staggering. Buyers can get stolen gift cards, gift cards purchased with stolen credit cards, or simply stolen credit card numbers. They can purchase tools for committing cyber crime, and can even purchase tutorials to learn how to use them. Many malware creators offer both software for sale and malware-as-a-service in the SaaS model for a range of prices.

Another interesting listing for buyers is TED. This business leverages
the brand recognition of TED Talks (ideas worth spreading)
to market their offerings. For them, TED stands for Targeted Executive Disclosures (ideas worth paying for). This invite-only service offers buyers confidential documents, data, and identification numbers from across financial, healthcare, and retail industries. All of these data elements can then be used for subsequent attacks. The bidding price for some TED packages can start as high as $500K in bitcoins.

The other option for consumers in the cyber crime underground is renting. One of the most popular services available is the rental of botnets (networks of Internet-connected devices infected with malicious software and controlled as a group without the owners' knowledge). Originally used to send spam emails, a majority of botnet rentals today are used for DDoS web-based attacks, scaling up to terabit-grade. Which is why I am recommending that organizations reassess their DDoS strategy to ensure it can sustain terabit-grade attacks..

Renting also extends to the services of hackers (not the ethical kind) and ghost development services. These rentals typically involve requesting the services of a hacker or team of hackers to complete the actual malicious activity or to develop the required tools to be used in launching a cyber attack.

Who are the enablers that make it easier to purchase illegal goods related to cyber crime?

The growth of these risky business models has also spawned a category of threat agents called enablers. These are the service offerings that facilitate darknet business transactions, making it easier to purchase goods and services, and even mitigating the risk associated with these transactions. There are several of these – escrow services, money mules, consultants – with the newest being darknet insurance services.

Yes, similar to conventional insurance, you can actually protect yourself against loss when buying malicious products from low reputation sellers on the underground. How it works: the buyer identifies the product or service they want to buy and sends the details to the insurer. The insurance service researches the seller and provides a buy or no-buy recommendation. If the buyer goes against their no-buy recommendation and gets scammed, he loses his money, but if he follows a buy recommendation and gets scammed, the insurance covers his loss.

Cyber threats are coming at us faster than ever. How do businesses mitigate the risk?

The speed with which the business of cyber crime is growing can be attributed, at least in part, to the declining barriers to entry we just described: decreasing prices of threat creation tools, ease of access to crime services, and the promotion of risk-free transactions. Additionally, the reward potential for these risky businesses is on the increase as the addressable cyber crime market grows into tens of billions of dollars.

To help mitigate the risks associated with these cyber threats, it’s important to consider a comprehensive strategy that includes actionable threat intelligence. Actionable intelligence about new threats and methods is crucial to improving the overall security posture of your organization, as well as your cyber protections outside of work. By “actionable,” we mean information that’s designed to result in meaningful action, such as updating devices, creating new security policies, or hardening vulnerable or targeted systems.

New and emerging threats characterized by attributes and actionable IOCs (indications of compromise) can help reduce the impact of these threats, and in some cases also stop and/or prevent them. Additionally, the benefits of actionable threat intelligence extend to include prioritization of risk, as noted in the report Gartner Predicts 2017 (Threat and Vulnerability Management).

Another tool in battling these growing threats is collaboration, or the sharing of threat intelligence between organizations and nations. A powerful example of threat collaboration is the efforts by FortiGuard Labs, Interpol, and another security vendor, where our threat research and intelligence was instrumental in uncovering a $60M+ cyber criminal ring. A strong proponent of these types of cooperative efforts, Fortinet is also a founding member of the Cyber Threat Alliance, an industry association focused on harnessing the benefits of collaboration and threat information sharing.

What is Fortinet Doing to Help?

FortiGuard Labs offers actionable intelligence that can be delivered and integrated with existing solutions. FortiGuard Labs threat intelligence combines strategic, tactical, and operational insights into actionable controls automatically delivered to your security products. Furthermore, it accounts for the perishable nature of threat artifacts by ensuring that actionable intelligence is validated, timely, and production-ready. The value of our threat intelligence can be seen not only in the 2M+ customers that we protect, but also in our collaboration with partners, as illustrated by the joint FortiGuard-Interpol case cited above. Fortinet and FortiGuard Labs remain committed to serving and providing continued threat research designed to guide leaders worldwide in improving their mitigation strategies.