Over the past few years we’ve seen cybercriminality evolve like never before, with hackers continually inventing new ways of breaching the data of companies both large and small. With this we’ve also seen the motivations behind cybercrime develop to become as diverse as the individuals who now carry out these attacks.
Although the majority of attacks are still financially motivated, gone are the days when hackers were simply after money. Company secrets, business ideas, designs – these are now far more valuable to cyber-criminals than straightforward cash.
Aside from financial gain, the prevalence of attacks carried out in the name of political, religious or social beliefs (breaches performed by hacktivist movements such as Anonymous are a prime example) has skyrocketed in recent years.
With hackers always finding new ways to use everything from advanced persistent threats to low-skilled social engineering, organizations are constantly at risk of becoming victims of cybercrime, and even more so if they are not regularly examining where, and from whom, the risks are manifesting.
In a recent presentation ‘The Unusual Suspects’ Dr Adrian Nish, Cyber Head of Threat Intelligence at BAE Systems, discussed the six specific cybercriminal ‘suspects’ that companies are facing, each with their own incentives, methods and levels of risk.
Firstly, we have ‘The Mule’ – these are casual criminals, the weakest link in the chain. They often work from home, internet cafés or free Wi-Fi spots and are used by others to launder stolen proceeds through online bank accounts. Driven by greed and fear, these criminals are the most likely to be arrested or face prosecution.
Second is ‘The Professional’ – working 9-to-5 days, these individuals often have experience in traditional organized crime and exhibit knowledge of avoiding detection, understanding the structure of the businesses they breach. Engaged in running cold-calling scams, writing software for other criminals or propping up supply chains, ‘The Professional’ regularly has a solid reputation and a network of contacts.
‘The Nation State Actor’ – attempting to gain access to valuable data or intelligence to create incidents of international significance, these suspects work for governments, often motivated by nationalism and by disrupting other countries. They go to extreme lengths to cover their tracks, and their strong links with the military, intelligence or state control apparatus within their homeland allow them to work freely without fear of legal retribution.
Next up is ‘The Getaway’ – so named because they are often too young to be held accountable for their actions and, if caught, most get off with a ‘slap on the wrist’. Though their hacking skills are basic, they are keen to impress their peers and use their online skills to quickly develop new knowledge. They are also likely to be manipulated and influenced by more experienced criminals, who use them as proxies or diversions.
The penultimate suspect is ‘The Activist’ – commonly using the internet to voice their political, religious or social standpoint, these hackers target specific individuals or groups they disagree with. Hell-bent on disrupting and discrediting their victims, ‘The Activist’ often treads a fine line between being a ‘freedom fighter’ and a ‘terrorist’. With their attacks usually not influenced by financial gain, they frequently receive funding through non-hierarchical arrangements with multiple sponsors.
Lastly, we have ‘The Insider’ – coming in various guises (disgruntled staff member, blackmail victim, well-meaning innocent), these are perhaps the hardest suspect to defend against. Whilst they may harbour malicious intent to purposefully encrypt valuable files or change system configurations, they can also be well-intentioned employees who unknowingly put their company at risk by doing something as simple as clicking on a suspicious link in a phishing email, which opens the door to a hacker. Their position within an organization and their knowledge of its network mean they can be as destructive as the most sophisticated piece of malware.
Companies have to be mindful of the fact that attacks will often involve several or all of these different suspects, working together and each manipulating their piece of the puzzle to collectively reach the goal of successfully breaching their target. Also, as Dr Nish explained in a statement to Infosecurity, whilst it hasn't traditionally been common for one type of 'suspect' to 'pose' as another, there is starting to be some "blurring of the lines" between the different groups.
He added:
"The most concerning is the use of commonplace criminal capabilities and infrastructure by espionage actors. The potential for misclassification means that investigators are likely to underestimate the significance of an attack, meaning they may not devote enough resources to fully investigating. Cyber-attacks can have multiple components, and leave plenty of places for the bad guys to hide and misdirect defenders. Having a strong internal Threat Intelligence function, or the ability to reach out to subject matter experts for advice, is key to understanding the risk from newly discovered attacks."