KnowBe4’s Stu Sjouwerman offers a peek into the ways of a cybercriminal, providing organizations unique insights into how they can strengthen their cybersecurity strategy.
With everything digital becoming automated and connected, a cyber pandemic could spread faster than a biological virus and create a far more devastating impact. Leaders and businesses must ready themselves to fight this new battle. One of the first things any battleground will teach you is that you should know your enemy by learning to think like them.
The Motive: Why Hackers Hack
Obviously, a vast majority of attackers are after money. But not all of them.
Nation-state adversaries infiltrate governments to steal military and political intelligence, or target companies abroad to give their own country's firms an edge in a competitive bid. Some nation-state attackers are after money: U.S. federal agencies recently warned of a North Korean hacking group known as the "BeagleBoyz," which has been actively siphoning money from banks across 30 countries. Russia and China also run disinformation campaigns that target voters and seek to manipulate elections.
Other attackers are ordinary people: disgruntled former employees, people hired for corporate espionage, or even trusted insiders. Some are hacktivists with political agendas or personal objectives, or who simply despise your organization and want to disrupt operations by causing financial harm and public embarrassment. The Anonymous collective, for example, may consider its motives ethical, but its actions are still criminal.
The emergence of virtual currencies is another big motivation for attackers. Mining cryptocurrency like Bitcoin requires a lot of computing power, so attackers use botnets to commandeer thousands of computers and pool their spare CPU cycles to mine it; in one recent year these so-called "cryptojacking" attacks on cloud servers surged by 250 percent. Online gaming is another industry that moves a lot of virtual currency, and hackers target gamers because their accounts hold real money: some 10 billion attacks on gamers were reported over a two-year period, and by recent estimates the trade in stolen gaming accounts on the dark web has become a $1 billion business.
Some cybercriminals have also evolved into organized syndicates. These malicious corporations employ hundreds of people and continuously target big companies to fuel their growth. The best-known large, professionalized operation is Russia's Internet Research Agency, a troll farm rather than a hacking crew; in its appeals for donations, the fact-checking site Snopes.com likes to point out that it fields 10 newsroom employees against the IRA's headcount of 1,000. Then there was the infamous and now-defunct London-based Cambridge Analytica, a political consultancy used by campaigns in democracies including Australia, India, the U.K. and the U.S. to tilt elections with negative campaigns against opponents. Crime syndicates proper can be hired on the dark web and pointed at large corporations, hitting them with distributed denial of service attacks and demanding a ransom to stop, or deploying ransomware and demanding payment to decrypt the data.
Budding attackers (script kiddies), on the other hand, are just trying to establish street cred or win adulation from the community by running small-scale attacks, writing viruses or hacking opponents to beat them in online games. Some sell fake Viagra or con people into buying or selling stock when they really shouldn't. Others steal software or license keys and put them up for sale on The Pirate Bay or a similar site.
Adware is probably the most common reason people get hacked. Unethical operators break into computers and manipulate them to inflate ad views for the campaigns they are paid to promote. Per recent reports, 24 million adware detections were recorded on Windows machines and 30 million on Macs.
The Means: The Tools Hackers Use
Off-the-shelf tooling such as malware-as-a-service is gaining traction. Dozens of hacking tools are available online, some far more commonly used than others. Hundreds of breached databases are for sale complete with email addresses, login names and passwords. The passwords may no longer be current, but the login IDs alone let criminals launch targeted phishing campaigns, and any password a user reused elsewhere still works there. Hackers also use search engines like Shodan, which indexes internet-exposed devices and their service banners, to find vulnerable connected devices. Automated hacking and deepfakes are also increasingly used to target individuals.
If a hacker is eyeing a sensitive target or a large corporation, they will probably learn as much as they can about the victim and its weaknesses before attacking. Tools like Fingerprinting Organizations with Collected Archives (FOCA) extract metadata such as usernames, software versions and internal paths from the documents an organization has published online. Open-source intelligence (OSINT) tools like Recon-ng and theHarvester, which collect email addresses, subdomains and hostnames from public sources, are also extremely popular with cybercriminals. Nmap (Network Mapper) is another staple: attackers use it to discover open ports and the services behind them, which then become the targets.
The Method: How Hackers Hack
It's usually one of two ways. If malware hit your organization at random because somebody clicked on it, you were a victim of opportunity. This is the most common form of attack. The malware then does what it was built to do, such as stealing your passwords or encrypting your files and demanding a ransom in Bitcoin. More modern strains break in and then dial home to command-and-control (C2) servers; the hacker uses an administrative console to stealthily observe your activity and plan the next stage of the attack.
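To make the "dial home" behavior concrete, here is an added example, not from the article and not a KnowBe4 tool, of the kind of early-warning detection a defender can run over proxy or firewall logs: a timer-driven implant contacts its C2 server at nearly fixed intervals, while a person's browsing does not. The log format, host names, IP addresses and the two beacon intervals (a fixed 60 seconds and a jittered 5 minutes) are all constructed for the example.

```python
"""Flag hosts that 'dial home' to a C2 server at regular intervals.

Added example, not from the original article.  The log format, hosts,
addresses and beacon intervals below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# 10.0.0.5 beacons every 60 s, 10.0.0.12 every ~5 min with jitter,
# 10.0.0.9 is a human browsing.  The last line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:00:07 10.0.0.5 www.example.com 14823
2024-03-01T09:00:10 10.0.0.12 203.0.113.7 1040
2024-03-01T09:01:00 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:01:41 10.0.0.5 mail.example.com 3120
2024-03-01T09:02:00 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:03:00 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:03:15 10.0.0.9 www.example.com 9921
2024-03-01T09:04:00 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:05:00 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:05:25 10.0.0.12 203.0.113.7 1040
2024-03-01T09:06:33 10.0.0.9 www.example.com 4410
2024-03-01T09:07:02 10.0.0.9 www.example.com 7788
2024-03-01T09:09:48 10.0.0.9 www.example.com 2100
2024-03-01T09:10:02 10.0.0.12 203.0.113.7 1040
2024-03-01T09:12:11 10.0.0.9 www.example.com 1203
2024-03-01T09:15:00 10.0.0.9 www.example.com 5512
2024-03-01T09:15:11 10.0.0.12 203.0.113.7 1040
2024-03-01T09:20:00 10.0.0.12 203.0.113.7 1040
2024-03-01T09:24:50 10.0.0.12 203.0.113.7 1040
this is not a log line
"""


def parse_log(text):
    """Yield (timestamp, src, dst) for each well-formed line; skip junk."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(text, min_events=5, max_cv=0.2):
    """Return {(src, dst): (count, mean_gap_s, cv)} for suspiciously regular talkers.

    cv is stddev / mean of the gaps between consecutive connections.  Human
    browsing gives a high cv; a timer-driven implant gives a cv near zero.
    Real implants add jitter, so the threshold is deliberately loose.
    """
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:       # too few samples to judge
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m == 0:                         # duplicate timestamps, not a beacon
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            hits[key] = (len(stamps), m, round(cv, 3))
    return hits


if __name__ == "__main__":
    for (src, dst), (n, m, cv) in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {n} connections every ~{m:.0f}s (cv={cv})")
```

On the constructed data this flags both beaconing hosts and leaves the human browser alone. In production you would tune `min_events` and `max_cv` to your traffic, and weigh regularity together with how rare the destination is across the estate and how uniform the request sizes are, since legitimate software updaters and monitoring agents also poll on timers.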
If you were specifically targeted by a human adversary, the attack will be much harder to detect and prevent, especially if they are highly skilled and well resourced. Most targeted attackers work through a sequence of stages commonly called the cyber kill chain.
For example, before an attacker targets you with a spear-phishing campaign, they'll do reconnaissance on your company: learning as much as they can to discover your vulnerabilities, login names, email addresses, operating system versions, application versions, open ports and so on, so they can weaponize their attack based on what they find. Once they know your vulnerabilities, there are dozens of public exploit databases holding hundreds to thousands of exploits that anybody can use to break in. For example, a remote code execution flaw in the MVPower DVR, a digital video recorder used with surveillance cameras, has been one of the most commonly exploited vulnerabilities, with exploitation attempts seen against 31 percent of organizations globally.
How Can You Defend Yourself?
Focus on three control pillars: policy, technical and training. Create robust security policies to protect your crown jewels. Next, deploy standard technical controls such as firewalls, intrusion prevention, endpoint security and vulnerability scanning. You'll also want tools for early-warning detection, incident response and recovery, so that controls are updated after an incident and it doesn't happen again. The MITRE ATT&CK framework, a catalog of the tactics and techniques real adversaries use at each stage of an intrusion, can help you map which of those behaviors your controls would actually detect.
As the defender, you need to think like a hacker and discover your own attack surface by doing reconnaissance on yourself. Use the same fingerprinting tools criminals use to uncover forgotten hosts, unpatched systems and open ports, and repeat it regularly, because the attack surface changes every time someone stands up a server or publishes a document. Run simulated scenarios of what you think an attacker would do and which attacks they are likely to execute, and then see what would happen if they succeeded.
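The port discovery step named in the tools section (Nmap) and again here is something you can reproduce against hosts you own or are authorized to test. The following added example, which is not from the article and not Nmap's own code, shows the mechanism behind a TCP connect scan with banner grabbing. It starts a throwaway listener on loopback with a constructed SSH-style banner so the scan runs offline; the banner text, the scanned port window and the host address are assumptions made for the example.

```python
"""TCP connect scan with banner grabbing, the core of what Nmap does.

Added example, not from the article and not Nmap's own code.  A throwaway
listener on 127.0.0.1 stands in for a real service so the scan runs
offline; its banner and the scanned port window are constructed.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9 (constructed banner)\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Listen on an OS-assigned loopback port and send `banner` to each client.

    Returns (port, stop) where stop() shuts the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)                 # poll so the thread can notice stop()
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:                  # send the banner, then hang up
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def probe(host, port, timeout=1.0):
    """Return (port, banner) if `port` accepts a TCP connection, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)      # many services speak first (SSH, SMTP)
            except socket.timeout:
                data = b""              # open, but silent until we talk
            return port, data.decode("ascii", "replace").strip()
    except OSError:                     # refused, unreachable or timed out
        return None


def scan(host, ports, workers=64):
    """Connect-scan `ports` concurrently; return {port: banner} for open ones."""
    open_ports = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for result in pool.map(lambda p: probe(host, p), ports):
            if result:
                open_ports[result[0]] = result[1]
    return open_ports


def demo():
    """Start the fake service, scan a window around it; return (port, results)."""
    port, stop = start_fake_service()
    try:
        return port, scan("127.0.0.1", range(max(1, port - 50), port + 51))
    finally:
        stop()


if __name__ == "__main__":
    port, found = demo()
    for p, banner in sorted(found.items()):
        print(f"{p}/tcp open  {banner or '(no banner)'}")
```

A full TCP handshake per port is noisy and slow compared with Nmap's SYN scan, but it needs no privileges and works from any host, which is usually what an attacker has on a first foothold. When you run this against your own estate, compare the result with your asset inventory: every open port you did not know about is either a gap in the inventory or a gap in the firewall, and both need fixing.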
Users themselves need to be aware of the most likely threat vectors and, with frequent testing, develop the muscle memory to recognize and repel the most common attacks. That only comes with repeated, focused training. Studies show that simulated phishing exercises can reduce an organization's phish-prone percentage (PPP), the share of users who fall for a simulated phish, by more than 60 percent.
Finally, find out what's breaking into your systems today and focus on plugging those holes. Don't treat things like adware lightly. Ask how it got in: today it's adware, tomorrow it could be something a lot worse coming through the same door.