It’s no secret that cybersecurity has become big business — to the tune of $1.5 trillion a year, according to one estimate — nor is it any surprise that hackers are getting better and smarter. What’s changing lately, though, is the degree to which cybercrime has become organized crime, the province of international criminal networks that run in many ways like ordinary businesses.
So argued James Morrison, a Houston-based senior computer scientist with the FBI who specializes in cybercrime. Speaking at a session at HPE Discover 2019, the annual conference of users and partners taking place through June 20 in Las Vegas, Morrison said today’s cybercrime organizations reinvest profits in their businesses, acquiring data centers and machine learning technology to help them manage and expand their efforts.
“Two years ago at this event, I remember we talked about the threats to firmware and hardware,” he said. “Now we’re starting to see cybercriminals really rising up. It’s getting more involved and organized — we’re starting to call it organized crime. A couple of years ago, it was about 50/50, organized crime versus individuals just out there doing it. But now we’re seeing a lot of very organized criminal elements operating out of countries, including countries we haven’t seen in the past. A lot of countries are getting involved — countries like India, Nigeria and Indonesia.”
Cybercrime Is Getting Easier to Execute
One reason cybercrime is exploding is that the barrier to entry keeps dropping, Morrison said. Threat actors no longer need to be hacking geniuses; all they need is access to the dark web, where they can buy simple ransomware tools. Combined with a list of email addresses bought for a few dollars, those tools can turn a tidy profit even if only a small fraction of targets are duped into clicking a link.
Morrison described the economics of cybercrime for an audience of analysts and journalists attending HPE Discover:
“I can go on the internet and buy 100,000 email addresses for, let’s say, $50. It’s not very expensive. And then I can go rent ransomware — and that’s actually what it is; you go into a marketplace and purchase a license for ransomware for maybe a month, and it has full, 24-hour customer service. So now I have ransomware and I have email addresses. So I fire it out, and let’s say 5,000 people click, which is actually a low number. And out of those, maybe 1,000 pay me $400 for releasing the ransomware. I just got paid $400,000 on a $250 investment. That’s the economy of scale that we’re really seeing.”
Cybercrime Is Starting to Look Like a Typical Industry
Drew Simonis, deputy CISO for Hewlett Packard Enterprise, described this phenomenon as the “industrialization” of cybercrime, which he said is made possible by the “development of complex supply chains and specializations.” Just like every other industry, Simonis said, as cybercrime has grown, each aspect of it has become an area of specialization.
Given the prevalence and continued success of phishing attacks, Morrison argued that companies must deploy intrusion detection systems so they have insight into what is happening inside their networks, including the lateral (east-west) traffic between internal hosts. It is impossible to avoid every breach, but a business can respond effectively only if it knows it has been breached.
“I go out to companies, and I’m still amazed at the number of companies that don’t have some way to detect lateral traffic inside their network,” he said. “They’re like, ‘Yeah, I didn’t even know what happened.’ Ransomware now isn’t just ‘click and hit.’ It’s gonna take a week before you even know it’s there if you don’t have some sort of system to detect it. And it’s gonna blow up.”
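Morrison's point above is about east-west visibility. As an added example (not code from the article, the FBI or HPE), here is a small Python detector that runs over constructed internal flow records and flags any source host that reaches more than a threshold of distinct internal peers on common lateral-movement ports (SMB 445, RDP 3389, WinRM 5985/5986, RPC 135) inside a short time window. The log format, the address ranges, the port list, the window and the threshold are all assumptions to be tuned per environment.

```python
"""Crude lateral-movement (fan-out) detector over internal flow records.

Added example, not from the article, the FBI or HPE. The record format
"ISO8601 src_ip dst_ip dst_port", the internal ranges, the port list and
the thresholds are assumptions; tune them for a real network.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Ports commonly used to move between hosts (assumption: extend per environment).
LATERAL_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls", 135: "rpc"}

# Address space treated as "inside" (assumption: RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: one fast spreader, one host hammering a single
# server, one admin host below threshold, one slow spreader, one web flow.
SAMPLE_FLOWS = [
    "2019-06-18T09:00:01 10.0.5.23 10.0.1.10 445",
    "2019-06-18T09:00:05 10.0.5.23 10.0.1.11 445",
    "2019-06-18T09:00:09 10.0.5.23 10.0.1.12 445",
    "2019-06-18T09:00:14 10.0.5.23 10.0.1.13 445",
    "2019-06-18T09:00:20 10.0.5.23 10.0.1.14 445",
    "2019-06-18T09:00:27 10.0.5.23 10.0.1.15 3389",
    "2019-06-18T09:00:33 10.0.5.23 10.0.1.16 445",
    "2019-06-18T09:00:40 10.0.5.23 10.0.1.17 445",
    "2019-06-18T09:00:02 10.0.5.23 93.184.216.34 443",  # external web traffic, ignored
    "2019-06-18T09:01:00 10.0.5.40 10.0.1.10 445",      # same peer three times: not fan-out
    "2019-06-18T09:02:00 10.0.5.40 10.0.1.10 445",
    "2019-06-18T09:03:00 10.0.5.40 10.0.1.10 445",
    "2019-06-18T09:05:00 10.0.9.2 10.0.1.20 3389",      # admin host, two peers: below threshold
    "2019-06-18T09:06:00 10.0.9.2 10.0.1.21 3389",
    "2019-06-18T10:00:00 10.0.5.77 10.0.2.1 445",       # slow spreader, one peer every 20 minutes
    "2019-06-18T10:20:00 10.0.5.77 10.0.2.2 445",
    "2019-06-18T10:40:00 10.0.5.77 10.0.2.3 445",
    "2019-06-18T11:00:00 10.0.5.77 10.0.2.4 445",
    "2019-06-18T11:20:00 10.0.5.77 10.0.2.5 445",
    "2019-06-18T11:40:00 10.0.5.77 10.0.2.6 445",
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Parse one record into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_fanout(lines, max_peers: int = 5, window_minutes: int = 10) -> dict:
    """Return {src: {"peers": n, "services": [...]}} for every internal source
    that reaches more than max_peers distinct internal hosts on lateral ports
    within any window of window_minutes. "services" lists every lateral
    service that source used anywhere in the input, not only in the window."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)  # src -> [(ts, dst, port)], east-west flows only
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if port in LATERAL_PORTS and is_internal(src) and is_internal(dst) and src != dst:
            events[src].append((ts, dst, port))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        peers = Counter()  # dst -> number of events inside the sliding window
        start, best = 0, 0
        for ts, dst, _port in evs:
            peers[dst] += 1
            # Drop events that fell out of the window.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
                start += 1
            if len(peers) > max_peers:
                best = max(best, len(peers))
        if best:
            alerts[src] = {
                "peers": best,
                "services": sorted({LATERAL_PORTS[p] for _, _, p in evs}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_fanout(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {info['peers']} internal peers via {', '.join(info['services'])}")
```

On the sample data only 10.0.5.23 trips the rule: eight distinct SMB and RDP peers in forty seconds. The host 10.0.5.77 touches six peers but spreads them over two hours, so a ten-minute window never sees more than one; the same call with window_minutes=180 catches it, which is why a fan-out rule like this is normally paired with longer baselines, and why legitimate scanners, patch management and backup hosts need an allowlist before it goes into production.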