By Gerard Allison, senior vice president of sales for EMEA at Sophos.
The dark web is far more developed than most businesses realise. Cybercriminals have scaled up their operations in dark marketplaces where bad actors trade with one another, creating a service industry of its own with a network of supporting vendors and well-established, professionalised approaches to cyber operations. The parallels between this dark economy and the legitimate one are endless.
Like the information technology industry, the cybercrime ecosystem is shifting to 'as-a-service' offerings. As the dark economy evolves to meet ever-growing demand from cybercriminals, the structures of their operations have developed into established businesses. This raises a number of operational challenges for legitimate businesses and poses the question: what does it mean for the future of IT security, and can we learn anything from these dark practices?
The dark economy
Criminal marketplaces have commoditised malware, malware deployment services, stolen credentials and other data, making it much easier for entry-level cybercriminals to acquire them across the dark web. Initial access brokers use commodity exploits against vulnerable software to gain footholds on hundreds of networks, then sell that access on to other criminals, often selling the same compromised access several times over, so a single exposed system can end up hosting more than one unrelated intruder.
This bustling economy is proving to be the perfect breeding ground for scammers and cybercriminals. Participants in dark web marketplaces have no recourse to law enforcement, given the (semi-)anonymous and clandestine culture surrounding their operations. These spaces are populated by criminals and offer an open market with no regulation or quality assurance, and most activity on them is extremely difficult to trace.
Ransomware operators treat the dark web as their headquarters and use it in sophisticated ways, both to evade detection and to spread novel techniques. Those techniques are then sold on to other cybercriminals, in much the same way a business would buy antivirus software. For instance, more and more gangs have adopted newer programming languages, both to evade detection and to make it easier to build and deploy ransomware for a range of operating systems and platforms.
Diversification is at the heart of the growth of ransomware groups. One key development is the rise of leak sites, where the criminals post details of their victims. Traditionally the model was simple: if the organisation pays, its data is not published on the leak site; if it does not, it is. There have, however, been some interesting developments in that space.
A prime example is the LockBit ransomware group, which has been at the forefront of this innovation. One tactic the group uses is to offer visitors to its leak site, including the victim, the option to pay to destroy the stolen data, to purchase it, or to extend the timer counting down to publication.
It does not stop there. LockBit 3.0 runs a bug bounty programme to crowd-source testing of its malware and performs market research in the criminal community to improve the group's operations and services. As part of that programme, the group pays 'researchers' for Personally Identifiable Information (PII) on high-profile individuals and for web exploits, with rewards between $1,000 and $1 million. LockBit has also started paying bounties for 'brilliant ideas' to improve its ransomware operations.
Legitimate businesses run bounty schemes of their own to improve their security posture. Ethical hackers earn money by identifying vulnerabilities in an organisation's software and helping to fix them. Greater visibility into those vulnerabilities means patches can be issued before cybercriminals exploit them, while the feedback gathered can also be used to improve the user experience and the services themselves.
These marketplaces have quickly become far more than places where products and services are advertised. When businesses succeed, they invest additional budget and resources in recruiting and retaining the best talent, whether in IT support, cybersecurity or any other vital technical role. This is no different for cybercriminals.
The dark economy is worth billions, and cybercrime and other underground activity need the same talents and skill sets as the above-ground economy to remain successful. To lure that talent, cybercriminal groups not only offer competitive salaries but have started offering added benefits including flexible working, paid time off and even sick leave. Job offers and recruitment posts have become much more common on these platforms, and the biggest dark marketplaces have dedicated help-wanted pages catering to both job seekers and recruiters. This is a concerning aspect of cybercriminal operations, and the security industry needs to learn from it and keep investing in the fight for cyber talent. The cybersecurity job market already has a shortage of skilled professionals, and as criminals continue to recruit, it is vital that businesses keep attracting the skills they need to stay ahead.
Looking across the entire dark economy, a few points stand out: how easy it is for would-be cybercriminals to break into the industry, the fight to keep talent on the right side of the law, and the commodification of tools and tactics that were once the preserve of advanced persistent threat groups. A thriving dark marketplace for malware and hacking tools is nothing new, but the capabilities of ransomware operations and other malicious actors are now available to the wider criminal community, and it has never been more important for partners to protect against these threats.
Ransomware gangs have become the leading orchestrators of the 'as-a-service' model for cybercrime. Underground digital marketplaces have made virtually every component of the cybercrime toolkit available to any gang or individual willing to pay, from the initial compromise of victims all the way through to malware delivery.
This industrialisation of ransomware has allowed ransomware 'affiliates' to become far more professional outfits. Their use of professional offensive-security tools, legitimate administrative and remote-support software, malware-as-a-service, and exploits and malware bought on the open criminal market means defenders can no longer reliably attribute a given set of tools, tactics and practices to a specific ransomware group.
Like the corporate IT sector, cybercriminals have adopted the 'as-a-service' model to widen the scope of their operations, and almost every part of the cybercrime toolkit can be outsourced to crime-as-a-service providers that advertise on underground forums.
Organisations can respond in kind by outsourcing part of their cybersecurity to specialists. Businesses that adopt a cybersecurity-as-a-service model not only reduce the pressure on internal IT teams but also improve their defences and gain access to experts whose know-how is grounded in current data, research and insight.
The benefits of using an MDR service
As the criminal economy continues to thrive and grow more complex, the reality is that no individual technology solution can prevent every cyberattack. Stopping the most advanced attacks requires human-led threat hunting, investigation and response, which is where Managed Detection and Response (MDR) services come in.
Organisations of many kinds across all sectors benefit from an MDR service, from small companies with limited IT resources to large enterprises with an in-house Security Operations Centre (SOC). Threat hunting can be performed in-house using Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) tools, but there are substantial benefits to using an MDR service, either alongside an in-house team or as a fully outsourced service.
A major advantage of an MDR provider over an in-house-only security operations programme is stronger protection against ransomware and the other advanced threats that originate in the dark economy. If we have learnt one thing from how cybercriminals operate, it is that they are only becoming more advanced and harder to detect. An MDR vendor sees a larger quantity and variety of attacks than any individual business, giving it a breadth of experience that is near impossible to replicate in-house. Threat hunting remains a highly complex discipline that demands a specific and niche skill set, which makes recruiting threat hunters difficult; working with an MDR provider brings that expertise with it.
Beyond the complexity, staying ahead of these criminals and the developing dark economy can be expensive. Maintaining a 24/7 threat hunting team requires at least five full-time staff, which is why MDR services are proving to be a cost-effective way of securing organisations. This stretches cybersecurity budgets further and also reduces the risk of financial penalties following a major incident.
Providers with less direct visibility into active threats generally supplement their in-house insight with threat intelligence feeds aggregated from a broader set of sources. Those feeds are valuable, but they only tell a security team about an event after it has happened. A provider that sees threats as they unfold can spot new adversary activity in a single customer environment and proactively defend every other organisation under its watch.
There is no guaranteed defence against these ever-evolving threat actors, but an active defence is the key to limiting the damage any intruder can do. The burden of that defence is often too great for organisations to shoulder alone, which is why it has never been more important to arm themselves against a continually growing threat landscape through endpoint and network defence and managed security operations services.