THE ECONOMICS OF MODERN HACKING
Hacking is no longer solely the province of curious or bored programmers. The production of malicious software is now a business, and that fact in itself profoundly changes the scope of the challenge.
HEIM: Maybe the security vendors here can give us some perspective on this. In the beginning, broad, wormlike attacks were disruptive mostly for glory—for example, to show how much of the Internet a hacker could take down. Nowadays, attacks are nearly 100 percent economic, and if it’s economic, and the Internet is your pathway to your victims, why would you want to cripple it with devastating worms? It’s counterproductive to your business model.
SHERSTOBITOFF: I am sure that all of us from the antivirus perspective can agree that there are two things that we’re seeing. One, the massive propagation of malware is no longer present; they’re focusing on targeted attacks. They’re focusing on “what companies can I penetrate?” But there’s also another strategy: they are releasing a lot of brand-new malware in the hope that the signature files cannot keep up to date.
So that’s why our customers, and I’m sure that some of yours too, are asking for outsource services that go into more of a “security as a service” platform, where we can keep applying real-time updates continuously while hackers are making focused attacks.
ABHYANKAR: Yes, I mean, the economic model for hacking is so well established that if it were legitimate and you were a venture capitalist looking to put money into this business, you would get good returns, right? The cost of sending malicious email just keeps getting driven down. And anonymity in the network makes it harder to track down the bad guys from a legal enforcement and prosecution perspective.
SHERSTOBITOFF: Especially when the attacks come out of foreign countries like China and Russia. A lot of the activity is not really centered on the original hackers. They’re using middlemen. So when you actually investigate, you end up getting to individuals—what they call “mules”—who had no awareness or knowledge that they were becoming victims of this whole scheme. We’re seeing that result as an upsurge from these websites that say, “I have a great job for you! Make a thousand dollars a week!” Law enforcement can’t get to the hacker who created the malicious software; the hacker or the attacker is long gone. The hackers don’t actually conduct the attacks; they sell these creations for money.
So there’s an underground economy just on sales of these attacks. You can now purchase something for $1,200 and be a cybercriminal; it’s so simple, your next-door neighbor could become a botnet master. It is not that hard to conduct crime, and it multiplies the potential number of invasions on an individual’s privacy when the common Joe Blow, without technical experience, could become a botnet mastermind.
SADLER: So given that we all understand how sophisticated the bad guys have become, what level of cooperation do you think we should be employing? Because essentially, we still all compete. We’re fragmented and the bad guys are coordinated. And there’s plenty of evidence that these different organized criminal elements are actually trading this stuff amongst themselves. We don’t have that level of cooperation amongst ourselves.
SHERSTOBITOFF: That’s why I would advocate a vendor-agnostic approach here. To circumvent this threat takes not only a technological approach but also a community sharing response, with research labs working together to share what they’ve seen. Because already, not all the malware samples in our labs come from our customers. We do get them from others in the industry. I’m sure we get some from McAfee, I’m sure we get some from Symantec. So at the top, we’re not like bitter rivals. It’s a common problem that the industry as a whole needs to respond to.