Malicious Trends: What You Need to Know

Author: Brad E. Rhodes, CISM, CDPSE, CISSP-ISSEP and ISACA Conference North America 2022 Presenter
Date Published: 22 April 2022

According to the recent Cybersecurity Ventures 2022 “Cybersecurity Almanac,” organizations will spend approximately US$1.75 trillion on cybersecurity between 2021 and 2025. At the same time, by 2025 it is projected that cybercriminals and their activities will earn around $10.5 trillion. First off, that is trillion with a “T”. That means that cybercriminals will earn almost six times more in revenue than defenders will spend! It is a fair question to ask how these malicious cyber actors (MCA) can be so far ahead of their defender counterparts.

Let’s first be clear as to what constitutes an MCA. They range from script kiddies to hacktivists to criminal organizations to Advanced Persistent Threats (APT), and even nation-states. To begin with, all MCAs have negative intent. This negative intent could be as simple as defacing a website or as advanced as stealing intellectual property. Next, MCAs are motivated, whether by money, revenge or ideological differences. Lastly, MCAs have the knowledge, skills and abilities to execute their attacks for maximum effect. Regardless of capacity and capabilities, all MCA activities start with online infrastructure, and it is that infrastructure that produces the patterns and trends observed in malicious activity.

When it comes to infrastructure, MCAs are quite creative. The goal of every MCA is to keep costs as low as possible. In general, MCAs acquire infrastructure in three primary ways:

  • First, they can buy what they need through the normal process: standard registrars or other resellers for domain names, and standard hosting services for content. For MCAs, registering domain names carries both risk and reward. Legitimately registered domains stand a better chance of slipping past defenses. However, once these domains are blacklisted, they are no longer usable.
  • Second, MCAs will co-opt infrastructure. This can be done via broken web components, cloud misconfigurations, or even currently exploited vulnerabilities (such as Log4Shell or Spring4Shell). MCAs will use co-opted capacity until they are discovered and evicted. Unfortunately, even less experienced MCAs can persist for months in co-opted infrastructure without detection.
  • Third, MCAs regularly leverage free cloud-based capabilities to host malicious content. Ranging from online collaboration to on-demand storage, these services are cheap or free, and MCAs will even redirect seemingly benign Uniform Resource Locators (URL) to them.

Wherever possible, MCAs want to spend the least amount of money on delivering their malicious content. This is especially true for cybercriminals and less sophisticated MCAs whose goal is to maximize their return on investment. Therefore, these groups will look to co-opt infrastructure or use free capabilities to the maximum extent possible. Add to that the ability to register domain names under any of the 1,500+ Top Level Domains (TLD) for a small annual cost, and to point them at free or inexpensive hosting infrastructure through redirection, and the scene is set for MCAs to maximize their profits. If they get caught, MCAs simply shift to their backup infrastructure (which they usually have) or spin up more capabilities in just minutes to hours.

MCAs make extensive use of the infrastructure described to create believable URLs, which victims click on, arriving at malicious content that ultimately adds money to not-so-savory coffers. All of this sounds like bad news for defenders, however, there is a silver lining. MCAs use the same capabilities (such as domain registration, content hosting and redirections) as everyone else on the internet, meaning there are observable patterns – breadcrumbs – that point to the good, bad and ugly. When viewed on a larger scale, these patterns become trends that defenders can use to assess their inbound and outbound traffic to stop MCA activities. 
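The three acquisition patterns above (freshly registered domains under cheap TLDs, redirection to free hosting) are exactly the breadcrumbs a defender can look for in outbound proxy logs. The following script is an added example written for this page, not code from the author or from ISACA: it scores each logged request chain against those patterns. The log lines, hostnames, registration dates, the list of “free hosting” suffixes and the TLD set are all constructed for illustration; in practice the registration-date table would be replaced by a WHOIS/RDAP lookup and the provider list by your own review of what your users legitimately use.

```python
"""
Added example (not from the ISACA post): an offline detector that scores
outbound proxy-log entries for the infrastructure patterns the post
describes: newly registered domains, rarely used TLDs, and redirect
chains that land on free hosting. Every hostname, date, provider and log
line below is constructed for illustration.
"""
from datetime import date
from urllib.parse import urlparse

# Constructed stand-in for a WHOIS/RDAP lookup: registered domain -> date.
REGISTRATION_DATES = {
    "example-news.com": date(2012, 3, 4),
    "payroll-update-secure.xyz": date(2022, 4, 15),
    "cdn-files.top": date(2022, 4, 19),
}

# Constructed list of free/low-cost storage and collaboration hosts
# (the post's third acquisition pattern); tune to your own environment.
FREE_HOSTING_SUFFIXES = ("free-storage.example", "collab-pages.example")

# Constructed set of TLDs rarely seen in this organisation's legitimate traffic.
UNUSUAL_TLDS = {"xyz", "top", "tk"}

NEW_DOMAIN_DAYS = 30            # "newly registered" threshold, in days
DEMO_TODAY = date(2022, 4, 22)  # fixed reference date for the sample log


def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the constructed data."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_age_days(host, today, table=REGISTRATION_DATES):
    """Days since registration, or None when the domain is unknown."""
    reg = table.get(registered_domain(host))
    return None if reg is None else (today - reg).days


def score_chain(urls, today, table=REGISTRATION_DATES):
    """Score one request chain (initial URL followed by redirect targets).

    Returns (score, reasons); each matched pattern adds one point.
    """
    reasons = []
    hosts = [urlparse(u).hostname or "" for u in urls]
    first, last = hosts[0], hosts[-1]

    age = domain_age_days(first, today, table)
    if age is not None and age <= NEW_DOMAIN_DAYS:
        reasons.append(f"{first} registered {age} days ago")
    if first.rsplit(".", 1)[-1] in UNUSUAL_TLDS:
        reasons.append(f"{first} uses an unusual TLD")
    if len(urls) > 1 and last.endswith(FREE_HOSTING_SUFFIXES):
        reasons.append(f"redirects to free hosting at {last}")
    return len(reasons), reasons


def parse_log(lines):
    """Parse constructed proxy lines of the form
       <timestamp> <client_ip> <status> <url> [-> <redirect_target> ...]
    into (client_ip, [url, redirect targets...]) tuples."""
    chains = []
    for line in lines:
        parts = line.split()
        client, urls = parts[1], [parts[3]]
        i = 4
        while i + 1 < len(parts) and parts[i] == "->":
            urls.append(parts[i + 1])
            i += 2
        chains.append((client, urls))
    return chains


def flag_suspicious(lines, today, min_score=2):
    """Return the chains matching at least min_score patterns."""
    findings = []
    for client, urls in parse_log(lines):
        score, reasons = score_chain(urls, today)
        if score >= min_score:
            findings.append({"client": client, "url": urls[0],
                             "score": score, "reasons": reasons})
    return findings


SAMPLE_LOG = [  # constructed proxy log lines
    "2022-04-21T10:00:01Z 10.0.0.5 200 https://example-news.com/article/1",
    "2022-04-21T10:02:13Z 10.0.0.7 302 https://payroll-update-secure.xyz/login"
    " -> https://docs.free-storage.example/u/abc123",
    "2022-04-21T10:05:44Z 10.0.0.9 302 https://cdn-files.top/dl"
    " -> https://mirror.collab-pages.example/f/9",
]

if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_LOG, DEMO_TODAY):
        print(f["client"], f["url"], f["score"], "; ".join(f["reasons"]))
```

Each pattern on its own is weak evidence (plenty of legitimate sites are new, use a .xyz domain or sit on shared storage), which is why the example requires two or more matches before it reports a chain; the first sample line, an established domain with no redirect, scores zero, while the two redirect chains to free hosting from days-old domains under unusual TLDs score three.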

Are you ready to better defend your organizations using available data sources and tools to catch MCA patterns in your network? Look no further than my upcoming session at ISACA Conference North America, “Malicious Trends: What You Need to Know!” Let’s have a deeper conversation about MCAs, trends and patterns that you can observe right now to improve your defenses.

Editor’s note: ISACA Conference North America 2022 is a hybrid event to take place in New Orleans, USA, and virtually 4-6 May.