Andrzej Kawalec, CTO for Hewlett Packard Enterprise Security Services, has seen a significant shift in recent years in how hackers operate. While hacking was at one time just a disorganized, ad hoc activity, it has become a business and is structured that way.
In a new report, HPE details how the business of hacking and modern cyber-crime operate.
"Today, we're not just facing talented individuals or groups of hackers; we're facing a globally integrated, industrial-scale and highly profitable adversary," Kawalec told eWEEK.
To properly defend against the modern cyber-threats, it's important to first understand the adversaries and how they work, Kawalec said. All businesses are organized around the general goal of revenue generation. Roles and operational procedures in any business are set up to support the primary goal, and the business of hacking is no different.
Once defenders understand the business organization and motivation of hackers, it is possible to disrupt the operation, Kawalec said. "Disrupting the business of hacking is about changing the profit model for what the hackers are trying to do. So for intellectual property theft, the minute we put encryption around the data, we change the profit model as the attackers can't easily monetize what they've stolen."
By adding encryption to IP, it's not enough for an attacker to break into an organization and steal data, as the attackers still need to figure out how to make money, he said, adding that it's possible for defenders to disrupt the business cycle for attackers.
When it comes to ad fraud and extortion, it's also possible to disrupt the profit models there as well. For advertising fraud, one way to disrupt the business model is to tighten controls around ad delivery and advertisement payment approaches. For extortion, which is often executed by way of ransomware, Kawalec suggests that by having proper backup and data retention policies in place, it's possible to make attacks less profitable.
Other areas where defenders can disrupt the business of hacking include human resources. As is the case with any business, hackers often need to recruit personnel. Kawalec suggested that by disrupting hackers' human resources by way of education and intervention, it's possible to hamper the recruitment process and the overall hacker business model.
The modern business of hacking is also about scale and involves adversaries that are able to operate distributed online computing resources, including shared code, Web, email and hosting. By understanding how the infrastructure is being used to support the hacking enterprise, it can be disrupted, Kawalec said.
"There are a number of ways we can disrupt the adversary, rather than just fighting one-off battles," Kawalec said. "Criminals have been able to scale operations using all manner of techniques that allow modern organizations to build businesses, so we need to address the issue at the fundamental function level and not as a point-in-time attack."
While HPE is describing modern cyber-threats as a business, another common approach taken by many in the security industry today is to view threats as a military conflict, with the idea of the kill chain. In a military context, a kill chain is the set of steps required to fire a missile or another piece of armament. In cyber-security, the term has been adoped to refer to the entire process used by an attacker to exploit a victim.
"There is less kill chain and more on value chain in our view," Kawalec said.
The HPE business of hacking model is shifting away from a focus on how an attacker got into an organization and now emphasizes how the hacker infrastructure is organized, managed and what its goals are.
"I would never forget the kill chain, but in our report, we're focused on the economics of attacks, rather than the techniques and the procedures," Kawalec said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.