Learn Ethical Hacking for free!
Infosec’s Ethical Hacking learning path teaches you how to use the same techniques used by malicious hackers to carry out an ethical hack and assess your organization’s vulnerabilities.
“Cybersecurity! Don’t talk to me about cybersecurity!” is what Marvin the Paranoid Android would say if his diodes stopped hurting. But Marvin also complained about performing “trivial tasks with a brain the size of a planet” — and one thing we can say about cybersecurity threat mitigation is that it is no trivial task.
Since the Internet entered our lives and workplaces, cybersecurity has been a game of attrition where the strategic moves continually evolve. The winner takes all and then some, and it can be a harsh ending if your organization is at the hard end of a cybersecurity attack. The cost of cybercrime damages is expected to reach $6 trillion by 2021.
The tools of the trade help cybercriminals reach those figures. Zero-day exploits are increasing, giving the hacker a hand up. Malware strains just keep on being created, adding more into the wild year after year. Data breaches seem never-ending. All the while, the security professional has to deal with this onslaught on a daily basis.
This evolutionary arms race we find ourselves in has to change. We need to outthink the hacker by being smarter.
The culture of being a cybercriminal
The cybercriminal should never be underestimated. For many, this is their day job, and cybercrime is now big business. According to Cybersecurity Ventures research, the business of cybercrime is now worth more than the global illegal drug trade. That is a compelling reason to stick with it for any aspiring hacker-to-be.
Being a hacker means being part of a culture. If you’re a hacker, that’s your thing. Let’s get something straight: Being a hacker is not necessarily the same as being a cybercriminal. Hacking can be a vocation. Some companies even employ hackers to test their networks. But for the purposes of this article, I’ll break it down into those who call themselves hackers (of which there is a variant called an “ethical hacker”) and those just hell-bent on committing cybercrime for money, disruption or both.
The cybercriminal: In it for the $$$
Once upon a time, you had to know how to create software code to carry out any kind of cybercrime. Nowadays, you can rent the code or the phishing templates, or pick up a spoof website for a few dollars. Being a cybercriminal is about getting rich quick. You don’t want to have to spend months creating code to get there.
Hacking groups: A disruptive force
Hacking groups or hacker gangs are commonplace, and they are usually looking for trouble. Groups (like Dragonfly and Fancy Bear) are often state-sponsored. The recent Singapore SingHealth breach, which resulted in 1.5 million patient records being stolen, seems to have been an Advanced Persistent Threat (APT) from a state-sponsored group.
Hacker groups often target critical infrastructures for disruption purposes. Other motives include the theft of intellectual property and sensitive corporate data. Distributed Denial of Service (DDoS) attacks are often disruptive in nature and state-sponsored in origin.
Hackers as a group or subculture can often be more about the game of hacking. Hackers see themselves as more of a group of like-minded individuals who see creativity in what they do. The challenge of hacking is real for them. The hack is about the chase, the intellectual challenge, the endgame.
There is a whole story about how hacker culture originated at MIT back in the ‘60s. But this isn’t a history lesson. There is also a kind of treatise on hacker culture from the ‘80s, “Mind of a Hacker.” It ends with these immortal lines:
“Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.”
The hacker-cybercriminal hybrid
And then there’s the heady mix of hacker turned cybercriminal, perhaps the most dangerous of all. They have the mindset of a highly creative individual seeking challenges coupled with the need to make a quick buck. They are the ones who may create the Darknet marketplaces filled with the tools of the cybercrime trade. They have the wherewithal to evolve tactics and create new and novel vectors. They are probably adept at social engineering and if I had to guess, I’d say it was probably a hacker-cybercriminal hybrid that masterminded the Business Email Compromise (BEC) scams of recent times.
Hacking the hackers in three steps
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” ― Sun Tzu, The Art of War
If you know what you are up against, you can work out strategies to counter the threat. Here are three interlocking areas to work with that can help you out think a hacker.
1. The psychology of the hacker
Above, I gave you my take on the world of the hacking/cybercriminal. Being aware of the whole space, what it’s all about, types of threats and so on, is Cybersecurity 101 in the modern world of cybercrime. Cybersecurity is as much about knowing how the enemy thinks as it is about the anatomy of an attack. Thinking like a hacker lets you get under the skin and understand their thinking.
What would you do if you wanted to find new ways into your company? Look at new and emerging threats like chatroom phishing links and malvertising. Or how new technologies like digital assistants can be used to subvert security.
A great way to get into the same frame of mind as a hacker is to live in their world a little. Cybercriminals and hackers will use the same communication channels as the rest of us. The thing is, they tend to use them on the Darknet or using encrypted apps like Telegram. Take a look at how Darknet intelligence works and ask yourself whether you can apply it to your work as a cybersecurity professional.
2. The A-C team
To understand your enemy and outthink them, you need a group of diverse individuals. People from different cultures, men and women, and across all walks of life. This can give a new and useful perspective on how a cybercriminal can and does operate. This will be your A-C team, combining the right people to thwart cyber-attacks.
This should not be a team of purely technical folk. The A-C team should be a mix of folks: People who understand people, not just programmers and traditional security analysts. Over time, with the right people, you can build a strong ethos of security that brings strong ideas into your organization and helps prevent cyberattacks.
3. Tooling up
Apply technologies where it is appropriate, but don’t overuse them. The cybercriminal community are masters of change. As soon as a new technology becomes ubiquitous in stopping cybercrime, a new technique is developed to overcome it. Antivirus software and fileless attacks are one good example.
The use of detection as well as prevention is important when choosing tools. Your cybercrime strategy should be about using all three of the steps given here, each building on the other. Technologies like AI and machine learning can help improve your sight of threats in a complicated landscape. This then feeds into the intelligence we are building with diverse teams who understand the psychology of the hacker.
The way to keep ahead of the cybercrime arms race is by being bold, brave and bright. It’s not easy to outthink clever people who are on a mission. And then there’s the whole issue of just how easy it is to commit cybercrime.
You do, however, have ways and means of counteracting cybercriminals. If you can understand their motives, how they carry out their actions and what makes them tick, you have a good chance of winning this war. Outthinking the hacker is achievable; it just takes a similar level of commitment as the hackers have themselves.
- Cybercrime Damages $6 Trillion By 2021, Cybersecurity Ventures
- Malware Statistics & Trends, AV-TEST
- Ethical Hacker Jobs, Job Monkey
- SingHealth breach work of a typical state-linked group, The Straits Times
- The Conscience of a Hacker, Phrack Magazine (archive)