Professor James Hendler, Director of the Institute for Data Exploration and Applications, Rensselaer Polytechnic Institute
In addition to the deep web, criminal hackers are using any available encrypted channel to communicate, such as encrypted phone calls, instant messaging over OTR (Off-the-Record messaging), and secret codes. “Secret codes may be in plain text but they don’t refer directly to who was hacked or when. The target/victims and the type of payload used in the attack will have code names. Criminal hackers will communicate using these cryptic codes,” says Charles Tendell, CEO, Azorian Cyber Security.
Attackers also communicate with each other by flooding communications channels with an exorbitant amount of information, far too much for any one person to sift through. “Unless you know what you’re looking for, you’re not going to find the legitimate conversation in all of it,” says Tendell.
How attackers achieve dwell time
The cybercrime underground has already made so much compromised information available that any cyber thug can easily avail himself of a variety of PII and login credentials, gain access to more systems, steal many additional credentials, and retrieve saleable data from some new enterprise victim.
“Criminal hackers can go to a large data dump site, enter a name, and find out whether that person was in a compromised database or was part of some breach. Since people reuse the same password many times, if that victim hasn’t changed their password, attackers can use those credentials to gain more access at other sites and get more information,” explains Tendell.
In addition to exposed data, attackers can easily find vulnerabilities in internet of things devices that they can use to eventually gain access to the enterprise. Criminal hackers use search engines such as Shodan, which indexes internet-connected devices, to search by geographic location or IP address and see what may already be vulnerable, says Tendell.
With vulnerabilities galore in hand, attackers apply zero-days, rootkits, malware, cryptic communications, and compromised credentials using one of two models to maintain dwell time and exfiltrate the most data possible before someone stops them. “Criminal hackers either move a little data out at a time so as to go unnoticed or they cache the data somewhere inside the enterprise over an extended period and broadcast it out all at once with stealth and low visibility,” says Hendler. Either of these approaches is fruitful for an attacker.
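As an added illustration, not part of the original article or either expert's material, the Python script below shows how a defender could look for both exfiltration patterns Hendler describes in per-host outbound flow records: a persistent trickle to one external destination, and a single-day burst far above the host's normal volume. The hosts, destinations and byte counts are constructed sample values.

```python
from collections import defaultdict
from statistics import median

# Constructed outbound flow records: (host, day, external destination, bytes out).
# Made-up sample values for the demonstration, not data from the article.
FLOWS = [
    # hostA: a small daily trickle to one external address for 14 days (low and slow),
    # alongside its normal ~2 MB/day of legitimate traffic.
    *[("hostA", d, "203.0.113.7", 45_000 + (d % 3) * 1_000) for d in range(1, 15)],
    *[("hostA", d, "198.51.100.2", 2_000_000 + (d % 5) * 100_000) for d in range(1, 15)],
    # hostB: normal ~1.5 MB/day, then a single 40 MB burst on day 12 (cache, then broadcast).
    *[("hostB", d, "198.51.100.2", 1_500_000 + (d % 4) * 50_000) for d in range(1, 15)],
    ("hostB", 12, "203.0.113.9", 40_000_000),
]


def daily_totals(flows):
    """Return {host: {day: total outbound bytes}} summed over every destination."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, day, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def find_bursts(flows, factor=10):
    """Flag (host, day) pairs whose outbound total exceeds factor x the host's median daily
    total. The median is robust to the burst itself, so a single huge day stands out."""
    hits = []
    for host, days in daily_totals(flows).items():
        baseline = median(days.values())
        hits.extend((host, d) for d, b in sorted(days.items()) if b > factor * baseline)
    return hits


def find_low_and_slow(flows, min_days=10, max_share=0.10):
    """Flag (host, dst) pairs seen on at least min_days days that never exceed max_share of
    the host's daily total: small enough to hide in the noise, but unusually persistent."""
    totals = daily_totals(flows)
    per_dst = defaultdict(lambda: defaultdict(int))  # (host, dst) -> {day: bytes}
    for host, day, dst, nbytes in flows:
        per_dst[(host, dst)][day] += nbytes
    return [
        (host, dst)
        for (host, dst), days in per_dst.items()
        if len(days) >= min_days
        and all(b <= max_share * totals[host][d] for d, b in days.items())
    ]


if __name__ == "__main__":
    print("burst days:", find_bursts(FLOWS))              # [('hostB', 12)]
    print("low-and-slow:", find_low_and_slow(FLOWS))     # [('hostA', '203.0.113.7')]
```

The two thresholds (10x the median, 10% share over 10 days) are assumptions chosen for the sample data; in practice they would be tuned against each environment's real baseline.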
Shifting the balance of power in cybersecurity
The balance of power between criminal hackers and security pros is decidedly slanted in favor of the attackers. New vulnerabilities crop up every time new software or software updates are added. “While an attacker has only to find one flaw to gain entry, the security pros must know, close, and protect every vulnerability,” says Hendler.