With the significant advances of technology over many years, not only have law-abiding citizens, organisations and governments leveraged this to their advantage to grow and prosper, so too have criminals, writes David Fairman, CSO APAC at Netskope.

Criminals have taken every advantage of new technology and new technologically driven capabilities, to grow and prosper in their chosen illegal activity. They are not regulated or governed, but are often well funded and well-coordinated.

This is the challenge that organisations, governments, and their security teams battle with on a daily basis.

Link to the illegal economy and financial crime

The illegal economy, also known as the underground economy, shadow economy, or informal economy, refers to the illegal trade of goods and services, such as human trafficking, racketeering, smuggling of endangered species, sale of illegal drugs and just about any other activity that generates financial transactions that are deemed illegal in nature.

As with any organisation or entity, criminals look to take advantage of new ways of working to make their trade more effective and efficient. As a result, these entities leverage technology to achieve their mission, increasing the opportunity for financial crime.

This also applies to cybercrime and the facilitation of financial crimes through digital means. While some entities are looking to take advantage of technology to further their illicit activities, they don’t always have the technical skill sets to be able to do so. This has given rise to crime-as-a-service (CaaS). CaaS is where experienced and skilled cybercriminals build and develop sophisticated tools, platforms, and capabilities and then sell or rent these to other criminals (and threat actors) who do not have the technical knowledge to create these themselves.

The business model is like any other technology development business model. The technical entity (cybercriminal) develops the technology that can then be sold or rented to multiple customers, and the customers (criminals) benefit from the use of the technology to run their business, in the same way that any legitimate business would leverage technology.

As a result, these capabilities become very cost-effective and cybercriminals look to make these scalable and consumable for their customers. This is one of the factors that is driving the volume and sophistication of the attacks that we are seeing in the threat landscape today, as threat actors no longer require the deep technical knowledge they once did - the barrier to entry into cybercrime and the illegal economy is lowering.

Common services

There are a number of common services that can be readily sourced as CaaS:

  • Phishing kits / platforms
    Phishing continues to be one of the top attack vectors used to compromise organisations, so it is little wonder that the commoditisation of these capabilities has dramatically increased. Phishing kits, as well as phishing platforms, are readily available on the dark web for as little as US $2-$10 to facilitate an attack.
  • Exploit kits
    These include the development of exploit code and tools to take advantage of known vulnerabilities. One of the most popular kits, RIG, costs just US $150 a week and can spread ransomware, trojans, and other forms of malware. It has a large network of resellers with a complex business structure, making it both accessible and affordable for criminals.
  • DDoS services
    No longer does a criminal group need to build up a botnet to launch an attack on a target. Today, they can rent these services on demand. The time it takes to launch an attack is minimal and the infrastructure can be spun up and spun down quickly and efficiently, making it harder to track and mitigate. DDoS services are also cheap and accessible, with many providers offering subscription plans on the dark web. Listed plans range from the cheapest at US $5 a month (one concurrent attack with a 300 second attack time) up to the largest, most expensive plan at US $60 a month (one concurrent attack, 10,800 second attack time). Other providers will engage in DDoS against servers or websites that use protection, charging approximately US $400 a day, with some even offering attacks on targeted government resources.
  • Ransomware as a service
    Similar to DDoS services, cybercriminals can leverage purpose-built ransomware services to target a victim, removing the need for technical knowledge. These services provide not only the technical depth and skills but also all the information needed to carry out an attack. Ransomware as a service has a range of prices and payment models: subscription-based, flat fee and profit-sharing. Amounts can be as low as US $40 or go into the thousands for large targets.
  • Research as a service
    This involves the legal or illegal collection of information on targeted victims as well as the resale of stolen personal data, such as compromised credentials. It can also include the selling of information about potential exploits within software or systems.

Digital currency

Cryptocurrencies are a widely used method by cybercriminals to transfer and collect funds due to their anonymity, ease of use and lack of international borders and restrictions - things that make using a traditional bank difficult for criminals. Cryptocurrency accounts generally do not require the user to provide any personal information or their location and also allow the usage of multiple accounts at once.

Bitcoin is the preferred currency of cybercriminals, with ransomware attack demands often being requested in Bitcoin. The Bitcoin addresses recorded in the blockchain are not registered to certain individuals - only the account holder of the Bitcoin wallet who is receiving the transaction can see this information. This means authorities have a difficult time tracking down connections and trails to criminals.

How can the cyber industry help?

As digital transformation has accelerated and more business is conducted through digital channels, this has naturally resulted in cybersecurity playing more of a role in combating financial crime and disrupting the illegal economy. This has led to cybersecurity and fraud and financial crime teams working more closely.

This is especially true in the banking sector: some of the major UK and European banks have been operating for over 10 years with an organisational structure in which financial crime and cybersecurity teams are part of the same business unit, driven by the natural synergy between these functions.

With the convergence of cyber and financial crime teams, the industry has seen the emergence of the fusion centre, and a number of large global banks and financial institutions have been very successful in building this capability.

A fusion centre is an advanced version of the security operations centre (SOC) management model that unifies several different teams within an organisation, such as fraud, financial crime, cyber, physical security and intelligence teams. By bringing together these units, organisations can increase situational awareness, share analytics and threat intelligence more easily, have increased attractiveness to talent and have a standard framework for procedures.

Underpinning this operating model is a data model that enables intelligence-led, data-driven decision making and activities. Bringing together what would typically be disparate data sets and performing advanced analytics on them, including AI and ML techniques, can generate insights that would not otherwise be realised.

Using these approaches, including cluster analysis and neural network analysis, an organisation can identify anomalies that point to facilitation of the illegal economy, allowing it to take action, including disrupting that activity.

The cyber industry needs to be aware of which cryptocurrency providers are available, what their features are and how criminal organisations are going to make use of those services. It also needs to consider how authorities are tracking these transactions and how they plan to do so as cryptocurrencies become more anonymous, even going to the extent of being offline.

One such solution is seen with Bithumb, Upbit, Corbit and Coinone, four of South Korea's cryptocurrency companies, which have joined forces to share wallet data in real time in order to mitigate pyramid schemes and phishing funds being sent through their services.

There are some powerful examples of where private industry and government have partnered to disrupt cybercrime. In the US, the large banks and the US government joined forces, under the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Financial Services Analysis & Resiliency Center (FS-ARC), to combat cyber-attacks and financial crime running through the financial system. Also, the Financial Action Task Force (FATF) is attempting to regulate cryptocurrency organisations by compelling them to include the details of senders or recipients in transactions.

The cyber threat landscape is growing in velocity and volume at an unprecedented pace. One of the key drivers is the maturation of the business model that has evolved in support of cybercrime to facilitate the illegal economy. Where there is money to be made, even illegally, a subset of society will take advantage of the opportunities that await. With the advances in technology and the barriers to entry lowering, the risk to the general public, industries and business continues to grow.

We have seen some good examples of where the cybersecurity industry is working to address this threat at a macro and systemic level, but this alone will not eradicate this threat, nor is it realistic that it ever will be eradicated. Just as cybercriminals continue to share information, coordinate, and evolve their capabilities, so must private industry and government.