Wednesday, May 6, 2015

How Hackers Profit

Today, I am a hacker.

I have breached your system; I have stolen your customer and employee data, your financial account information and your intellectual property.  I have your databases of stored email accounts and a large supply of employee personal data you did not know was stored on your system (iTunes accounts, Facebook logons, software credentials, etc.).

So now, how do I make money?  I mean, that's why I attacked you; I'm a financially motivated hacker.  I didn't attack you because I'm a spy, or because I wanted to destroy your network, or even to embarrass you for your corporate politics, beliefs or lifestyle.

I attacked you to make money.

The easiest play is to use the credit cards, right?  No, not really; carding is more of an art now, as it requires special know-how to circumvent address verification systems.  In addition, I need "mules" to collect the goods I buy and then reship them.

The credit cards I have stolen I will sell or trade.  The going rate is about $.06 per card.  Alternatively, I can trade them to other hackers for services, software or exploits.

Next up is banking details.  If I have full access to your bank accounts, I can make transfers to accounts I own.  Again, this takes some planning, as I need to make sure the accounts the money will be paid into are not in my real name and that, as soon as the money arrives in those accounts, I transfer it to a second and third account, thus hiding the trail.  This takes pre-planning and a good network of people to move the money around and extract the cash.

Now to the email addresses and employee/customer data.  Much of this can be sold to others who are set up to use it for various schemes, like phishing to spread malware and build botnets.

I'm going to use it for advertising.  I have a program that will try to access all the email, social media and other online accounts by inputting the email addresses and passwords I stole.  Since 85% of people use the same password for everything, this should be very successful.

Once I access their (your employees' and customers') email and social media accounts, I'll harvest various data sets, like financials, to commit fraud.  I'll likely use the access to install ransomware, encrypting the users' hard drives and demanding payment of about $500 to provide the password to free up the data.  However, I'll also start impersonating the real account holder.

It's not really identity theft, as most call it; it's more like account takeover.

I'll send out emails and posts, comments and tweets as the true owner of the account, encouraging people to go to websites or click on links.  Why?  Because I get paid by advertisers to drive traffic to websites, with a bonus if I can get them to click on ad links (it's called performance marketing).

The payment ranges from $2 to $200 per sign-up.  So I take all the data I have, bounce through VPNs, proxies and TOR, and sign your employees up for teeth whitening ads, Netflix, airline miles, ringtones, etc.  All of which pay me cash, and the victims have no idea "how those companies got their details!"  On a good day, this will pay me $500-700/day.

Now for the other data: your intellectual property will go to the highest bidder, as there are always people interested in what new products your company has or the real numbers behind your earnings reports.  I will also extort you, offering to return the data if you pay me.  Of course, if you negotiate, it means the data is valuable, and I can use that when selling to the bidders on the underground.

The vulnerability I exploited will garner cash and an online reputation when I publish it.
Equally, the software and iTunes credentials can be sold or traded on the underground market, just as accounts on various online games like World of Warcraft have a special marketplace.

So let's see: because I stole data from you and your company, I (actually, me and the crew I work with) can:

  • Extort you, your company, your employees and your customers
  • Commit fraud against everyone's accounts
  • Sell or publicize your intellectual property
  • Impersonate everyone to drive traffic and sales
  • Sell the program I used to exploit the vulnerability in your system
  • Create a bot net to steal and monetize more data
  • Trade the data for services and build my hacker reputation
  • And if I want to, do some stalking, attack your reputation and/or spread corporate lies.

All this without actually applying myself and reading the stolen data to extrapolate other ways to use it, like stock manipulation or M&A activities.

The best thing about all this is that you will not try to come after me, because you are afraid of the reputational damage.  You might ask the police or FBI or some LE agency to chase me down, but that will take several years, and I may not live in a country where they have jurisdiction.

See, when most breaches or attacks occur, everyone talks about the data stolen and the cost to the company to fix the "hole", but no one talks about how I, the hacker, will use the stolen data.

A cyber attack's impact depends on the motivation of the attacker.

Crime is for money, espionage is for secrets, warfare is for destruction and activism is to embarrass.

The way the attack occurs (phishing, social engineering, malware installs, etc.) is likely the same, but what is taken and how it will be used is often dramatically different.  So is the response.  Most incident response deals with how the bad guys got in and stops there.  But that is only a fraction of the impact.

But then again, I'm the hacker; I encourage you to continue to do the same thing that has been done for the past 15 years when an attack occurs.  Just worry about how I got in and plug that hole.  I'll find another hole.

Right now, I’m busy making money off of what I stole.

Friday, January 30, 2015

The Perfect Cyber Security Firm?

What is the perfect cyber security firm? What does it offer?
This was a question asked of me at a recent talk with start-ups and people looking to get into the cyber security market.
My initial response was "I'm not qualified to answer that", but me being me (you would understand if you ever saw one of my talks), I answered the question.
First, there is no such thing as a cyber-security firm, because that assumes the firm is engaged in protecting "cyber", and after 15+ years I'm not sure what a "cyber" is.
A firm dedicated to the protection of information is a different animal. Such a company has to address several different client requirements, including:
  • Protect the data
  • Don't slow down business
  • Educate the employees
  • React to breaches
  • Find the bad guys
  • Explain how the attack happened
  • Fix it
  • Save the client money
Most companies in the "cyber" security space focus on the "React to breaches" business, as cyber breaches are no longer a matter of if but of when and how many times. For many this is a great money-making model and has been supported by mandatory audits, reporting requirements and legal risks.
However, that approach is limiting, and given the number of new security-related companies joining the mix, good or bad, the profit margin shrinks. Incident response relies on people/companies not knowing how, or not having the tools, to respond themselves, which is simply no longer the case.
Other firms sell equipment, software, hardware, or even claim to manage the whole security world for you, but again this is limited. Equipment and intel are only as good as the people using them. Likewise, a managed solution will require in-house action by the client or it is a pointless service. (Lack of employee action is always blamed on the service provider.) In addition, if you do not understand the business you are selling into, you do not understand which risks on the threat matrix really apply to them or how employees will circumvent your "fix".
The firms that will survive and expand need to change their focus.
Cyber/Information security needs to focus on information management first: what information do you have, why, who has access, and how do you know?
Understanding the business implications of information and of the security apparatus is equally if not more important than what type of firewall or IDS/IPS system is in place.
Clients do not often realize these two key elements, as the backgrounds and education of those in charge are narrowed to specific fields such as IT, sales, marketing, etc. Security touches all of those and is often a revenue generator for each if management and business principles are applied.
So, back to the question: the perfect information security firm would address all of the client's needs, starting with a business understanding and an information management focus, not a "sell my limited solution" approach.
The firm will offer threat intel that highlights the viable client risks amongst those threats. This information can be offered at low cost, as it is really a relationship builder.
Proactive security assessments that highlight potential issues, based on an understanding of the data controlled, the access to it, the monitoring and, most importantly, the business itself, are the growing trend. Companies need to know the risks in a language they understand so they can make informed decisions on how to address them.
Education or awareness programs go hand in hand with proactive assessments. These programs need to be tailored to the audience and personal in nature. In the "cyber" world, as it is misunderstood by most, personal relevance is the key to building secure practices. You learn to lock your doors because you do not want to be robbed not because your employer told you to!
Incident response needs to give way to incident management: the response is the first 24-48 hours, and after that management starts, which includes the investigation, remediation, communications (internal and external) and resiliency. Any consultancy firm needs to be able to walk its client through the whole issue and not just air-drop in, do some forensics and disappear.
Managed services is a new and tricky offering, because effectiveness requires spending time understanding the client's business processes and procedures rather than just applying some generic filters to the monitoring. Clients are looking for a turnkey solution, but unless the firm is handling five other companies in the same industry, the solution needs to be bespoke. In addition, managed services rely on a competent internal client resource to act on the information being provided. Clients need to be educated that a managed solution only works if the company is prepared to react to situations.
Remediation and resilience are the new buzzwords, because we all know "cyber" incidents occur and you have to be able to bounce back. Companies need sounding boards to, in essence, hold their hands and get them back to fighting strength. A firm that can offer its clients that sympathetic ear without gouging them on price will see return business. Offering general consulting contracts where the client can call anytime over the course of the year at a fixed cost per hour is one way to address this.
In my opinion, the perfect "cyber" security firm is proactive before the incident, responsive to the incident and reactive post-incident. Above all else, the consultancy business is based on personal relationships where you understand the client, their needs and what they want:
  • Protect the data
  • Don't slow down business
  • Educate the employees
  • React to breaches
  • Find the bad guys
  • Explain how the attack happened
  • Fix it
  • Save them money
Even if they do not.