Reverse Deception: Organized Cyber Threat Counter-Exploitation (57 page)

To determine why your network is a target, consider what it is that you are protecting. Once your enterprise is identified as of value, it is subleased to the highest bidder or closest of partners (foreign intelligence services—just think of them all). This is an everyday occurrence and one of the primary reasons this is an over $30 billion per year industry. Here is a short list of types of organizations that may become targets:

Any organization that has valuable data

Large organizations with rich, copious, and highly salable data (such as intellectual property that can be monetized or strategic political information)

Organizations that are trusted by the target

Strategic vendors and business partners

Local or remote offices of a large organization, where security is generally weaker than at the primary sites

Sadly, everyone is a target simply due to the fact that we are all plugged into the Internet and cyber crime, espionage, and warfare are so common. This has been an ongoing issue for well over two decades. Not many of the world governments make a stink out of it because, whether they acknowledge it or not, cyber espionage is the best way to prevent kinetic warfare. When it comes to cyber espionage, if your adversary can dive into all of your secrets without performing any type of kinetic warfare, the aggressor is able to gather knowledge and counter the victim organization’s goals and initiatives. Using cyber espionage rather than human operatives allows you to hack your way into systems directly, or use a third party to do it for you, and remain almost anonymous, minimizing the attribution to your mission or objectives.

Evolution of Vectors

Twenty years ago when the Internet was still in its infancy, before global public availability, the injection vectors were simple remote or local exploits, and there were no platforms such as enterprise security devices. The Internet was created by a group of government and civilian scientists who believed that the Internet would become something of wonder and enable people around the world to share information freely, and the world would prosper. Well, some of that dream came true, but most of it did not.

Over the past few decades, the ability for criminal operators to move from physical crimes to cyber crimes has increased drastically. You can make a lot more money much faster and increase your ability to get away with your crimes for a very long period of time without getting caught—if those crimes are planned properly.

Criminals who plan more than others last a lot longer in the game. As there are so many books and online resources that talk about these vectors in depth, we will simply present a short list of key avenues of approach used by criminal groups who distribute and operate cyber-criminal networks (listed in no specific order of severity).

Hacked high-volume websites
High-profile news, e-commerce, vendor, and freely accessible websites are embedded with malicious code that redirects and/or attempts to infect each visitor. The higher volume the website, the more it is worth. A short campaign, even if it’s effective for only a few hours, could potentially infect thousands of visitors. An example is when the Drudge Report was infected via malvertising, and every visitor who was vulnerable to the exploits uploaded by the criminals was capable of infecting millions of victims in a single day. This is not the case with lower ranking sites that do not generate as much Internet traffic.

Embedded in digital devices
There have been several instances where malicious code has been found embedded and directly added to a digital device. These are devices such as external hard drives, network devices, flash drives, digital photo frames, and even chipsets.

Embedded in software suites
There have been numerous accounts of freeware and shareware not being so free because unsuspecting individuals became the victims of a criminal campaign. These attacks may employ rogue antivirus suites that are embedded with a Trojan or some form of ransomware (malware that locks down a system and allows the criminals remote leverage over the victim, logically holding the victim’s system hostage until the criminal’s demands are met).

Social networks
There have been numerous criminal campaigns over the years to infect victims through the use of social engineering. The criminals exploit accounts and the trust of individuals to have them click links to redirect and/or infect victims daily.