Henchperson wanted: Must have Java, C++, signature villain cackle
RSA 2016: Cybercrooks, much like ethical security defenders, are facing a skills crisis and difficulties in recruiting qualified staff.
Their attempts to bring workers into criminal organisations leave it possible for experts to learn more about their strategies and tactics, according to new research from threat intelligence firm Digital Shadows.
Kingpins behind cyber-fraud need an ecosystem of malware writers, exploit developers, botnet operators and mules in order to build a business that turns a dishonest living. However, finding individuals who can be trusted is difficult and requires a rigorous application procedure.
Running against their desire for anonymity, many cyber criminal organisations have been obliged to adopt traditional, real-world recruitment techniques.
These tactics include posting standalone job ads on general purpose forums or by using specific job boards to seek out talent.
Once candidates apply, they are put through an application and vetting process. Hackers face the challenge of weeding out “script kiddies”, who possess few legitimate technical skills and can waste limited resources, as well as the need to guard against potential infiltration by law enforcement agencies or security researchers.
All this is not too dissimilar to corporate cybersecurity hiring challenges.
Due diligence is required to ensure that the proper candidates come through the process.
Script kiddies, who possess no legitimate technical skill, must be screened out by a rigorous process that ensures recruits are up to the task.
There are many instances of recruiters asking for application forms – some even offer an application template, according to Digital Shadows. Just like in corporate cyber security hiring, bringing the wrong candidate on board wastes limited resources.
Honour among thieves
Reputations are even more important to cyber-criminals than they might be to legitimate businesses, who would be prepared to train up less-skilled individuals. On the dark side, by contrast, there’s a desire to hire people who will be “productive” from the get-go and a desire to weed out chancers and clueless script kiddies.
In practice, cybercrime gangs frequently use Skype to conduct interviews. However, groups often require that the users’ voices are masked, video is turned off and traffic is routed through a service like Tor.
The precautions are needed in order to provide a degree of anonymity.
Some crime groups – which, as in the past, mostly hail from eastern Europe and Russia – require that new recruits serve a probationary period, similar to common practice for techies starting work with legitimate corporations.
These varied hiring practices can be a source of useful intelligence to the “good guys”.
The information contained in cybercrime job ads can give organisations real insight into attackers’ motivations and tactics.
Digital Shadows’ research initially involved harvesting intelligence by spidering the dark web and open web (forums and paste sites).
Analysts then evaluated this data, which was drawn from cybercrime forums and similar sources written in Russian, English or German.
The research is skewed towards cybercrime groups. Looking for signs of nefarious activity by government intel agencies and military groups was beyond the scope of the study.
The research was released on Tuesday at the RSA security conference in San Francisco.
Showing their hand
Researchers were able to glean intelligence on a group’s tactics and capabilities from their adverts.
For example, if they are looking to hire people who can run DDoS attacks, then it stands to reason that swamping targeted websites with junk traffic is one of the tactics they are likely to deploy.
The same goes for organisations looking for people with the capability to mount social engineering attacks, or the coding skills to run cross-site scripting or SQL injection attacks. Knowledge of Java, Python and C++ is sought among would-be recruits in some cases.
Social engineering skills are frequently required.
Cyber criminals must balance operations security (OpSec) and their ability to recruit – too much OpSec may result in a failure to identify suitable candidates, so cyber criminals are obliged to expose themselves to some scrutiny in order to recruit.
Too much OpSec leaves little time to identify qualified candidates, so cybercriminals are obliged to make compromises in their race towards profit.
Stolen information, particularly carding details, is a perishable commodity, so crooks need a team that can move quickly, meaning they can’t do everything themselves and are constantly obliged to bring in fresh talent.
Criminal organisations need a decent roster or they will be left unable to carry out cybercrime at scale, hence the need to recruit a substantial number of people over a tight timescale.
During the recruitment process, attackers can leave behind clues that defenders can take advantage of to build resiliency into their security programs.
In specifying the skills they are looking for, hackers are essentially showing their hand.
In some circumstances, defenders might find specific details about attacks targeting their organisation, while in others they might find general attack trends that could bolster their defences.
Rick Holland, Vice President of Strategy at Digital Shadows, told El Reg that occasionally cybercrooks are looking to recruit people who have access to a particular environment. “Cybercriminals are more like us in the corporate world than we’d like to think,” he said.
Holland said potential recruits are motivated primarily by money but also get involved in illicit activity in order to show off their skills. Occasionally crooks are trying to turn insiders to their own nefarious ends. One advert featured in Digital Shadows’ research sought help in intercepting money transfers, and was pitched at potentially corrupt or disaffected insiders.
This ad was the exception rather than the rule.
For the most part crooks are going for “low hanging fruit”, straightforward ways to make an illicit profit.
“Getting the basics right, like setting up an app security programme and applying two-factor authentication, can really help businesses in defending against cybercrime groups,” Holland concluded. ®