When people conjure up the image of a Cyberattacker, what very often comes to mind is someone wearing a hoodie, sitting in a dark room hunched over five monitors. But while this could be true to some degree, this is really not how Cyberattackers truly operate. Of course, he or she will want to keep their tracks as covered as possible, so that they can evade detection. But believe it or not, the Cyberattacker of today often thinks like an entrepreneur when they plan to launch an attack, or even attempt to form a Cyberattacking group of sorts.
So what goes on in their mind, you are asking? Well, here are some clues to it:
1) They try to find the markets:
In the old days of hacking, the goal of the Cyberattacker was to launch what is known as a “Smash and Grab” campaign. Meaning, the goal was to get in by any means possible, get whatever they could, and run off into the distance, with hopes of not being caught. But today’s Cyberattacker takes a unique approach. Just like entrepreneurs, they study the kind of market that they can get into. In other words, what fits the profile of a potential victim? Once this has been figured out, the Cyberattacker, using open-source tools such as Social Media, then tries to find their victim. But keep in mind that there are many other tools out there in the public domain that can be used, such as “OSINT”, which stands for “Open-Source Intelligence”. Also, it may not be an individual that they are trying to target; it could even be a business. Or worse yet, the Cyberattacker may have even been hired by someone on the Dark Web, or through other covert means, in order to launch an attack.
2) Creating the product/service:
Once an entrepreneur has an understanding of the market that they want to get into, the next step is to create or further develop a product or service that will meet the needs and demands of prospects. In this case, once the Cyberattacker has figured out their victim, their next step is to determine their weapon of choice. For instance, will it be a Phishing Attack? Or one that involves Social Engineering? Or perhaps even a Ransomware Attack launched to steal information and data?
3) Getting the funding:
As the entrepreneur is now finalizing the business plan, the next thing on their mind is to figure out how to get funding to launch their brand-new product or service. There are two ways they could do this: either tapping into their own savings, or reaching out to investors. In the case of the Cyberattacker, their goal here is to figure out how they will get the means to launch their Attack Vector. For example, will he or she be joined by other Cyberattackers in an effort to pool resources, or will they go at it solo? The goal here, just like for the entrepreneur, is to keep costs as low as possible, primarily to avoid raising red flags. So, they could hire a service on the Dark Web that could launch the attack for literally pennies on the dollar (the most popular one in this regard is “Ransomware as a Service”). Or, the most preferred method is to take the profile of an existing Threat Variant and modify it in some fashion so that it will be deadlier. In other words, building a better mousetrap.
4) Launching the product/service:
Now, once the victim (the target market) has been selected, and the funding has been secured, the next move is to launch the actual Threat Variant in order to achieve the desired outcome. Most likely, it will be an attempt to heist login credentials, or exfiltrate data that can be used to either sell on the Dark Web, or even launch a Ransomware Extortion Attack. But, just like the entrepreneur, if things are not going as planned or expected on the initial launch, they will shift strategies in order to gain what has been planned. In the case of the Cyberattacker, it would be to stay as covert as possible.
5) The continuation of the marketing:
Once the entrepreneur has reached a point of some stability and has actually achieved sales on their new product or service, their next goal is to keep up with the marketing strategies, or even tweak them further, in order to generate more prospects, which in turn will lead to more sales. This is also true of the Cyberattacker. Once they have launched their Threat Variant, found a way in, and remained as covert as possible, their next objective would be to move across the IT/Network Infrastructure in a lateral fashion to see what they can steal. For example, it could be trade secrets, other sorts of confidential documentation, or even Intellectual Property (also known as “IP”).
6) The next wave:
For the entrepreneur, once they have had a successful launch of their product or service, the next thing for them is to figure out what to produce next. Most likely, since funding and resources will still be rather tight, they will take what they have already created and attempt to add more functionalities to it, perhaps even to serve a different market entirely. The same is true for the Cyberattacker. Once they have achieved what they wanted to get with their Threat Variant, they will want to add more to it to make it not only stealthier, but even deadlier as well. In this case, it is quite likely that they will even target an entirely new victim.
My Thoughts On This:
What I have detailed in this blog is the basic model that a Cyberattacker could potentially follow. All of the steps may not be followed. But the bottom line here is that, just like when launching a new business, a lot of time is spent these days trying to figure out how to do it right the first time. The same is also very true of the Cyberattacker. They now take their time to carefully profile and target their victims, in an effort to strike them at their weakest point when they are the least aware of it.