While not everyone considers economics when analyzing cybersecurity issues, the impact of economic pressures and efficiencies drive defenders and attackers alike. Consider the concept of the division of labor, which is the separating of worker labor or machine production processes needed to produce something into smaller and distinct sub-tasks.
As markets mature, it's common for businesses, individual workers, and the tools and technologies we create to specialize. This specialization enables a focus on specific aspects of the production process and for efficiencies and productivity to increase. The division of labor is witnessed across history and societies, and, as it turns out, active adversaries are also driven by such economics.
In recent years, active adversaries have turned to such specialization when targeting organizations. They're compartmentalizing tasks used for initial compromise, lateral movement within target organizations, ransomware development, and more. That's because not everyone can excel at all functions for successful compromise. For example, a threat actor who excels at social engineering may be unable to craft workable malware or software exploits. By selling and consuming the services of others, attack efficiencies are optimized.
Wim Remes, operations manager at Belgium-based cybersecurity advisory firm Spotit, says this becomes obvious when looking at different threat actors. "There is significant data out there that shows that some groups focus their efforts on initial access,” he said. “When they gain access, that access is resold to other groups that will perform the post-exploitation activities such as lateral movement, data exfiltration, or conduct ransomware attacks."
Recent research from the Sophos X-Ops Incident Response team underscores these evolving aspects of cyber threats and, ultimately, the necessity for organizations to adopt comprehensive, adaptive security strategies that can protect against an increasingly sophisticated threat actor-driven "industry."
What the Sophos X-Ops Incident Response team uncovered about how active adversaries successfully compromise organizations with their attacks is telling. For instance, active adversaries use compromised credentials as their primary entry point. Compromised credentials accounted for 50% of incidents the Sophos X-Ops Incident Response team studied.
In many cases, attackers offer specialized services to other criminals as part of the overall cyberattack process. "Attackers are quite organized in how they operate. The team that does the initial surveillance can be different from the one that gets the initial foothold, while another team performs the lateral movement. Another team performs data exfiltration and ransomware activity. Some of the activity across the different teams is automated while others are manual," explains Remes.
Such division of labor is standard among ransomware gangs. Here, it will include initial access brokers who specialize in the initial breach, and they will market and sell that access. Then, the malware developers create and maintain the malware behind the ransomware. The affiliates then deploy that ransomware but don't write it. Finally, there are even criminal gangs that specialize in the laundering of ransom payments.
Here are some of the specialized skills active adversaries engage in as services sold to other attackers:
Social engineering, phishing: Active adversaries use social engineering skills to trick users into clicking on links they shouldn't, divulging confidential information (such as the sharing of a password or even confidential data), and even providing credentials that can be used to log into applications and services.
Malware Development: Some active adversaries specialize in creating and selling malware, including ransomware. Ransomware platforms encrypt the victim's data and demand payment for the decryption key.
Distributed Denial of Service (DDoS) Attacks: Botnet owners will install their bots on endpoints and then rent or lease access to the botnet so that others can launch distributed denial of service attacks for a fee.
Software exploit development: Threat actors who can develop malware and software exploits will do so for hire, or they will develop exploits and sell them in marketplaces. These exploits can be improvements on existing toolsets or newly discovered zero days.
Initial Access Brokers: These threat actors breach systems, gain a foothold, and sell that access to other attackers or groups that will further exploit that access.
Each of these capabilities requires different sets of skills, and through collaboration, threat actors can increase their efficiencies. And they can do it through the division of labor just as workers and businesses do worldwide.
But it isn't just the division of labor where increased operationalizing by active adversaries can be seen. They're also maturing their organizations in other ways, according to John Shier, field CTO at Sophos.
"Not only do they conduct themselves professionally and partner with other criminals and criminal partner networks, but some of these groups are also maturing their internal networks, have managers and key performance indicators, and their own HR departments, complete with bonuses," Shier said.