Much of cybersecurity is based on thinking like criminals. Security consultants, pen testers and software experts make our computers safer based on their expectations of what a hacker will do. One security expert, Robert Hansen, CEO of SecTheory, is bridging the gap between blackhats and the professionals.
Hansen has been spending months delving into the world of the blackhat. Gaining their trust, he has been able to have candid conversations about hacking and security with the experts. He then blogs insights gained from these conversations. Hansen is trying to better understand the tactics, mindsets and motivations of a cyber hacker. In a recent post, Hansen says that most hackers do acknowledge that security features are doing well to make cyber crime harder.
A hacker's biggest problem is that hacking is not as easy as it used to be. It takes much more work to break into a site. Modern blackhats hack sites of particular interest that will yield a big payout. In the past, a handful of basic tools would allow them to hack any site. Now they all run the risk that once they send out a mule, it will be detected.
Hansen suggests that hackers should implement more botnet technology. “There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.”
For hackers, a botnet replaces much of the work of the hacker and increases the effectiveness of attacks. “So let’s say I’m badguy1 who wants to break into one or more companies of interest. Sure, I could work for days or weeks and maybe get into one or both of them, but at the risk of tipping my hand to the companies and there’s always a chance I’ll fail entirely. Or I could work with badguy2 who has a botnet. I could simply give a list of IPs, domains or email addresses of known targets to the bot herder and say that instead of paying a few cents to rent some arbitrary machine for a day, I’ll pay thousands of dollars to get a bot within the company I’m actually interested in,” said Hansen.
Hansen also sees a future where hackers hire botnets. A hacker looking to infiltrate a specific network would not spend weeks hacking one machine in that network, looking for a weak spot and potentially raising the suspicion of the company’s security team. Instead, they would hire a botnet, provide a list of server IPs and be in. Once a botnet has infiltrated a computer, it remains there until detected. So, let's say a company continues to grow and its property stays in its location: the hacker prospers. Now let's say that an infiltrated company fails and is bought by a few other companies. The old infected computers go to the new companies, and the one botnet has increased its value even more than in a successfully growing company. There is no way to lose if you are a hacker. It creates an evolutionary flow of money between criminals using technology more advanced than most can understand.
Although the hackers that Hansen talked to do not currently use this model, there are no indications that it has not been used, and used successfully. For businesses, this presents a scary look into the future of cyber crime, where the value of a large botnet for executing DDoS attacks or extracting valuable data from the compromised machines could be multiplied hundreds or thousands of times.