Australian Cyber Security Magazine, ISSUE 7, 2019

Page 70

Cover Feature

Monitoring threat actors

A concerted effort to understand your adversary improves your cybersecurity posture

By Maryam Jafari Lafti Ph.D. and Jamie Lee MacDonald

The underground cyber-criminal economy is a mature and complex ecosystem with threat actors constantly adapting and innovating their strategies in order to profit. The market for cybercrime-enabling tools, services and jobs continues to expand and is increasingly accessible. This has significantly reduced the barrier to entry for individuals with lesser technical skills and those who are willing to assist in the execution of cyber-attacks, thus creating revenue-generating opportunities for the many players involved.

Underground marketplaces provide an array of offerings, including hosted attack infrastructure, malware and exploits, and various types of cyberattacks, as a service. Highly capable malware developers demand a premium for their wares, followed by resource and infrastructure-intensive offerings, such as dedicated fast flux bulletproof hosting and sophisticated proxy services, which enable broader cyber-attack campaigns.

Additionally, these marketplaces encompass a flourishing job market, with recruiters and job seekers offering functions that span a range of skillsets and pay. Higher risk jobs and those requiring advanced skillsets demand higher pay, while unskilled jobs pay less. Examples of jobs on the unskilled end of the spectrum include CAPTCHA solvers and local advertising for cybercrime group channels on secure instant messaging services such as Telegram. On the other end of the spectrum, insiders at major financial institutions who can aid in planting malware on banking systems, stealing sensitive financial data, or committing and covering up fraudulent acts, demand a hefty sum for their services.

The underground economy is a varied but interconnected ecosystem, operating based on the foundational principle of supply and demand, but also influenced by developments in the environment in which it exists. Criminal tools and services only remain popular while they are profitable or useful, but disappear otherwise. A more effective competitor, a change in threat actor preferences, or security controls that render the tools or services obsolete will have a dramatic impact on the market. Understanding the dynamics of this economy is pivotal to developing sound cybersecurity strategies that not only protect organisations, but also contribute to disruptive influences on cybercrime operations.

The complex nature of the underground economy and gaps in visibility into its operations present obstacles to constructing a macro-economic analysis of cyber-criminal enterprises. This has often led researchers to focus on a micro-economic perspective, highlighting the price of individual cyber-attack offerings and estimation of potential profits for threat actor(s) made by enabling or partaking in attack campaigns.

To gain a better understanding of prevalent economic relationships, we set out to investigate cybercriminal activities through a business lens. Our research sought to compile information about the most commonly used tools and services sold, their average cost, and the combination of components required to operate real-world cybercrime enterprises. Based on this information, we were able to examine and compare these enterprises to determine which are the most affordable — both from a cost of entry and routine operations standpoint. Finally, we overlaid the extracted insights with observed threat activity trends to draw a clearer picture of the common business models adopted by threat actor(s) and