Most of the stereotypes that come to mind when thinking of a hacker are inaccurate, outdated and borrowed loosely from some Hollywood production. Hackers are far from being pimply juvenile delinquents with Asperger's and boring day jobs who moonlight as geeks. The real faces of teams causing billions of dollars' worth of damage through cyberattacks are very different.
What we’re seeing is a sophisticated underground crime world of cybercriminal gangs dangerous enough to teach some of the most organized crime syndicates a thing or two. But that’s only one aspect of this thriving industry. There are also white hat hackers, known as ethical hackers, who work behind the scenes to prevent security breaches. The problem is that the industry remains skeptical of these hackers when they may be our only route to cyber salvation.
The real cost of cybercrime
Cybercrime is rampant and impossible to ignore. In fact, it is now a multi-billion dollar industry. A recent Ponemon report found that in 2014, data breaches cost businesses on average $3.8 million per breach. As if that isn’t bad enough, another report estimates that by 2019 cyberattacks will cause $2 trillion in damage, amounting to four times more than the estimated cost in 2015. One of the main reasons for this is the evolving nature of cybercrime. After all, the face of cybercrime is changing from attacks carried out by lone wolves to an increasing number of operations run by crime syndicates (leaving nation states aside for now).
It’s the fact that these attacks are carried out by highly organized groups that makes them so terrifying and costly. One estimate suggests that as many as 80% of attacks are carried out by sophisticated crime rings that work together and share data and resources openly. Attacks carried out in this way tend to be more effective, causing far more damage than was ever imaginable.
Perhaps the best way to understand the true extent of the threat from such cyberattacks is to consider that the largest bank robbery in U.S. history saw $30 million being stolen while the annual cost of cybercrime is estimated to be a staggering $445 billion. Cybercrime has quickly become one of the most profitable forms of criminal activity.
The allure of the black hat
Most hackers start off harmlessly enough, but the adrenaline rush that comes with breaking the law, combined with impressive pay cheques, is soon too hard to resist. The reality is that it pays to wreak havoc online. One black hat hacker, for example, claims to make between $15K and $20K per hour. With the right skill-set and a good understanding of the darknet, even a newcomer can cash in nicely. A study conducted by Trustwave estimated that using basic ransomware that targets 20,000 users every day, a hacker could earn about $3,000 daily which, after expenses, amounts to a monthly income of $84,100. Not bad for a month’s work.
Despite the illegalities and questionable ethics surrounding most black hat hacking, what’s interesting is that many of these cyber syndicates are run like any other business. The main difference, however, is that because they’re part of the underground economy, they’re forced to find clever ways to get paid for their nefarious services without getting caught. Many resort to Bitcoin, which is decentralized, unregulated and largely impossible to trace. Other popular services used by hackers include Western Union, Cryptocheck and MoneyGram. While cash is still the preferred choice, some hackers will accept payment in the form of stolen data, gift cards and even drugs.
In many ways these cybercrime syndicates are mafia-like in nature, with a complex hierarchy designed to ensure smooth hit-and-run-like attacks. While very few of these syndicates work in the same way, they’re all characterized by their sophisticated inner workings. Some will resort to selling their malicious software, from malware and trojans to bots, on secret forums. These forums are often only accessible to other hackers. Another common approach is for a cyber gang to rent out their exploit kit for a specific period of time. Prices range anywhere from $30 to $500 or more, depending on the time period and the type of exploit kit.
Every cybercrime syndicate has its own unique business model - you have to love how organized they are. Some offer exploit kits for free, and in exchange the customer has to share a percentage of the malware traffic with the hackers. Then there are hackers who use ransomware, which forces a person whose computer has been compromised to pay in order to gain access to any lost data. These tend to be very successful, with hackers often demanding the ransom be paid in Bitcoin. From fake freemium antivirus software to offering to create custom malware, anything goes on the darknet.
Black hat hackers have mobilized in a way security experts never thought possible. The frightening reality is that these gangs are continuously evolving, and we see them executing increasingly sophisticated attacks. This raises the question: how are we ever to fight against this threat? Enter white hat hackers.
Not all hackers are bad
White hat hackers, who break into security systems in order to find vulnerabilities and get them fixed, could be our best defense. After all, who better to ensure an organization’s safety than a security expert who thinks like a hacker? But many organizations still remain skeptical. There is, after all, no way to ensure these so-called ethical hackers use their skills for good. For many organizations, that’s simply too costly a risk to take.
While many ethical hackers do charge upwards of six figures, there is often more money to be made as a black hat hacker. Companies like Google, for example, run bug bounty programs where they award prizes of $50,000 to hackers who spot security flaws in their software. This is in an attempt to improve the software, and to encourage hackers not to sell details of these weaknesses on the black market. While it sounds like a great way for a skilled hacker to make a living, it’s far trickier than that. These companies only pay out on a first-come, first-served basis, which means that if someone else spots a security flaw first they’ll receive the award. Most ethical hackers see these hunts as a fun side-gig, nothing more.
Regardless of the need for such professionals, many organizations are not ready for what ethical hackers have to offer. We hear of enough cases where white hat hackers notify companies of security flaws, only to then be accused of trying to hack into the company’s systems.
TRUE STORY: In August 2014, CyberInt discovered that threat actors had managed to penetrate Samsung’s internal servers. Although our security team notified Samsung of this, there is no clear evidence that Samsung did anything about it. We have no idea why. Do companies distrust the whistleblower or simply not know what to do with this information?
August 2014 - Shell Access to internal server found on Twitter by Argos
Are we scaring the wrong hackers?
Ethical hacking could very well be one of the best-paid and most in-demand professions of our time. But we still have a long way to go. Many of the negative connotations and false assumptions surrounding ethical hacking need to change, and organizations must learn to embrace this new generation of hackers.
For the record, ethical hackers are subjected to stringent security checks which focus on online activity as well as the hacker's background. Many organizations also require hackers to have some official certification before they'll employ them. The fact that these security checks are ongoing, coupled with the impressive pay, is seen as reason enough to keep ethical hackers on the straight and narrow. All things considered, it really does pay to be a white hat hacker.