Think you can spot a Cyber Criminal? Think again.

By Mark Cutting. Categories: Analysis, Investigation, Network, Patching, Risk, Security

Think you can spot a Cyber Criminal? Think again. Cyber Criminals do not live up to the stereotype we have grown accustomed to, the one convincingly portrayed in films as breaking into high profile organisations using state of the art technology. In reality, it’s a lot less glamorous and exciting than the movies. If you consider the effort that is often involved in compromising the intended target, the process is far from action packed. The reward for the Cyber Criminal, however, is paramount, and he or she will never lose sight of this. The dark web market for data stolen from organisations is rapidly increasing, and a significant profit can be made from such activity.

How did Cyber Criminals evolve?

Here, we take a look at how Cyber Criminals evolved and broke free from their geeky personas into the advanced cyber criminals they are today. Years ago (and I’m perhaps showing my age here), Cyber Criminals were considered as being along the lines of Linux and Unix fanatics – long hair, beard, glasses, and sandals. Very much a 70’s look, and somewhat stereotypical. Hackers in the 80’s were seen as nerds or geeks with big teeth, big glasses, zero charisma, and no social skills when it came to dealing with the opposite sex (think Napoleon Dynamite). They were often the target of “bigger boys”, who made their lives intolerable.

Between the 90’s and 00’s, “hacking” suddenly became cool thanks to films like The Matrix. Almost overnight, three-quarter length coats, shades and boots became essential attire if you wanted to look like a Cyberpunk. Of course, the colour had to be black to finish the look.

Now here’s the truth. Cyber Criminals do not look like something out of Lynyrd Skynyrd, Bill Gates as a teenager, or Neo from The Matrix – they look like ordinary people – ordinary like you and me. The chance of you hand picking a Cyber Criminal out of a crowd is virtually zero.

Criminals are often very intelligent individuals, and should not be underestimated in terms of their abilities. After all, they’ve found a way into your network and stolen gigabytes of personally identifiable data, and dumped it onto Pastebin for everyone to see. If they breached any point of sale terminals or other payment systems, they’ve possibly also taken credit card information and will sell this data to the highest bidder. Another point is education. Hackers are not a dumb bunch – some of them have had top tier education, and obtained recognised qualifications. Having said that, do you think Cyber Criminals sit exams such as CISSP, CISM, or OSCP?

The answer to this is a firm no. In fact, you’ll probably find that a Cyber Criminal knows far more about breaking into a network than you know about securing it. Take the recent high profile breaches and their success level (bearing in mind that the perpetrators are still at large), and then consider the accreditation curriculum.

Certainly makes you stop and think. I personally do not carry any accreditation, and this could be seen as a defensive stance. In fact, it’s quite the opposite. Had I been twenty years younger when cyber security became the “next big thing”, I would have gone down this route myself – you could make an absolute fortune out of providing training for certification. There are several discussions on LinkedIn and Reddit around this very topic. However, I’m at the stage of life where I don’t want to reinvent the wheel and would rather teach others the real world skills, knowledge, and proven techniques needed to fortify and secure their castle. I’m not looking to cast doubt or be dismissive of these qualifications, as I do believe they add value if you are looking to get past HR departments and those employers who seem to insist on academia over experience. My question is how much of this “information and training” can really be used in the real world?

The answer? Not much.

What I am alluding to here is that a Cyber Criminal possesses skills you cannot buy – knowledge and experience. Some of the best Cyber Criminals known are extremely creative, and those who have decided to work on the right side of the law have become white hat penetration testers, and are the cream of the crop when it comes to cyber security and the associated awareness requirements.

Why are Cyber Criminals so successful?

With this knowledge and experience, a Cyber Criminal becomes a formidable force to be reckoned with. The best Cyber Criminals are those who enter and leave a network without being detected, with the modus operandi then described as a “sophisticated attack”. But how “sophisticated” is the attack in reality? Is this terminology being overused to hide inefficiencies in security, or to make the Cyber Criminal sound like they breached Fort Knox? Either way, we’ll never know the full extent of any breach, and there are always elements of an attack where an organisation will not make the full details known publicly due to the potential client confidence impact and loss of business, or a similar vulnerability being leveraged against another key system. Hacking isn’t always about financial gain either. Many attacks are born out of several reasons, but if not financially motivated, are often political or state funded. A Cyber Criminal can be motivated by something they read about, which then becomes the focus of their attack. In most cases, this type of attack is usually DDoS based, and is designed to wreak havoc in terms of performance, availability, and in essence, damage credibility.

Knowing what to hack is a skill on its own, and actually breaching a defence is a “kudos” in the underworld community. As a Cyber Criminal, you have to understand how systems work in the first place before you can exploit any vulnerabilities in them. Seasoned criminals are known for their ability to leverage a buried vulnerability in a system – one that you did not even know existed – until it is used against you to breach your environment. Also consider the lengths a Cyber Criminal will go to in order to gain access. Applications that are reverse engineered look innocent on the outside, but once executed, the intended target becomes compromised and can be controlled remotely. A similar principle is used when downloading legitimate software from a compromised site. Effectively, you land up with more than you bargained for as a result of a drive-by download.

Who do Cyber Criminals target?

Criminals do not just use technology. They exploit its benefits, are exceptionally adept at social skills and can engage someone they have never even met, convincing them to hand over substantial amounts of money without fear of reprimand. This nefarious activity is mostly associated with cyber gangs targeting individuals, known as “soft targets”. The so-called “soft target” can arrive in various forms, but is often an individual exploited owing to their trusting nature – typically on business and emotional levels. The true identity of the criminal is rarely divulged, and within the consumer sector, this activity often goes unreported and ultimately undetected, as the victim is too embarrassed to admit they’ve been duped.

Still think you’d be able to spot a Cyber Criminal given the above? I doubt it. Cyber Criminals are years ahead in terms of ability, and attitudes around upcoming and established talent need to change in order to tackle this increasingly powerful and damaging phenomenon. By attitudes, I refer to actually hiring talent with experience rather than accreditation. Without this change, we are simply running on a huge hamster wheel and not addressing the core issue.

What’s your view?

 

About the Author
Mark Cutting


Mark Cutting is the founder of Phenomlab.com and Inocul8r.net. He is a network, security and infrastructure expert with more than 27 years service in the Information Technology sector. Mark has a significant eye for detail, coupled with an extensive skill set. Having worked in numerous industries including trading, finance, hedge funds, marketing, manufacturing and distribution, he has been exposed to a wide variety of environments and technologies alike.

Mark Honeycutt
Member

It’s much easier to spot a cybercriminal through their code or exploitation methods than the clothes they wear or the hardware they own. I’m intrigued with cyber forensics, malware analysis, etc., because there is a rhetoric there — a pattern of “communication” — a “voice” — that coexists with each individual. Hmm…that sounds like an excellent research project!

Marc Kisner
Member

Hi Mark – I enjoyed reading your article and agree in general that a certification cannot replace real world experience, knowledge and true capability. What I would say is that certain certifications such as OSCP, OSCE definitely test your hands on practical skills and require a lot of background research and practice to gain the knowledge and ability needed to pass that particular exam. The exams are also very much hands on and test the ability of a candidate to compromise a certain number of systems in a time period of 24/48 hours and then write up a pen test report. I think it’s a good indicator or snapshot of ability that one could survive on the real world battlefield with continued research and practice etc. Nothing will ever beat real world knowledge, experience and true capability.