7 Habits of Highly Effective Cyber-Criminals

Photo by Markus Spiske on Unsplash

Yes, there are habits of highly effective cyber-criminals use to be successful! We can leverage the knowledge of these habits to better prepare, defend, and attribute attacks.

To understand where these habits were first observed, we must go back to the point where the Internet explosion was creating the opportunity for new criminal enterprises. Why back in 2002ish, Rob Thomas and I were chatting after a night of tracking what people now call the “dark web.” We noticed interesting patterns emerging in the behaviors of the miscreants who interacted on the Dark Web. We noticed there were clueless miscreants doing things which would get them caught, have their tools exposed, and be victimized by other miscreants. We notice a distinct contrast with the really smart miscreants. These were people who were careful, methodical, followed patterns, stayed focused on a goal (a criminal goal), and worked toward clear end goal objectives (i.e. making money). We wondered if the clueless might learn from the smart ones. We know the smart ones keep getting better, following key habits which made them successful Internet criminals. It was a dangerous foreshadowing of what Rob would label the “Miscreant Economy.” Rob and I started listing these observed principles. There were only a few, common sense habits which we identified. The scary joke was that if the clueless miscreants followed these “7 Habits,” they too could be effective “cyber-criminals.”

We started to map these habits as part of a tracking tool for the ‘miscreant economy’, but it turned out that these criminal habits had a dual defensive function. The “7 Habits of Highly Effective Cyber-Criminals” provide a criminal behavior pattern that can be used to deter criminals. Leveraging criminal behavior profiling or threat actor profiling is not a new principle minimize risk. It is well known that street lights, locked doors, and many other factors deter crime in a neighborhood. The same is true on the Internet. What also became a surprise is during postmortem work with organizations who have been victimized, a review of the “7 Habits” open CxO’s eyes to obvious practices which would have deterred criminal interest.

These “7 Habits” also illustrate why they are attacked and why they are not attacked. Not being attacks does not mean that there is no risk. It often means that a criminal has not figured out how to monetize (follow the money) in a way that they don’t have to “work too hard” and “not get caught.” The risk might be there, but creative criminal entrepreneurs have yet to find the right angle. When they do …. BLAM! For example, during one ‘Executive” session with a Telecom company’s leading execs, the exec expressed confidence in how their network is “secure.” They based their confidence in data which showed they were not targeted. The objective of the session was to walk through how easy it was to “take out their network.” Once the shocking session was over another question was put forward, “If you knew I can do this to your network now, and I asked you to move 1 million to a bank account within the next 12 hours, how would you make that happen?” The room of CxOs sat stumped. “Exactly! You are a large telco with very bureaucratic processes. The criminals know that. Sure they could easily attack you, but without a way to “monetize,” it would be a waste of time and effort. In essence, their “security confidence” was skewed by the lack of criminal creativity. Attacks would begin once a criminal business model was created. Until then, the network’s risk remains. What did the Telco do? They used the “7 Habits” and many other tools to transform the security posture of their organization. Today (over a decade later), they are known for their top security posture and practices (now all the other Telcos in the world need to adopt the same intense “always expect an attack” security posture).

What follows is an expansion of the “7 Habits of Highly Effective Cyber-Criminals.” This has been taught in presentation format for over a decade in tutorials for Telcos & ISPs. Today’s Operator’s Security Toolkit workshop uses it as part of their risk assessment model. It is shared here to allow others to use it as a tool for their security posture.

Essential Criminal Principles

There are key essential principles to a successful miscreant (i.e. cybercriminal). In many ways, these principles are not new. Law enforcement continually studies criminal behavior and habits. What we have seen with the massive Internet explosions a mirroring of miscreant behaviors from the physical world to the Internet world (note that in many ways they are now one in the same).

These miscreant principles need to be understood by all Security Professionals. They help scope the risk to their organization. Understanding allows one to cut to the core concerns during security incidents — why are we being attacked. For example, what are people trying to monetize? Is the attack a distraction? Did the attackers to everything in their power to not get caught? Conversely, there will be a mitigation of risk if you set up your organization’s security defense to make it easier to catch the attackers or make it too hard to attack a critical service. The principles of “do not get caught” and “don’t work too hard” are habit/behaviors that if you know them can be turned against the miscreant.

In essence, attacking the dynamics behind these principles are valuable tools to disruption of the Miscreant Economy. What are these principles?

1. Don’t Get Caught
2. Don’t work too hard
3. Follow the money
4. If you cannot take out the target, move the attack to a coupled dependency of the target
5. Always build cross jurisdictional attack vectors
6. Attack people who will not prosecute
7. Stay below the pain threshold

Let’s review each of these in detail. But first, is this list going to help the miscreants? Yes, but this is a drop in the bucket to how they are helping each other. What is more important is to get the word out to the masses who need to defend their organizations. Think of it this way, how would you think of your local police if they never came by and shared with you tools/technique/BCPs that would minimize the risk of crime? How would you feel about an insurance company who did not have a list of “ways to minimize risk to crime?” The 7 Habits of Highly Effective Cyber-Criminals are shared in the same spirit.

Habit 1: Do Not Get Caught!

The first principle is the most important and the most obvious. Criminals commit a crime expecting to get caught. Corporate espionage attackers do not want their targets to know they are spying for someone. State Threat Actors do not want attribution to reflect on their country (let the blame fall on someone else). “Not getting caught” is a fundamental thought process in the miscreant mindset. A smart and effective criminal on the street knows it is no fun getting caught, prosecuted, and thrown in jail. They know that is they step in someone’s territory, that their peer/rivals will get upset (and perhaps get lethal retribution).

All threat vectors used by a miscreant will have an element of un-traceability to the source. But, it is a mistake to think that the Internet means you are anonymous. Effective miscreants know this will take every step to keep the “traceback,” “backtrace,” and attribution from happening. They also know people will go looking for them, so they will plant false flags. If a criminal activity can easily be traced, it is usually one of three things:

• A violated computer/network resources used
  by the miscreant
• A distraction to the real action
• A really dumb newbie

How to Leverage Habit 1 to Minimize your Risk?

Make you architecture set up where visibility is required by the element which connects to your network. The more visibility, the more risk the attacker that they will be caught. In addition, build your network data collection to be able to collect evidence. Proactively build a relationship with your law enforcement contacts so that when you get hit, you know who to call, have the data to do the investigation, and be able to demonstrate damages that can be used in court. If you have seen the new, we can and will investigate crimes on the Internet, arrest, prosecute, and put people in jail.

Habit 2: Do Not Work Too Hard!

Smart Miscreants use the easiest attack/penetration vector. They use malware toolkits that others have created to focus on their objective (vs coding new tools). They know that new vulnerable systems are being plugged into the Internet all the time. They know that people are watching. They know that too much time on a target means they are working too hard to leverage their criminal gain. They know when to move on to an easier target.

For example, if you were a smart miscreant contracted to take out a company’s Internet access for a day during their shareholder’s quarterly announcement, would you?

1. Penetrate the Site and Delete files?
2. Build a custom worm to create havoc in the company?
3. DOS the company’s DMS and Internet connection?
4. DOS the SP supporting the connection?

Which would be easier? Whichever is easier would be the priority for the defense team to protect.

How to Leverage Habit 2 ‘Don’t work too Hard’characteristic to Minimize your Risk?

Sit down with your team, look at your organization and ask “what would be the easiest attack vector someone couple exploit. Prioritize the defense for that vector, then ask the question again. Plug that “easy vector” and ask the question again. Over and over this tool is a simple way to prioritize the defensive actions to minimize the security risk to your network. If you know that crimes are not going to “work too hard,” then plugging those security holes will push back against those criminals who “don’t want to work too hard.”

Warning: Don’t let this replace the most basics of Security. Patch, Security Updates, Operating System Updates are essential hygiene techniques that the “don’t work too hard” criminals know to leverage. Zero days are ugly, but when you look at the big break in damages, the “don’t work too hard” vector was from a known exploit vector with a software patch that was released over a year prior to the break-in.

Habit 3: Follow the Money

If there is no money in the crime then it is not worth the effort. This is the mantra of the criminal threat actors on the Internet. Their goal is specific, making money that disregards, victimizes, and exploits other’s resources for their gain. If there is no money, then there is no point in doing the crime.

Following the money is a powerful law enforcement tool. Investigators can track the flow of money from the victim and then as it exchanges value the money flows through the criminally exchanged value. New creative crime vectors are opened when the miscreant finds a way to move ‘stored value’ from the victim through the criminal economy. For example, at the time of this update, there is a rapid increase in malware that load crypto-currency mining. This wave of activity is directly related to “following the money.” Multiple malware crews have found a market for the “CPU resources” they are breaking into with their malware. They are finding more money to be made with crypto-mining than phishing, spam, and DOS. Does that mean the other crime vectors are gone? No. It just means that if you follow the money, you will see that there is a change monetary gain.

How to Leverage Habit 3 “Follow the Money” to Minimize your Risk?

First, don’t give into extortion, bribery, and other approaches that criminal uses to get money from your organization. If opens the door for further exploitation. Second, work with law enforcement to help them “follow the money.” This technique has been fruitful to the arrest and prosecution of the people behind these attacks. Finally, explore those services that can be exploited and abused for criminal gain. They can be as small as click fraud to as large as using your services for proxy, malware, DOS stressor, to other activities. Actively exploring the ways criminal might monetize for their gain at your expense is one of the core ways to push back against this habit. Remember, habit 2 — don’t work too hard. If they have to work harder on your system to make money, they will move somewhere else.

Habit 4: If You Cannot Take Out The Target…

“Your job is to DOS company X on this day at this time. If has to be this day and this time.” The miscreant scopes out company X. What they see is a robust organization with a lot of security and big bandwidth. It looks to be a DOS target that would take a bit of effort. But wait! A traceroute to the organization shows the IP addresses of every hope through the two ISPs who are supporting company X. Cool! Why waste money on stressors when simple attacks can take down the routers which support company X. The make sure I meet my ‘customer’s expectations, I’ll hit the routers around the ISP’s backbone just to throw them off balance.

This scenario is an illustration of why you can never connect to the Internet in isolation. We are a collective that has to work together. Otherwise, miscreants will move around the Internet to your transit, peering, and upstream connections to target you for an attack. In today’s cloud hybrid world, the situations are more complicated and interdependent. Miscreants will look for “coupled dependencies like the control plane, management plane, DNS authoritative servers (i.e. like the Dyn Attack), overload firewalls/load balancers with state attacks, throw in queries which overload cloud computational cycles (or spike the cloud computation to exhaust all your money), etc. All these attack vectors are the miscreant targeting other shared resources with no regard to the collateral damage caused on the larger community. They are happy and paid if they can succeed in their mission to take out the target.

How to Leverage Habit 4 to Minimize your Risk?

Work with your ISPs to prepare for attacks targeted for you while their network receives the brunt of the attack. Don’t wait for the attack. Don’t be surprised with your ISP uses a Remote Triggered Black Hole to move the attack and your connection to their DOS Sink Hole (if the ISP has a Sinkhole). Here are some previous articles that can help you prepare (below). Notice that all of them do not require hiring a security expert. They require commitment, time, and focused conversations.

• Preparing for DOS Attacks — the Essentials
• Three questions every CxO should ask their ISP

Habit 5: Always Build Cross-Jurisdictional Attack Vectors

Smart miscreants will always build their tools across legal jurisdictions. Remember habit 1 — don’t get caught. One way to minimize the criminal’s risk is to use violated resources from all over the world. Don’t put all your command and control for a BOTNET in one country. Spread it all over the world. It adds a level of difficulty to any industry investigation and law enforcement action. This is is why we see malware systems global in reach, even if their target is very specific.

How to Leverage Habit 5’s Cross-Jurisdictional characters to Minimize your Risk?

The biggest leverage point will be the frame of reference that all the attacks against your organization will be cross-jurisdictional. That means the alliances, partnerships, security organizations, and law enforcement activity would need to cater to a global capability.

While it might be daunting to think that this habit would make impossible to track and arrest the people behind the attack. The new reality is that the community of industry and law enforcement has been working together to “legally synergized.” Groups like Interpol, Europol, and National Cyber-Forensics and Training Alliance (NCFTA) all pull together law enforcement from multiple countries to work with industry “Trust Groups” to track online criminal activity cross-jurisdictionally. We have an ever-growing community working together to where the “cross-jurisdictional habit is less effective.

Habit 6: Attack People Who Will NOT Prosecute

In 2005 there was a country whose national Carrier was saturated with a massive DOS attack. An organized crime gang in the north part of the country was upset with their southern rival’s illegal online gambling site encroaching on their “territory.” The northern gang and the southern gang did not understand that “territories” did not exist on the Internet. All they saw was a loss of criminal business. What do they do? Start shooting each other with a DOS attacks. The funny part was how the national Carrier tried to get permission to pull both organizations offline. The police insistent that the “victims” of the DOS attack call them and report the crime. The Carrier’s AUP at that time did not allow them to just “unplug” a customer. The Carrier was on the phone yelling at the police with phrases like “why would a criminal gang call you to report that another gang is attacking them???!!!”

This paraphrased incident is an example of what many miscreants know. If people do not report the crime, then their risk of getting caught is reduced. So, look for industries, organizations, countries, and community who do not report the crime to the police. If your activity is something that you would not want everyone around you to know about, then you are a miscreant target. Why? Because when you become a victim, the embarrassment of collateral risk does not motivate you to call the authorities for help. For example:

• Someone addicted to gambling is targeted via a Phishing site
• Someone addicted to porn is targeted to get botted
• Someone addicted to facebook/chat is targeted to get manipulated by state actors
• Someone new to the Net is targeted and abused on the
  physical world
• A government, Finance, and Defense, Employee — who lose face when they have to call INFOSEC “whoops I got infected because I was playing fantasy football on the government computer.”

All these are the type of “targeting” that would tend not to get reported.

How to Leverage Habit 6 to Minimize your Risk?

Step one for all organizations is a meetup with your local law enforcement team. In some place, you have solid organizations like the US’s InfraGard (https://www.infragard.org/). In other locations, you may need to knock on doors. The key is to build a working relationship before things happen. Put on your “/security” page the organizations you work with. Explore organizations like Forum of Incident Response and Security Teams (FIRST) (www.first.org) who will not only help protect your organization but allow you to reach out the law enforcement and national CERT teams in other countries.

Habit 7: Stay below the Pain Threshold

Do not trip the alarm. Do not alert the guards. Do not draw the attention of focus that would disrupt your objectives. In other words, find the Pain Threshold that would draw the attention of sysadmins, security operations centers, Security Trust Groups, Law Enforcement, or any other force that are in a position to disrupt your criminal operations. If you are below the pain threshold, you can safely do what you want without action being triggered.

What are examples of “staying below the threshold?” A malware writer who is taking up 100% of the computer’s CPU, making the computer slow, and getting the user frustrated is not staying below the pain threshold. That user would say “something is broke,” start to fix the problem, patch and remove the malware. What would be better would be for the miscreant to only use the device when the user is not on the machine or only use a small percentage of the resource. Another example would be if someone is sending SPAM from computers that are choking bandwidth on an ISP’s network. That ISP would wonder “why my users are taking up all the bandwidth” (or the customer could complain about getting charged for data they did not think they used). The ISP investigates, finds the SPAM malware system, and deploys a range of mitigation/remediation. The “stay under the pain threshold” approach would set up the SPAM system to not alert or draw a reaction from the ISP.

Both of these examples are part of a logical pattern that is used by an effective miscreant who is using this habit as part of their operation. The logic behind the very “loud” press coverage on key malware/botnet takedowns is to trigger the reaction by the miscreants controlling the malware/bots. When you combine “staying under the threshold” with other habits in a defensive mode, you force people into “runaway” mode. We call this the cockroach effect when miscreant who ‘don’t want to caught’ and see they are no longer “under the threshold” abandon their malware system. The challenge for the industry is that they know there will always be more systems to violate and exploit in the future, but you can only do that if you don’t get caught and stay under the threshold.

How to Leverage Habit 7 “Under the Threshold” characteristic to Minimize your Risk?

Using all the 7 Habits of Highly Effective Cyber-Criminals changes the threshold and risk to all miscreants. The biggest push to the people who do poke at your system is a strong response that is cross-industry. For example, within the Financial Services Information Sharing and Analysis Center (FS-ISAC), banks and other financial institutions collaborate on the industry response to targeted attacks. The profile of an attack on one bank is shared with the entire industry responding. That shifts the “threshold” on the entire industry.

Final Thoughts — Notice Collaboration is the Key to Risk Reduction!

You’ll notice a theme to the “how to leverage.” Collaboration has been proven to be the most effective tool to push back against these criminal habits. Time and time again, it is not the “firewall feature” or “vendor x” that saves the day. It is peers work with peers, industry working cross-functionally, public-private collaboration, focused industry action, active participation in security communities, and simple “have a beer with peers to build Trust Groups that take action.

Contact me if you are wondering “which security group(s)” are best for your organization’s goals. There is a whole range of groups who are very open to new participants. Many of these will set up trial period so you can see if they are the best fit for your team/organization.

[This article is a cross-post from www.senki.org — the home of the Operator’s Security Toolkit.]