RSA 2016 Cybercrooks, much like ethical security defenders, are facing a skills crisis and difficulties in recruiting qualified staff. Their attempts to bring workers into criminal organisations make it possible for experts to learn more about their strategies and tactics, according to new research from threat intelligence firm Digital Shadows.
Kingpins behind cyber-fraud need an ecosystem of malware writers, exploit developers, botnet operators and mules in order to build their business and turn a dishonest living. However, finding individuals who can be trusted is difficult and requires a rigorous application procedure.
Running against their desire for anonymity, many cyber criminal organisations have been obliged to adopt traditional, real-world recruitment techniques. These tactics include posting standalone job ads on general purpose forums or using specific job boards to seek out talent.
Once candidates apply, they are put through an application and vetting process. Hackers face the challenge of weeding out “script kiddies”, who possess few legitimate technical skills and can waste limited resources, as well as the need to guard against potential infiltration by law enforcement agencies or security researchers.
All this is not too dissimilar to corporate cybersecurity hiring challenges. Due diligence is required to ensure that the proper candidates come through the process. S’kiddies, who possess no legitimate technical skill, must be put through a rigorous process to ensure they are up to the task. There are many instances of recruiters asking for application forms – some even offer an application template, according to Digital Shadows. Just like in corporate cyber security hiring, bringing the wrong candidate on board wastes limited resources.
Honour among thieves
Reputations are even more important to cyber-criminals than they might be to legitimate businesses, who would be prepared to train up less-skilled individuals. On the dark side, by contrast, there’s a desire to hire people who will be “productive” from the get-go and a desire to weed out chancers and clueless script kiddies.
In practice, cybercrime gangs frequently use Skype to conduct interviews. However, groups often require that the users’ voices are masked, video is turned off and traffic is routed through a service like Tor. The precautions are needed in order to provide a degree of anonymity.
Some crime groups - which, as in the past, mostly hail from eastern Europe and Russia - require that new recruits serve a probationary period, similar to common practice for techies starting work with legitimate corporations.
These varied hiring practices can be a source of useful intelligence to the “good guys”. The information contained in cybercrime job ads can provide organisations with real insight into attackers’ motivations and tactics.
The Digital Shadows research involved initially harvesting intelligence by spidering the dark web and open web (forums and paste sites). Analysts then evaluated this data, which covered cybercrime forums and more, written in either Russian, English or German. The research is skewed towards cybercrime groups. Looking for signs of nefarious activity by government intel agencies and military groups was beyond the scope of the study.
The research was released on Tuesday at the RSA security conference in San Francisco.