Corporate extortionists get focused on skills specialisation

A lot has been (and continues to be) made of the shortage of specialist cyber security skills and the ongoing battle for talent.

The US alone needs an estimated 250,000 professionals over the next four years. Australia is expected to need an additional 18,000 people by 2026.

But defenders aren’t alone in trying to source specialist skills; increasingly, attackers are also building on existing technical capabilities that (they hope) will make their operations more difficult to counter.

Research shows ransomware operators are actively out in the market recruiting for “intrusion specialists” and skilled people that are good at privilege escalation, two skills that could help attackers gain initial entry and then cause as much damage as possible.

We now also see ransomware operators encouraging each member of their extended supply chain “to become an expert in one role”, with specialisation resulting in much more tailored industry-specific campaigns.

The result is more potent and effective attacks, with a level of sophistication that many targeted organisations may not be prepared for.

Attackers become ‘professionals’, too

The focus on skills development by attack groups points to a broader trend of “professionalism” among operators.

VIEW ALL

It was mid-2020 when WIRED first recognised the “patina of professionalism” forming on the surface of ransomware operations. Less than a year later, The New Yorker followed in calling out the increased professionalism displayed by some groups in their approach to corporate extortion.

Once an activity conducted by opportunists and petty criminals, ransomware started to look more and more like a “business”, with a large potential market to tap and huge amounts of cash at stake.

That is not to glamorise it by any stretch: ransomware remains a scourge of businesses and governments worldwide, with substantial efforts being made in many parts of the world to curtail the attackers’ success rates at securing ransom payments.

Instead, it’s an acknowledgement that attackers are increasing their sophistication and developing their skills in an effort to stay “in business”, out of the crosshairs of governments and out of reach of an existing array of security tools.

Industrial-strength capabilities

According to a recent eSentire report, “role specialisation has afforded cyber crime groups the opportunity to procure specific services to expand both reach and velocity of ransomware campaigns, craft lures using industry-specific terminology, and execute every stage of a successful ransomware attack to maximise their return”.

The eSentire report also found ransomware operators are working together to utilise each other’s specific skills and adopting a kind of “assembly line” approach to malware delivery.

“Different types of criminal specialists can focus on perfecting and developing their specific role in long-term intrusion campaigns by working together. Like the industrial period of the 20th century, in which the assembly line paradigm yielded highly efficient factories, a cooperative cyber crime marketplace lends greater efficiencies to the production of ransomware intrusions,” the report says.

Other signs of professionalism among ransomware operators can be seen in the timing of attacks, as well as in the way these are executed. As another report notes, more attacks now coincide with periods “when human response times are slow”, such as on weekends or public holidays.

The extent to which this is a successful endeavour will depend upon how companies that are targeted by these criminals adapt their approach and defensive stance.

Attackers know that targets may not be well-resourced enough to have around-the-clock detection and mitigation at their disposal.

However, new business models emerging in the managed security space bring this kind of specialised support within the reach of many more businesses.

The rise of MDR

To counter the threat, organisations are increasingly looking to managed detection and response (MDR) capabilities to tip the balance of access to specialist skills and tools back in their favour.

Officially recognised by Gartner in 2016, MDR has exploded in popularity answering the challenge to rapidly identify advanced threats and contain these before business disrupting damage can occur.

Gartner describes MDR as a service that provides customers with remotely delivered modern security operations centre (SOC) capabilities, allowing organisations to detect, analyse, investigate and actively respond to unfolding incidents.

Among MDR’s key benefits is access to skilled threat hunters and investigators, giving organisations that lack the resources to assemble their own specialist teams access to that same level of skills.

MDR augments these personnel with the right mix of operational security technologies to aid in threat hunting, investigation and ultimately mitigation.

Murray Mills is the manager – cyber security at Tecala.