SlideShare a Scribd company logo
1 of 34
Report
Tilting the Playing
Field: How
Misaligned Incentives
Work Against
Cybersecurity
Center for Strategic and International Studies
Contents
Cybersecurity Is Now a Top Priority 	 5
“A Tax That We All Don’t Want to Pay …” 	 8
A Disconnect Between Strategy and Implementation	9
Measuring Effectiveness 	 11
What Motivates Improvements in Security? 	 12
Searching for Solutions 	 17
The Black Hat Ecosystem 	 22
Specialization in the Criminal Market 	 23
The Cybercrime Market: Competitive, Decentralized,
Innovative 	 24
Big Budgets Support Innovation in the Grey Market 	 26
Black Hat or White Hat? 	 27
Part-Time Crime is More Common in the Russian-
Speaking World 	 29
Realigning Incentives to Strengthen Cybersecurity 	 31
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 3
Cybercriminals have the advantage. This has been true
since the internet was commercialized 20 years ago. The
incentives for cybercrime have made it a big business and a
dynamic marketplace. Defenders are hard pressed to keep
up.
Misaligned incentives explain much of this—both within
organizations and between attackers and defenders in
cyberspace. Misaligned incentives between attackers
and defenders mean that the decentralized market in
which cybercriminals operate makes them adapt and
innovate faster and more efficiently than defenders, whose
incentives are shaped by bureaucracies and top-down
decision making.
Some of the advantage cybercriminals have over defenders
is due to technology—we now all know that the internet
was never designed to be secure. Some is due to policy.
There are countries that tolerate, shelter, and maybe even
encourage cybercrime. Governments and companies know
they are at a disadvantage, but they are playing catch-up.
Managing the risk posed by cyberthreats has become
a priority, but the best criminals still seem able to stay
ahead, even as companies allocate more resources to
cybersecurity.¹ This does not mean cybercrime will always
win. It does mean that companies and governments will
need to rethink how they measure, reward and incentivize
defense.
Markets send signals by creating prices and rewards, creating
incentives for action. The cybercrime market is efficient, and
the incentives for cybercriminals are clear and compelling.
The same is not true for defenders. Criminals flourish in
this market, but most defenders work in bureaucracies. In
most companies, cybersecurity is the responsibility of a
diverse range of groups and individuals using different (and
sometimes conflicting) metrics for success.
Incentives are not only misaligned between attackers
and defenders, but within companies. To examine this
misalignment of incentives, we conducted a survey of 800
respondents from companies ranging in size from 500
employees to more than 5,000 across five major industry
sectors, including finance, healthcare, and the public
sector. Our survey targeted respondents with executive
level responsibility for cybersecurity, as well as operators
that have technical and implementation responsibilities
for cybersecurity. The results provide insight into how
each group views cyber risk in making decisions about
an organization’s cyber-risk management strategy. Better
calibrating the misaligned incentives we uncovered may
yield a more coherent and effective cybersecurity posture for
companies worldwide.
Cybercriminals compete—
for money and fame—
and this makes them
fast to adapt and
innovate faster than
defenders.
1		 SANS Institute, “IT Security Spending Trends,” February 2016
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 4
Our survey found three key misalignments in cybersecurity. Within organizations,
incentives are misaligned between strategy and implementation and between
senior executives and those with operational responsibility.² Most importantly,
the governance processes, risk management policies, and structured workflows
within cybersecurity are at odds with the freeform, ad hoc networking that is
at the heart of adversary innovation. The top-down, corporate governance
structures for defenders lies in stark contrast to the dynamic and free-flowing
structure their adversaries occupy.
Three levels of misaligned incentives put defenders at a disadvantage
Attackers versus
defenders
Attackers’ incentives are shaped by a fluid,
decentralized market, making them agile and
quick to adapt, while defenders are constrained by
bureaucracy and top-down decision making.
Strategy versus
implementation
While more than 90% of organizations have a
cybersecurity strategy, less than half have fully
implemented their strategies.
Executives
versus
implementers
Senior executives designing cyber strategies measure
success differently to those who put strategies into
practice, limiting their effectiveness.
Senior company executives develop strategies to reduce cyber-risk and mitigate
the potential effects on critical activities in their enterprise. Operators and IT
managers are then responsible for identifying and deploying a mix of practices
and technologies to implement these strategies. Our study found that there is
a misalignment of incentives between executives and operators regarding their
respective approaches to managing cyber-risk.
For attackers in cyberspace, or “black hats,” the risks and rewards are much
more clear. Black hats, a term taken from spaghetti westerns, means any hackers
that break into systems without the owner’s permission, whether they are
governments conducting espionage, criminals out for financial gain, or hacktivists
motivated by ideology. Black hats are part of an underground ecosystem that
channels tools, expertise, and infrastructure into criminal operations that extract
billions of dollars of profit from data theft, extortion, and fraud. This ecosystem
is largely comprised of commoditized markets of specialized freelancers with
different skills and expertise. This loose, informal structure provides low barriers
to entry, transparency and competition, and efficient allocation of resources that
allows black hats to tap a wide talent pool, innovate quickly, and adapt quickly to
changes in defenses and technology.
2		 Executives include respondents who identified as company owner, director, CEO, CIO, CISO, CTO, or CISO, and operators
include those who identified as head of IT or data protection, IT department manager, or IT team leader.
Executives see cyber-risk as
another cost to be managed.
Operators define success
differently.
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 5
The incentive structure for black hats in the cybercrime market drives attackers
toward rapid collaboration, innovation, and specialization that make it a relatively
efficient and flexible marketplace. The black hat community draws from a
large talent pool and relies on a freelance model to produce highly specialized
products and exploits for specific attack purposes. This market is also more
efficient and fluid, being able to adapt quickly and with more ease based on
an attacker’s motives. This underground economy creates an entirely different,
powerful set of incentives for attackers to succeed and stay atop of the market.
The black hat ecosystem is comprised of two markets: a high-tier market of
highly sophisticated and well-resourced actors looking to exploit specific targets
with highly advanced techniques, and a low-tier market comprised of criminals
and hacktivists launching opportunistic attacks on any vulnerable systems they
can find.³ These markets have some overlap, and many of the tools initially
trafficked in the high-tier market eventually trickle down to the low-tier market as
they age and become more widely known.⁴
Cybersecurity Is Now a Top Priority
Internet users have been slow to react to the black hat advantage. Six years
ago, cybersecurity did not even rank in the top 10 risks prioritized by company
boards.⁵ There was little understanding of how cybersecurity fit into risk
management. Many company boards did not allocate resources to practices now
thought of as fundamental, such as conducting security program assessments,
assigning responsibilities to privacy and security roles, and receiving regular
reports on cybersecurity risks.
Hard lessons have been learned since then as companies and governments
around the world have experienced cyberattacks exceeding $400 billion in total
annual cost. A majority of respondents to our survey now rate cybersecurity
risk as one of the top three risks facing their organization, confirming that
cybersecurity now ranks among the top concerns for companies.⁶
Our survey shows a marked change in board attitudes toward cybersecurity.
A majority of respondents reporting both that their boards understand and
prioritize cyber-risk. Furthermore, nearly three-quarters (72%) of respondents
indicated that their company boards are being briefed on cybersecurity risks at
most or every meeting.
3		 Lillian Ablon, Martin Libicki, and Andrea Golay. “Markets for Cybercrime Tools and Stolen Information: Hackers’ Bazaar.”
RAND. 2014. http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf
4		 Jaziar Radianti and Jose J. Gonzalez, “Dynamic Modeling of the Cyber Security Threat Problem: The Black Market for
Vulnerabilities,”Cyber-Security and Global Information Assurance: Threat Analysis And Response Solutions, 2009, http://
www.igi-global.com/chapter/dynamic-modeling-cyber-security-threat/7408
5		 Lloyds, “Lloyd’s Risk Index,” 2011
6		 Osterman Research, “What’s Driving Boards of Directors to Make Cyber Security a Top Priority?,” September 2016
A majority of respondents rated
cybersecurity risk as one of
the top three risks facing their
organization.
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 6
Respondents in all sectors see a significant cyberthreat to critical aspects of their
organization, ranking the loss of intellectual property and confidential business
information, disruption of operations, and harm to company reputation and
brand as the largest risks that could result from poor cybersecurity practices.
60%
70%
80%
50%
40%
30%
20%
10%
0%
Cybersecurity ranked highest by organizations
Reputationalrisk
Financialrisk(interestrates,
exchangerates)
Cybersecurityrisk
Regulatoryorliabilityrisk
Technologicalrisk
Manufacturingorsupply
chainrisk
Politicalrisk
Naturaldisasters,global
economicshocks
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 7
The observed effects of a cybersecurity incident experienced by survey
participants largely mirror the perceived risks from above. More than four in five
(83%) respondents report that their organizations have seen an effect as a result
of cybersecurity breaches, with the disruption of operations, loss of intellectual
property, and harm to company reputation or brand once again ranking among
the top areas affected.
60%
70%
80%
50%
40%
30%
20%
10%
0%
Largest risks organizations associate with poor cybersecurity practices
Disruptionofoperations
Regulatoryorliabilityrisk
Politicalrisk
LossofIPandconfidential
businessinformation
Harmtoreputation
andcompanybrand
Revenuesandprofit
decrease
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 8
“A Tax That We All Don’t Want to Pay …”
Despite the overwhelming response from survey respondents that
cyberbreaches have resulted in disruptions, IP loss, and harm to company
reputation, less than a third (32%) reported experiencing revenue or profit loss
as a result of a cybersecurity incident. The perception that cyberbreaches do not
directly lead to loss of revenue or profit may be giving companies a false sense of
security.
It is also interesting to look at differences in opinion between individuals at
the executive level versus those who serve in technical and operational roles.
Our study shows that executives view breaches as a cost of doing business.
Sixty-three percent of executives say as much, while operators that work for
them focus on reducing the number and scope of breaches. For executives,
cybersecurity competes with a range of other company imperatives, some of
which are in direct conflict with investing in security. Executives from one large
company called cybersecurity “a tax that we all don’t want to pay …”⁸
Organizations may also lack the metrics to assess indirect costs as the result of a
breach, such as quantifying the time spent notifying customers, damage to brand
loyalty, or time spent investigating an incident. Incomplete data on cost could
mean that executives have an inflated level of tolerance for poor cybersecurity.
In fact, more than a majority (54%) of executive respondents say that their
organizations are more concerned about reputation than cybersecurity itself.
60%
50%
40%
30%
20%
10%
0%
Observed effects of breaches on organizations
Disruptionofoperations
Regulatororliabilityrisk
Politicalrisk
LossofIPandconfidential
businessinformation
Harmtoreputation
andcompanybrand
Revenuesandprofit
decrease
Wehavenotseen
anyeffects
Wehavenotseenany
cybersecuritybreaches
“It is clear that too many firms do
not believe that the dangers of a
breach will severely affect them.”⁷
—Inga Beale, CEO, Lloyd's of
London
More than a majority (54%) of
executive respondents say that
their organizations are most
concerned about reputational
effect rather than actual breaches.
7		 “Business warned not to be complacent about cyber security,” Computer Weekly, September 20, 2016
8		 Blackstone Group LP CTO Bill Murphy, “Cybersecurity Spending Reflects Limited Shift in Priority, Wall Street Journal,”
July 1, 2014
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 9
A Disconnect Between Strategy and
Implementation
Companies and governments across all the sectors and regions we surveyed are
developing cybersecurity strategies at a rapid pace. More than nine in ten (93%)
of respondents said that their organizations now have a cybersecurity strategy
designed to combat both existing and new threats.
Executives may be overconfident in their organization’s ability to manage
emerging threats. Operators, who are on the front lines of cyberdefense, tend to
believe that their organization’s cybersecurity strategy is less forward looking,
focusing more on current rather than emerging threats.
60%
50%
40%
30%
100%
90%
80%
70%
20%
10%
0%
Cybersecurity strategy design balance
Existing
Threats
New
Threats
Executives versus operators and sector respondents on how much their
organization’s cybersecurity strategy is designed to manage existing
versus new threats
Executive Existing Threats
Operators New Threats
60%
50%
40%
30%
100%
90%
80%
70%
20%
10%
0%
Government Public
Education
Healthcare
(Public
and Private)
IT and
Telecoms
Finance
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 10
Differences across sectors are also worth noting, as the finance and IT/telecom
sectors have a more balanced approach to managing current and future threats.
In contrast, the cybersecurity strategies of public sector organizations, including
government and educational institutions, are less forward looking and skew
toward managing existing threats rather than future threats. Given that most
government and public sector organizations are not well regarded for their
cybersecurity know-how, this is not unexpected.⁹
Although respondents overwhelmingly report having a cybersecurity strategy,
implementation remains a major challenge, as less than half of respondents
(49%) report that their cybersecurity strategy is fully implemented across their
organization. Our study also found that executives and operators disagree on the
extent to which their cybersecurity strategy is actually implemented, as well as on
the metrics used to evaluate the level of implementation.
Executives tend to view their organization’s cybersecurity strategies as more
fully implemented than operators. They are also more likely to evaluate the
effectiveness of their cybersecurity strategies through the lens of broader
organizational goals, including cost control and maintaining reputation, than
operators who focus more on technical cybersecurity metrics.
60%
50%
40%
30%
20%
10%
0%
Perceptions of cybersecurity strategy implementation
Operators
Executives express with more confidence that their organization’s
cybersecurity strategy fully implemented in comparison to
partially implemented
Executives express with more confidence that their organization’s
cybersecurity strategy fully implemented in comparison to
partially implemented
Yes, but it’s only partially
implemented across the
organization
Yes, and it is fully
implemented across the
organization
Executive
9		 CSIS, The Role of Shared Services and the Cloud in Enhancing Cybersecurity, Cyber Policy Task Force Working Group
Discussion Papers, 2016
10		http://fortune.com/2014/10/29/home-depot-cybersecurity-reputation-frank-blake/
“There are assumptions we made
and assessments of the nature
of the threat that in retrospect
weren’t sufficient.”
—Frank Blake, CEO, Home Depot¹⁰
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 11
Measuring Effectiveness
The disconnect between strategy and implementation is partly due to the fact
that those who determine the strategy (executives) and those who implement
the strategy (operators) are not measuring effectiveness and outcomes using the
same set of metrics.
In general, operators looked to metrics such as breach numbers, penetration
testing, vulnerability scans, and cost-of-recovery analysis to measure their
organization’s cybersecurity effectiveness. However, executives are more
likely to rely on general performance and cost-centric metrics to gauge their
cybersecurity strategy effectiveness.
Both executives and operators rank the overall number of breaches as the
preferred metric to gauge their cybersecurity strategy’s effectiveness. Executives,
however, are more likely to focus on the cost of recovery from a breach, negative
publicity, or the number of employed cybersecurity staff.
60%
70%
50%
40%
30%
20%
10%
0%
How cybersecurity effectiveness is measured
Negativepublicity
Vulnerabilityscans
Penetrationtesting
Numberofbreaches
Numberofcybersecurity
staffemployed
Costofrecoveryfrom
abreach
Proprietarymetricstogauge
returnoninvestmentfor
cybersecurityspending
Wedonotmeasure
cybersecurityeffectiveness
Executives versus non-executive respondents on the metrics used
to measure cybersecurity effectiveness at their organization
ExecutiveOperator
Executives who make
cybersecurity strategy and the
operators who implement those
strategies (operators) are not
measuring effectiveness and
outcomes using the same set of
metrics.
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 12
Executive respondents also ranked “proprietary metrics to gauge return on
investment for cybersecurity spending” significantly higher than operators when
measuring the effectiveness of their organization’s cybersecurity strategy. While
metrics are essential to establishing qualitative criteria in order to evaluate
effectiveness for any risk management strategy, there is not yet a consensus on
whether the use of “return on investment” (ROI) provides for accurate, risk-based
cybersecurity evaluations.¹¹ By comparison, operators ranked technical metrics
higher than executive respondents, with vulnerability scans ranking second
and penetration testing third among ways they measure their organization’s
cybersecurity strategy.
What Motivates Improvements in
Security?
Incentives shape how people and organizations behave. Our survey shows
that cybersecurity professionals lack adequate incentives. Most respondents
report that, while some incentives do exist, they are lacking for cybersecurity
professionals. Executive participants in our survey were more confident than
operators about the existing incentives for cybersecurity professionals, indicating
they are more likely to believe all categories of incentives are available to security
professionals in their organization.
60%
70%
50%
40%
30%
20%
10%
0%
Measures used to determine if cybersecurity strategies
are meeting objectives
OperatorExecutive
Having no
or minimal
exfiltration
of priority
data assets
Mean time to
resolution
Having no
negative
publicity
about the
organization’s
cybersecurity
We can’t
determine
if we are
meeting
objectives
Don’t knowGeneral
organizational
performance
indicates that
risks are
managed to
acceptable
tolerance levels
11		SANS Institute, “IT Security Spending Trends,” February 2016; Barkly, “2016 Cybersecurity Confidence Report,” 2016
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 13
Operators were five times more likely to report that no incentives exist for
cybersecurity professionals in their organization. Almost half of operators
reported no incentives existing in their organization. It is possible that incentives,
even when they exist, may not actually be known by employees, especially if they
are lower down in the organization’s structure.
Although our survey results show that many respondents believed incentives
for cybersecurity professionals are lacking, 65% of respondents said they were
“personally motivated” to strengthen their organization’s cybersecurity. The first
result (incentives are lacking) is probably more accurate. Responses relating to
organizational success, such as preventing data breaches, defeating hackers,
reducing the risk of organizational reputational damage, and financial impact,
were ranked higher by respondents than were categories relating to personal
success, such as harm to personal reputation or job security. These results may
reflect respondent bias, with participants self-reporting on putting the success of
their organization ahead of their own interests.
60%
50%
40%
30%
20%
10%
0%
Existing incentives for cybersecurity professionals
OperatorExecutive
No incentives
exist
Recognition
or awards
Financial
compensation
(bonus)
Paid time
off
Promotion
Executives versus non-executive respondents on incentives that exist
for cybersecurity professionals
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 14
So what’s the real story? Individuals responsible for cybersecurity define
success differently, and are motivated by a mix of performance incentives. Both
executives and operators value financial compensation and recognition or awards
the highest over paid time off and promotions. However, our study showed that
operators are almost equally motivated by recognition and awards as they are
by financial compensation. An earlier study on how organizations attract and
retain skilled security professionals found that having employers paying for
training, allowing for flexible schedules, and providing opportunities to engage
in challenging tasks were valued more highly than compensation by security
professionals when looking at possible employers.¹² In contrast, executives
ranked financial compensation significantly higher than any other form of
incentive.
60%
50%
40%
30%
20%
10%
0%
Cybersecurity professionals report a lack of existing incentives
Decision making
responsibility
Leadership
responsibility
No incentives
exist
Recognition
or awards
Financial
compensation
(bonus)
Paid time
off
Promotion
Cybersecurity roles reporting on existing incentives within
their organization
Contribute to decisions
made by others
12		CSIS, “Recruiting and Retaining Cybersecurity Ninjas,” October 2016
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 15
Respondents in different countries displayed a range of views on incentives
perhaps due to differences in cultural norms. Japan and the United Kingdom
valued recognition or awards higher than other incentives, while Mexico and
Germany valued them the least. Respondents in Brazil, Mexico, and the United
States were most likely to place the most value in financial compensation. Japan,
Mexico, and Germany put a higher premium on paid time off than other countries
in our survey.
60%
70%
50%
40%
30%
20%
10%
0%
Respondents are mission-focused on organization’s
cybersecurity success
Preventingdatabreaches
Helpingtrainotheremployees
Jobsecurity
Therearenomotivations
Increasingcybersecurity
strength
Reducingtheriskofhackers
beingsuccessful
Reducingtherisk
offinancialimpacts
Reducingtheriskofpersonal
reputationaldamage
Reducingtheriskof
organizationalreputational
damage
Total respondents when asked of their motivations when considering
their organization’s cybersecurity. Respondents personal motives when
considering their organization’s cybersecurity.
Personal motivationsEnterprise motivations
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 16
60%
50%
80%
70%
40%
30%
20%
10%
0%
Incentives cybersecurity professionals would like more of
OperatorExecutive
Paid time
off
Financial
compensation
(bonus)
Recognition
or awards
Promotion
60%
50%
80%
90%
70%
40%
30%
20%
10%
0%
Incentives country respondents would like more of
Recognition
or awards
Financial compensation
(bonus)
JapanBrazil Mexico US Germany France UKPaid time
off
Promotion Paid time
off
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 17
Searching for Solutions
As organizations learn to manage risk and adapt to new cyberthreats, they
appear to be eager to work with the government. A majority of respondents in
most sectors share threat intelligence with partner organizations, as well as with
the government and outside consultants.
A significant majority of respondent organizations view voluntary models of
collaboration with the government as valuable in helping to create cybersecurity
incentives within organizations. Executives appear to value public-private
partnerships more than operators, suggesting these models could be better
structured to benefit IT operators in order to provide value to their day-to-day
technical mission.
Companies see cooperation with government as an important part of their
cybersecurity strategy and a key means of improving their cybersecurity. But
less than half of respondent organizations report using unclassified government
briefings as a source of information when making decisions about cybersecurity.
More than three-quarters of organizations believe that faster access to security
clearances would be the most effective way to improve their cybersecurity
posture, and 66% want greater access to government threat intelligence.
41%
46%
9%
4%
Yes, these are somewhat useful
Yes, these are very useful
No, these are not useful
Don’t know
Organizations value public-private partnerships
Organizations on whether voluntary models create useful incentives
for cybersecurity
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 18
This may be a case of do what we say, not what we do. Companies appear to be
motivated and incentivized to work with the government with the expectation of
gaining access to information to improve cybersecurity.
Companies value interactions with the government as a source of information,
but in many cases, we found that the government sector performed lowest in
areas of cybersecurity competency when compared with other surveyed sectors.
Based on the survey, government sector entities appear to be locked into a
reactive cybersecurity model skewed toward managing existing threats versus
new ones. They were also the least likely to report having a fully implemented
cybersecurity strategy or provide incentives to cybersecurity professionals.
60%
50%
40%
30%
100%
90%
80%
70%
20%
10%
0%
Public-private partnership usefulness according by sector
No, these are not usefulYes, these are very useful
GovernmentIT and
telecoms
Finance Healthcare
(public and private)
Public
education
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 19
By country, respondents to our survey in the United States, Brazil, and Germany
place the most value in public-private partnerships. Mexico, Brazil, Germany, and
the United States all would like faster access to security clearances, while the
United Kingdom ranked having access to government threat information higher
than access to security clearances. Across the board, countries ranked using
government briefings as a source of information to make cybersecurity decisions
either third or fourth in importance
60%
50%
40%
30%
80%
70%
20%
10%
0%
Tactics to improve cybersecurity and information used
in cybersecurity decision making
Share of respondents
who want faster access
to security clearances
Share of respondents
who want access to
government cyber
threat information
Share of respondents
who use government
agency briefings in their
decision making
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 20
In a previous report, “Hacking the Skills Shortage,” we found that nine out of
10 respondents believe technological advancements could compensate for
the cybersecurity skills shortage.¹³ This confidence was not reflected in this
survey, where respondents ranked third-party managed services and leveraging
automated workflows to manage lower level threats fourth and fifth respectively
in ways to ensure new cyberdefense measures don’t open them up to new risk.
The findings of this report suggest that the evolving threat landscape will not
only change the demand for a skilled cybersecurity workforce, but also for new
and innovative tools and practices.
Innovation in the cybersecurity space can be complicated as new cyberdefense
technologies require extensive vetting in order to ensure they do not have
vulnerabilities that expose users to additional risk. In recent interviews with
senior cybersecurity, technology and risk management specialists from across
the financial services industry, it was found that CISOs often have difficulty
assessing and integrating new security tools due to the rapid pace at which
they are developed and released, all the while attempting to better align their
cybersecurity policies with the business, operational, and technology strategies
of their companies.¹⁴
60%
70%
50%
90%
100%
80%
40%
30%
20%
10%
0%
Public-private partnership usefulness by country
No, these are not usefulYes, these are useful
UKUS Brazil Germany Mexico France Japan
13		McAfee, “Hacking the Skills Shortage: A study of the international shortage in cybersecurity skills,” http://www.mcafee.
com/us/resources/reports/rp-hacking-skills-shortage.pdf
14	 “Taking cyber risk management to the next level,” Deloitte, July 22, 2016, https://dupress.deloitte.com/dup-us-en/
topics/cyber-risk/cyber-risk-management-financial-services-industry.html
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 21
In a 2015 survey on risk and innovation, a significant majority of respondents
said that their organization had invested in security technology that was
“ultimately discontinued or scrapped” soon after being deployed.¹⁵ The
shortages in skilled cybersecurity workforce and in-house expertise further
compounds the difficulty organizations have in producing innovative approaches
to cybersecurity.
To avoid new risk exposure, most respondent organizations to our survey
maintain a security platform that integrates existing and new technologies, or
acquire overlapping security technologies. Over half of organizations viewed
investing in more talent to manage cybersecurity events as a way to ensure cyber
defense measures do not result in new risk.¹⁶
“If you think technology can solve
your security problems, then you
don’t understand the problems
and you don’t understand the
technology.”
—Bruce Schneier¹⁷
15		“Risk and Innovation Drive Cyber Technology Investment,” Ponemon Institute, April 27, 2015, http://www.
lockheedmartin.com/us/news/press-releases/2015/april/isgs-cybersecurity-survey-042715.htm
16	 McAfee, “Hacking the Skills Shortage: A study of the international shortage in cybersecurity skills,” http://www.mcafee.
com/us/resources/reports/rp-hacking-skills-shortage.pdf
17	 Bruce Schneier. Preface, Secrets and Lies: Digital Security in a Networked World. 15th Anniversary ed, New York: Wiley,
2015.
60%
70%
80%
50%
40%
30%
20%
10%
0%
Practices used to limit risk when using new cyberdefense tools
Maintainasecurityplatform
thatintegratesexistingand
newtechnologies
Leverageautomated
workflowstoaddresslowest
levelthreats
Investinmoretalent
tomanagesecurityevents
Internaltrainingfor
existingstaff
Acquireoverlappingsecurity
technologiesacrossthestack
Partnerwiththird-party
securityserviceprovider
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 22
The Black Hat Ecosystem
In contrast, the “black hats” against whom companies must defend lack neither
workforce nor innovative technology. The black hats have clearly designed
incentives created by market forces, not by organizational fiat. The market
economy of the criminal hacker ecosystem facilitates innovation and rapid
adaptation, and channels resources efficiently to the lowest cost and most
profitable criminal enterprises. Unlike the defensive market, in which the
strictures of corporate hierarchy affect priority setting and decision making to
create a slow, bureaucratic process (even in the best of companies), the criminal
market is competitive, commoditized and decentralized.
This open and decentralized criminal market creates strong incentives for
criminals to strive to be the best, attracting the largest customer base and
commanding premium prices. With low barriers to entry for new products and
services, criminals have to remain innovative and maintain a strong reputation to
stay at the top of the market. Unsurprisingly, we were unable to survey members
of the black hat community, relying instead on interviews with technical experts,
police and cybersecurity experts. Their experience and observations identify a
fast-paced, well-resourced, and dynamic cybercrime ecosystem where incentives
are clearly aligned with objectives.
The top tier of the black market is comprised almost exclusively of elite technical
specialists selling highly coveted zero-day vulnerabilities, intermediaries who
specialize in high-dollar-value exploits that serve as brokers between buyers
and sellers, and governments that buy tools in the white or grey market for
everything from domestic surveillance to cyberespionage.¹⁸ The grey market
includes many black hats but few criminals—while they access systems
surreptitiously, most grey market participants claim they work exclusively with
governments who can pay top dollar, and they avoid the risk of arrest and of
dealing with criminals and scammers in the low-tier market.¹⁹ Zero-days and
highly sophisticated tools are almost exclusively sold in this market for the same
reason.
The lower tier, dominated by criminals and the networks that support them,
is made up primarily of products like financial information and counterfeit
goods, as well as “exploit-as-a-service” and spamming services, as opposed
to sophisticated tools and exploit kits, which are primarily in the upper tiers.²⁰
Exploit kits and crimeware services offered in the lower-tier market often take
advantage of older, unpatched systems or vulnerabilities that have not been
addressed by vendors, as opposed to expensive zero-day vulnerabilities.²¹ While
upper-tier actors commit espionage, steal intellectual property (IP), and launch
destructive attacks, the lower-tier criminals are driven primarily by money.²²
18		Ablon, Libicki, and Golay. Prev. cit.
19	 Andy Greenberg. “Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees).” Forbes.
March 21, 2012. http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-
to-crack-your-pc-and-get-paid-six-figure-fees/#1a2762359448
20	 Lillian Ablon, Martin Libicki, and Andrea Golay. “Markets for Cybercrime Tools and Stolen Information: Hackers’ Bazaar.”
RAND, 2014. http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf
21	 Jennifer L. Bayuk et al. “BITS Malware Risks and Mitigation Report.” BITS, A Division of the Financial Services Roundtable.
June 2011. http://www.nist.gov/itl/upload/BITS-Malware-Report-Jun2011.pdf
22	 Kurt Thomas et al. “Framing Dependencies Introduced by Underground Commoditization.” In Proc. Of the Workshop on
the Economics of Information Security, 2015. https://cseweb.ucsd.edu/~savage/papers/WEIS15.pdf
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 23
Specialization in the Criminal Market
Virtually anyone who is computer literate can participate in the criminal
market.²³ This criminal market is made up of a network of specialists, ranging
from providers of compromised hosts and human services to exploit kits and
compromised accounts, supporting a wide variety of criminal businesses or
strategies to monetize these tools and services through spam, fraud, data theft,
and extortion.²⁴
Each of these actors has their own specialized profession, which either enables
others further down the chain to acquire money from victims, or provides
incentives for actors further up the chain to develop new tools and services. The
most common specialties/professions in these chains are:²⁵
■■ Programmers—who develop malware.
■■ Web designers—who create malicious sites.
■■ Tech experts—who maintain the criminal infrastructure (servers,
databases).
■■ Hackers—who exploit system vulnerabilities and break into computer
networks.
■■ Fraudsters—the classic con artists who devise social engineering
schemes (phishing, spam).
■■ Intermediaries—in general, these are criminals who collect data
stolen from users, advertise it to other cybercriminals, sell, or
exchange it for money or other illegal actions.
Map of the white, grey, and black hacker markets
Defensive
intermediaries
(Hacker One)
Grey market
intermediaries
(Zerodium,
Endgame)
Vendors
(Google, Apple)
Nation states
Vulnerability
researchers
Malware
developers
Mule
herders
Infrastructure
providers (providers
of malicious
hosts, web pages)
Users/the public
(public disclosure)
Cybercriminals (ransomware,
carders, fraudsters, DDoS extortion)
Social
engineers
23		Ablon, Libicki, and Golay. ibid.
24	 Kurt Thomas et al. “Framing Dependencies Introduced by Underground Commoditization.” In Proc. Of the Workshop on
the Economics of Information Security, 2015. https://cseweb.ucsd.edu/~savage/papers/WEIS15.pdf
25	 Bull Guard. “The Online Black Market—How it Works (Part I).” Accessed August 26, 2016. http://www.bullguard.com/
bullguard-security-center/internet-security/internet-threats/online-black-market-part-i.aspx
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 24
Profits from criminal businesses are then divvied up among these specialists.
According to one law enforcement expert, 80% to 90% of proceeds typically go
to the supporting technical specialists and money mules, not to the criminals that
devise the schemes.
The Cybercrime Market: Competitive,
Decentralized, Innovative
The cybercriminal market is dynamic and responds to “price signals” with
innovation and with new products and services on offer every day. When old
capabilities are burned, replacements come online quickly. For example, one
expert we interviewed reported that after version 3.0 of the CryptoWall malware
family was disrupted, its developers were able to release version 4.0 within days.
Similarly, when the developers of the once-dominant Angler exploit kit (which
made up 82% of exploit kit activity, according to one estimate) were arrested,²⁶
within weeks attackers who had relied on Angler adopted the Neutrino exploit kit
to replace it and deliver their payloads.²⁷
The fast pace of innovation in the criminal market is the result of a combination
of factors. First and foremost, criminals are opportunistic, and the free availability
of support services in the black market makes them nimble and quick to act,
putting defenders at a disadvantage.
For example, when new vulnerabilities and exploits are disclosed, criminals
quickly find ways to exploit them for profit. One study found that 42%
of disclosed vulnerabilities are exploited by criminals within 30 days of
disclosure,²⁸ meaning that as these vulnerabilities are disclosed publicly, the
criminal underground quickly adopts them into new attacks. Criminals are also
opportunistic and focus their energies on the lowest-hanging fruit. Instead of
investing in costly vulnerability research and exploit development, they take
advantage of publicly disclosed vulnerabilities to exploit unpatched systems.
Leveraging publicly disclosed vulnerabilities and exploits in their attacks
eliminates the costliest and most time-consuming part of the development
cycle—vulnerability research and exploit development. Most of the exploit
kits offered on the criminal market use known vulnerabilities, and some of our
experts even reported that criminals have taken to advertising the CVE numbers
of the vulnerabilities used in their products. While costly capability development
is supported by million dollar contracts in the upper-tier market, the lower-
tier market is sustained at much lower prices by the free availability of publicly
disclosed vulnerabilities and the plethora of unpatched systems that can be
exploited in the aftermath of disclosure.
26	 Ruslan Stoyanov. “The Hunt for Lurk.” Secure List. August 30, 2016. https://securelist.com/analysis/publications/75944/
the-hunt-for-lurk/
27	 Kevin Townsend. “Did Angler Exploit Kit Die with Russian Lurk Arrests?” Security Week. June 13, 2016. http://www.
securityweek.com/did-angler-exploit-kit-die-russian-lurk-arrests
28		Leyla Bilge and Dumitras Tudor. “Before We Knew It: An Empirical Study of Zero-Day Attacks in the Wild.” Proceedings
of the 2012 ACM conference on Computer and Communications Security. October 2012. https://users.ece.cmu.
edu/~tdumitra/public_documents/bilge12_zero_day.pdf
“For cybercriminals, unpatched
vulnerabilities in popular software,
such as Microsoft Office or Adobe
Flash, represent a free pass to any
target.”
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 25
In a competitive and open market, success requires being the best
Cybercrime is a competitive market founded on reputation and thorough
product vetting, so developing new capabilities or providing superior service
is paramount for cybercriminals to outdo their competitors. The open and
competitive nature of the market creates a strong incentive to be the best. As one
expert we interviewed put it, “Attackers don’t innovate for the sake of innovating,”
they do it to maintain competitive advantage or exploit newer and more lucrative
opportunities.
In the underground, “good products squeeze out bad ones, and high-quality
brands can command premium prices … new products thrive or wither depending
on the judgment of the market.”²⁹ As criminals develop new schemes, they are
tested by the market, and while those that succeed can quickly scale up their
resources and support by buying services in the open market, those that fail
quickly disappear and their developers turn to new projects.
In order to succeed in this fast-paced and competitive marketplace, criminals
must constantly strive to be better than the competition, creating a race to the
top that supports the most innovative and efficient operators.
Innovation is not limited to new malware. Sometimes, criminals can find profit
in novel marketing schemes or repackaged goods. Threat intelligence company
SecureWorks observed Russian hackers offering free five- to 10-minute “tests”
of their DDoS service before proceeding with the lease transaction.³⁰ Skilled
underground players are also making money off of lower-skilled cybercriminals,
offering malware-as-a-service, social engineering tutorials, and carding (stealing
credit card information) “bibles,” or guides for would-be criminals.
29		Lilian Ablon, Martin C. Libicki, Andrea A. Golay, “Markets for Cybercrime Tools and Stolen Data,” RAND Corporation,
March 24, 2014.
30		“Underground Hacker Markets Annual Report,” SecureWorks, April 2016.
Lifecycle of a vulnerability in the white, grey, and black markets
Vulnerability
discovered
Exploit
developed
Zero-day
attacks
Zero-day
burned
Tool repurposed
for pen-testing
Disclosure
to public
Patch
developed
Patch
implemented
Criminal
attacks
Disclosure
to vendor
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 26
The relative transparency of the criminal underground, where many attackers
participate in shared forums and love to brag about their successes, helps these
innovations to proliferate and achieve scale quickly. When one criminal sees
that customers are attracted to a new service offered by a competitor (24/7
customer support, pre-purchase tests or demos of the product, working through
guarantors that ensure both parties do not get ripped off), they quickly adopt the
same practices in order to remain competitive.
Similarly, attackers swarm around targets and attack methods that prove
lucrative for their competitors. For example, after some enterprising attackers
began making significant profits from ransomware attacks on hospitals in
2015, recognizing that they could not afford to let their systems go down with
patients’ lives on the line, other operators quickly followed suit. The ransomware
community swarmed around these soft targets so intensely that by mid-2016,
one report found that 88% of detected ransomware attacks were targeting
healthcare companies.³¹
Big Budgets Support Innovation in the
Grey Market
Companies in the more exclusive “grey” markets are quick to replace and
repurpose capabilities because their customers demand it. Catering primarily
to governments and major corporations whose primary purpose is surveillance
and intelligence gathering, they often maintain a backlog of vulnerabilities and
exploits that they use to replace capabilities that are burned. In some cases,
customers want multiple exploits available for the same systems so that they
can vary their attack methodology, reducing the probability of detection and
attribution. Others want to ensure that there are no breaks in their intelligence
coverage, meaning they want new tools to be available as soon as old ones are
burned.
These customers have massive budgets, and are willing to pay top dollar—in
some cases hundreds of thousands of dollars or more³²—for these capabilities,
allowing companies to invest the time and money necessary to develop and
maintain a backlog of elite tools. They can also afford to vacuum up any zero-
days discovered by other hackers, whether amateurs, white hats, or criminals.
While data on the price of zero-day malware and exploits is hard to come by,
intermediaries like Zerodium are willing to pay extremely high prices for exclusive
access to these tools.
31		Max Green, “Hospitals are hit with 88% of ransomware attacks,” Becker’s Health IT & CIO Review, July 27, 2016, Security
Research Engineering Team, “Q3 2016 Threat Intelligence Report,” NTT Security.
32		Zerodium. “Our Exploit Acquisition Program.” Accessed January 20, 2017. https://www.zerodium.com/program.html
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 27
Grey market firms can also repurpose capabilities. While many of these
companies focus on providing offensive capabilities for surveillance and
intelligence gathering, they also offer fuzzing services, penetration testing, and
white hat security services. When a zero-day used in offensive operations is
burned, it may be incorporated into a penetration testing tool or used to develop
indicators of compromise that can be marketed to defenders.
Black Hat or White Hat?
Attackers and defenders in cyberspace often have similar skills and backgrounds.
People with technical skills face a choice between going into the legitimate ICT
or cybersecurity industries or pursuing a criminal career. While many early black
hat hackers were students and young people fascinated by computers, so-called
“script kiddies,” today’s underground economy is dominated by professional
criminals. While some are self-taught, others are IT professionals or security
researchers moonlighting in their off hours, former government hackers, or out-
of-work computer science graduates.
Prices offered for zero-day tools by grey market intermediary
Up to
$1,500,000
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
1,001
RJB
Apple iOS
Up to
$200,000
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
1,002
RJB
Android
Up to
$100,000
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
1,003
RJB
Windows
Phone
Up to
$80,000
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
3,001
RCE + SBX
Adobe PDF
Reader
2,002
RCE + SBX
Chrome
with SBX
2,003
RCE + SBX
IE + Edge
with SBX
2,004
RCE + SBX
Safari
with SBX
Up to
$50,000
4,001
VME
VM
Escape
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
3,003
RCE
Windows
Reader App
2,005
RCE
Flash Player
w/o SBX
6,001
RCE
OpenSSL
6,002
RCE
PHP
Up to
$40,000
5,001
MTB
ASLR
Bypass
5,002
RCE + LPE
Antivirus
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
3,002
RCE
Office
Word/Excel
7,001
RCE
Sendmail
7,002
RCE
Postfix
7,003
RCE
Exchange
Server
7,004
RCE
Dovecot
Up to
$30,000
4,002
LPE + SBX
Windows
4,003
LPE + SBX
Mac OS X
4,004
LPE
Linux
2,001
RCE + SBX
Flash Player
with SBX
2,001
RCE + SBX
Flash Player
with SBX
2,006
RCE
Chrome
w/o SBX
2,007
RCE
IE + Edge
w/o SBX
2,008
RCE
Tor
Browser
2,009
RCE
Firefox
2,010
RCE
Safari
w/o SBX
Up to
$10,000
8,001
RCE
IP.Suite
8,002
RCE
IP.Board
8,003
RCE
phpBB
8,004
RCE
vBulletin
8,005
RCE
MyBB
8,006
RCE
WordPress
8,007
RCE
Joomla
8,008
RCE
Drupal
8,009
RCE
Roundcube
8,010
RCE
Horde
LPE: Local Privilege Escalation MTB: Mitigation Bypass RCE: Remote Code Execution
RJB: Remote Jailbreak SBX: Sandbox Escape VME: Virtual Machine Escape
Source: Zerodium. “Our Exploit Acquisition Program.” Accessed January 20, 2017. https://www.zerodium.com/program.html.
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 28
Many old school black hats have moved into the legitimate cybersecurity
industry as opportunities have grown and law enforcement has cracked down
on cybercrime. These early hackers, many of whom got involved in black hatting
to learn about cool exploits and make a name for themselves, were eventually
drawn to bigger and better-paying opportunities in the defense market. As one
former black hat we interviewed said, “I crossed over to get access to new and
cooler tech and bigger environments … I got to hack super-cool systems as a
white hat!”
Highly skilled programmers and vulnerability researchers primarily work in
top-tier white and grey markets. With access to six-figure salaries at legitimate
companies, no fear of arrest, and the opportunity to spend their time figuring out
how to hack the most complex and “cool” systems, there is little incentive to be
involved in criminal activity. This is especially true for the most elite hackers that
find and exploit zero-day vulnerabilities. One user summed up the choice facing
hackers who identify zero-days clearly in an online hacker forum:
“Almost no reason to sell zero-days on the black market anymore if you can
broker it to security firms. Risk is high and chance of being ripped off is crazy high
when selling on black market. Another plus being that zero-day sold to reputable
security firms can land you a six-figure job.”³³
A criminal background can also make it difficult to get into the white and grey
markets. Grey and white market companies rely on reputation and connections
to secure lucrative contracts with governments and major corporations. These
contracts often involve administrator access to highly sensitive or classified
data and systems, and most customers are wary of allowing criminals or former
criminals high level access to their systems.
There are exceptions, however. For example, a student at Carnegie Mellon
University was arrested in 2015 for creating and disseminating the “Dendroid”
malware family, which compromised Android apps and allowed attackers to gain
complete control of Android devices.³⁴ He sold the malware on Dark0de, the top
English language cybercrime forum,³⁵ to any interested customer for $300 and
even offered 24/7 customer support.³⁶
“I crossed over to get access to
new and cooler tech and bigger
environments … I got to hack
super-cool systems as a white
hat!”
33	 bitcointalk, “Where Can I Sell a 0 Day?” bitcointalk.org, September 16, 2013. As of February 4, 2014: https://bitcointalk.
org/index.php?topic=295200.5;wap
34	 Jose Pagliery, “Cybersecurity intern accused in huge hacking bust,” CNN Tech, July 15, 2015. http://money.cnn.
com/2015/07/15/technology/hacker-fireeye-intern/
35	 Europol. “CYBERCRIMINAL DARKODE FORUM TAKEN DOWN THROUGH GLOBAL ACTION.” July 15, 2015. https://www.
europol.europa.eu/newsroom/news/cybercriminal-darkode-forum-taken-down-through-global-action
36	 Jose Pagliery, “Cybersecurity intern accused in huge hacking bust,” CNN Tech, July 15, 2015. http://money.cnn.
com/2015/07/15/technology/hacker-fireeye-intern/
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 29
Part-Time Crime is More Common in the
Russian-Speaking World
While highly skilled hackers rarely participate in criminal activity in the West, in
some regions there is more overlap between the white/grey markets and the
criminal market. In particular, the Russian-speaking hacker community is highly
fluid, is home to many of the world’s most sophisticated cybercriminals, and
involves a higher degree of overlap between the legitimate ICT and cybersecurity
industries and the criminal ecosystem.
One expert interviewed for this report noted that many of the top Russian-
speaking hackers that he identified work for legitimate ICT companies while
moonlighting as criminals. The majority of these are Russian or Eastern
European IT and telecom companies, but some work for legitimate cybersecurity
companies. Some of these criminals even list their criminal identities and dark
web handles on their open Facebook pages, right next to their legitimate day job.
Some of the most sophisticated Russian cybercriminals are also plucked from
Russia’s advanced math and computer science programs and trained by the
intelligence services. One expert we talked to described Russia’s approach to
hacking as similar to their approach to Olympic athletes. The government invests
significant resources in developing an elite athlete who competes for the nation,
then they go independent and make millions playing for themselves.
Some experts argue that this greater overlap with the legitimate ICT industry is
the result of a permissive environment for transnational cybercrime. There is a
well-known rule in the Russian underground that you do not hack Russians or
Russian-speakers. According to law enforcement sources, Russian and Eastern
European authorities are tolerant of cybercrime as long as the targets are in
Western Europe, the US, or Asia, but can be quick to take action against criminals
that target computers in their jurisdiction.
As one law enforcement official told us, some of the major prosecutions of
Russian and Eastern European cybercriminals by US law enforcement have
started with a call from the FSB³⁷—“We’ve identified a cybercriminal who is
responsible for serious crimes in your country. We would be happy to cooperate
with you in bringing them to justice.” Of course, in many cases, these criminals
have been operating openly in their home country for years, and the FSB only
“identified” them after they made the mistake of using their skills against targets
in Russia.
Criminals know this, and use a variety of techniques to constrain their attacks
to foreign computers. For example, the Citadel Botnet included an interesting
quirk in the malware—it only infected computers using the Roman alphabet,
but did not infect computers whose operating systems are in Cyrillic, ensuring
that Russian and Ukrainian authorities would take little interest.³⁸ As shown
in the heat map below, the botnet was prolific in western Europe and the US,
but infected very few computers in the Russian-speaking world. A cluster of
infections in Moscow reflected the concentration of foreigners living in the
Russian capital.
37	 The Federal'naya Sluzhba Bezopasnosti (FSB) is the Federal Security Service of the Russian Federation.
38	 Enigma Software. “Citadel Trojan.” http://www.enigmasoftware.com/citadeltrojan-removal/
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 30
Heat map of the Citadel Botnet by Microsoft’s Digital Crimes Unit
The shortage of legitimate ICT jobs in Russian and Eastern Europe also pushes
many talented ICT experts into criminal activity. Many hackers in the Russian
criminal underground are out-of-work IT experts and computer science
graduates who are unable to find legitimate jobs. A 2013 survey by recruiting
website HeadHunter found that only 51% of polled IT specialists in Russia had
found jobs in the legitimate IT sector. Given their abilities, honed in top-tier
technical universities, weak law enforcement, and the low wages even for those
that do make it: “People think: why not earn a bit on the side?”⁴⁰
Breaking down the geographic and institutional barriers with the Russian-
speaking cybercommunity can help to channel more of the talent and resources
in that region into the legitimate cybersecurity industry. Russian universities
produce highly talented programmers and mathematicians, but the lack of
cybersecurity and ICT jobs in the Russian-speaking world and the lack of
consequences for criminal activity push many of these professionals into criminal
activity.
In contrast, the US and Europe face a shortage of talent in the legitimate ICT and
cybersecurity industries, and computer science skills are highly marketable.⁴¹
With legitimate firms paying top dollar for security professionals, there is little
incentive for skilled programmers to get involved in criminal activity. Tapping
into the underemployed talent pool in Russia and Eastern Europe could not only
help fill the skills shortage, but also shrink the talent pool supporting some of the
most sophisticated cybercriminal operations.
Source: Jennifer Warnick. “Digital Detectives: Inside Microsoft’s New Headquarters for the Fight Against Cybercrime.”
Microsoft News Center. 2015. http://news.microsoft.com/stories/cybercrime/
39	 Alissa de Carbonnel. “Hackers for Hire: Ex-Soviet Tech Geeks Play Outsized Role in Global Cyber Crime.” NBCNews.com/
Technology. August 22, 2013.
40	Ibid
41	 CSIS and McAfee. “Hacking the Skills Shortage.” July 27, 2016. https://www.csis.org/programs/strategic-technologies-
program/cybersecurity/cybersecurity-workforce
“People think: ‘I’ve got no money,
a strong education, and law
enforcement’s weak. Why not earn
a bit on the side?’”
—Alexei Borodin, 21-year-old
hacker³⁹
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 31
For people with technical skills, high-paying job opportunities, low risk of arrest,
and the opportunity to work with the top professionals and most cutting edge
technologies create powerful incentives against participating in cybercrime.
These incentives are distributed unevenly around the world, however. In the
absence of legitimate opportunities and clear consequences for criminal
behavior, as in Russia and Eastern Europe, the allure of making money and
making a name for yourself can draw talented operators into cybercrime.
Realigning Incentives to Strengthen
Cybersecurity
The scope and nature of the cybersecurity challenge is so complex and daunting
that multiple measures at the international, national and company level are
required to address it. This report looks at one segment of the problem—the
governance issues that put companies at a disadvantage compared to their
attackers.
The report identifies several critical areas on the defender side where divided
attitudes, often split between technical and non-technical roles, toward
organizations’ cybersecurity appear. These attitudes, such as how a cybersecurity
strategy is designed, the degree of implementation, and its overall effectiveness,
are central to how individuals develop an impression of their organization’s
overall cybersecurity posture. The resulting differences in perception create an
inaccurate, disjointed picture of a defender’s posture, undermining the goal of
establishing an effective cybersecurity strategy and adding to the disadvantage
defenders are at against black hat attackers.
The good news is that most companies recognize the seriousness of the
cybersecurity problem and are willing to address it. We focus on governance,
the processes, rules, and structure companies use to manage, make decisions on
resources and technology, and compete—because these processes will usually
be slower and less nimble than the market forces that drive attackers. This is in
some ways inevitable, but it can be minimized through organizational innovation.
Each company will need to identify innovation that best fits its business model
and structure.
The tendency of executives to approach cybersecurity through a cost-conscious
framework is no surprise. However, differences in how executives and operators
measure risk and the misalignment of incentives is leading to suboptimal
security. The establishment of a common set of metrics used by both executives
and operators that took both cost and effectiveness into account would allow for
a more coherent approach to companies’ cybersecurity efforts to mitigating risk.
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 32
Learning from cybercrime
Defenders can learn from the black hat community. “Security-as-a-service” can
offer greater flexibility to counter the “crime-as-a-service” model of the criminal
market, leveraging market forces to foster competition and strengthen incentives
for defenders. The most effective defense (at companies that can afford it) blends
in-house efforts and outside services and technologies.
Lessons from
the criminal
market
Criminal market Defenders’ analogue
Leverage
market forces
Crime-as-a-service
The open and decentralized criminal market
leverages competition and market pricing to
minimize barriers to entry, foster innovation,
and help successful ventures quickly achieve
scale.
Security-as-a-service
Greater use of outsourcing and open
contracting can help reduce costs, increase
competition, and facilitate the broad adoption
of effective security technologies and
practices.
Use public
disclosure
Target publicly disclosed vulnerabilities
Exploiting disclosed vulnerabilities avoids
costly vulnerability research and exploit
development, and quickly incorporates new
disclosures into attacks to maximize value
before defenders patch.
Improve patching practices
Responding more quickly to public
vulnerability disclosures through improved
patching practices and faster replacement of
legacy systems can enhance security and raise
costs to attackers.
Increase
transparency
Open forums and online advertising
Open forums and public advertising facilitate
the proliferation of successful new attacks and
criminal business models and the widespread
adoption of best practices.
Information sharing and collaboration
Expanding information sharing can help reduce
costs to defenders by reducing duplication
and can help spread the word about new
technologies and practices that deliver
significant improvements in security.
Lower barriers
to entry
“Anyone who is computer literate”
Lacking formal qualifications or geographical
constraints, the criminal ecosystem is able
to bring in undervalued talent from the
legitimate economy and maximize its value.
Tap global talent pool
Drawing on a broader talent pool, including
young people and foreign ICT experts that are
often drawn into cybercrime, can help fill the
skills gap for companies and drain talent from
the criminal market.
Align incentives Freelance markets reward performance
In the freelance criminal market, operators
at all levels and all functional areas of
the attack chain are rewarded by the
market for excellence and penalized for
underperformance.
Performance incentives
In order to align incentives from leadership
down to operators, incentives like awards and
bonuses must be provided to employees and
managers who deliver good security outcomes.
Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 33
Attackers respond quickly to public disclosure of vulnerabilities, and leverage
the transparency of online forums to spread best practices and new attacks.
Defenders must accelerate efforts to patch vulnerabilities and replace legacy
systems to match the speed of cybercrime. A faster patch and refresh cycle can
raise costs to attackers, forcing them to invest in expensive and time-consuming
vulnerability research and exploit development or go after other targets that are
slower to raise their defenses.
Our research showed that black hats benefit from greater speed and focus.
They are incentivized by direct rewards for being faster, newer, and nimbler in
their attacks. The incentives for speed and focus are not there for defenders.
But incentives can be changed. Companies have successfully experimented with
their business models and structure to become more dynamic and innovative
in order to remain competitive. The same sort of experimentation is necessary
if cybersecurity is to keep up with the attackers. This will require identifying the
right metrics for success and revamping organization structure to build a nimbler,
faster defense. In thinking about how to do this, the best approach may be to
take lessons from the black hats on how to create effective incentives.
McAfee. Part of Intel Security.
2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.intelsecurity.com
About CSIS
For 50 years, the Center for Strategic and International Studies (CSIS) has
developed practical solutions to the world’s greatest challenges. As we celebrate
this milestone, CSIS scholars continue to provide strategic insights and bipartisan
policy solutions to help decision makers chart a course toward a better world.
CSIS is a bipartisan, nonprofit organization headquartered in Washington, DC.
Its 220 full-time staff and large network of affiliated scholars conduct research
and analysis and develop policy initiatives that look to the future and anticipate
change.
http://csis.org/
About Intel Security
Intel Security, with its McAfee product line, is dedicated to making the digital world
safer and more secure for everyone. www.intelsecurity.com. Intel Security is a
division of Intel.
Intel and the Intel and McAfee logos are trademarks of Intel Corporation or McAfee, Inc. in the US and/or other
countries. Other marks and brands may be claimed as the property of others. Copyright © 2017 Intel Corporation.
2443_0217
FEBRUARY 2017

More Related Content

What's hot

White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite  defining and understanding risk in the moder...White paper cyber risk appetite  defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...balejandre
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionThe Economist Media Businesses
 
You Are the Target
You Are the TargetYou Are the Target
You Are the TargetEMC
 
The Cyber Security Readiness of Canadian Organizations
The Cyber Security Readiness of Canadian OrganizationsThe Cyber Security Readiness of Canadian Organizations
The Cyber Security Readiness of Canadian OrganizationsScalar Decisions
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital FutureCognizant
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?EMC
 
What Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackWhat Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackBooz Allen Hamilton
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for InsuranceAccenture Insurance
 
Know Your Adversary: Analyzing the Human Element in Evolving Cyber Threats
Know Your Adversary: Analyzing the Human Element in Evolving Cyber ThreatsKnow Your Adversary: Analyzing the Human Element in Evolving Cyber Threats
Know Your Adversary: Analyzing the Human Element in Evolving Cyber ThreatsSurfWatch Labs
 
Cost of Cybercrime Study in Financial Services: 2019 Report
Cost of Cybercrime Study in Financial Services: 2019 ReportCost of Cybercrime Study in Financial Services: 2019 Report
Cost of Cybercrime Study in Financial Services: 2019 Reportaccenture
 
Deloitte stay ahed of the game
Deloitte stay ahed of the gameDeloitte stay ahed of the game
Deloitte stay ahed of the gameFranco Ferrario
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRBill Besse
 
Security Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkSecurity Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkDivya Kothari
 
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016rsouthal2003
 

What's hot (18)

White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite  defining and understanding risk in the moder...White paper cyber risk appetite  defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
 
2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimension
 
2019 Hiscox Cyber Readiness Report
2019 Hiscox Cyber Readiness Report2019 Hiscox Cyber Readiness Report
2019 Hiscox Cyber Readiness Report
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and Eskins
 
You Are the Target
You Are the TargetYou Are the Target
You Are the Target
 
The Cyber Security Readiness of Canadian Organizations
The Cyber Security Readiness of Canadian OrganizationsThe Cyber Security Readiness of Canadian Organizations
The Cyber Security Readiness of Canadian Organizations
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
 
What Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackWhat Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target Attack
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance
 
Know Your Adversary: Analyzing the Human Element in Evolving Cyber Threats
Know Your Adversary: Analyzing the Human Element in Evolving Cyber ThreatsKnow Your Adversary: Analyzing the Human Element in Evolving Cyber Threats
Know Your Adversary: Analyzing the Human Element in Evolving Cyber Threats
 
Effects of IT Governance Measures on Cyber-attack Incidents
Effects of IT Governance Measures on Cyber-attack IncidentsEffects of IT Governance Measures on Cyber-attack Incidents
Effects of IT Governance Measures on Cyber-attack Incidents
 
Cost of Cybercrime Study in Financial Services: 2019 Report
Cost of Cybercrime Study in Financial Services: 2019 ReportCost of Cybercrime Study in Financial Services: 2019 Report
Cost of Cybercrime Study in Financial Services: 2019 Report
 
Deloitte stay ahed of the game
Deloitte stay ahed of the gameDeloitte stay ahed of the game
Deloitte stay ahed of the game
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LR
 
Security Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkSecurity Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. Framework
 
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
Forrester-Wave-Digital_Risk_Monitoring-Q3-2016
 

Viewers also liked

Cybercrime in Russia: Trends and Issues
Cybercrime in Russia: Trends and IssuesCybercrime in Russia: Trends and Issues
Cybercrime in Russia: Trends and IssuesAlex Matrosov
 
The Principles of Biopharmaceutical Manufacturing Certificate
The Principles of Biopharmaceutical Manufacturing CertificateThe Principles of Biopharmaceutical Manufacturing Certificate
The Principles of Biopharmaceutical Manufacturing CertificateVICTOR MAESTRE RAMIREZ
 
Python Programming: Class and Object Oriented Programming
Python Programming: Class and Object Oriented ProgrammingPython Programming: Class and Object Oriented Programming
Python Programming: Class and Object Oriented ProgrammingChan Shik Lim
 
[Infographic] A Simple Guide To Myanmar
[Infographic] A Simple Guide To Myanmar[Infographic] A Simple Guide To Myanmar
[Infographic] A Simple Guide To MyanmarFederico Sferrazza
 
Presentaciones GS1 University 2016, Culiacán, Sin.
Presentaciones GS1 University 2016, Culiacán, Sin.Presentaciones GS1 University 2016, Culiacán, Sin.
Presentaciones GS1 University 2016, Culiacán, Sin.Martín Angeles González
 
Metología para caracterizar yacimientos de gas - Convencionales y no convenci...
Metología para caracterizar yacimientos de gas - Convencionales y no convenci...Metología para caracterizar yacimientos de gas - Convencionales y no convenci...
Metología para caracterizar yacimientos de gas - Convencionales y no convenci...Academia de Ingeniería de México
 
Raade detektorklubb
Raade detektorklubb Raade detektorklubb
Raade detektorklubb Hugo Falck
 
Sergey Negodyaev - Cybercrime in Russia and its impact on the economy
Sergey Negodyaev - Cybercrime in Russia and its impact on the economySergey Negodyaev - Cybercrime in Russia and its impact on the economy
Sergey Negodyaev - Cybercrime in Russia and its impact on the economyInfotropic Media
 
Incident Response and Advanced Forensics Certificate
Incident Response and Advanced Forensics CertificateIncident Response and Advanced Forensics Certificate
Incident Response and Advanced Forensics CertificateVICTOR MAESTRE RAMIREZ
 
31,000 federal government cyber incidents identified by White House
31,000 federal government cyber incidents identified by White House31,000 federal government cyber incidents identified by White House
31,000 federal government cyber incidents identified by White HouseDavid Sweigert
 
Политика обнаружения и реагирования на инциденты информационной безопасности
Политика  обнаружения и реагирования на инциденты информационной безопасностиПолитика  обнаружения и реагирования на инциденты информационной безопасности
Политика обнаружения и реагирования на инциденты информационной безопасностиEvgeniy Shauro
 
Penyelenggaraan pemerintahan kecamatan
Penyelenggaraan pemerintahan kecamatanPenyelenggaraan pemerintahan kecamatan
Penyelenggaraan pemerintahan kecamatanLim Othe
 
Red Team Assessment Process
Red Team Assessment ProcessRed Team Assessment Process
Red Team Assessment ProcessDavid Sweigert
 

Viewers also liked (20)

Cybercrime in Russia: Trends and Issues
Cybercrime in Russia: Trends and IssuesCybercrime in Russia: Trends and Issues
Cybercrime in Russia: Trends and Issues
 
The Principles of Biopharmaceutical Manufacturing Certificate
The Principles of Biopharmaceutical Manufacturing CertificateThe Principles of Biopharmaceutical Manufacturing Certificate
The Principles of Biopharmaceutical Manufacturing Certificate
 
Python Programming: Class and Object Oriented Programming
Python Programming: Class and Object Oriented ProgrammingPython Programming: Class and Object Oriented Programming
Python Programming: Class and Object Oriented Programming
 
[Infographic] A Simple Guide To Myanmar
[Infographic] A Simple Guide To Myanmar[Infographic] A Simple Guide To Myanmar
[Infographic] A Simple Guide To Myanmar
 
Presentaciones GS1 University 2016, Culiacán, Sin.
Presentaciones GS1 University 2016, Culiacán, Sin.Presentaciones GS1 University 2016, Culiacán, Sin.
Presentaciones GS1 University 2016, Culiacán, Sin.
 
Metología para caracterizar yacimientos de gas - Convencionales y no convenci...
Metología para caracterizar yacimientos de gas - Convencionales y no convenci...Metología para caracterizar yacimientos de gas - Convencionales y no convenci...
Metología para caracterizar yacimientos de gas - Convencionales y no convenci...
 
Raade detektorklubb
Raade detektorklubb Raade detektorklubb
Raade detektorklubb
 
Curso tenho uma ideia de startup, como começar?
Curso   tenho uma ideia de startup, como começar?Curso   tenho uma ideia de startup, como começar?
Curso tenho uma ideia de startup, como começar?
 
Tic(1)
Tic(1)Tic(1)
Tic(1)
 
Ppt tobias en jamie
Ppt tobias en jamiePpt tobias en jamie
Ppt tobias en jamie
 
Sergey Negodyaev - Cybercrime in Russia and its impact on the economy
Sergey Negodyaev - Cybercrime in Russia and its impact on the economySergey Negodyaev - Cybercrime in Russia and its impact on the economy
Sergey Negodyaev - Cybercrime in Russia and its impact on the economy
 
La Edad Media. Pablo Forjanes
La Edad Media. Pablo ForjanesLa Edad Media. Pablo Forjanes
La Edad Media. Pablo Forjanes
 
Active learning for students
Active learning for studentsActive learning for students
Active learning for students
 
Tributaria
TributariaTributaria
Tributaria
 
Incident Response and Advanced Forensics Certificate
Incident Response and Advanced Forensics CertificateIncident Response and Advanced Forensics Certificate
Incident Response and Advanced Forensics Certificate
 
Víctor Maestre Ramírez
Víctor Maestre RamírezVíctor Maestre Ramírez
Víctor Maestre Ramírez
 
31,000 federal government cyber incidents identified by White House
31,000 federal government cyber incidents identified by White House31,000 federal government cyber incidents identified by White House
31,000 federal government cyber incidents identified by White House
 
Политика обнаружения и реагирования на инциденты информационной безопасности
Политика  обнаружения и реагирования на инциденты информационной безопасностиПолитика  обнаружения и реагирования на инциденты информационной безопасности
Политика обнаружения и реагирования на инциденты информационной безопасности
 
Penyelenggaraan pemerintahan kecamatan
Penyelenggaraan pemerintahan kecamatanPenyelenggaraan pemerintahan kecamatan
Penyelenggaraan pemerintahan kecamatan
 
Red Team Assessment Process
Red Team Assessment ProcessRed Team Assessment Process
Red Team Assessment Process
 

Similar to Understanding the black hat hacker eco system

Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts finalDaren Dunkel
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeErnst & Young
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeNishantSisodiya
 
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterpriseData security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterpriseThe Economist Media Businesses
 
HBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
HBR - Zurich - FERMAZ - PRIMO Cyber Risks ReportHBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
HBR - Zurich - FERMAZ - PRIMO Cyber Risks ReportFERMA
 
Norman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondNorman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondLydia Shepherd
 
2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summarypatmisasi
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyScalar Decisions
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Bala Guntipalli ♦ MBA
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesJoseph DeFever
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
Cyber Management vfd
Cyber Management vfdCyber Management vfd
Cyber Management vfdLadd Muzzy
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfHumphrey Humphrey
 
Corporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameCorporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameTatainteractive1
 
Navigating The Cyber-Security Vortex : 4 leadership imperatives
Navigating The Cyber-Security Vortex : 4 leadership imperativesNavigating The Cyber-Security Vortex : 4 leadership imperatives
Navigating The Cyber-Security Vortex : 4 leadership imperativesCharles Forte
 
Étude mondiale d'EY sur la cybersécurité (2018)
Étude mondiale d'EY sur la cybersécurité (2018)Étude mondiale d'EY sur la cybersécurité (2018)
Étude mondiale d'EY sur la cybersécurité (2018)Paperjam_redaction
 

Similar to Understanding the black hat hacker eco system (20)

Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts final
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterpriseData security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
 
HBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
HBR - Zurich - FERMAZ - PRIMO Cyber Risks ReportHBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
HBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
 
Norman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondNorman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respond
 
2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary2016 Scalar Security Study Executive Summary
2016 Scalar Security Study Executive Summary
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & Practices
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
Cyber Management vfd
Cyber Management vfdCyber Management vfd
Cyber Management vfd
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdf
 
Corporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameCorporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious Game
 
Get Prepared
Get PreparedGet Prepared
Get Prepared
 
Navigating The Cyber-Security Vortex : 4 leadership imperatives
Navigating The Cyber-Security Vortex : 4 leadership imperativesNavigating The Cyber-Security Vortex : 4 leadership imperatives
Navigating The Cyber-Security Vortex : 4 leadership imperatives
 
Étude mondiale d'EY sur la cybersécurité (2018)
Étude mondiale d'EY sur la cybersécurité (2018)Étude mondiale d'EY sur la cybersécurité (2018)
Étude mondiale d'EY sur la cybersécurité (2018)
 

More from David Sweigert

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)David Sweigert
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting  Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting David Sweigert
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisDavid Sweigert
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterDavid Sweigert
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner David Sweigert
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017David Sweigert
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9David Sweigert
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityDavid Sweigert
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)David Sweigert
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsDavid Sweigert
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartDavid Sweigert
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...David Sweigert
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team   NIMS   Public CommentCyber Incident Response Team   NIMS   Public Comment
Cyber Incident Response Team NIMS Public CommentDavid Sweigert
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team  -  NIMS  -  Public CommentCyber Incident Response Team  -  NIMS  -  Public Comment
Cyber Incident Response Team - NIMS - Public CommentDavid Sweigert
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTDavid Sweigert
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackDavid Sweigert
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTDavid Sweigert
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals  2015  2nd editionNational Preparedness Goals  2015  2nd edition
National Preparedness Goals 2015 2nd editionDavid Sweigert
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanDavid Sweigert
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector  -  DHSCyber Risk Assessment for the Emergency Services Sector  -  DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSDavid Sweigert
 

More from David Sweigert (20)

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting  Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark Analysis
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month poster
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber Security
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking Threats
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector Chart
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team   NIMS   Public CommentCyber Incident Response Team   NIMS   Public Comment
Cyber Incident Response Team NIMS Public Comment
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team  -  NIMS  -  Public CommentCyber Incident Response Team  -  NIMS  -  Public Comment
Cyber Incident Response Team - NIMS - Public Comment
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFT
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public Feedback
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals  2015  2nd editionNational Preparedness Goals  2015  2nd edition
National Preparedness Goals 2015 2nd edition
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness Plan
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector  -  DHSCyber Risk Assessment for the Emergency Services Sector  -  DHS
Cyber Risk Assessment for the Emergency Services Sector - DHS
 

Recently uploaded

Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxnaveenithkrishnan
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdfShreedeep Rayamajhi
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilitiesalihassaah1994
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpressssuser166378
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024Jan Löffler
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Shubham Pant
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteMavein
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSedrianrheine
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfmchristianalwyn
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsRoxana Stingu
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSlesteraporado16
 

Recently uploaded (12)

Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptx
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilities
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpress
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a Website
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
 

Understanding the black hat hacker eco system

  • 1. Report Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity Center for Strategic and International Studies
  • 2. Contents Cybersecurity Is Now a Top Priority 5 “A Tax That We All Don’t Want to Pay …” 8 A Disconnect Between Strategy and Implementation 9 Measuring Effectiveness 11 What Motivates Improvements in Security? 12 Searching for Solutions 17 The Black Hat Ecosystem 22 Specialization in the Criminal Market 23 The Cybercrime Market: Competitive, Decentralized, Innovative 24 Big Budgets Support Innovation in the Grey Market 26 Black Hat or White Hat? 27 Part-Time Crime is More Common in the Russian- Speaking World 29 Realigning Incentives to Strengthen Cybersecurity 31
  • 3. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 3 Cybercriminals have the advantage. This has been true since the internet was commercialized 20 years ago. The incentives for cybercrime have made it a big business and a dynamic marketplace. Defenders are hard pressed to keep up. Misaligned incentives explain much of this—both within organizations and between attackers and defenders in cyberspace. Misaligned incentives between attackers and defenders mean that the decentralized market in which cybercriminals operate makes them adapt and innovate faster and more efficiently than defenders, whose incentives are shaped by bureaucracies and top-down decision making. Some of the advantage cybercriminals have over defenders is due to technology—we now all know that the internet was never designed to be secure. Some is due to policy. There are countries that tolerate, shelter, and maybe even encourage cybercrime. Governments and companies know they are at a disadvantage, but they are playing catch-up. Managing the risk posed by cyberthreats has become a priority, but the best criminals still seem able to stay ahead, even as companies allocate more resources to cybersecurity.¹ This does not mean cybercrime will always win. It does mean that companies and governments will need to rethink how they measure, reward and incentivize defense. Markets send signals by creating prices and rewards, creating incentives for action. The cybercrime market is efficient, and the incentives for cybercriminals are clear and compelling. The same is not true for defenders. Criminals flourish in this market, but most defenders work in bureaucracies. In most companies, cybersecurity is the responsibility of a diverse range of groups and individuals using different (and sometimes conflicting) metrics for success. Incentives are not only misaligned between attackers and defenders, but within companies. To examine this misalignment of incentives, we conducted a survey of 800 respondents from companies ranging in size from 500 employees to more than 5,000 across five major industry sectors, including finance, healthcare, and the public sector. Our survey targeted respondents with executive level responsibility for cybersecurity, as well as operators that have technical and implementation responsibilities for cybersecurity. The results provide insight into how each group views cyber risk in making decisions about an organization’s cyber-risk management strategy. Better calibrating the misaligned incentives we uncovered may yield a more coherent and effective cybersecurity posture for companies worldwide. Cybercriminals compete— for money and fame— and this makes them fast to adapt and innovate faster than defenders. 1 SANS Institute, “IT Security Spending Trends,” February 2016
  • 4. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 4 Our survey found three key misalignments in cybersecurity. Within organizations, incentives are misaligned between strategy and implementation and between senior executives and those with operational responsibility.² Most importantly, the governance processes, risk management policies, and structured workflows within cybersecurity are at odds with the freeform, ad hoc networking that is at the heart of adversary innovation. The top-down, corporate governance structures for defenders lies in stark contrast to the dynamic and free-flowing structure their adversaries occupy. Three levels of misaligned incentives put defenders at a disadvantage Attackers versus defenders Attackers’ incentives are shaped by a fluid, decentralized market, making them agile and quick to adapt, while defenders are constrained by bureaucracy and top-down decision making. Strategy versus implementation While more than 90% of organizations have a cybersecurity strategy, less than half have fully implemented their strategies. Executives versus implementers Senior executives designing cyber strategies measure success differently to those who put strategies into practice, limiting their effectiveness. Senior company executives develop strategies to reduce cyber-risk and mitigate the potential effects on critical activities in their enterprise. Operators and IT managers are then responsible for identifying and deploying a mix of practices and technologies to implement these strategies. Our study found that there is a misalignment of incentives between executives and operators regarding their respective approaches to managing cyber-risk. For attackers in cyberspace, or “black hats,” the risks and rewards are much more clear. Black hats, a term taken from spaghetti westerns, means any hackers that break into systems without the owner’s permission, whether they are governments conducting espionage, criminals out for financial gain, or hacktivists motivated by ideology. Black hats are part of an underground ecosystem that channels tools, expertise, and infrastructure into criminal operations that extract billions of dollars of profit from data theft, extortion, and fraud. This ecosystem is largely comprised of commoditized markets of specialized freelancers with different skills and expertise. This loose, informal structure provides low barriers to entry, transparency and competition, and efficient allocation of resources that allows black hats to tap a wide talent pool, innovate quickly, and adapt quickly to changes in defenses and technology. 2 Executives include respondents who identified as company owner, director, CEO, CIO, CISO, CTO, or CISO, and operators include those who identified as head of IT or data protection, IT department manager, or IT team leader. Executives see cyber-risk as another cost to be managed. Operators define success differently.
  • 5. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 5 The incentive structure for black hats in the cybercrime market drives attackers toward rapid collaboration, innovation, and specialization that make it a relatively efficient and flexible marketplace. The black hat community draws from a large talent pool and relies on a freelance model to produce highly specialized products and exploits for specific attack purposes. This market is also more efficient and fluid, being able to adapt quickly and with more ease based on an attacker’s motives. This underground economy creates an entirely different, powerful set of incentives for attackers to succeed and stay atop of the market. The black hat ecosystem is comprised of two markets: a high-tier market of highly sophisticated and well-resourced actors looking to exploit specific targets with highly advanced techniques, and a low-tier market comprised of criminals and hacktivists launching opportunistic attacks on any vulnerable systems they can find.³ These markets have some overlap, and many of the tools initially trafficked in the high-tier market eventually trickle down to the low-tier market as they age and become more widely known.⁴ Cybersecurity Is Now a Top Priority Internet users have been slow to react to the black hat advantage. Six years ago, cybersecurity did not even rank in the top 10 risks prioritized by company boards.⁵ There was little understanding of how cybersecurity fit into risk management. Many company boards did not allocate resources to practices now thought of as fundamental, such as conducting security program assessments, assigning responsibilities to privacy and security roles, and receiving regular reports on cybersecurity risks. Hard lessons have been learned since then as companies and governments around the world have experienced cyberattacks exceeding $400 billion in total annual cost. A majority of respondents to our survey now rate cybersecurity risk as one of the top three risks facing their organization, confirming that cybersecurity now ranks among the top concerns for companies.⁶ Our survey shows a marked change in board attitudes toward cybersecurity. A majority of respondents reporting both that their boards understand and prioritize cyber-risk. Furthermore, nearly three-quarters (72%) of respondents indicated that their company boards are being briefed on cybersecurity risks at most or every meeting. 3 Lillian Ablon, Martin Libicki, and Andrea Golay. “Markets for Cybercrime Tools and Stolen Information: Hackers’ Bazaar.” RAND. 2014. http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf 4 Jaziar Radianti and Jose J. Gonzalez, “Dynamic Modeling of the Cyber Security Threat Problem: The Black Market for Vulnerabilities,”Cyber-Security and Global Information Assurance: Threat Analysis And Response Solutions, 2009, http:// www.igi-global.com/chapter/dynamic-modeling-cyber-security-threat/7408 5 Lloyds, “Lloyd’s Risk Index,” 2011 6 Osterman Research, “What’s Driving Boards of Directors to Make Cyber Security a Top Priority?,” September 2016 A majority of respondents rated cybersecurity risk as one of the top three risks facing their organization.
  • 6. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 6 Respondents in all sectors see a significant cyberthreat to critical aspects of their organization, ranking the loss of intellectual property and confidential business information, disruption of operations, and harm to company reputation and brand as the largest risks that could result from poor cybersecurity practices. 60% 70% 80% 50% 40% 30% 20% 10% 0% Cybersecurity ranked highest by organizations Reputationalrisk Financialrisk(interestrates, exchangerates) Cybersecurityrisk Regulatoryorliabilityrisk Technologicalrisk Manufacturingorsupply chainrisk Politicalrisk Naturaldisasters,global economicshocks
  • 7. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 7 The observed effects of a cybersecurity incident experienced by survey participants largely mirror the perceived risks from above. More than four in five (83%) respondents report that their organizations have seen an effect as a result of cybersecurity breaches, with the disruption of operations, loss of intellectual property, and harm to company reputation or brand once again ranking among the top areas affected. 60% 70% 80% 50% 40% 30% 20% 10% 0% Largest risks organizations associate with poor cybersecurity practices Disruptionofoperations Regulatoryorliabilityrisk Politicalrisk LossofIPandconfidential businessinformation Harmtoreputation andcompanybrand Revenuesandprofit decrease
  • 8. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 8 “A Tax That We All Don’t Want to Pay …” Despite the overwhelming response from survey respondents that cyberbreaches have resulted in disruptions, IP loss, and harm to company reputation, less than a third (32%) reported experiencing revenue or profit loss as a result of a cybersecurity incident. The perception that cyberbreaches do not directly lead to loss of revenue or profit may be giving companies a false sense of security. It is also interesting to look at differences in opinion between individuals at the executive level versus those who serve in technical and operational roles. Our study shows that executives view breaches as a cost of doing business. Sixty-three percent of executives say as much, while operators that work for them focus on reducing the number and scope of breaches. For executives, cybersecurity competes with a range of other company imperatives, some of which are in direct conflict with investing in security. Executives from one large company called cybersecurity “a tax that we all don’t want to pay …”⁸ Organizations may also lack the metrics to assess indirect costs as the result of a breach, such as quantifying the time spent notifying customers, damage to brand loyalty, or time spent investigating an incident. Incomplete data on cost could mean that executives have an inflated level of tolerance for poor cybersecurity. In fact, more than a majority (54%) of executive respondents say that their organizations are more concerned about reputation than cybersecurity itself. 60% 50% 40% 30% 20% 10% 0% Observed effects of breaches on organizations Disruptionofoperations Regulatororliabilityrisk Politicalrisk LossofIPandconfidential businessinformation Harmtoreputation andcompanybrand Revenuesandprofit decrease Wehavenotseen anyeffects Wehavenotseenany cybersecuritybreaches “It is clear that too many firms do not believe that the dangers of a breach will severely affect them.”⁷ —Inga Beale, CEO, Lloyd's of London More than a majority (54%) of executive respondents say that their organizations are most concerned about reputational effect rather than actual breaches. 7 “Business warned not to be complacent about cyber security,” Computer Weekly, September 20, 2016 8 Blackstone Group LP CTO Bill Murphy, “Cybersecurity Spending Reflects Limited Shift in Priority, Wall Street Journal,” July 1, 2014
  • 9. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 9 A Disconnect Between Strategy and Implementation Companies and governments across all the sectors and regions we surveyed are developing cybersecurity strategies at a rapid pace. More than nine in ten (93%) of respondents said that their organizations now have a cybersecurity strategy designed to combat both existing and new threats. Executives may be overconfident in their organization’s ability to manage emerging threats. Operators, who are on the front lines of cyberdefense, tend to believe that their organization’s cybersecurity strategy is less forward looking, focusing more on current rather than emerging threats. 60% 50% 40% 30% 100% 90% 80% 70% 20% 10% 0% Cybersecurity strategy design balance Existing Threats New Threats Executives versus operators and sector respondents on how much their organization’s cybersecurity strategy is designed to manage existing versus new threats Executive Existing Threats Operators New Threats 60% 50% 40% 30% 100% 90% 80% 70% 20% 10% 0% Government Public Education Healthcare (Public and Private) IT and Telecoms Finance
  • 10. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 10 Differences across sectors are also worth noting, as the finance and IT/telecom sectors have a more balanced approach to managing current and future threats. In contrast, the cybersecurity strategies of public sector organizations, including government and educational institutions, are less forward looking and skew toward managing existing threats rather than future threats. Given that most government and public sector organizations are not well regarded for their cybersecurity know-how, this is not unexpected.⁹ Although respondents overwhelmingly report having a cybersecurity strategy, implementation remains a major challenge, as less than half of respondents (49%) report that their cybersecurity strategy is fully implemented across their organization. Our study also found that executives and operators disagree on the extent to which their cybersecurity strategy is actually implemented, as well as on the metrics used to evaluate the level of implementation. Executives tend to view their organization’s cybersecurity strategies as more fully implemented than operators. They are also more likely to evaluate the effectiveness of their cybersecurity strategies through the lens of broader organizational goals, including cost control and maintaining reputation, than operators who focus more on technical cybersecurity metrics. 60% 50% 40% 30% 20% 10% 0% Perceptions of cybersecurity strategy implementation Operators Executives express with more confidence that their organization’s cybersecurity strategy fully implemented in comparison to partially implemented Executives express with more confidence that their organization’s cybersecurity strategy fully implemented in comparison to partially implemented Yes, but it’s only partially implemented across the organization Yes, and it is fully implemented across the organization Executive 9 CSIS, The Role of Shared Services and the Cloud in Enhancing Cybersecurity, Cyber Policy Task Force Working Group Discussion Papers, 2016 10 http://fortune.com/2014/10/29/home-depot-cybersecurity-reputation-frank-blake/ “There are assumptions we made and assessments of the nature of the threat that in retrospect weren’t sufficient.” —Frank Blake, CEO, Home Depot¹⁰
  • 11. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 11 Measuring Effectiveness The disconnect between strategy and implementation is partly due to the fact that those who determine the strategy (executives) and those who implement the strategy (operators) are not measuring effectiveness and outcomes using the same set of metrics. In general, operators looked to metrics such as breach numbers, penetration testing, vulnerability scans, and cost-of-recovery analysis to measure their organization’s cybersecurity effectiveness. However, executives are more likely to rely on general performance and cost-centric metrics to gauge their cybersecurity strategy effectiveness. Both executives and operators rank the overall number of breaches as the preferred metric to gauge their cybersecurity strategy’s effectiveness. Executives, however, are more likely to focus on the cost of recovery from a breach, negative publicity, or the number of employed cybersecurity staff. 60% 70% 50% 40% 30% 20% 10% 0% How cybersecurity effectiveness is measured Negativepublicity Vulnerabilityscans Penetrationtesting Numberofbreaches Numberofcybersecurity staffemployed Costofrecoveryfrom abreach Proprietarymetricstogauge returnoninvestmentfor cybersecurityspending Wedonotmeasure cybersecurityeffectiveness Executives versus non-executive respondents on the metrics used to measure cybersecurity effectiveness at their organization ExecutiveOperator Executives who make cybersecurity strategy and the operators who implement those strategies (operators) are not measuring effectiveness and outcomes using the same set of metrics.
  • 12. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 12 Executive respondents also ranked “proprietary metrics to gauge return on investment for cybersecurity spending” significantly higher than operators when measuring the effectiveness of their organization’s cybersecurity strategy. While metrics are essential to establishing qualitative criteria in order to evaluate effectiveness for any risk management strategy, there is not yet a consensus on whether the use of “return on investment” (ROI) provides for accurate, risk-based cybersecurity evaluations.¹¹ By comparison, operators ranked technical metrics higher than executive respondents, with vulnerability scans ranking second and penetration testing third among ways they measure their organization’s cybersecurity strategy. What Motivates Improvements in Security? Incentives shape how people and organizations behave. Our survey shows that cybersecurity professionals lack adequate incentives. Most respondents report that, while some incentives do exist, they are lacking for cybersecurity professionals. Executive participants in our survey were more confident than operators about the existing incentives for cybersecurity professionals, indicating they are more likely to believe all categories of incentives are available to security professionals in their organization. 60% 70% 50% 40% 30% 20% 10% 0% Measures used to determine if cybersecurity strategies are meeting objectives OperatorExecutive Having no or minimal exfiltration of priority data assets Mean time to resolution Having no negative publicity about the organization’s cybersecurity We can’t determine if we are meeting objectives Don’t knowGeneral organizational performance indicates that risks are managed to acceptable tolerance levels 11 SANS Institute, “IT Security Spending Trends,” February 2016; Barkly, “2016 Cybersecurity Confidence Report,” 2016
  • 13. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 13 Operators were five times more likely to report that no incentives exist for cybersecurity professionals in their organization. Almost half of operators reported no incentives existing in their organization. It is possible that incentives, even when they exist, may not actually be known by employees, especially if they are lower down in the organization’s structure. Although our survey results show that many respondents believed incentives for cybersecurity professionals are lacking, 65% of respondents said they were “personally motivated” to strengthen their organization’s cybersecurity. The first result (incentives are lacking) is probably more accurate. Responses relating to organizational success, such as preventing data breaches, defeating hackers, reducing the risk of organizational reputational damage, and financial impact, were ranked higher by respondents than were categories relating to personal success, such as harm to personal reputation or job security. These results may reflect respondent bias, with participants self-reporting on putting the success of their organization ahead of their own interests. 60% 50% 40% 30% 20% 10% 0% Existing incentives for cybersecurity professionals OperatorExecutive No incentives exist Recognition or awards Financial compensation (bonus) Paid time off Promotion Executives versus non-executive respondents on incentives that exist for cybersecurity professionals
  • 14. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 14 So what’s the real story? Individuals responsible for cybersecurity define success differently, and are motivated by a mix of performance incentives. Both executives and operators value financial compensation and recognition or awards the highest over paid time off and promotions. However, our study showed that operators are almost equally motivated by recognition and awards as they are by financial compensation. An earlier study on how organizations attract and retain skilled security professionals found that having employers paying for training, allowing for flexible schedules, and providing opportunities to engage in challenging tasks were valued more highly than compensation by security professionals when looking at possible employers.¹² In contrast, executives ranked financial compensation significantly higher than any other form of incentive. 60% 50% 40% 30% 20% 10% 0% Cybersecurity professionals report a lack of existing incentives Decision making responsibility Leadership responsibility No incentives exist Recognition or awards Financial compensation (bonus) Paid time off Promotion Cybersecurity roles reporting on existing incentives within their organization Contribute to decisions made by others 12 CSIS, “Recruiting and Retaining Cybersecurity Ninjas,” October 2016
  • 15. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 15 Respondents in different countries displayed a range of views on incentives perhaps due to differences in cultural norms. Japan and the United Kingdom valued recognition or awards higher than other incentives, while Mexico and Germany valued them the least. Respondents in Brazil, Mexico, and the United States were most likely to place the most value in financial compensation. Japan, Mexico, and Germany put a higher premium on paid time off than other countries in our survey. 60% 70% 50% 40% 30% 20% 10% 0% Respondents are mission-focused on organization’s cybersecurity success Preventingdatabreaches Helpingtrainotheremployees Jobsecurity Therearenomotivations Increasingcybersecurity strength Reducingtheriskofhackers beingsuccessful Reducingtherisk offinancialimpacts Reducingtheriskofpersonal reputationaldamage Reducingtheriskof organizationalreputational damage Total respondents when asked of their motivations when considering their organization’s cybersecurity. Respondents personal motives when considering their organization’s cybersecurity. Personal motivationsEnterprise motivations
  • 16. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 16 60% 50% 80% 70% 40% 30% 20% 10% 0% Incentives cybersecurity professionals would like more of OperatorExecutive Paid time off Financial compensation (bonus) Recognition or awards Promotion 60% 50% 80% 90% 70% 40% 30% 20% 10% 0% Incentives country respondents would like more of Recognition or awards Financial compensation (bonus) JapanBrazil Mexico US Germany France UKPaid time off Promotion Paid time off
  • 17. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 17 Searching for Solutions As organizations learn to manage risk and adapt to new cyberthreats, they appear to be eager to work with the government. A majority of respondents in most sectors share threat intelligence with partner organizations, as well as with the government and outside consultants. A significant majority of respondent organizations view voluntary models of collaboration with the government as valuable in helping to create cybersecurity incentives within organizations. Executives appear to value public-private partnerships more than operators, suggesting these models could be better structured to benefit IT operators in order to provide value to their day-to-day technical mission. Companies see cooperation with government as an important part of their cybersecurity strategy and a key means of improving their cybersecurity. But less than half of respondent organizations report using unclassified government briefings as a source of information when making decisions about cybersecurity. More than three-quarters of organizations believe that faster access to security clearances would be the most effective way to improve their cybersecurity posture, and 66% want greater access to government threat intelligence. 41% 46% 9% 4% Yes, these are somewhat useful Yes, these are very useful No, these are not useful Don’t know Organizations value public-private partnerships Organizations on whether voluntary models create useful incentives for cybersecurity
  • 18. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 18 This may be a case of do what we say, not what we do. Companies appear to be motivated and incentivized to work with the government with the expectation of gaining access to information to improve cybersecurity. Companies value interactions with the government as a source of information, but in many cases, we found that the government sector performed lowest in areas of cybersecurity competency when compared with other surveyed sectors. Based on the survey, government sector entities appear to be locked into a reactive cybersecurity model skewed toward managing existing threats versus new ones. They were also the least likely to report having a fully implemented cybersecurity strategy or provide incentives to cybersecurity professionals. 60% 50% 40% 30% 100% 90% 80% 70% 20% 10% 0% Public-private partnership usefulness according by sector No, these are not usefulYes, these are very useful GovernmentIT and telecoms Finance Healthcare (public and private) Public education
  • 19. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 19 By country, respondents to our survey in the United States, Brazil, and Germany place the most value in public-private partnerships. Mexico, Brazil, Germany, and the United States all would like faster access to security clearances, while the United Kingdom ranked having access to government threat information higher than access to security clearances. Across the board, countries ranked using government briefings as a source of information to make cybersecurity decisions either third or fourth in importance 60% 50% 40% 30% 80% 70% 20% 10% 0% Tactics to improve cybersecurity and information used in cybersecurity decision making Share of respondents who want faster access to security clearances Share of respondents who want access to government cyber threat information Share of respondents who use government agency briefings in their decision making
  • 20. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 20 In a previous report, “Hacking the Skills Shortage,” we found that nine out of 10 respondents believe technological advancements could compensate for the cybersecurity skills shortage.¹³ This confidence was not reflected in this survey, where respondents ranked third-party managed services and leveraging automated workflows to manage lower level threats fourth and fifth respectively in ways to ensure new cyberdefense measures don’t open them up to new risk. The findings of this report suggest that the evolving threat landscape will not only change the demand for a skilled cybersecurity workforce, but also for new and innovative tools and practices. Innovation in the cybersecurity space can be complicated as new cyberdefense technologies require extensive vetting in order to ensure they do not have vulnerabilities that expose users to additional risk. In recent interviews with senior cybersecurity, technology and risk management specialists from across the financial services industry, it was found that CISOs often have difficulty assessing and integrating new security tools due to the rapid pace at which they are developed and released, all the while attempting to better align their cybersecurity policies with the business, operational, and technology strategies of their companies.¹⁴ 60% 70% 50% 90% 100% 80% 40% 30% 20% 10% 0% Public-private partnership usefulness by country No, these are not usefulYes, these are useful UKUS Brazil Germany Mexico France Japan 13 McAfee, “Hacking the Skills Shortage: A study of the international shortage in cybersecurity skills,” http://www.mcafee. com/us/resources/reports/rp-hacking-skills-shortage.pdf 14 “Taking cyber risk management to the next level,” Deloitte, July 22, 2016, https://dupress.deloitte.com/dup-us-en/ topics/cyber-risk/cyber-risk-management-financial-services-industry.html
  • 21. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 21 In a 2015 survey on risk and innovation, a significant majority of respondents said that their organization had invested in security technology that was “ultimately discontinued or scrapped” soon after being deployed.¹⁵ The shortages in skilled cybersecurity workforce and in-house expertise further compounds the difficulty organizations have in producing innovative approaches to cybersecurity. To avoid new risk exposure, most respondent organizations to our survey maintain a security platform that integrates existing and new technologies, or acquire overlapping security technologies. Over half of organizations viewed investing in more talent to manage cybersecurity events as a way to ensure cyber defense measures do not result in new risk.¹⁶ “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” —Bruce Schneier¹⁷ 15 “Risk and Innovation Drive Cyber Technology Investment,” Ponemon Institute, April 27, 2015, http://www. lockheedmartin.com/us/news/press-releases/2015/april/isgs-cybersecurity-survey-042715.htm 16 McAfee, “Hacking the Skills Shortage: A study of the international shortage in cybersecurity skills,” http://www.mcafee. com/us/resources/reports/rp-hacking-skills-shortage.pdf 17 Bruce Schneier. Preface, Secrets and Lies: Digital Security in a Networked World. 15th Anniversary ed, New York: Wiley, 2015. 60% 70% 80% 50% 40% 30% 20% 10% 0% Practices used to limit risk when using new cyberdefense tools Maintainasecurityplatform thatintegratesexistingand newtechnologies Leverageautomated workflowstoaddresslowest levelthreats Investinmoretalent tomanagesecurityevents Internaltrainingfor existingstaff Acquireoverlappingsecurity technologiesacrossthestack Partnerwiththird-party securityserviceprovider
  • 22. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 22 The Black Hat Ecosystem In contrast, the “black hats” against whom companies must defend lack neither workforce nor innovative technology. The black hats have clearly designed incentives created by market forces, not by organizational fiat. The market economy of the criminal hacker ecosystem facilitates innovation and rapid adaptation, and channels resources efficiently to the lowest cost and most profitable criminal enterprises. Unlike the defensive market, in which the strictures of corporate hierarchy affect priority setting and decision making to create a slow, bureaucratic process (even in the best of companies), the criminal market is competitive, commoditized and decentralized. This open and decentralized criminal market creates strong incentives for criminals to strive to be the best, attracting the largest customer base and commanding premium prices. With low barriers to entry for new products and services, criminals have to remain innovative and maintain a strong reputation to stay at the top of the market. Unsurprisingly, we were unable to survey members of the black hat community, relying instead on interviews with technical experts, police and cybersecurity experts. Their experience and observations identify a fast-paced, well-resourced, and dynamic cybercrime ecosystem where incentives are clearly aligned with objectives. The top tier of the black market is comprised almost exclusively of elite technical specialists selling highly coveted zero-day vulnerabilities, intermediaries who specialize in high-dollar-value exploits that serve as brokers between buyers and sellers, and governments that buy tools in the white or grey market for everything from domestic surveillance to cyberespionage.¹⁸ The grey market includes many black hats but few criminals—while they access systems surreptitiously, most grey market participants claim they work exclusively with governments who can pay top dollar, and they avoid the risk of arrest and of dealing with criminals and scammers in the low-tier market.¹⁹ Zero-days and highly sophisticated tools are almost exclusively sold in this market for the same reason. The lower tier, dominated by criminals and the networks that support them, is made up primarily of products like financial information and counterfeit goods, as well as “exploit-as-a-service” and spamming services, as opposed to sophisticated tools and exploit kits, which are primarily in the upper tiers.²⁰ Exploit kits and crimeware services offered in the lower-tier market often take advantage of older, unpatched systems or vulnerabilities that have not been addressed by vendors, as opposed to expensive zero-day vulnerabilities.²¹ While upper-tier actors commit espionage, steal intellectual property (IP), and launch destructive attacks, the lower-tier criminals are driven primarily by money.²² 18 Ablon, Libicki, and Golay. Prev. cit. 19 Andy Greenberg. “Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees).” Forbes. March 21, 2012. http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools- to-crack-your-pc-and-get-paid-six-figure-fees/#1a2762359448 20 Lillian Ablon, Martin Libicki, and Andrea Golay. “Markets for Cybercrime Tools and Stolen Information: Hackers’ Bazaar.” RAND, 2014. http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf 21 Jennifer L. Bayuk et al. “BITS Malware Risks and Mitigation Report.” BITS, A Division of the Financial Services Roundtable. June 2011. http://www.nist.gov/itl/upload/BITS-Malware-Report-Jun2011.pdf 22 Kurt Thomas et al. “Framing Dependencies Introduced by Underground Commoditization.” In Proc. Of the Workshop on the Economics of Information Security, 2015. https://cseweb.ucsd.edu/~savage/papers/WEIS15.pdf
  • 23. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 23 Specialization in the Criminal Market Virtually anyone who is computer literate can participate in the criminal market.²³ This criminal market is made up of a network of specialists, ranging from providers of compromised hosts and human services to exploit kits and compromised accounts, supporting a wide variety of criminal businesses or strategies to monetize these tools and services through spam, fraud, data theft, and extortion.²⁴ Each of these actors has their own specialized profession, which either enables others further down the chain to acquire money from victims, or provides incentives for actors further up the chain to develop new tools and services. The most common specialties/professions in these chains are:²⁵ ■■ Programmers—who develop malware. ■■ Web designers—who create malicious sites. ■■ Tech experts—who maintain the criminal infrastructure (servers, databases). ■■ Hackers—who exploit system vulnerabilities and break into computer networks. ■■ Fraudsters—the classic con artists who devise social engineering schemes (phishing, spam). ■■ Intermediaries—in general, these are criminals who collect data stolen from users, advertise it to other cybercriminals, sell, or exchange it for money or other illegal actions. Map of the white, grey, and black hacker markets Defensive intermediaries (Hacker One) Grey market intermediaries (Zerodium, Endgame) Vendors (Google, Apple) Nation states Vulnerability researchers Malware developers Mule herders Infrastructure providers (providers of malicious hosts, web pages) Users/the public (public disclosure) Cybercriminals (ransomware, carders, fraudsters, DDoS extortion) Social engineers 23 Ablon, Libicki, and Golay. ibid. 24 Kurt Thomas et al. “Framing Dependencies Introduced by Underground Commoditization.” In Proc. Of the Workshop on the Economics of Information Security, 2015. https://cseweb.ucsd.edu/~savage/papers/WEIS15.pdf 25 Bull Guard. “The Online Black Market—How it Works (Part I).” Accessed August 26, 2016. http://www.bullguard.com/ bullguard-security-center/internet-security/internet-threats/online-black-market-part-i.aspx
  • 24. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 24 Profits from criminal businesses are then divvied up among these specialists. According to one law enforcement expert, 80% to 90% of proceeds typically go to the supporting technical specialists and money mules, not to the criminals that devise the schemes. The Cybercrime Market: Competitive, Decentralized, Innovative The cybercriminal market is dynamic and responds to “price signals” with innovation and with new products and services on offer every day. When old capabilities are burned, replacements come online quickly. For example, one expert we interviewed reported that after version 3.0 of the CryptoWall malware family was disrupted, its developers were able to release version 4.0 within days. Similarly, when the developers of the once-dominant Angler exploit kit (which made up 82% of exploit kit activity, according to one estimate) were arrested,²⁶ within weeks attackers who had relied on Angler adopted the Neutrino exploit kit to replace it and deliver their payloads.²⁷ The fast pace of innovation in the criminal market is the result of a combination of factors. First and foremost, criminals are opportunistic, and the free availability of support services in the black market makes them nimble and quick to act, putting defenders at a disadvantage. For example, when new vulnerabilities and exploits are disclosed, criminals quickly find ways to exploit them for profit. One study found that 42% of disclosed vulnerabilities are exploited by criminals within 30 days of disclosure,²⁸ meaning that as these vulnerabilities are disclosed publicly, the criminal underground quickly adopts them into new attacks. Criminals are also opportunistic and focus their energies on the lowest-hanging fruit. Instead of investing in costly vulnerability research and exploit development, they take advantage of publicly disclosed vulnerabilities to exploit unpatched systems. Leveraging publicly disclosed vulnerabilities and exploits in their attacks eliminates the costliest and most time-consuming part of the development cycle—vulnerability research and exploit development. Most of the exploit kits offered on the criminal market use known vulnerabilities, and some of our experts even reported that criminals have taken to advertising the CVE numbers of the vulnerabilities used in their products. While costly capability development is supported by million dollar contracts in the upper-tier market, the lower- tier market is sustained at much lower prices by the free availability of publicly disclosed vulnerabilities and the plethora of unpatched systems that can be exploited in the aftermath of disclosure. 26 Ruslan Stoyanov. “The Hunt for Lurk.” Secure List. August 30, 2016. https://securelist.com/analysis/publications/75944/ the-hunt-for-lurk/ 27 Kevin Townsend. “Did Angler Exploit Kit Die with Russian Lurk Arrests?” Security Week. June 13, 2016. http://www. securityweek.com/did-angler-exploit-kit-die-russian-lurk-arrests 28 Leyla Bilge and Dumitras Tudor. “Before We Knew It: An Empirical Study of Zero-Day Attacks in the Wild.” Proceedings of the 2012 ACM conference on Computer and Communications Security. October 2012. https://users.ece.cmu. edu/~tdumitra/public_documents/bilge12_zero_day.pdf “For cybercriminals, unpatched vulnerabilities in popular software, such as Microsoft Office or Adobe Flash, represent a free pass to any target.”
  • 25. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 25 In a competitive and open market, success requires being the best Cybercrime is a competitive market founded on reputation and thorough product vetting, so developing new capabilities or providing superior service is paramount for cybercriminals to outdo their competitors. The open and competitive nature of the market creates a strong incentive to be the best. As one expert we interviewed put it, “Attackers don’t innovate for the sake of innovating,” they do it to maintain competitive advantage or exploit newer and more lucrative opportunities. In the underground, “good products squeeze out bad ones, and high-quality brands can command premium prices … new products thrive or wither depending on the judgment of the market.”²⁹ As criminals develop new schemes, they are tested by the market, and while those that succeed can quickly scale up their resources and support by buying services in the open market, those that fail quickly disappear and their developers turn to new projects. In order to succeed in this fast-paced and competitive marketplace, criminals must constantly strive to be better than the competition, creating a race to the top that supports the most innovative and efficient operators. Innovation is not limited to new malware. Sometimes, criminals can find profit in novel marketing schemes or repackaged goods. Threat intelligence company SecureWorks observed Russian hackers offering free five- to 10-minute “tests” of their DDoS service before proceeding with the lease transaction.³⁰ Skilled underground players are also making money off of lower-skilled cybercriminals, offering malware-as-a-service, social engineering tutorials, and carding (stealing credit card information) “bibles,” or guides for would-be criminals. 29 Lilian Ablon, Martin C. Libicki, Andrea A. Golay, “Markets for Cybercrime Tools and Stolen Data,” RAND Corporation, March 24, 2014. 30 “Underground Hacker Markets Annual Report,” SecureWorks, April 2016. Lifecycle of a vulnerability in the white, grey, and black markets Vulnerability discovered Exploit developed Zero-day attacks Zero-day burned Tool repurposed for pen-testing Disclosure to public Patch developed Patch implemented Criminal attacks Disclosure to vendor
  • 26. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 26 The relative transparency of the criminal underground, where many attackers participate in shared forums and love to brag about their successes, helps these innovations to proliferate and achieve scale quickly. When one criminal sees that customers are attracted to a new service offered by a competitor (24/7 customer support, pre-purchase tests or demos of the product, working through guarantors that ensure both parties do not get ripped off), they quickly adopt the same practices in order to remain competitive. Similarly, attackers swarm around targets and attack methods that prove lucrative for their competitors. For example, after some enterprising attackers began making significant profits from ransomware attacks on hospitals in 2015, recognizing that they could not afford to let their systems go down with patients’ lives on the line, other operators quickly followed suit. The ransomware community swarmed around these soft targets so intensely that by mid-2016, one report found that 88% of detected ransomware attacks were targeting healthcare companies.³¹ Big Budgets Support Innovation in the Grey Market Companies in the more exclusive “grey” markets are quick to replace and repurpose capabilities because their customers demand it. Catering primarily to governments and major corporations whose primary purpose is surveillance and intelligence gathering, they often maintain a backlog of vulnerabilities and exploits that they use to replace capabilities that are burned. In some cases, customers want multiple exploits available for the same systems so that they can vary their attack methodology, reducing the probability of detection and attribution. Others want to ensure that there are no breaks in their intelligence coverage, meaning they want new tools to be available as soon as old ones are burned. These customers have massive budgets, and are willing to pay top dollar—in some cases hundreds of thousands of dollars or more³²—for these capabilities, allowing companies to invest the time and money necessary to develop and maintain a backlog of elite tools. They can also afford to vacuum up any zero- days discovered by other hackers, whether amateurs, white hats, or criminals. While data on the price of zero-day malware and exploits is hard to come by, intermediaries like Zerodium are willing to pay extremely high prices for exclusive access to these tools. 31 Max Green, “Hospitals are hit with 88% of ransomware attacks,” Becker’s Health IT & CIO Review, July 27, 2016, Security Research Engineering Team, “Q3 2016 Threat Intelligence Report,” NTT Security. 32 Zerodium. “Our Exploit Acquisition Program.” Accessed January 20, 2017. https://www.zerodium.com/program.html
  • 27. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 27 Grey market firms can also repurpose capabilities. While many of these companies focus on providing offensive capabilities for surveillance and intelligence gathering, they also offer fuzzing services, penetration testing, and white hat security services. When a zero-day used in offensive operations is burned, it may be incorporated into a penetration testing tool or used to develop indicators of compromise that can be marketed to defenders. Black Hat or White Hat? Attackers and defenders in cyberspace often have similar skills and backgrounds. People with technical skills face a choice between going into the legitimate ICT or cybersecurity industries or pursuing a criminal career. While many early black hat hackers were students and young people fascinated by computers, so-called “script kiddies,” today’s underground economy is dominated by professional criminals. While some are self-taught, others are IT professionals or security researchers moonlighting in their off hours, former government hackers, or out- of-work computer science graduates. Prices offered for zero-day tools by grey market intermediary Up to $1,500,000 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 1,001 RJB Apple iOS Up to $200,000 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 1,002 RJB Android Up to $100,000 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 1,003 RJB Windows Phone Up to $80,000 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 3,001 RCE + SBX Adobe PDF Reader 2,002 RCE + SBX Chrome with SBX 2,003 RCE + SBX IE + Edge with SBX 2,004 RCE + SBX Safari with SBX Up to $50,000 4,001 VME VM Escape 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 3,003 RCE Windows Reader App 2,005 RCE Flash Player w/o SBX 6,001 RCE OpenSSL 6,002 RCE PHP Up to $40,000 5,001 MTB ASLR Bypass 5,002 RCE + LPE Antivirus 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 3,002 RCE Office Word/Excel 7,001 RCE Sendmail 7,002 RCE Postfix 7,003 RCE Exchange Server 7,004 RCE Dovecot Up to $30,000 4,002 LPE + SBX Windows 4,003 LPE + SBX Mac OS X 4,004 LPE Linux 2,001 RCE + SBX Flash Player with SBX 2,001 RCE + SBX Flash Player with SBX 2,006 RCE Chrome w/o SBX 2,007 RCE IE + Edge w/o SBX 2,008 RCE Tor Browser 2,009 RCE Firefox 2,010 RCE Safari w/o SBX Up to $10,000 8,001 RCE IP.Suite 8,002 RCE IP.Board 8,003 RCE phpBB 8,004 RCE vBulletin 8,005 RCE MyBB 8,006 RCE WordPress 8,007 RCE Joomla 8,008 RCE Drupal 8,009 RCE Roundcube 8,010 RCE Horde LPE: Local Privilege Escalation MTB: Mitigation Bypass RCE: Remote Code Execution RJB: Remote Jailbreak SBX: Sandbox Escape VME: Virtual Machine Escape Source: Zerodium. “Our Exploit Acquisition Program.” Accessed January 20, 2017. https://www.zerodium.com/program.html.
  • 28. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 28 Many old school black hats have moved into the legitimate cybersecurity industry as opportunities have grown and law enforcement has cracked down on cybercrime. These early hackers, many of whom got involved in black hatting to learn about cool exploits and make a name for themselves, were eventually drawn to bigger and better-paying opportunities in the defense market. As one former black hat we interviewed said, “I crossed over to get access to new and cooler tech and bigger environments … I got to hack super-cool systems as a white hat!” Highly skilled programmers and vulnerability researchers primarily work in top-tier white and grey markets. With access to six-figure salaries at legitimate companies, no fear of arrest, and the opportunity to spend their time figuring out how to hack the most complex and “cool” systems, there is little incentive to be involved in criminal activity. This is especially true for the most elite hackers that find and exploit zero-day vulnerabilities. One user summed up the choice facing hackers who identify zero-days clearly in an online hacker forum: “Almost no reason to sell zero-days on the black market anymore if you can broker it to security firms. Risk is high and chance of being ripped off is crazy high when selling on black market. Another plus being that zero-day sold to reputable security firms can land you a six-figure job.”³³ A criminal background can also make it difficult to get into the white and grey markets. Grey and white market companies rely on reputation and connections to secure lucrative contracts with governments and major corporations. These contracts often involve administrator access to highly sensitive or classified data and systems, and most customers are wary of allowing criminals or former criminals high level access to their systems. There are exceptions, however. For example, a student at Carnegie Mellon University was arrested in 2015 for creating and disseminating the “Dendroid” malware family, which compromised Android apps and allowed attackers to gain complete control of Android devices.³⁴ He sold the malware on Dark0de, the top English language cybercrime forum,³⁵ to any interested customer for $300 and even offered 24/7 customer support.³⁶ “I crossed over to get access to new and cooler tech and bigger environments … I got to hack super-cool systems as a white hat!” 33 bitcointalk, “Where Can I Sell a 0 Day?” bitcointalk.org, September 16, 2013. As of February 4, 2014: https://bitcointalk. org/index.php?topic=295200.5;wap 34 Jose Pagliery, “Cybersecurity intern accused in huge hacking bust,” CNN Tech, July 15, 2015. http://money.cnn. com/2015/07/15/technology/hacker-fireeye-intern/ 35 Europol. “CYBERCRIMINAL DARKODE FORUM TAKEN DOWN THROUGH GLOBAL ACTION.” July 15, 2015. https://www. europol.europa.eu/newsroom/news/cybercriminal-darkode-forum-taken-down-through-global-action 36 Jose Pagliery, “Cybersecurity intern accused in huge hacking bust,” CNN Tech, July 15, 2015. http://money.cnn. com/2015/07/15/technology/hacker-fireeye-intern/
  • 29. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 29 Part-Time Crime is More Common in the Russian-Speaking World While highly skilled hackers rarely participate in criminal activity in the West, in some regions there is more overlap between the white/grey markets and the criminal market. In particular, the Russian-speaking hacker community is highly fluid, is home to many of the world’s most sophisticated cybercriminals, and involves a higher degree of overlap between the legitimate ICT and cybersecurity industries and the criminal ecosystem. One expert interviewed for this report noted that many of the top Russian- speaking hackers that he identified work for legitimate ICT companies while moonlighting as criminals. The majority of these are Russian or Eastern European IT and telecom companies, but some work for legitimate cybersecurity companies. Some of these criminals even list their criminal identities and dark web handles on their open Facebook pages, right next to their legitimate day job. Some of the most sophisticated Russian cybercriminals are also plucked from Russia’s advanced math and computer science programs and trained by the intelligence services. One expert we talked to described Russia’s approach to hacking as similar to their approach to Olympic athletes. The government invests significant resources in developing an elite athlete who competes for the nation, then they go independent and make millions playing for themselves. Some experts argue that this greater overlap with the legitimate ICT industry is the result of a permissive environment for transnational cybercrime. There is a well-known rule in the Russian underground that you do not hack Russians or Russian-speakers. According to law enforcement sources, Russian and Eastern European authorities are tolerant of cybercrime as long as the targets are in Western Europe, the US, or Asia, but can be quick to take action against criminals that target computers in their jurisdiction. As one law enforcement official told us, some of the major prosecutions of Russian and Eastern European cybercriminals by US law enforcement have started with a call from the FSB³⁷—“We’ve identified a cybercriminal who is responsible for serious crimes in your country. We would be happy to cooperate with you in bringing them to justice.” Of course, in many cases, these criminals have been operating openly in their home country for years, and the FSB only “identified” them after they made the mistake of using their skills against targets in Russia. Criminals know this, and use a variety of techniques to constrain their attacks to foreign computers. For example, the Citadel Botnet included an interesting quirk in the malware—it only infected computers using the Roman alphabet, but did not infect computers whose operating systems are in Cyrillic, ensuring that Russian and Ukrainian authorities would take little interest.³⁸ As shown in the heat map below, the botnet was prolific in western Europe and the US, but infected very few computers in the Russian-speaking world. A cluster of infections in Moscow reflected the concentration of foreigners living in the Russian capital. 37 The Federal'naya Sluzhba Bezopasnosti (FSB) is the Federal Security Service of the Russian Federation. 38 Enigma Software. “Citadel Trojan.” http://www.enigmasoftware.com/citadeltrojan-removal/
  • 30. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 30 Heat map of the Citadel Botnet by Microsoft’s Digital Crimes Unit The shortage of legitimate ICT jobs in Russian and Eastern Europe also pushes many talented ICT experts into criminal activity. Many hackers in the Russian criminal underground are out-of-work IT experts and computer science graduates who are unable to find legitimate jobs. A 2013 survey by recruiting website HeadHunter found that only 51% of polled IT specialists in Russia had found jobs in the legitimate IT sector. Given their abilities, honed in top-tier technical universities, weak law enforcement, and the low wages even for those that do make it: “People think: why not earn a bit on the side?”⁴⁰ Breaking down the geographic and institutional barriers with the Russian- speaking cybercommunity can help to channel more of the talent and resources in that region into the legitimate cybersecurity industry. Russian universities produce highly talented programmers and mathematicians, but the lack of cybersecurity and ICT jobs in the Russian-speaking world and the lack of consequences for criminal activity push many of these professionals into criminal activity. In contrast, the US and Europe face a shortage of talent in the legitimate ICT and cybersecurity industries, and computer science skills are highly marketable.⁴¹ With legitimate firms paying top dollar for security professionals, there is little incentive for skilled programmers to get involved in criminal activity. Tapping into the underemployed talent pool in Russia and Eastern Europe could not only help fill the skills shortage, but also shrink the talent pool supporting some of the most sophisticated cybercriminal operations. Source: Jennifer Warnick. “Digital Detectives: Inside Microsoft’s New Headquarters for the Fight Against Cybercrime.” Microsoft News Center. 2015. http://news.microsoft.com/stories/cybercrime/ 39 Alissa de Carbonnel. “Hackers for Hire: Ex-Soviet Tech Geeks Play Outsized Role in Global Cyber Crime.” NBCNews.com/ Technology. August 22, 2013. 40 Ibid 41 CSIS and McAfee. “Hacking the Skills Shortage.” July 27, 2016. https://www.csis.org/programs/strategic-technologies- program/cybersecurity/cybersecurity-workforce “People think: ‘I’ve got no money, a strong education, and law enforcement’s weak. Why not earn a bit on the side?’” —Alexei Borodin, 21-year-old hacker³⁹
  • 31. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 31 For people with technical skills, high-paying job opportunities, low risk of arrest, and the opportunity to work with the top professionals and most cutting edge technologies create powerful incentives against participating in cybercrime. These incentives are distributed unevenly around the world, however. In the absence of legitimate opportunities and clear consequences for criminal behavior, as in Russia and Eastern Europe, the allure of making money and making a name for yourself can draw talented operators into cybercrime. Realigning Incentives to Strengthen Cybersecurity The scope and nature of the cybersecurity challenge is so complex and daunting that multiple measures at the international, national and company level are required to address it. This report looks at one segment of the problem—the governance issues that put companies at a disadvantage compared to their attackers. The report identifies several critical areas on the defender side where divided attitudes, often split between technical and non-technical roles, toward organizations’ cybersecurity appear. These attitudes, such as how a cybersecurity strategy is designed, the degree of implementation, and its overall effectiveness, are central to how individuals develop an impression of their organization’s overall cybersecurity posture. The resulting differences in perception create an inaccurate, disjointed picture of a defender’s posture, undermining the goal of establishing an effective cybersecurity strategy and adding to the disadvantage defenders are at against black hat attackers. The good news is that most companies recognize the seriousness of the cybersecurity problem and are willing to address it. We focus on governance, the processes, rules, and structure companies use to manage, make decisions on resources and technology, and compete—because these processes will usually be slower and less nimble than the market forces that drive attackers. This is in some ways inevitable, but it can be minimized through organizational innovation. Each company will need to identify innovation that best fits its business model and structure. The tendency of executives to approach cybersecurity through a cost-conscious framework is no surprise. However, differences in how executives and operators measure risk and the misalignment of incentives is leading to suboptimal security. The establishment of a common set of metrics used by both executives and operators that took both cost and effectiveness into account would allow for a more coherent approach to companies’ cybersecurity efforts to mitigating risk.
  • 32. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 32 Learning from cybercrime Defenders can learn from the black hat community. “Security-as-a-service” can offer greater flexibility to counter the “crime-as-a-service” model of the criminal market, leveraging market forces to foster competition and strengthen incentives for defenders. The most effective defense (at companies that can afford it) blends in-house efforts and outside services and technologies. Lessons from the criminal market Criminal market Defenders’ analogue Leverage market forces Crime-as-a-service The open and decentralized criminal market leverages competition and market pricing to minimize barriers to entry, foster innovation, and help successful ventures quickly achieve scale. Security-as-a-service Greater use of outsourcing and open contracting can help reduce costs, increase competition, and facilitate the broad adoption of effective security technologies and practices. Use public disclosure Target publicly disclosed vulnerabilities Exploiting disclosed vulnerabilities avoids costly vulnerability research and exploit development, and quickly incorporates new disclosures into attacks to maximize value before defenders patch. Improve patching practices Responding more quickly to public vulnerability disclosures through improved patching practices and faster replacement of legacy systems can enhance security and raise costs to attackers. Increase transparency Open forums and online advertising Open forums and public advertising facilitate the proliferation of successful new attacks and criminal business models and the widespread adoption of best practices. Information sharing and collaboration Expanding information sharing can help reduce costs to defenders by reducing duplication and can help spread the word about new technologies and practices that deliver significant improvements in security. Lower barriers to entry “Anyone who is computer literate” Lacking formal qualifications or geographical constraints, the criminal ecosystem is able to bring in undervalued talent from the legitimate economy and maximize its value. Tap global talent pool Drawing on a broader talent pool, including young people and foreign ICT experts that are often drawn into cybercrime, can help fill the skills gap for companies and drain talent from the criminal market. Align incentives Freelance markets reward performance In the freelance criminal market, operators at all levels and all functional areas of the attack chain are rewarded by the market for excellence and penalized for underperformance. Performance incentives In order to align incentives from leadership down to operators, incentives like awards and bonuses must be provided to employees and managers who deliver good security outcomes.
  • 33. Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity | 33 Attackers respond quickly to public disclosure of vulnerabilities, and leverage the transparency of online forums to spread best practices and new attacks. Defenders must accelerate efforts to patch vulnerabilities and replace legacy systems to match the speed of cybercrime. A faster patch and refresh cycle can raise costs to attackers, forcing them to invest in expensive and time-consuming vulnerability research and exploit development or go after other targets that are slower to raise their defenses. Our research showed that black hats benefit from greater speed and focus. They are incentivized by direct rewards for being faster, newer, and nimbler in their attacks. The incentives for speed and focus are not there for defenders. But incentives can be changed. Companies have successfully experimented with their business models and structure to become more dynamic and innovative in order to remain competitive. The same sort of experimentation is necessary if cybersecurity is to keep up with the attackers. This will require identifying the right metrics for success and revamping organization structure to build a nimbler, faster defense. In thinking about how to do this, the best approach may be to take lessons from the black hats on how to create effective incentives.
  • 34. McAfee. Part of Intel Security. 2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.intelsecurity.com About CSIS For 50 years, the Center for Strategic and International Studies (CSIS) has developed practical solutions to the world’s greatest challenges. As we celebrate this milestone, CSIS scholars continue to provide strategic insights and bipartisan policy solutions to help decision makers chart a course toward a better world. CSIS is a bipartisan, nonprofit organization headquartered in Washington, DC. Its 220 full-time staff and large network of affiliated scholars conduct research and analysis and develop policy initiatives that look to the future and anticipate change. http://csis.org/ About Intel Security Intel Security, with its McAfee product line, is dedicated to making the digital world safer and more secure for everyone. www.intelsecurity.com. Intel Security is a division of Intel. Intel and the Intel and McAfee logos are trademarks of Intel Corporation or McAfee, Inc. in the US and/or other countries. Other marks and brands may be claimed as the property of others. Copyright © 2017 Intel Corporation. 2443_0217 FEBRUARY 2017