The Upside Down: making sense of the business models, organizational structure, and the economy of the cybercrime
Looking at the maturation and the business side of the cybercrime and what this means for cyber defense
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Introduction
Although the vast majority of the attacks are driven by financial motivations, it is still rare to see discussions about the business side of cybercrime. This knowledge vacuum is a big problem for cyber defense because it is not possible to get ahead of the adversary if we as an industry are just reactively chasing their business moves. For the defense to outpace the offense, we need to take a broader view of cybercrime and understand its mechanics, incentive systems, supply and value chains, demand drivers, and interested parties.
The Upside Down from Stranger Things is an alternative dimension that mirrors our world. In Upside Down, there is no order, no real structure: this mysterious place is overrun by unknown creatures that operate in largely unexplained ways. In this piece, I would like to look at some of the elements of this alternative world, namely the business models, the economics, and what cyber defense can do to impact its ability to spread.
I must admit that writing this piece was incredibly hard. Not only because the topic is so complex, but also because I don’t want it to trivialize the problem of cybercrime. Cybercrime is a real issue, and no matter what lenses we were to take, there are people and organizations whose lives were shuttered by the actions of threat actors. The goal of this article is not to pretend that there is an easy way to simplify the sheer complexity of the problem or legitimize the work of the threat actors but to offer a different look at the structures, systems, and models of cybercrime.
The credit for the “Upside Down” analogy goes to Grace Chi of Pulsedive Threat Intelligence who brought it up when we were discussing this topic a few months ago.
Disclaimer: This post is for general information and education only. The author does not endorse cybercrime. Engaging in criminal activities is illegal and punishable by law. Please use this information responsibly and ethically.
Cybercrime as a business operation
Types of organizations in the Upside Down
Similar to cybersecurity startups, cyber gangs often start as upstarts - when several malicious actors develop a technology that allows them to do something that hasn't been done before, or otherwise find a way to achieve their goals. Different criminal groups compete for the same market so the bar to entry is not low. To find their place in the universe of cybercrime, bad actors often choose a niche where their competitive advantages (technology, technical know-how, access to resources, understanding of the space, etc.) enable them to win faster.
As these “startups” grow, similar to growing tech companies, they need to hire more specialized people. Similar to the mergers and acquisitions (M&A) process we are used to seeing in the security industry, criminal gangs sometimes merge with others, form their equivalents of joint ventures, and build partnerships with other criminals.
If all this sounds like I am discussing a well-formed industry, it is because it is. Almost every type of player we find in the cybersecurity market exists in the underworld: startups, enterprises, brokers, resellers, marketplace providers, consultants, service firms, and the like. Although I haven’t heard of an equivalent of angel investors (“demon investors”?) I know that there are players ready to provide capital to upstarts and fund the expansion of large criminal gangs.
When it comes to forms of employment, these vary a lot. Some people are affiliated with specific criminal groups (an equivalent of full-time employment), others are available for short-term and long-term contracts, and some are gig workers offering their services on Upwork-like freelance marketplaces. One can find different types of resumes and job offers - from hacking, exploit, and ransomware development, to much less esoteric areas such as software development, graphic design, public relations, and translation.
Running the business side of the cybercrime
The mature organized cybercrime players function as well-oiled, tightly-run operations, and as such, they share many key characteristics with legitimate businesses. First of all, every gang has investors and shareholders - those who profit from the enterprise's success. Then, it has operators (think business leaders), and the need to perform activities essential to the functioning of an organization:
Recruitment - finding and recruiting talented hackers. Think of bad guys' versions of background checks and portfolio reviews, managing job boards, deciding what benefits to offer, and so on.
Payroll - compensating employees for work, keeping track of who got paid, etc.
Operations & HR - ensuring that everything runs as it should, firing underperforming gang members, and dealing with employee complaints that from time to time show up in different channels and can hurt the reputation of the gang.
Marketing - building a presence in media and managing social media accounts.
Sales - finding customers for their products and services and ensuring their satisfaction.
Customer support - although it sounds odd, it is easy to picture customer complaints - “this malware didn’t deploy”, or “there are too many detections and we weren’t able to get initial access”. Another use case for customer support is helping companies through the process of paying a ransom and regaining access to their data.
Public and media relations - contacting journalists and sending information to the press about the latest hacks.
Research and development - working on new ways to break into organizations’ environments and expand the scale of cybergang’s operations.
Each of these activities requires focus, time, and effort, and similar to legitimate businesses, they are all connected. For instance, when it's nice and sunny outside, many people may take a vacation which would subsequently slow down the productivity of the gang. Or, similar to any tech company, if a criminal group does not have a "good" reputation (more notoriety than reputation in a typical sense) in circles of bad actors, it will struggle to attract and retain top hackers. As with every business, cyber gangs have financial goals that need to be met, hiring and expansion plans that have to be fulfilled, and other key performance indicators (KPIs) they are trying to reach.
Exploiting weaknesses in business operations of the adversary
Understanding what it takes to run a cyber gang is critical to find ways to impact its operations. Here are some of the many ways in which it can be done:
Forcing cyber gangs into a re-brand. Those that have ever been a part of a large re-brand of the whole company, know how much effort it takes. Every time a criminal gang is forced to change its branding, be it due to competition with other groups or pressure from law enforcement, it has to use a large amount of resources to reorganize its operations. In other words, every time a group is rebranding, it is not working (or not working as much) on accomplishing its financial goals.
Making it harder to recruit the right talent. Every time the cyber gang re-brands, it needs to re-establish itself as a player on the market, build a reputation and re-establish the recruitment machine. Cyber defense can make it harder for criminals to recruit the best technical talent by weakening their reputation, by improving working conditions, and the compensation levels of the blue teams. Although it sounds counter-intuitive, defenders and criminal gangs often compete for the same talent, so the ability of security teams to evolve HR processes and start hiring for technical skills and abilities above certifications and other pedigrees will directly impact the number of talented technical people in search for jobs.
Cybercrime as a business model
Although it may be much more exciting to look at technology, the problem of cybercrime is a problem of incentives and financial motivations. The vast majority of organizations are targeted by hackers looking to monetize their work, not those interested in making a statement of some kind. Therefore, it is critical to enumerate some of the ways in which threat actors make money.
A brief look at some of the most common business models in cybercrime
Monetizing access to the victim’s devices and networks
Ransomware
Ransomware - when attackers hold information for ransom and demand payment to unlock it for the victim - has become one of the most prominent threats to businesses today. The payments are typically done in cryptocurrency so they are very hard (and often impossible) to track.
In recent months, we have started to see a new trend: ransomware gangs are demanding that victims provide a copy of their cyber insurance policy so that attackers can “tailor their ransom demands to the policy limits, maximizing their profits while minimizing the risk of victims refusing to pay”.
Crypto mining
Cryptojacking, or deploying malware that enables attackers to mine cryptocurrencies on victims' machines, is another common way for attackers to generate money. Since mining cryptocurrency requires a lot of computing power, subverting hundreds of thousands of machines to work as a part of the same mining network can result in great profits.
Selling access to compromised networks
Initial access brokers sell access to compromised networks. Instead of looking to exfiltrate data or get the money from breached organizations themselves, they sell access to personal and organizational networks to ransomware gangs and the likes who can take advantage of it. The price of access largely depends on the size of the opportunity (company industry, size, revenue, etc.).
Monetizing access to financial data
By hacking databases that contain credit card information, tricking people into providing their financial details, and intercepting credit card data or wire transfers during the transaction, attackers collect large numbers of credit card data. It’s not just the traditional financial institutions that are affected - accounts such as PayPal and Venmo also get stolen by the bad actors.
One of the most common ways for attackers to monetize stolen credentials is to buy cryptocurrencies such as Bitcoin or Ethereum and send them to themselves, or use them to pay for products and services. Money from stolen gift cards, intercepted wire transfers, and the like also typically ends up being cashed out using cryptocurrency.
Monetizing stolen non-financial data
Cybercriminals steal a lot of non-financial data both about people, companies, and governments. There are several ways to make money off this data: selling it on the dark web, threatening companies that they will expose their secrets unless they get paid, or leveraging it in a scam to get access to financial records. When it comes to data about individuals, it is commonly used for identity theft.
Monetizing vulnerabilities
Selling exploits
Selling exploits is another common way for cybercriminals to leverage security expertise as a way to profit. Threat actors looking for ways to target specific companies, as well as those that have creative ideas about leveraging backdoors, commonly look for ways to get their hands on the latest zero days.
The market of zero day brokers is one of the particularly tricky gray areas as oftentimes, it is governments who are seeking the backdoors.
The rise of marketplaces
In the past decade, we have seen the rise of marketplaces - tools akin to Facebook Marketplace that enable bad actors to buy and sell exploits, and stolen data, as well as their other products and services. Marketplace providers in the Upside Down make money by using the same model as Airbnb or any other legitimate tech company - charging fees for transactions that happen on the platform. In this model, the seller of the product (think exploits, ransomware kits, etc.) won’t execute the attack themselves which in turn often makes them much less interesting for law enforcement who are focused on marketplace providers and the end users (attackers) utilizing the tools they bought.
Business models around services
Although relatively new, selling services is becoming an increasingly common way for criminals to make money. In recent years, we have seen bad actors successfully replicate the software-as-a-service (SaaS) model and start offering their products and services on a subscription basis. Many providers even offer options for buyers to choose payment frequency - monthly or yearly.
Three of the most common models are ransomware as a service, phishing as a service, and cybercrime as a service:
Ransomware-as-a-service (RaaS) includes a full set of tools, malicious code, training materials, and even customer support - everything a customer needs to launch a ransomware attack. Buyers have the ability to read reviews and evaluate products before getting into long-term relationships. Ransomware-as-a-service and the degree to which it has lowered barriers to launching a cyberattack is one of the main drivers for the growing number of ransomware attacks.
Phishing-as-a-service (PhaaS), similar to RaaS, is a model that makes phishing kits readily available to anyone interested in launching a phishing attack, regardless of the level of their technical skills and abilities.
Cybercrime-as-a-service (CaaS) is a broad term that includes ransomware, phishing, as well as many other types of tools - platforms to steal user credentials, offers to hack or DDoS sites for a fee, gaining access to corporate networks, and a wide variety of other illegal offerings.
Weakening the infrastructure that powers the adversarial business models
As with any business, cyber gangs rely on tools and infrastructure to run their business. To deliver their products and services to their customers around the globe, tech companies heavily rely on the cloud - a collection of hardware and infrastructure managed and maintained by third parties. To conduct their operations at scale, cybercriminals also need computing power, but to access it, they do not negotiate multi-year contracts with AWS, Google Cloud, or Azure. Instead, they typically leverage botnets - millions of infected computers that silently provide their network to serve the interests of the adversary such as spreading malware or breaking encryption. To deprive bad actors of the ability to turn computers and IoT devices into bots, we need to force manufacturers to build security into their products from the design stage, and ensure we patch and regularly update operating systems and programs that are running on them.
The infrastructure that powers cyber crime goes far beyond computing power. Some other examples of the critical components for running a cyber gang include:
Marketplaces and other tools for communication and goods exchange. If cyber gangs were to lose the ability to sell stolen data on the black market, it would severely hurt their ability to monetize the results of their work. This is why taking down marketplaces and forums where illicit and stolen stuff is exchanged is a critical task for law enforcement and cyber defense operations. An example of what success looks like is Operation Cookie Monster resulted in the takedown of the Genesis Market - an illegal service that hosted about 80 million credentials and digital fingerprints stolen from more than 2 million people available for sale.
Payments infrastructure and escrow services. Cybercriminals heavily rely on cryptocurrency for everything from running ransomware, DDoS extortion, and cryptojacking businesses, to making payments to those employed by the gang. Although privacy and anonymity are one of the core value propositions of crypto, there is most certainly a strong need to do what is possible to limit the ability of criminals to launder money with the help of Bitcoin, Ethereum, etc.
Publicity and marketing tools. Cybercriminals have enough tools in their arsenal to popularize their work and recruit people. Business models such as extortion rely on publicity and the ability of bad actors to reach a wide audience - people who are not using Tor and not spending time on the dark web. We mustn't make their jobs easier by allowing cyber gangs to advertise their work and attract customers on public media- be it Twitter, public forums, or elsewhere.
Cybercrime as an economy
People form companies, companies form markets, and markets form economies. Cybercrime is no different: the individual players, be it cyber gangs ("large corporations"), emerging groups ("startups"), or individual bad actors ("solo proprietors"), are all tied together into an ecosystem with aggressive competition and a huge total addressable market (TAM). If cybercrime was a country, it would be the world’s third-largest economy - a fact that is easy to forget when we think of cyber as "some bad guys exploiting some vulnerabilities".
Similar to legitimate businesses, cyber groups often specialize in specific types of companies they target, competing in some areas and collaborating with other gangs in others. Ransomware and cryptojacking, for example, aren't simply the attack methods - they are different markets of cybercrime.
As an economy, cybercrime is entirely borderless - it spans all countries that maintain some kind of connection to the internet, however poor or low-speed it may be. It is international and fully self-regulating: there are no governing bodies, no standards to abide by, and no guarantees of any kind.
Getting the adversarial economy into a recession
As with any economy, there are bloodlines that power it - financial institutions, intermediaries, and suppliers. And, as with every economy, its health is dependent on the health of all of the components of the model. Every time a critical part of this shadow economy is affected, it has the potential to affect other parts. When the prices of cryptocurrency went down, it had a material impact on the dynamic of cybercrime. Similarly, although I haven't been able to find any discussions of this, I suspect a collapse of cryptocurrency exchanges such as FTX, made some criminals bankrupt while greatly enriching others.
Every economy is cyclical, and major unexpected events can send it into a recession. There is a lot of great reading about the impact of the recession on cyber activity, such as this article written by Christopher Boyd at the time when it wasn't clear how threat actors will react to the global pandemic. However, the question I am curious about is what can the economy of cybercrime itself be sent into a recession? Which of the infrastructure criminal gangs rely on can be dismantled in such a way that would undermine their ability to recover for months or even years to come? I will leave it here as an open-ended but not a rhetorical question.
Walking on the edge: a brief note about the gray zone of cyber
When talking about cybercrime, it is all too easy and convenient to draw a solid line between good and bad; the reality, however, has much more shades of gray than we are comfortable admitting.
While the vast majority of the technical security professionals are working on the defense side, and a minority operate as adversaries, there is also a small percentage of those that are trapped in between the two. When people working on purple or red teams during the day get home, they typically want to practice and grow their skills. How can they do it? The answer to this question sometimes depends on their values and levels of integrity: while the overwhelming majority choose to hack for the likes of Bugcrowd or submit their findings directly to vendors, some moonlight for the Upside Down. Although I don't think this is so widespread that it requires a wide discussion in the industry, it most definitely needs to be called out.
An area where we see businesses walk on the edge has to do with offering services and selling products to bad actors. While the overwhelming majority of founders and business owners stay away from serving the underworld, some knowingly under-invest in anti-fraud and anti-money laundering efforts so that they can close their eyes and ears and not think about where the money comes from. This, however, isn’t as common as having attackers exploit legitimate businesses without their explicit or implicit consent, such as when bad actors distribute malware and ransomware via Google ads.
Closing thoughts
Cybercrime is much more than the problem of patching software, getting people to use multi-factor authentication (MFA), identifying and addressing vulnerabilities, and chasing zero days. It is a system - an industry, a market, and an economy. To reduce the number of cyber breaches, we most certainly need to invest in better defenses, embrace an engineering mindset to security operations, move from promise-based to evidence-based security, and fully internalize that it is people, not tools, that can help us to secure our society. Because most cybercrime is financially motivated, it makes heavy use of the concept of ROI (return on investment). If we make the work of criminals much harder and prohibitively expensive, they will be forced to look for better ways to make money.
Unfortunately, simply fighting the work of cyber gangs is not going to be enough. The reason cybercrime has been spreading so much is not the excitement about technology, it’s the economics of the Upside Down. Cybercriminals developed the ability to do their work cheaply, by using somebody else’s infrastructure, and by hiring others to do the low level work. Cyber defense needs to embrace the systems view and seek to tackle the problem of cybercrime as a whole, undermining the ability of criminal groups to launder money, taking down places where stolen goods are exchanged, and looking for ways to hurt business models, infrastructure, and operations of the adversary. Although most of this work has to be left to the government, we as an industry have a role to play.
First of all, we need to continue investing in security education and getting more technical talent to join cyber defense. Second, we should look for ways to hire people who are talented, highly motivated, and technically proficient, not just those who have the right certifications. Adversaries do not care what certifications people possess, they care about their ability to produce results; as long as hiring people on the defense is behind on embracing a similar approach, we will be giving attackers an unfair advantage. Third, we have to continue improving the compensation, and working conditions of those in the industry. Lastly, we need to expedite the maturation of cybersecurity, the move from promise-based to evidence-based security, shift to security-first mindset, and the adoption of the engineering approach in the industry to strengthen our defenses.
A lot has been said about the importance of public-private collaboration, the need to share insights between different agencies and trusted parties, and requiring security to be a part of design decisions from day one. The truth is, we do need to do all of this, and the number of things we need to get right is overwhelming. However, whatever we do, we should keep in mind the business, the market, and the economy of cybercrime because, without this foundational understanding, we will keep fighting the symptoms instead of the root cause.
We must not trivialize: there are people’s identities, savings, and sometimes lives at stake. And yet, in our race to chase the latest vulnerabilities, let’s not forget that there is most certainly a way to crash any economy, including the economy of the Upside Down.
Great deep dive! One thing I'd like to add under closing thoughts: there are MANY threat intel sharing groups that do an unheralded amount of work to inflict pain and cost on these groups. We should try to tear down as much red tape as possible to not only make sharing intel between companies on these groups easier, but also tear down redtape so the government (read: law enforcement) can work in symbiosis with private industry
Great post Ross -- I think it's really important to educate people about the business side of cybercrime. One of the great sources on this (I would argue definitive) is Jonathan Lusthaus and https://industryofanonymity.substack.com/. Definitely recommend to anyone interested in this space.