Plus ca change- the Chinese general Sun Tzu said “know your enemy” 2,500 years ago- and the advice is as pertinent today as then when it comes to cyber security.
Organisations can build better cyber defences by understanding which criminal underground is likely to target them, according to Robert McArdle, threat research team manager at Trend Micro.
There are several distinct types of cyber criminal undergrounds divided along language lines, each with their own particular characteristics, he told the Cloudsec 2016 conference in London.
The biggest and most mature are the Russian, English, German and Chinese cyber criminal undergrounds, but there also significant operations in Portuguese (Brazil) and Japanese.
“The all operate slightly differently and focus on different activities, so it depends on your business which of these undergrounds are the most likely to target your organisation,” said McArdle.
The Russian criminal underground is the longest-running, most mature criminal underground and was the first to introduce that as-as-service model, which has since been copied by most of the others.
The Russian cyber criminal underground is highly competitive, with most operations run along strict business principles, with some boasting dedicated sales departments and 24-hour support services.
The Trend Micro research team has identified several trends in the Russian underground, such as the fact that fierce competition is forcing prices lower, providing easier access to tools and services.
There has been a rapid increase in the number of tools and services targeting mobile devices and platforms in line with the growing popularity of mobile devices.
Another rapidly growing area is the trade in information about compromised sites that can be used in various cyber criminal campaigns.
Trade in credit card details continues to be strong on the Russian underground, with several sites dedicated to buying and selling this data.
“Some even have clickable maps that enable cyber criminals to view what credit cards are available in particular countries, cities and particular companies,” said McArdle.
“We have also seen the emergence of star-rating systems and the introduction of validation services that allows customers to try before they buy,” he said.
The Chinese underground is interesting, said McArdle, because although China is strongly associated with cyber espionage in the West, it is responsible for relatively little of run-of-the-mill cyber crime.
“Because of the language differences, the Chinese underground tends to build its own malware, does not rely on outside sources and mainly targets companies and individuals in China,” he said.
Although there is a fair amount of cyber crime hardware produced in China, such as card skimming devices, this tends to be sold through the cyber criminal markets based in South America.
The English cyber criminal underground is characterised by a much greater focus on physical goods, such as recreational drugs and fake identity documents, in addition to malware and killers for hire.
Distributed denial of service (DDoS) tools and services are very common in the English underground because they started out as tools developed by rival English-speaking gaming groups before migrating into extortion tools used by cyber criminals.
“We see a lot of tools and services for identity theft on the English underground, such as fake IDs, particularly in the US, where a stolen social security number can be used to impersonate someone to commit fraud by taking out loans, for example,” said McArdle.
Although the Portuguese cyber criminal underground based in Brazil is still relatively immature, he said it is growing and developing rapidly, driven by excellent online tutorials.
“Our researchers came across a three month tutorial programme for just £75 that is practically a masters level course on every aspect of conducting carding operations, including practical assignments with feedback on performance,” said McArdle.
The Portuguese underground is heavily focused on attacks on online banking, with 40% of Brazilians interacting with banks online. Consequently, most new attack methods aimed at online banking emerge in this region, providing a good indicator of what is likely to emerge in other parts of the world.
The Japanese underground is one of the least mature cyber criminal undergrounds, said McArdle, and, like the Chinese, it tends to focus on Japanese speaking customers and targets.
Although there is relatively little malware available because of the strict anti-malware legislation in Japan, he said there is a strong focus on Trojan malware and malware for webcams.
The Japanese underground is also characterised by gated communities, the use of coded language to refer to goods and services, and free porn websites pop-ups that demand payment for allegedly accessing member-only content.
“Strangely enough, around 10% of those targeted by these pop-ups pay the money demanded, even though the claims are false and no malware is involved,” said McArdle.
The German cyber criminal underground is the most mature in Europe and is not far behind the Russian underground.
“There are a lot of overlaps with the Russian underground, especially in terms of fake identity goods and services driven by demand from the growing Syrian refugee population in Germany,” said McArdle.
An understanding of nature of these undergrounds, he said, means that the banking sector should concentrate on the Russian and Portuguese undergrounds, for example, while those tasked with defending government or military networks would do well to concentrate on the Chinese underground.
“Understanding attackers is key to understanding what you need to defend against and building a strategy for doing so,” said McArdle.