WeBuyAnyScam.com
Barrie Desmond examines the new demand trend that is shaping cybercrime markets
The internet has given us a million ways of selling a car, and as a result there are a million cars up for sale at any one time. This has given rise to the other end of the market, with websites such as WeBuyAnyCar.com, a UK-owned example that also operates in the Netherlands. Such sites can be said to guarantee demand for every one of those cars, on their own terms.
The supply and demand sides of the cybercrime market are mature enough to feature a similarly wide-ranging ecosystem of players. On the supply side, the cybercrime "fire starter" needs a lot of skills to accomplish a targeted attack. If they know where to go, they can commission freelance operators, download ready-made kits, or source standalone cybercrime services.
A lot of attacks are simply intended to cause damage, and in doing so divert attention from the true objective. Even IT security and law enforcement professionals may not easily divine exactly what has been stolen. Credit card and bank details are not the end game.
Credit card data, for instance, can often be used as currency allowing criminals to purchase - for comparatively small sums of money - illegal skills and resources in what economists might describe as a sophisticated labour market. Credit cards are a means to an end, rather than the end itself.
Cybercriminals face the same challenge as any other criminals in laundering their proceeds. This is compounded by the absence of hard currency, meaning the cybercriminal must find a way of cashing out that does not draw attention to the source of the money.
This can be done much as people do with winnings from an online poker game. But ultimately, it may mean selling stolen goods to organised crime gangs with the ability to manage that process safely and discreetly.
People don't realise how advanced and mature the demand side of cybercrime economics is today. This has come about because all confidential information is worth money to somebody.
If you are a buyer of illegally obtained routing tables, firewall configurations, user credentials, IP addresses and so on, you are creating demand for the suppliers of such information.
In other words, you are creating demand for cybercriminals, however small-time, to go out there and exploit vulnerabilities. Not so much a case of WeBuyAnyCar.com as WeBuyAnyScam.com.
All this means that suppliers need not care about cashing out in complex or risky ways. For hundreds of years, burglars and other robbers have converted their goods into usable funds by fencing them to a middleman who will pay them "clean" money (often a tiny proportion of the goods' full value) for whatever they've stolen.
The only difference with e-fencing is that the middleman is in organised crime, while the burglar may have little idea of the true value of what he or she is selling.
The effect of these market dynamics on the nature of threats can be summed up in one word: patience. The average time it takes to detect a breach, I have read, is 229 days. In a world where everything is so immediate, that's an extraordinarily long period of time.
The attacker can afford to be patient in waiting for the investment to pay off; and the buyer of that information can afford to be patient in accumulating sufficient intelligence for planning large-scale attacks.
Where does this leave the channel? These and other valuable insights can be gleaned easily enough from following what the security vendor threat researchers and malware scientists are talking about online.
It all points to the reality that many businesses aren't protecting the right assets and are thinking too literally rather than laterally about the value of information. In a market as big as this, everything has a value - and it isn't just the immediately obvious financial data.
The other reality is the presence of cybercriminal activity within the customer's network, often without them ever knowing it. How do you derive actionable intelligence from innocuous event logs, and prioritise your response when the signs of a breach do occur?
How can you close down a zero-day attack? There's a lot to be said for the latest generation of really exciting security technology that's absolutely relevant to these demands.
Explore this with customers in a vendor-agnostic way. The customer has to accept that some attacks will never be detected, or at least not until the attackers wake up and become active. When a response is needed, will you be powerless to help your customer, or not?
Barrie Desmond is chief operating officer at Exclusive Networks