Organized Crime is About Relationships!
The phenomenon of cyber-crime that we know today didn't just appear out of thin air - but was nurtured and grew along the way leveraging on what is perhaps one of the biggest intangible strengths of cyberspace - establishing relationships. Just like other social networks, member organizations, retail businesses, and so forth use the online world to find like-minded people to interact with, cyber-criminals were able to connect in similar fashion and share their best practices, challenges, and ideas. Each of the members of the partnership plays their role, and once their task is done, passes off the baton to the next group. This process is done transparently and efficiently. In this article, we overview the typical roles and relationships between the different types of threat actors and ways to detect their presence in your environment.
Initial Access Brokers
Playing the role of expeditionary forces, these threat actors are the first wave of attack. They scan the Internet looking for known vulnerable systems. These systems are still vulnerable because of delayed or missing critical patches to services and servers accessible to anyone on the Internet. Weak passwords or successful phishing attacks are other methods used to gain an initial foothold into companies. Once access and persistence has been established, Initial Access Brokers sit quietly and covertly until they can sell or hand off access to the next team.
Protection: Solid and thorough patch management is the best way to prevent an easy path for Initial Access Brokers to gain access to your company. This includes firewalls, web servers, end-users, and phones, among others. Every device that touches your data needs to be updated regularly. Pay particular attention to any internal security alerts related to Emotet, Trickbot, QakBot/Qbot, Dridex, Zloader, SDBBot, and BazarLoader.
Malware Brokers
These threat actors are the middlemen. Their role is gathering many different compromised systems and companies into a single network of zombies. Often called botnets, these networks are much more than that. Each member of the network is evaluated for entity revenue/value and ease of spreading ransomware, which gives it an overall rating of profit likelihood when combined with other factors. Once the network is stable and refined, Malware Brokers prepare it for sale and hand off to the next team in the process.
Protection: As your systems join malware networks and botnets, anomalous and unusual connections will be made to locations on the Internet where you likely don’t do business. There will be perceptible changes in traffic through your border firewall. Review traffic logs on a regular basis with alerts to known hostile locations. These connections should be highly scrutinized and investigated. Do not rely on “artificial intelligence” or product promises to detect these connections. Do not ignore any anomalous connections - it's easy to evade at this level.
Ransomware Owners
Ransomware owners are rarely the ones that broke into your network initially, but they are certainly the most destructive. Their primary goals are to gain administrative access and spread everywhere in your network. This is surprisingly easy in most networks that haven’t taken additional steps to turn off default features, upgrade to the latest versions, or monitor activity on their network. The most popular ransomware families are Ryuk, Conti, MegaCortex, Clop, BitPaymer, DoppelPaymer, Prolock, Egregor, and Ragnar Locker.
Protection: Monitor for unusual account activity. As ransomware spreads across a network, there are clear and obvious clues in the logs that something isn’t right. The opportunities are there to detect the attack, but are often missed. Set up multi-factor authentication on critical assets at the perimeter (VPN) and internally (Domain Controller, File Servers). Ensure your backups are isolated from the rest of the network and don’t rely on Active Directory for access.
As you’ve all heard before, it is not a matter of if you will be subject to an attempted cyber-attack, it’s a matter of when. Ensuring your IT department is considering the tips above will have you better prepared to detect and protect from a breach. If you’d like to discuss specific risks associated with your business, contact Michael Camacho.
Related Insights
All InsightsOur specialists are here to help.
Get in touch with a specialist in your industry today.