A New Way to Look at Hacking
May 25, 2016 by Bill Rosenthal

A new white paper from Hewlett Packard Enterprise advances a novel perspective on cybercrime. The Business of Hacking (you can download the report for free) examines cybersecurity from the standpoint of someone trying to run a criminal enterprise: "Cyber criminals look to maximize their profits and minimize risk. They have to compete on quality, customer service, price, reputation, and innovation. The suppliers specialize in their market offerings. They have software development lifecycles and are rapidly moving to Software as a Service (SaaS) offerings.”

The report describes 10 hacking “industries,” including ad fraud, identity theft, medical records fraud, and extortion. Then it looks at the different functions within all hacking businesses: human resources, operations, technical development, marketing and sales, and distribution. The insights gained from imagining what makes a hacking enterprise successful as well as the problems it faces lead inevitably to a SWOT analysis.

“SWOT,” of course, is an acronym for strengths, weaknesses, opportunities, and threats. It is traditionally used in corporate planning and helps organizations understand the paths to capitalizing on their strengths, shoring up their weaknesses, taking advantage of their opportunities, and minimizing the threats they face. But it turns out to be useful in suggesting ways to disrupt the business of hacking, because it provides insight for working around the hackers’ strengths, attacking their weaknesses, denying them opportunities, and enhancing the threats they face.

It took a lot of imagination for the writers of this report to turn the problem of cybercrime around and look at it from the point of view of the criminal trying to find a path to success. And that same imagination informs the report’s suggestions for fighting cybercrime. The most memorable technique suggested in the report is the use of a deception grid.

The deception grid is made possible by the plunging cost of storage. It is the creation of a decoy network: “Organizations set up realistic duplications of their networks to trap adversaries. The adversaries believe they are in the real network and continue to move laterally in this deceptive network. Enterprises can then learn more about the intended target (data, infrastructure, credentials, etc.) as well as observe the attacker’s techniques. This allows organizations to take proper precautions in the real network to protect their true assets.” I don’t know if the deception grid is the answer to the cybercrime problem, but it certainly shows a new kind of thinking.

Reading the report shifts your perspective on cybercrime from one of protecting yourself to one of increasing the hackers’ cost of doing business. Anything you can do to slow them down, reduce the size of the talent pool they can draw on, or disrupt their distribution systems makes cyberspace a safer place.

My advice is to make this white paper known to the members of your CyberSec First Responder (CFR) team, who are already looking at cybercrime from a platform-agnostic, big-picture perspective, and see what kind of ideas it inspires. If you don’t have a CFR team, try a SWOT analysis of your own. I think you are denying yourself an important strength, maximizing a weakness, and missing an opportunity. But most of all, I think you are facing a major threat, and without a CFR team, you’re doing so unarmed.