Michael Marriott, research analyst, Digital Shadows
Michael Marriott, research analyst, Digital Shadows

Engaging with media is a well-trodden path for most commercial organisations. Talk to journalists with the right news at the right time and it's just possible that they may decide to give a company's product or service a favourable mention, which could in turn generate interest and sales. This approach works for companies that, in the main, have a self-interest in being in the public eye - but what about cyber-criminals?

Publicity versus jail time

In the past, it's fair to say that most were determined to remain hidden in the underbelly of the internet, thinking that attention could damage their nefarious activities. Popping one's head above the parapet could potentially result in jail time so most understandably avoided it. However, times could be changing and there's evidence that some are prepared to balance the risk of getting caught versus the opportunity to gain publicity and heighten interest in their ill-gotten gains.

While cyber-criminals engaging with journalists is not an entirely new phenomenon, it has accelerated in the last few weeks and we've observed a recent trend of previously unknown actors using the media to self-publicise and advertise the data they have for sale. For example, in June 2016 alone, Peace (AKA Peace of Mind), Tessa88 and thedarkoverlord, none of whom were previously well-known outside the security community, all spoke to journalists about compromised data they were offering for sale with the likely motivation to garner publicity and attract buyers.

The OPSEC trade off

What's behind the phenomenon? It could be that using the media for publicity is simply a manifestation of an ongoing trend where cyber-criminals increasingly trade off the risk of not getting caught with other commercial considerations. The tactics behind Operations Security (OPSEC) could help explain this. OPSEC is used by commercial and military organisations to protect privacy and anonymity. When done well, it denies adversaries information that could be used to harm them. But criminals use OPSEC too as a means to an end – avoiding detection, maintaining availability of their attack infrastructure, and retaining access to environments they have compromised. Both criminals and commercials know the consequences of lapses in OPSEC. For criminals it can mean a spell behind bars – as we saw when alleged Dridex botnet operator Andrey Ghinkul associated his nickname – “Smilex” – with his real name, likely providing law enforcement a valuable clue in their investigation.

Yet cyber-criminals have a fundamental dilemma. On one hand, keeping the highest levels of OPSEC can reduce their risk of law enforcement tracking them down. But keeping a low profile has trade-offs, one of which is obvious – remain too secretive and buyers can't track down the seller and remain unaware of the illegal wares they wish to trade. Another is less apparent – it becomes very difficult to recruit ‘talent' to an unknown criminal organisation and this can stymy their growth. In a similar vein, an unofficial ‘hierarchy' exists amongst cyber-criminals, which typically looks down on the relatively low skilled so called ‘skiddie' (script kiddie) ranks. In much the same way a limited LinkedIn profile might harm a commercial job seeker, the same applies in the cyber-criminal world where evidence of past ‘success' can yield more plentiful and lucrative job offers. So here too ‘fame' can pay.

Taking action

The picture, therefore, is far from clear cut. Very few people – whether criminal or non-criminal – who depend on the internet in some form to make a living can exist without a digital footprint of some description. But it brings risks and opportunities for all parties. While no company wants to be on the end of a buyers frenzy for their stolen property, the more vocal cyber-criminals are, the more we can understand their tactics, techniques and procedures (TTPs) and learn to defend against them.

The opportunity for organisations, therefore, lies in better understanding how cyber-criminals work. It's why an organisation's ability to know what is going on around it from a cyber-security perspective is so important. Organisations should always look at themselves via the eye of an attacker and be diligent about assessing their own vulnerabilities. Maintaining good situational awareness, means organisations are empowered to make smarter decisions about how to defend themselves with limited resources and greatly reduces the risk of being at the centre of the next round of hacker-generated publicity.

Contributed by Michael Marriott, research analyst, Digital Shadows