Talk to your average consumer about dark web criminal marketplaces and the first picture they conjure up is likely one of stolen credit cards, breached password databases and maybe malware for sale. Unfortunately, that same portrait is the one viewed by many security professionals. The reality is somewhat different: these criminal marketplaces should be viewed as landscapes, not portraits, with important detail surrounding the central focal point.
A good example of this would be the sale of 'access' to more than just data. The "Access for Sale" report, published today by Positive Technologies, highlights just how quickly these markets respond to changing demand, and how dangerous ignoring that dynamism could be to your enterprise.
A year ago, the Positive Technologies analysts were seeing an emphasis on trading individual servers when it came to corporate access sales. It was possible to purchase access to such a server for as little as £16 (US$ 20). This started to change during the second half of 2019, when interest picked up in the sale of access to corporate networks instead. Picked up, and then some. The average cost of privileged access to a single local network is, the report reveals, in the £4,100 (US$ 5,000) range.
During the last quarter of 2019, there were more than 50 such network access points of major enterprises offered for sale. By the end of the first quarter of 2020, that number had risen to 80. Industrial, professional services, finance, science/education and IT accounted for a majority of these by sector. That's an increase of 69 percent, quarter on quarter, and indicative of the interest in this one definition of access for sale. When it comes to location, organisations in the United States are the most targeted, followed by Italy and the UK. For the UK criminal access dark market, science and education leads the hall of shame, followed by finance.
Cybercriminals either "develop an attack on business systems themselves or hire a team of more skilled hackers to escalate network privileges and infect critical hosts in the victim's infrastructure with malware," the report says, with ransomware operators among the first to get on board. The researchers say they have seen prices skyrocket, with some interested buyers offering a commission of 30 percent of potential profit from an infrastructure hack of a large enterprise.
Positive Technologies senior analyst Vadim Solovyov said "large companies stand to become a source of easy money for low-skilled hackers. Now that so many employees are working from home, hackers will look for any and all security lapses on the network perimeter. The larger the hacked company is, and the higher the obtained privileges, the more profitable the attack becomes."
So, do security teams at larger enterprises need to 'think differently' to SMEs when such access to the entire network is being sold to anyone with the cash, and often to those with relatively low hacking skill levels themselves?
"It’s another risk vector that leverages wide ranging spray and pray techniques to phish and capture access to networks and sell the access itself rather than try to gain from it," Yossi Naar, chief visionary officer and cofounder at Cybereason told SC Media UK, "in that sense enterprise networks are at greater risk because of a wider attack surface. The odds of someone falling for spray and pray go up with the size of the network."
Jamie Akhtar, CEO and co-founder of CyberSmart, says that, "as many SMEs use managed or shared networks, this is a very different defence landscape. Within larger enterprises, network access allows attackers to scan for vulnerable devices to further the attack, often looking for outdated operating systems in order to navigate through the network and elevate to higher admin privileges."
"Any ongoing access implies that corporate policies are either being ignored, worked around or are insufficient to detect the threat," Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre) told SC, "since detection of legitimate attacks is a primary goal for any defender, separating malicious actions from those related to normal business operations is key."
Paul Bischoff, privacy advocate at Comparitech, points out that as businesses grow in size, "the likelihood of a rogue or careless employee compromising security increases - with that in mind, organisations need to focus more on access control and remediation."
And finally, James McQuiggan, security awareness advocate at KnowBe4, turns to the 2020 Verizon Data Breach Incident Report, which reveals that the proportion of data breaches discovered within several days is higher than it was five years ago, increasing from less than 20 percent to over 60 percent. "This result is mainly due to organisations having Security Operation Centres (SOCs) or Managed Security Service Providers (MSSPs) that can effectively monitor network traffic, endpoints, and email," McQuiggan says, concluding that "organisations that have a robust cybersecurity defence programme with these programmes and systems, including a security awareness training programme for employees to empower them to make security decisions, can strengthen the organisation's security culture and defence."