The Hacker-for-Hire Market & Increasing Threats
As every security professional knows, the deep and dark web have made it very easy for hackers to operate online in almost total anonymity. Drugs, weapons and personal information are just a few of the things that can be bought or sold on online black markets today, typically using little more than a Tor browser, Bitcoin wallet and Internet connection.
What they may not realize, however, is that another market is emerging in the same corner of the Web, and that it represents a very serious threat to their business.
What I’m describing is the ‘hacker-for-hire’ market – a place where, as the name suggests, people with intent, but no capability can hand over cash in exchange for the skills they need to conduct a cyberattack.
This is a troubling development – perhaps more troubling than it first appears – for a couple of different reasons.
Two Different Hacker-for-Hire Scenarios
The most obvious scenario in which the hacker-for-hire market might be accessed is when an individual, criminal gang or company wants to steal intellectual property from – or simply cause damage to – another organization.
In the past, these actors had two options – either learn to hack themselves, or cooperate with other cybercriminals face-to-face and risk having their identity exposed. Now, with the emergence of the hacker-for-hire market, they can simply pay a professional to do their dirty work for them, and neither party needs ever reveal who they are. Even if the attack itself fails, the party with intent is theoretically impossible to trace.
All of a sudden, organizations have a lot more to fear from the likes of competitors and hacktivists – actors who may not be veteran cybercriminals, but still have the intent to cause harm.
Another, less obvious – but potentially more serious – hacker-for-hire scenario is the malicious insider. Black markets on the deep and dark Web have the potential to dramatically increase insider threats, because – again – they connect individuals with intent to individuals with capability.
It’s reasonable to assume that a lot of people might want to harm their organizations given the chance. Many may even have a rough idea of how to go about it. But only a few will have the technical expertise to pull off an attack without getting caught.
Add hacker-for-hire markets to the equation, and suddenly it becomes possible for almost anybody to cause damage to their organization anonymously. They could hire a hacker, collaborate with one, or even sell their own assets or services; agreeing to open a phishing email, for example, might easily be worth something to someone.
Imagine a disgruntled employee with the ability to bring your business to its knees, remain anonymous, and get paid for it. That’s a risk worth taking seriously.
How This Affects Your Security
As hacker-for-hire markets gradually become more prevalent and widely accessed, the scenario described above could completely change the nature of insider threats. It’s no longer a small handful of technically accomplished individuals you need to worry about – almost anybody in your organization could choose to pursue a criminal agenda by working alongside a seasoned hacker.
This makes an excellent argument for the use of a zero trust security model. If employees only ever have access to the resources they need to do their jobs, their potential to cause wide-reaching damage – whether in collaboration with an outside hacker or otherwise – can be dramatically reduced. And, with context-aware access controls and global audit logging, it becomes much easier to detect and prevent the abuse of network credentials, as well as trace suspicious activity back to one individual.
Would your business be protected if a malicious insider was looking to collaborate with a hacker for hire?
Learn more about Secure Access solutions from Cryptzone and how you can prevent cyber attacks with a layered network security model.