The Hacker-for-Hire Market & Increasing Threats

February 2, 2016

As every security professional knows, the deep and dark web have made it very easy for hackers to operate online in almost total anonymity. Drugs, weapons and personal information are just a few of the things that can be bought or sold on online black markets today, typically using little more than a Tor browser, Bitcoin wallet and Internet connection.

What they may not realize, however, is that another market is emerging in the same corner of the Web, and that it represents a very serious threat to their business.

What I’m describing is the ‘hacker-for-hire’ market – a place where, as the name suggests, people with intent but no capability can hand over cash in exchange for the skills they need to conduct a cyberattack.

This is a troubling development – perhaps more troubling than it first appears – for a couple of different reasons.

Two Different Hacker-for-Hire Scenarios

The most obvious scenario in which the hacker-for-hire market might be accessed is when an individual, criminal gang or company wants to steal intellectual property from – or simply cause damage to – another organization.

In the past, these actors had two options – either learn to hack themselves, or cooperate with other cybercriminals face-to-face and risk having their identity exposed. Now, with the emergence of the hacker-for-hire market, they can simply pay a professional to do their dirty work for them, and neither party need ever reveal who they are. Even if the attack itself fails, the party with intent is theoretically impossible to trace.

All of a sudden, organizations have a lot more to fear from the likes of competitors and hacktivists – actors who may not be veteran cybercriminals, but still have the intent to cause harm.

Another, less obvious – but potentially more serious – hacker-for-hire scenario is the malicious insider. Black markets on the deep and dark Web have the potential to dramatically increase insider threats, because – again – they connect individuals with intent to individuals with capability.

It’s reasonable to assume that a lot of people might want to harm their organizations given the chance. Many may even have a rough idea of how to go about it. But only a few will have the technical expertise to pull off an attack without getting caught.

Add hacker-for-hire markets to the equation, and suddenly it becomes possible for almost anybody to cause damage to their organization anonymously. They could hire a hacker, collaborate with one, or even sell their own assets or services; agreeing to open a phishing email, for example, might easily be worth something to someone.

Imagine a disgruntled employee with the ability to bring your business to its knees, remain anonymous, and get paid for it. That’s a risk worth taking seriously.

How This Affects Your Security

As hacker-for-hire markets gradually become more prevalent and widely accessed, the scenario described above could completely change the nature of insider threats. It’s no longer a small handful of technically accomplished individuals you need to worry about – almost anybody in your organization could choose to pursue a criminal agenda by working alongside a seasoned hacker.

This makes an excellent argument for the use of a zero trust security model. If employees only ever have access to the resources they need to do their jobs, their potential to cause wide-reaching damage – whether in collaboration with an outside hacker or otherwise – can be dramatically reduced. And, with context-aware access controls and global audit logging, it becomes much easier to detect and prevent the abuse of network credentials, as well as trace suspicious activity back to one individual.

Would your business be protected if a malicious insider was looking to collaborate with a hacker for hire?

Learn more about Secure Access solutions from Cryptzone and how you can prevent cyber attacks with a layered network security model.

Leo Taddeo
Chief Security Officer
www.cryptzone.com

Leo Taddeo is the Chief Security Officer (CSO) for Cryptzone, a provider of dynamic, context-aware network, application and content security solutions. Taddeo, former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office, is responsible for analyzing the cybersecurity market to help shape Cryptzone’s vision for security solutions. Taddeo provides deep domain insight into the techniques, tactics and procedures used by cybercriminals, to help Cryptzone continue to develop disruptive solutions that enable customers to defend against advanced threats and breaches.

Prior to Cryptzone, Taddeo led more than 400 agents and professional support staff in cyber investigations, surveillance operations, information technology support and crisis management for the FBI. He oversaw high profile cases, including Silk Road, Blackshades and JP Morgan.

Previously, Taddeo served as a Section Chief in the International Operations Division, where he managed FBI operations in Africa, Asia and the Middle East. Taddeo has held various roles of increasing responsibilities in the field, including supervising a joint FBI/New York City Police Department Joint Terrorism Task Force and serving as the Legal Attaché in Rome, Italy.

After receiving his degree in applied physics from Rensselaer Polytechnic Institute in 1987, Taddeo served as a tank officer in the U.S. Marine Corps. In 1991, he was awarded a Purple Heart and Bronze Star Medal for valor for service in the Gulf War. Taddeo then earned a Juris Doctor from St. John’s University and joined the New York law firm of Mound, Cotton & Wollan, where he practiced civil litigation until entering the FBI.

Taddeo is a graduate of the CISO Executive Program at Carnegie Mellon University. He also maintains the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler certifications.
