Uncovering The Cyberattacker, Not Just The Cyberattack

Cybercrime is such a lucrative field that, if it were its own nation, it would have the thirteenth-largest GDP on the planet, according to Bromium researchers.

Cybercriminals make an estimated $1.5 trillion every year from cybercrime. Most of that can be traced back to trade on illegal online markets and intellectual property theft. Trading of stolen data is worth a cool $160 billion, crimeware-as-a-service makes criminals $1.6 billion a year and ransomware results in $1 billion in criminal earnings.

Corporates around the world are expected to spend an estimated $96 billion on cybersecurity efforts this year, but with cybercriminals continuing to rake in the money, that spend may be in vain. It’s a fact that Jeff Spencer, COO of cybersecurity firm HYAS, described as “sad.”

“It’s this perpetual game of Whack-a-Mole,” he said in a recent interview with PYMNTS.

One data breach is remedied, another is discovered. Organizations are spending a lot of time and money to protect data (and their reputations), and yet the moles keep popping up. It’s why HYAS is approaching the enterprise security sphere with the initiative to take the moles out of the game altogether. That is, not only identify cyberattacks and data breaches, but uncover the attackers behind those crimes, too.

Fresh off a $6.2 million Series A funding round led by Microsoft’s M12, HYAS is ramping up its efforts to pull back the veil on the criminals who cost businesses so much money in stolen funds – and countless more dollars lost to damaged reputations and hurt stock prices.

“We are focused on knowing your enemy,” said Spencer. “There are living, breathing, persistent human beings out there that have skill sets that position them to carry out attacks against your organization.”

While one data breach or cyberattack may be stopped, those attackers will keep coming for their targets until they themselves are stopped. The difference is that between trimming back an overgrown weed and pulling the plant out by its root.

Identifying cyberattackers adds a layer of complexity to cybersecurity, one that relies on massive troves of data and industry expertise. Spencer said the strategy is to “look for the natural bottlenecks” – that is, head toward the infrastructure on which cybercriminals are managing and controlling their campaigns.

“Something like 98 percent of all malware relies on domains to communicate back to the command, which is how the bad guy controls the botnet,” he explained. “It means they’re going out and registering domains. This is the kind of thing that people can keep track of. We look at all the different places a bad guy can go and use infrastructure.”

He added that HYAS is, in some cases, able to identify attackers down to their home addresses. Those capabilities certainly are valuable to the cybersecurity world, especially to law enforcement, as regulators are constantly sprinting to design legislation appropriate for the constantly evolving world of cyberattacks.

Last year alone, the number of cybersecurity bills introduced across the 50 states more than doubled, according to iGRC research published earlier this year. And yet, cyberattacks – and the money they steal – continue to grow.

Knowing your enemy is not just an asset to law enforcement, however. Spencer noted that being able to identify the attacker behind the attack enables organizations to more accurately predict incoming threats days, months or even years out.

“The efforts are concentrated on understanding how much infrastructure [cyber attackers] have at their disposal at any one point in time,” he noted. “We can find areas with no impacts yet – think of infrastructure that’s dormant, or that has just been registered but is not yet active. These are really important discoveries.”
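The two points Spencer makes above, that malware depends on attacker-registered domains to reach its command infrastructure and that newly registered or still-dormant domains are worth finding early, can be turned into a simple defender-side triage. The following is an added example, not HYAS’s code or tooling; the resolver log, the registration feed (standing in for WHOIS/RDAP creation dates) and the 30-day threshold are all constructed for illustration.

```python
# Added example (not HYAS's code): triage DNS queries against domain
# registration ages to surface young C2 domains and dormant, registered-but-
# unused infrastructure. Log and registration data below are constructed.
from collections import Counter
from datetime import date

TODAY = date(2019, 3, 4)  # constructed "now" matching the sample log

# Constructed resolver log: "<timestamp> <client-ip> <qname>"
DNS_LOG = """\
2019-03-04T09:12:01Z 10.0.0.12 updates.example.com
2019-03-04T09:12:07Z 10.0.0.12 cdn-sync-7781.example
2019-03-04T09:13:44Z 10.0.0.31 cdn-sync-7781.example
2019-03-04T09:15:02Z 10.0.0.12 login.example.net
2019-03-04T09:20:19Z 10.0.0.31 cdn-sync-7781.example
"""

# Constructed registration feed: domain -> creation date, as WHOIS/RDAP report it
REGISTRATIONS = {
    "updates.example.com": date(2012, 6, 1),
    "cdn-sync-7781.example": date(2019, 3, 1),   # registered 3 days before the log
    "cdn-sync-7782.example": date(2019, 3, 3),   # sibling name, not yet queried
    "login.example.net": date(2015, 11, 20),
}

def parse_qnames(log_text):
    """Return lowercase query names from the resolver log, one per line."""
    return [line.split()[2].lower() for line in log_text.splitlines() if line.strip()]

def triage(log_text, registrations, today, max_age_days=30):
    """Return (young, dormant): young domains actually queried from inside the
    network, with age and query count, and young registrations not yet seen."""
    queries = Counter(parse_qnames(log_text))
    young = {}
    for domain, count in queries.items():
        created = registrations.get(domain)
        if created is None:
            continue  # no registration date known: no verdict from this signal
        age = (today - created).days
        if age <= max_age_days:
            young[domain] = {"age_days": age, "queries": count}
    dormant = sorted(
        d for d, created in registrations.items()
        if d not in queries and (today - created).days <= max_age_days
    )
    return young, dormant

if __name__ == "__main__":
    young, dormant = triage(DNS_LOG, REGISTRATIONS, TODAY)
    print("active young domains:", young)
    print("dormant young domains:", dormant)
```

The `young` set is what an analyst would investigate as possible live command-and-control, while the `dormant` set is the pre-positioned infrastructure Spencer describes, which can be blocked before it ever resolves from inside the network.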

Admittedly, however, many organizations fail to get serious about a cybersecurity incident until after they’ve already been hit. Spencer said that in HYAS’ case, they are often called in when the C-Suite and board of directors understand the seriousness of a breach or attack that has already occurred, and are in need of reinforcements to mitigate the attack and prevent another from happening.

While it’s true that internal threats are a growing concern for the enterprise, the types of events that HYAS addresses are external, sophisticated, large-scale attacks. In these cases, businesses are often “on their back foot,” simply waiting for a major breach to take place, he added. Tracing attacks back down to the originating infrastructure enables companies to take a more aggressive stance against perpetrators.

“Not only can you see new attacks headed your way, but you can get an understanding of who the individual is, and what they will throw at you tomorrow, and the day after,” said Spencer. Taking the uncommon approach of discovering the perpetrator behind cyberattacks, he added, not only helps law enforcement crack down on cybercrime, but also enhances analysts’ ability to predict incoming attacks and the evolution of existing ones. Identifying malware is important, but determining the infrastructure through which that malware is being controlled is a more pressing concern, according to Spencer.

“It’s a very common approach to say, ‘Hey, I found something bad, let’s clean it up and move on to the next bad thing,’” he said. “Meanwhile, the bad guy is still operating.”