As criminal innovation outpaces defensive efforts, cyberattacks are becoming more ubiquitous and sophisticated, and businesses, governments, and individuals are more vulnerable than ever. In a perspective-shifting new article, “Casting the Dark Web in a New Light” (MIT Sloan Management Review), cybersecurity researchers and scientists Keman Huang, Michael Siegel, Keri Pearlson, and Stuart Madnick offer a new lens through which to consider cybercrime. They apply a value-chain model to cybercrime and persuasively argue that cybercriminals continue to allude defenders because of a lack of understanding and under-investigation of cybercrime’s ecosystems. In this article, they break down their unique value-chain model and provide new avenues for combating attacks.
The authors first dispel the myth of the “fringe-hacker” — skilled individuals who singlehandedly disrupt systems. Instead, the authors reveal that there are two types of players on the dark web: the developers who create the tools and software and the businesspeople who buy these tools and launch the cyberattacks.
“Because today’s cyberattacks are often orchestrated by clever businesspeople who target organizations with something of value to steal or disrupt, they should be treated like other business threats,” the authors write. “Protecting the business and detecting, responding to, and recovering from attacks is not solely the responsibility of technology experts.”
To combat these threats, businesses must first understand how the ecosystem of cybercrime resembles the marketplace value-chain model traditionally used in business. The authors outline the value chain of primary activities needed to create cyberattacks and support activities that make the attacks more efficient and effective, including:
- Life-cycle management operations, which include activities that help select valuable attack targets, organize hackers, manage the distribution of proceeds, hide the operation from authorities, and if disrupted, recover the sidelined operation.
- Hacker human resources services such as hiring, training, and managing trusted hackers.
- Marketing and delivery services that create a trustworthy marketplace for service providers and buyers, a market-based pricing mechanism, and a system for transferring funds.
- Technology support, which offers tools and functional operations such as customer service.
“Examining cyberattacks through the lens of a value chain reveals organized businesspeople using proven business models within a well-defined ecosystem governed by the dictates of supply and demand,” they write. “This cyberattack-as-a-service ecosystem makes mounting targeted, scalable cyberattacks quicker, cheaper, and more difficult to stop. But understanding all that helps organizations reimagine how to combat cyberattacks.”
The authors highlight several ways in which businesses can combat cyberattacks:
- Expand the focus of cyber-threat intelligence: Many cyber-threat intelligence services collect data from enterprise IT environments to detect potential cyber threats. There is some investigation of the dark web, but it is usually limited to harvesting threat information and alerting potential targets. By expanding and investigating more services on the dark web, we can yield insights into new and more effective defense mechanisms.
- Pursue a good offense as the best defense: Cyber strategy in most organizations is mainly reactive. Companies defend themselves after successful attacks have been launched. Defenders can flood the cyberattack ecosystem with deceptive services, making the dark web less attractive for cybercriminals seeking to purchase services. Another offensive strategy is to disrupt select services that are frequently used to create attack vectors, thereby making it difficult and risky to orchestrate an attack.
- Create a cyber-defense service value chain: Cyberattack defense cannot be relegated to law enforcement agencies alone. Instead, it requires an ecosystem aimed at combating cybercrime that includes many actors — individuals, corporations, software and hardware providers, cybersecurity solution providers, infrastructure operators, financial systems, and governments — working together.
- Approach defense as a business problem first, not a technology problem: When business leaders ask, “How can we prepare for unknown cyberattacks?” they often assume that attackers are using new and perhaps unknown technologies. However, frequently the attackers and defenders use the same technologies, and oftentimes, many technologies used in attacks were initially developed by the defense research community to block other kinds of attacks. So attacks should be treated like other business threats. Risk management tools and techniques can shed additional light on what’s driving them, help identify vulnerabilities that attackers may prey upon, and enable potential targets to anticipate next moves.
By viewing cybercrime through this new lens and considering it less of a technological hack orchestrated by lone wolves and more as a sophisticated business market, executive leaders can better investigate the vulnerabilities of their organizations and build a more solid defense.
The authors conclude: “It’s long past time to start beating the bad guys at their own game.”
To read the full article, please visit: MIT Sloan Management Review.
About the authors:
Keman Huang is a research scientist at Cybersecurity at MIT Sloan (CAMS). Michael Siegel is a principal research Scientist at the MIT Sloan School of Management and codirector of CAMS. Keri Pearlson (@kpearlson) is the executive director of CAMS. Stuart Madnick is the John Norris Maguire Professor of Information Technology in the MIT Sloan School of Management, professor of engineering systems in the MIT School of Engineering, and codirector of CAMS.
About MIT Sloan Management Review
A media company based at the MIT Sloan School of Management, MIT Sloan Management Review‘s mission is to lead the conversation among research scholars, business executives, and other thought leaders about advances in management practice, especially those shaped by technology, that are transforming how people lead and innovate. MIT Sloan Management Review captures for thoughtful managers the creativity, excitement, and opportunity generated by rapid organizational, technological, and societal change.