Missed part 1? Read "What You Should Know About EDR"

… and now you don’t – It’s just an ordinary coin in a person’s hand. The better that cybercriminals can seem to be mundane, and so go unnoticed on a computer, the better they learn how and when to make their move.

Why Criminals Love Finding No EDR

How You Might Get Away With It

The old sawing-an-assistant-in-half magician’s trick is an example of how audiences catch on, and so magicians continually up their game to keep fooling folks. The trick is just past a hundred years old – and many variations have piled up over the years. I remember when the feet were obviously fake. Then one day the manikin feet moved (were they manikin feet?) and I was again a bit creeped out.

Like magic’s misdirection and dexterity, cybersecurity has fundamental and proven principles: layered security and multiple copies of your data, as examples. But to stay ahead of actual criminals who are trying to defeat your efforts to defend your organization, the specific tools and techniques need to evolve.

But who are these unknown, hidden cybercriminal figures? Understanding your adversary informs why and how you construct an effective cybersecurity program. So, what can we do to put together a dossier of a criminal hacker?

For arguments sake, there are two main categories of crime, those that require technical proficiency and those that mostly rely on psychology to defraud¹. And for our purposes in creating a general picture of our attacker, let’s look at the aggregated data to partly reveal the most likely culprits.

Map of cybercrime points of origination, Russia has the most perpetrators

A map of the volume of cybercrime (plos.org, image source). WCI (World Cybercrime Index) Score is a volume ranking of geographical origination points of attempted cyberattacks. Most attacks target the US coasts by design as we’ll find out, below.

Technical skills of cybercriminals, Russians have the greatest skills

A chart showing the types of cybercrime and their origin (plos.org, image source). T-score is a measure of the technical abilities of attackers. As can be seen, most attack types involve technical proficiency. Combining this data with the WCI Score volume map, above: most attacks come from Russians with the very highest technical skills.

Cybercriminal researcher Dr Jonathan Lusthaus says of the example of Russia, we’re seeing … cybercriminals coming from there that are highly educated … some of them have multiple degrees, a lot of them are the same types of people that you’d expect to work in the private sector, to work in the technology sector, and some of them actually are the same people.²

Sometimes they were … moonlighting, Dr Lusthaus says, they’re doing both legitimate work and then also working in cybercriminal enterprises, as well. This was purely an economic problem: the education system was was too effective in some sense, and the technology sector was not effective enough. What I mean by that was the job market was weak, they weren’t producing enough good and high-paying jobs to sustain the amount of talent that has been produced. And so what this led to is really this oversupply of technical talent, a lack of opportunity. And so, instead of people being all absorbed into the tech sector, they create their own tech sector, kind of a shadow … a criminal Silicon Valley, where their opportunity comes through effectively cybercriminal startups.³

And so a picture emerges of a criminal that is highly skilled and not being paid enough.

I’ve got no money, a strong education and law enforcement’s weak. Why not earn a bit on the side? –Alexei Borodin, hacker⁴

But why crime? Criminologists have a popular model about why people turn to crime called, Routine Activities Theory (RAT).

According to RAT, computer crime happens when three factors are met:

a motivated offender (being underpaid or feeling wronged are common motivations)
a suitable target (a vulnerable computer system)
the absence of guardians (low risk of punishment)

Ten years ago the size of the cybercrime market in Russia alone [was estimated] to be $2.3 billion. Since hackers take great care not to target people within the area of the former Soviet Union but focus on victims in the United States and Europe, it is not surprising that few arrests are made by Russian law enforcement agencies. The Russian government often does not respond to requests for assistance from foreign law enforcement agencies and frequently protests when Russian nationals are arrested abroad … “Russian law enforcement [has] a very good idea of what is going on and they are monitoring it, but as long as the fraud is restricted to other parts of the world they don’t care,” said cybercrime expert Misha Glenny … [Glenny adds that] malware used by [Russian cybercriminals] “purposefully avoids infecting computers if the program detects the potential victim is a native resident.”⁵

When Russian hackers do target victims in Russia, Moscow’s response is swift and harsh. In 2012, eight men were arrested by Russian police after stealing some $4 million from several dozen banks, including some in Russia. According to security blogger Brian Krebs, “Russian police released a video showing one of the suspects loudly weeping in the moments following a morning raid on his home.”⁶

There is, in fact, a relationship of mutual support between the Russian government and its booming cybercrime industry. The government has been shown to tap criminal hackers to achieve its own financial aims in exchange for turning a blind eye to western targeting.⁷ And so our pockets are being drained to fund the Russian economy.

How to Be a Suitable Target

So we’ve seen all the RAT criteria emerging in our picture of a cybercriminal:

The person is technologically skilled enough to hold down a Silicon-Valley-equivalent job, but only can get low wages
The person is encouraged by their law enforcement system to not attack its own, and protected in attacking people and organizations in the US and Europe
The person is looking for a western target … so far, any US citizen qualifies as a target …

But if you were in this criminal’s shoes, how would you pick a victim?

Of the 2,100 categorized and identified* security incidents (aka attacks) in 2023 that Verizon analyzed, about 43% were directed at small- to medium-sized organizations. Why would smaller businesses be targeted when the most dollars are to be had at the largest businesses? First, those large businesses are hit 57% of the time – of course they are going to be attacked. But not only do the big companies have money, they also have the best security.

It becomes for the criminal a cost-benefit analysis. How much can I get for how much effort? Many small to medium-sized businesses (SMBs) have the misconception that their data is not valuable and that, in turn, they are unlikely to be the target of a cyberattack, according to the Small Business Administration.⁸

What clues would you look for that an SMB has enough money to bother to steal?

What is the industry? Finance, manufacturing and professional services are among the top targets.⁹(‘I can see banks and lawyers, but why manufacturing?,’ you might ask. Criminals see that if a manufacturer gets shut down, there is great incentive to pay a ransom to get production going again.)
What can be gleaned from its web presence, media and social media presence?

What clues would you look for that a smaller organization probably doesn’t have great security?

How about the age of the Operating System? (‘How can they know my Operating System?,’ you might ask. Well, it’s one of those web-browsing trackers you may have heard privacy advocates complaining about.)
Or an unmaintained web site? Is this a clue whether anyone is paying attention to tech things at an organization?
What about data that’s been exposed in a breach? What would a criminal conclude about security protocols if there is a 123456 or similarly weak password revealed?

And How Would You Attack?

The Verizon report shows that even though there are all these top-flight tech workers attacking US businesses, 68% of attacks actually hit because of human error. And this usually means still – and at a growing rate! – someone falling for a phishing email.¹⁰ In other words, the numbers show that criminals see us as the easiest thing to bypass to gain access to a computer. We are the low hanging fruit.

Which leads – now that the computer has been breached – to the criminal’s decision to choose to attack with ransomware: financially motivated threat actors will typically stick to the attack techniques that will give them the most return on investment. Over the past three years, the combination of Ransomware and other Extortion breaches accounted for almost two-thirds (fluctuating between 59% and 66%) of those attacks.¹¹

And as we looked at in part 1 of this series, the way ransomware is delivered is malleable and getting stealthier – including being programmed to watch and wait for bigger opportunities and a bigger payday.

This means that EDR is only growing in its usefulness. Antivirus and anti-malware are good at stopping fixed, known malicious software. But at this time, we’re facing the most technically proficient attacker, who will find antivirus and anti-malware defenses relatively easy to get around.

A new variant of ransomware code analyzed by Bryley partner Huntress EDR analysts. This fragment was written to contain the damage inflicted by this ransomware to systems using non-Cyrillic languages – pretty much proving the origination of the attack to a Russian-sponsored state.

Attackers’ tools and techniques keep changing.

But because the attackers want to steal data for ransom – same as years ago – these movements, these kinds of actions can be recognized.

EDR throws light on those actions that would indicate a security breach.

So next week, in the last installment of this series, we’ll look at how EDR answers criminal attacks, coming up in How EDR Protects Your Organization.

Get more New England-based technology and security information. Subscribe to Up Times by Bryley monthly newsletter.

^{1 cybercrimeology podcast}
^{2 elevenm.com.au podcast}
^{3 cybercrimeology}
^{4 Carnegie Endowment}
^{5 Carnegie}
^{6 Carnegie}
^{7 Carnegie}
^{8 sba.gov}
^{9 2024 Verizon Data Breach Investigations Report}
^{10 Verizon}

^{* Verizon studied over 30,000 industries, approximately 10,000 of which could be defined as targeting either small- to medium-sized businesses or large businesses.}

Subscribe to Up Times by Bryley, the monthly tech newsletter for New Englanders by New Englanders.

Endpoint Detection and Response (EDR):

Bryley’s EDR continuously monitors endpoints and collects data from activities that may mean a threat. Examples of this data are processes running on the machine, analyzing patterns of behavior and registry modification (i.e. have privileges changed?).
That data is then collected and sent to a cloud repository where the heavy lifting of analysis is accomplished without bogging down the endpoint.
Analysis is the key process for any EDR security solution. Machine learning scans for threat patterns. If escalated by the machine-learning software, a team of human analysts handles the threat hunting. EDR analyzes and interprets the data to learn from it in order to detect signs of suspicious behavior.
Last, a rep assists in removing any threat that has been found. Incident response may also be automated, or it’s a combination of a rep and automation.

Per-device features	Basic	Pro*
Response to network-critical issues	Within four hours. Same Day, as the situation requires	Within four hours. Same Day, as the situation requires
Response to non-critical issues	Within eight hours. Same Day, as the situation requires	Within eight hours. Same Day, as the situation requires
Performance optimization	Included	Included
Security optimization	Included	Included
Monitoring and alerts	Included	Included
File and patch updates	Included	Included
Reporting	Included	Included
Administration	Included	Included
Reliability optimization	Partial	Included
Software issues	Partial	Included
Hardware issues	Partial	Included
Network issues	Partial	Included
PC imaging		Included
On-site response		Included