MIT Sloan Management Review Says the Best Offense is a Good Defense

We have observed for the past several years that cybercriminals sell DDoS-for-Hire services on the Dark Web. DDoS-for-hire sites make it significantly easier to launch attacks, and the rise in these services has caused a DDoS tsunami. With virtually no technical barrier to entry (these services typically require no knowledge of coding) and a cheap price point (attacks can be launched for just a few dozen dollars per month), anyone with the motivation can now launch an attack against you.

So it comes as little surprise that Cybersecurity at MIT Sloan (CAMS) researchers recently published an article in the MIT Sloan Review that describes the Dark Web as a Cybercrime Ecosystem, also known as a “cyberattack-as-a-service (CAaaS) marketplace.” Of course, it’s not just about distributed denial of service (DDoS) attacks; there are many forms of attacks, ranging from ransomware, to phishing emails, to malware and beyond.

For those of us in the cybersecurity industry, it is well known that the Dark Web is a sophisticated hidden marketplace, where there are those who build black hat tools, those who sell them, and those who buy and use them. The MIT researchers surveyed the Dark Web and discovered some interesting information about what cybercriminals are selling, and for how much money. For example, “a Microsoft Office zero-day vulnerability (that is, a vulnerability not previously discovered and with no known fix) was priced at $30,031, in bitcoin, in a dark web market. A one-day vulnerability (that is, a publicly known vulnerability for which a patch is often available but not deployed) cost around $650, including the exploit.”

The authors wrote, “Understanding how it works provides new, more effective avenues for combating attacks to companies, security service providers, and the defense community at large.” To stem the flow of cybercrime, the CAMS researchers recommend four approaches, which we’ve summarized below, with our comments.

1. Expand the focus of cyber-threat intelligence.

We agree it is wise for cybersecurity researchers to look not only at the evidence of threats, but also the new services provided in the Dark Web marketplace, because those will foreshadow future kinds of attacks whereby criminals can reap financial benefits.

2. Pursue a good offense as the best defense.

This is certainly true, especially given the growing threat of DDoS attacks! Any organization that relies on Internet access for its business and customers should deploy dedicated DDoS protection to ensure maximum online availability.

3. Create a cyber-defense service value chain.

The MIT authors state that “collecting defense services into a value chain would likely motivate more service providers to create and sell as-a-service cyber-defense offerings, expanding the menu of capabilities that could be assembled by defenders to thwart attacks. Fighting fire with fire would be far more effective than today’s splintered efforts.” Their argument is that it takes many stakeholders across the value chain — from government to cybersecurity solution providers to software and hardware vendors, financial systems and infrastructure providers — to create a “defense ecosystem.” We believe it is a combination of marketplace demand and government regulations that will motivate organizations to better protect their stakeholders / customers.

Some governments are levying financial penalties on organizations across the spectrum to drive them to deploy better cybersecurity systems, as is the case with the United Kingdom’s Network and Information Systems Regulations 2018 legislation. This can result in organizations being fined up to £17,000,000 for “Any material contravention which we determine has caused, or could cause, an incident that results in a threat to life or in significant adverse impact on the UK economy.”

In response to both market competition and government regulation, many Internet Service Providers are adopting a proactive approach by offering DDoS protection as a service (DPaaS); this gives them a competitive advantage, and it reduces the chance that they could be sued by a customer for poor service quality or penalized by a government for lack of diligence.

4. Approach defense as a business problem first, not a technology problem.

Yes, it’s true that most threats are not new, or impossible to protect against. The cyber risks are well-known, and there are solutions to prevent them. Some are technology solutions and some are management processes. Therefore, every organization’s risk management should include a proactive, preventive approach to cybersecurity that incorporates not only technology solutions but also management processes.

For the vast majority of cybercriminals, hacking is a business, not a hobby. Where there is a threat, there are cybercriminals harvesting some ill-gotten financial gains for their efforts. And where there is money to be made, attacks will happen. Therefore, organizations can assume, and predict, that at some point they will be the target of a cyber-attack. It is certain that cybercriminals will attack; what is not certain is which vector they will use. Staying one step ahead of the black hat hackers requires deeper insights into the Dark Web marketplace, as well as the smart defenses that are constantly evolving to outmatch the new vectors it spawns.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.