Friday 5 October 09:30 - 10:00, Green room
Loucif Kharouni (Deloitte)
Deloitte TIA seeks to understand financial relationships as part of a broader criminal enterprise. We believe that interesting observations can be drawn by looking at cybercriminals from the perspective of business operations. We begin by seeking answers to the questions: 'What are the most commonly used tools and services sold on underground markets?' and 'What is the average estimated cost of these tools and services?' From here, we can ask critical questions including: 'Which tools are required to operate real-world criminal enterprises?' and 'What are the estimated operating costs of various cybercriminal enterprises?' We can then examine and compare these criminal enterprises to determine which are the most affordable - from both cost-of-entry and routine operations standpoints.
We began our investigation by looking at the most common services, enablers and tools independently. This allowed us to gauge the average estimated cost in each of these categories. Next, we explored how these related to one another in the context of a criminal enterprise by identifying which were necessary to perform several of the more common malicious activities.
Our investigation led us to several conclusions. First, the underground economy is a diverse but interrelated ecosystem where nearly every criminal enterprise incorporates multiple related but discrete tools and services. Even the most basic criminal enterprise requires several different tools or services - and all are readily purchased on the black market. Next, we observed that threat actors generally use two business models. In the first, actors offer a low-cost but broadly used tool or service at a large scale. Conversely, a threat actor can pursue a more specialized service that is offered at high cost to comparatively few clients. Finally, we determined that the operational costs of an efficient criminal enterprise can vary widely based on the skill and resource requirements which underlie the good or service. We estimate that some common criminal enterprises can be operated for as little as $34 a month while others may routinely require nearly $3,800 or more.