By examining cybercrime through a value-chain lens, we can better understand how the ecosystem works and find new strategies for combating it.

With cyberattacks increasingly threatening businesses, executives need new tools, techniques, and approaches to protect their organizations. Unfortunately, criminal innovation often outpaces their defensive efforts. In April 2019, the AV-Test Institute, a research organization that focuses on IT security, registered more than 350,000 new malware samples per day, and according to Symantec’s 2019 Internet Security Threat Report, cyberattacks targeting supply chain vulnerabilities increased by 78% in 2018.1

Wide-scale attacks are becoming more common, too. In October 2016, a distributed denial-of-service (DDoS) attack that hit Dyn, a domain name system (DNS) provider, in turn brought down companies such as PayPal, Twitter, Reddit, Amazon, Netflix, and Spotify.2 In 2017, the WannaCry and NotPetya ransomware attacks affected health care, education, manufacturing, and other sectors around the world. A report from the Department of Health in the U.K. revealed that WannaCry cost it 92 million pounds.3 That same year, while the cyber-defense community was working out how to fight ransomware, cryptojacking — the hijacking of other people’s machines to mine cryptocurrency — arose as a threat. Cryptojacking attacks detected by Symantec increased by 8,500% during 2017.4 During 2018, the value of cryptocurrencies plunged 90%, yet Symantec still blocked four times as many cryptojacking attacks as the previous year.5

Attackers always seem to be one or two steps ahead of the defenders. Are they more technically adept, or do they have a magical recipe for innovation that enables them to move more quickly? If, as is commonly believed, hackers operated mainly as isolated individuals, they would need to be incredibly skilled and fast to create hacks at the frequency we’ve seen. However, when we conducted research in dark web markets, surveyed the literature on cyberattacks, and interviewed cybersecurity professionals, we found that the prevalence of the “fringe hacker” is a misconception.

Through this work, we found a useful lens for examining how cybercriminals innovate and operate. The value chain model developed by Harvard Business School’s Michael E. Porter offers a process-based view of business.6 When applied to cybercrime, it reveals that the dark web — that part of the internet that has been intentionally hidden, is inaccessible through standard web browsers, and facilitates criminal activities — serves as what Porter called a value system.

References

1.Malware,” AV-Test Institute, accessed April 8, 2019, www.av-test.org; and Symantec, 2019 Internet Security Threat Report, February 2019.

2. P. Roberts, “Exclusive: Mirai Attack Was Costly for Dyn, Data Suggests,” The Security Ledger, Feb. 3, 2017, https://securityledger.com.

3. D. Palmer, “This Is How Much the WannaCry Ransomware Attack Cost the NHS,” ZDNet, Oct. 12, 2018, www.zdnet.com.

4. Symantec, 2018 Internet Security Threat Report, March 2018.

5. Symantec, 2019 Internet Security Threat Report.

6. M.E. Porter, Competitive Advantage: Creating and Sustaining Superior Performance (New York: The Free Press, 1985).

7. K. Huang, M. Siegel, and S. Madnick, “Systematically Understanding the Cyberattack Business: A Survey,” ACM Computing Surveys 51, no. 4 (July 2018).

8. J. Seymour and P. Tully, “Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter,” Black Hat USA, 2016, www.blackhat.com.

9.The Next Paradigm Shift: AI-Driven Cyberattacks,” white paper, Darktrace, Cambridge, England, 2018.

10. R. Hackett, “Hackers Have Allegedly Stolen NSA-Linked ‘Cyber Weapons’ and Are Auctioning Them Off,” Fortune, Aug. 16, 2016, www.fortune.com.

11. B. Krebs, “Will the Real Joker’s Stash Come Forward?” Krebs on Security (blog), May 2018, https://krebsonsecurity.com.

12. J. Brandon, “Terrifying High-Tech Porn: Creepy ‘Deepfake’ Videos Are on the Rise,” Fox News, Feb. 20, 2018, www.foxnews.com; and “Deepfake,” Wikipedia, https://en.wikipedia.org; Reddit banned the /r/fakeapp channel in February 2018.

13. J. Caballero, C. Grier, C. Kreibich, et al., “Measuring Pay-per-Install: The Commoditization of Malware Distribution,” USENIX Security Symposium, 2011: 13

14.Behind the Veil — GandCrab Ransomware Partner Program,” LMNTRIX Labs, Feb. 3, 2018, www.lmntrix.com.

15. Cisco, 2016 Annual Security Report, January 2016.

16. T. Moore, “Introducing the Economics of Cybersecurity: Principles and Policy Options,” Proceedings of a Workshop on Deterring Cyberattacks (Washington, D.C.: The National Academies Press, 2010); and M. Yip, N. Shadbolt, and C. Webber, “Why Forums?: An Empirical Analysis Into the Facilitating Factors of Carding Forums,” proceedings of the 5th Annual ACM Web Science Conference, 2013: 453-462.

17. S. Khandelwal, “Dark Web Users Suspect ‘Dream Market’ Has Also Been Backdoored by Feds,” The Hacker News, July 21, 2017, https://thehackernews.com.

i. S. Khandelwal, “Shadow Brokers, Who Leaked WannaCry SMB Exploit, Are Back With More 0-Days,” The Hacker News, May 16, 2017, https://thehackernews.com.

Acknowledgments

This research was supported, in part, by funds from the members of the Cybersecurity at MIT Sloan (CAMS) consortium.