Cybersecurity Researchers Introduce New Model for Fighting Cybercrime in MIT Sloan Management Review Article

The authors examine cybercrime through a value-chain lens to better understand how cybercrime resembles a marketplace of services and to find new strategies for combating it.

News provided by

MIT Sloan Management Review

15 Jul, 2019, 09:13 ET

CAMBRIDGE, Mass., July 15, 2019 /PRNewswire/ -- As criminal innovation outpaces defensive efforts, cyberattacks are becoming more ubiquitous and sophisticated, and businesses, governments, and individuals are more vulnerable than ever. In a perspective-shifting new article, "Casting the Dark Web in a New Light" (MIT Sloan Management Review), cybersecurity researchers and scientists Keman Huang, Michael Siegel, Keri Pearlson, and Stuart Madnick offer a new lens through which to consider cybercrime. They apply a value-chain model to cybercrime and persuasively argue that cybercriminals continue to allude defenders because of a lack of understanding and under-investigation of cybercrime's ecosystems. In this article, they break down their unique value-chain model and provide new avenues for combating attacks.

The authors first dispel the myth of the "fringe-hacker" — skilled individuals who singlehandedly disrupt systems. Instead, the authors reveal that there are two types of players on the dark web: the developers who create the tools and software and the businesspeople who buy these tools and launch the cyberattacks.

"Because today's cyberattacks are often orchestrated by clever businesspeople who target organizations with something of value to steal or disrupt, they should be treated like other business threats," the authors write. "Protecting the business and detecting, responding to, and recovering from attacks is not solely the responsibility of technology experts."

To combat these threats, businesses must first understand how the ecosystem of cybercrime resembles the marketplace value-chain model traditionally used in business. The authors outline the value chain of primary activities needed to create cyberattacks and support activities that make the attacks more efficient and effective, including:

  • Life-cycle management operations, which include activities that help select valuable attack targets, organize hackers, manage the distribution of proceeds, hide the operation from authorities, and if disrupted, recover the sidelined operation.
  • Hacker human resources services such as hiring, training, and managing trusted hackers.
  • Marketing and delivery services that create a trustworthy marketplace for service providers and buyers, a market-based pricing mechanism, and a system for transferring funds.
  • Technology support, which offers tools and functional operations such as customer service.

"Examining cyberattacks through the lens of a value chain reveals organized businesspeople using proven business models within a well-defined ecosystem governed by the dictates of supply and demand," they write. "This cyberattack-as-a-service ecosystem makes mounting targeted, scalable cyberattacks quicker, cheaper, and more difficult to stop. But understanding all that helps organizations reimagine how to combat cyberattacks."

The authors highlight several ways in which businesses can combat cyberattacks:

  • Expand the focus of cyber-threat intelligence: Many cyber-threat intelligence services collect data from enterprise IT environments to detect potential cyber threats. There is some investigation of the dark web, but it is usually limited to harvesting threat information and alerting potential targets. By expanding and investigating more services on the dark web, we can yield insights into new and more effective defense mechanisms.
  • Pursue a good offense as the best defense: Cyber strategy in most organizations is mainly reactive. Companies defend themselves after successful attacks have been launched. Defenders can flood the cyberattack ecosystem with deceptive services, making the dark web less attractive for cybercriminals seeking to purchase services. Another offensive strategy is to disrupt select services that are frequently used to create attack vectors, thereby making it difficult and risky to orchestrate an attack.
  • Create a cyber-defense service value chain: Cyberattack defense cannot be relegated to law enforcement agencies alone. Instead, it requires an ecosystem aimed at combating cybercrime that includes many actors — individuals, corporations, software and hardware providers, cybersecurity solution providers, infrastructure operators, financial systems, and governments — working together.
  • Approach defense as a business problem first, not a technology problem: When business leaders ask, "How can we prepare for unknown cyberattacks?" they often assume that attackers are using new and perhaps unknown technologies. However, frequently the attackers and defenders use the same technologies, and oftentimes, many technologies used in attacks were initially developed by the defense research community to block other kinds of attacks. So attacks should be treated like other business threats. Risk management tools and techniques can shed additional light on what's driving them, help identify vulnerabilities that attackers may prey upon, and enable potential targets to anticipate next moves.

By viewing cybercrime through this new lens and considering it less of a technological hack orchestrated by lone wolves and more as a sophisticated business market, executive leaders can better investigate the vulnerabilities of their organizations and build a more solid defense.  

The authors conclude: "It's long past time to start beating the bad guys at their own game."

To read the full article, please visit: MIT Sloan Management Review.

About the authors:
Keman Huang is a research scientist at Cybersecurity at MIT Sloan (CAMS). Michael Siegel is a principal research Scientist at the MIT Sloan School of Management and codirector of CAMS. Keri Pearlson (@kpearlson) is the executive director of CAMS. Stuart Madnick is the John Norris Maguire Professor of Information Technology in the MIT Sloan School of Management, professor of engineering systems in the MIT School of Engineering, and codirector of CAMS.

About MIT Sloan Management Review
A media company based at the MIT Sloan School of Management, MIT Sloan Management Review's mission is to lead the conversation among research scholars, business executives, and other thought leaders about advances in management practice, especially those shaped by technology, that are transforming how people lead and innovate. MIT Sloan Management Review captures for thoughtful managers the creativity, excitement, and opportunity generated by rapid organizational, technological, and societal change.

Contact

Emily Lavelle


Emily Lavelle Communications


+1-212-390-1328 | [email protected]


SOURCE MIT Sloan Management Review

Related Links

http://sloanreview.mit.edu

Also from this source

New Research From MIT SMR Shows That Men Benefit More From Supporting Colleagues Than Women Do

New Research From MIT SMR Finds Women Are 41% More Likely to Experience Toxic Culture Than Men

Explore

More news releases in similar topics

PRN Top Stories Newsletters

Sign up to get PRN’s top stories and curated news delivered to your inbox weekly!

Thank you for subscribing!

By signing up you agree to receive content from us.
Our newsletters contain tracking pixels to help us deliver unique content based on each subscriber's engagement and interests. For more information on how we will use your data to ensure we send you relevant content please visit our PRN Consumer Newsletter Privacy Notice. You can withdraw your consent at any time in the footer of every email you'll receive. Mit Ihrer Anmeldung erklären Sie sich damit einverstanden, Inhalte von uns zu erhalten.
Unsere Newsletter enthalten Zählpixel, die die Lieferung einzigartiger Inhalte in Bezug auf das Abonnement und die Interessen der einzelnen Abonnenten ermöglichen. Weitere Informationen über die Verwendung Ihrer Daten im Hinblick auf die Zusendung von relevanten Inhalten, finden Sie in unserer PRN Consumer Newsletter Privacy Notice. Ihre Zustimmung können Sie jederzeit in der Fußzeile jeder erhaltenen E-Mail widerrufen. En vous inscrivant à la newsletter, vous consentez à la réception de contenus de notre part.
Notre newsletter contient des pixels espions nous permettant la fourniture à chaque abonné, d’un contenu unique en lien avec ses souscriptions et intérêts. Pour de plus amples informations sur l’utilisation faite de vos données en vue de l’envoi des contenus concernés, nous vous invitons à consulter la politique de confidentialité disponible à partir du lien suivant PRN Consumer Newsletter Privacy Notice. Vous pouvez à tout moment revenir sur votre consentement par le biais des informations situées au bas de chaque e-mail reçu. Регистрирайки се, Вие се съгласявате да получавате информационно съдържание от нас. Нашите бюлетини съдържат проследяващи пиксели, които ни помагат да предоставяме уникално съдържание въз основа на ангажираността и интересите на всеки абонат. За повече информация относно начина, по който ще използваме Вашите данни, за да гарантираме, че Ви изпращаме подходящо съдържание, моля, направете справка с нашето Уведомление за поверителност на потребителския бюлетин на PRN. Можете да оттеглите съгласието си по всяко време в долния колонтитул на всеки от имейлите, които ще получите.