by Bharat Mistry
Over the past 28 years, Trend Micro has led the industry in trying to better understand those who seek to do us and our customers harm. After all, how can we begin to build effective threat prevention if we don’t know what we’re trying to protect against? The latest of our in-depth reports into regional cybercrime underground markets focuses on the Middle East North Africa (MENA) region, and reveals some surprising findings. This is a cybercrime underground united in its goals with members keen to share and help each other; making it particularly dangerous for targets in the West.
That’s bad news for all of us as local MENA players move beyond DDoS and web defacement activity to more nefarious attacks. Against this backdrop, layered security becomes an essential mitigation strategy.
Inside the digital souk
We’ve noticed over the course of our work that marketplaces around the world seem to mirror the societies in which they operate. Thus, MENA forums are a world away from the dog-eat-dog spirit of cybercrime in Russia, China and elsewhere. Dark Web research we released in May, for example, revealed hackers frequently attacking each other; defacing rival sites, stealing confidential data, and even spying on communications from fellow cyber-criminals.
The underground “digital souks” we found in the Middle East and North Africa seem instead to reflect an ideology and culture of brotherhood that permeates the religious make-up of many constituent countries. Commonly understood proverbs, bywords and religious references pepper discourse on cybercrime forums and sites, with some marketplaces even featuring dedicated sections devoted to these shared Islamic beliefs and ideologies.
Incredibly, this sense of brotherhood also leads to the sharing of many hacking tools such as crypters, keyloggers, malware builders, and SQL injection tools for free. Even Supervisory Control and Data Acquisition (SCADA) port numbers were handed out “for the sake of good fortune”. DDoS and website defacement attacks are particularly popular and are often conducted in collaboration with members of such sites for ideological reasons against Western targets as well as local governments.
The products and services that are actually bought and sold are not dissimilar to those in other regions – including malware (27%), fake documents (27%), stolen data (20%), crimeware (13%) and weapons (10%) – although they are more expensive.
The flipside of this ‘brotherhood’, however, is that it’s relatively tricky and time-consuming to join such forums. Users need to register and pay a fee in Bitcoins, as well as familiarise themselves with Arabic, if they want to take part.
What we can learn
Although the size of the MENA market is thankfully not on a par with those in other parts of the world, it’s rapidly evolving. In the future we anticipate closer collaboration with the Russian underground and a diversification of activity beyond mere DDoS and defacement. This should sound the alarm bells for CISOs everywhere.
What can be done? The sheer size and breadth of the modern threat landscape requires organisations to stack up multiple layers of threat protection at the endpoint, network, hybrid cloud server and email/web gateways. There’s no silver bullet in security, so look to incorporate a set of complementary tools including app control, web and file reputation, behavioural analysis, firewalls, IDS/IPS, DLP and machine learning.
Deploy a layered approach to security: each layer detecting a different type of known or unknown threat and sharing intelligence to become more powerful and effective than the sum of their parts.