Know Your Opponent

In his guest article, Yaroslav Rosomakho from Netskope explains how cybercriminals work and how companies can arm themselves against them.

If the cliché of the lonely, hooded hacker pursuing his menacing activities in the dark basement was ever true, it no longer applies to modern cybercriminals. Today, cybercrime is often just as professionally organized as any other business. Perpetrators are usually not lone wolves, but operate as part of sophisticated and organized groups that collaborate with others within a larger ecosystem of specialists. These groups build significant financial resources over time, and use them to improve subsequent attacks or upgrade their infrastructures. Knowing how cybercriminals operate is not only interesting, but also provides organizations with important insights for formulating their security strategy and designing their IT security solution in concrete terms.

Cybercriminals work in a professional and networked manner

As in any other business, cybercriminals today often work in networked teams: some specialize in spying out passwords, others in exfiltrating data, and others are very familiar with ransomware attacks. Many join forces to form attack groups and constantly develop their methods further. What can companies learn from this? It is important to stay abreast of current threats and trends while collaborating as effectively as cybercriminals do: if security teams network and share relevant information, they too can keep their IT security well prepared and act quickly when necessary. In everyone’s interest, it also helps to work together with competitors and to plan and organize one’s own IT security across departments within the company. All too often, security tools are not interconnected, so the security team lacks the holistic overview needed to detect an attack that uses multiple vectors. Thwarting well-organized attacks requires integrated security tools that can share relevant information, such as indicators of compromise, in real time.

Attackers are well funded

Cybercrime is big business today: Cybersecurity Ventures, for example, predicts that the global cost of cybercrime will rise to $10.5 trillion per year by 2025. Professionally organized, cybercriminals and attack groups manage to bring in a lot of money in a variety of ways: Sources of money include ransomware profits as well as deals on the dark web where they sell data or special attack services. Others go after paid cybercrime jobs for nation states. Companies need to be aware that cybercriminals are usually well-funded. They need to be matched by a security budget that can ensure a high level of IT security. Particularly in view of the potential financial damage that cybercrime can cause to a company – in addition to possible loss of reputation – well-funded IT security is a good investment.

Cybercriminals use cloud services for their attacks

Cloud infrastructures are flexible and can be set up quickly and cost-effectively – and just as quickly dismantled and set up again elsewhere. This advantage of cloud-based infrastructure and services is appreciated not only by companies but also by cybercriminals: by using the same cloud services as the companies they attack, they are difficult to detect, especially by legacy security technologies. Traditional security systems cannot even differentiate between instances of key Microsoft Office 365 components – for example, a Microsoft Teams instance approved by the organization and one belonging to a third-party account – because both are served from the same cloud service. In this regard, companies should use security solutions delivered from the cloud: not only are they scalable and affordable, they make it much easier for IT security managers to detect an attack. A zero-trust approach is recommended not only for network access, but also for cloud security and data protection.

Malicious actors drive change and innovation

Cybercriminals are constantly evolving their technologies and methods and trying new things: ransomware, unheard of a few years ago, now dominates security discussions – and continues to change. Instead of classic extortion (“pay us to release your data”), ransomware attackers now more often threaten their victims with publishing corporate data. What’s more, a look back at the first half of 2022 will likely even show a shift from ransomware to other attacks that focus on disrupting data and processes – suggesting changing motivations due to the new geopolitical situation. In light of these changes, defense must not stand still either. Companies need to stay abreast of current attack methods and think ahead so that they always meet cybercriminals on an equal footing. This may simply mean improving patch management hygiene, for example, but it may also mean replacing outdated on-premise security applications with lengthy update and upgrade cycles by modern cloud security services that detect and defend against constantly evolving attack techniques using modern technologies such as machine learning (ML)-driven artificial intelligence.

Most cybercriminals are opportunistic

“Opportunity makes the thief,” as the saying goes about real-world crime, and the statement largely applies to online crime as well. Even though cybercriminals work in a professional and targeted manner, they do not like to make things harder for themselves than necessary and prefer easy targets. The lesson for companies is to arm themselves as well as possible so that they do not become easy prey. Good security hygiene is an important key to this: it makes no sense, for example, to spend a fortune on expensive firewalls and VPNs if employees leave Google Docs and AWS buckets open in the cloud. The key is to keep the “windows and doors” closed with up-to-date solutions so as not to give cybercriminals an opening and make the company an easy target.
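The “open AWS bucket” is the concrete hygiene failure the paragraph names, so here is an added example of the kind of check a security team can run over its own inventory. It is not code from the article or from Netskope: it takes the three S3 settings that decide whether a bucket is reachable by anyone (the bucket policy, the bucket ACL, and the Public Access Block configuration) and reports which of them, in combination, leave the bucket exposed. The bucket records are constructed sample data in the shape of the boto3 `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` responses, so the script runs offline; in a real audit those dictionaries would come from the API.

```python
"""Added example (not from the article): an offline auditor for the
"open AWS bucket" hygiene problem.  Evaluates bucket policy, bucket ACL and
Public Access Block settings and reports the combinations that expose data.
All bucket records below are constructed sample data; no AWS calls are made.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_anonymous_principal(principal) -> bool:
    """True when a policy Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_document) -> list:
    """Return the Sid (or index) of each unconditioned Allow statement open to anyone.

    Statements carrying a Condition block are deliberately skipped: a grant scoped
    by e.g. a VPC endpoint condition needs human review, not an automatic verdict.
    """
    if not policy_document:
        return []
    statements = json.loads(policy_document).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _is_anonymous_principal(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return "<Group>:<Permission>" for grants to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in (ALL_USERS, AUTHENTICATED_USERS):
            findings.append(f"{uri.rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return findings


def public_access_block_complete(config: dict) -> bool:
    """True only when all four Public Access Block flags are enabled."""
    return all(config.get(key, False) for key in PAB_KEYS)


def audit_bucket(bucket: dict) -> list:
    """Combine the checks; an exposure is reported only if nothing neutralises it."""
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    findings = []
    # RestrictPublicBuckets confines a public bucket policy to AWS principals,
    # so a public statement is an exposure only when that flag is off.
    if not pab.get("RestrictPublicBuckets", False):
        findings += [f"public policy statement: {s}"
                     for s in public_policy_statements(bucket.get("Policy"))]
    # IgnorePublicAcls makes existing public ACL grants ineffective.
    if not pab.get("IgnorePublicAcls", False):
        findings += [f"public ACL grant: {g}" for g in public_acl_grants(bucket.get("Acl", {}))]
    if not public_access_block_complete(pab):
        findings.append("public access block incomplete")
    return findings


# Constructed sample inventory (hypothetical bucket names, not real buckets).
SAMPLE_BUCKETS = {
    "marketing-assets": {
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*"}]}),
        "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                           "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    },
    "finance-exports": {
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-exports/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}),
        "Acl": {"Grants": []},
        "PublicAccessBlockConfiguration": {key: True for key in PAB_KEYS},
    },
    "legacy-uploads": {
        "Policy": None,
        "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
                            "Permission": "WRITE"}]},
        "PublicAccessBlockConfiguration": {},
    },
}

if __name__ == "__main__":
    for name, record in SAMPLE_BUCKETS.items():
        print(name, audit_bucket(record) or ["ok"])
```

Running it lists `marketing-assets` as exposed through its policy (the ACL grant is neutralised by `IgnorePublicAcls`, but `RestrictPublicBuckets` is off), `legacy-uploads` as writable by any authenticated AWS account with no Public Access Block at all, and `finance-exports` as clean because its only grant is conditioned and the block is complete. The conservative choice to skip conditioned statements rather than classify them keeps false positives down while still flagging the unconditioned cases that make a bucket easy prey.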

Yaroslav Rosomakho

Field CTO at Netskope