Disrupting the Malware Market

This year, the number of cyberattacks has increased, along with the types of malware used in the attacks. Much of this escalation is due to the proliferation of malware through online markets. These black markets are making it easy and cheap to commit identity fraud, gain information, and launch attacks that are costly for companies, governments, and individuals.

But like any market, the malware market is subject to economic forces. Not only do malware vendors and consumers act on basic laws of supply and demand, but their behavior in response to market events can be studied and observed with the same analysis that we apply to legitimate markets. With an introductory understanding of how malware is bought and sold online, we may be able to apply new tools to regulate, exploit, and disrupt the proliferation of cyberweapons.

Demonstrating Maturity and the Environment for Distribution

Once a disorganized network of peers, the malware market now exhibits efficiency and resiliency, and holds the same operating characteristics as a legitimate market. Attacks require weapons, and high-quality weapons will always be met with consumer demand. Consumer demand is driven by preference and price, and vendors manufacture or distribute products of some degree of quality at a competitive price. Product cycles come and go, and product feedback plays into future development through online forums and reviews.

Hacking tools and kits, intelligence and targeting information, and pilfered data from past hacks are all sold “off-the-shelf” on the darknet, the hidden portion of the Internet only accessible through special tools and methods. With an exploit kit, you can prepare an intrusion similar to that of the 2013 Target breach, a case where hackers bought and tweaked malware to gain access to Target’s point-of-sale data. In 2013, a top of the line exploit kit would only cost you around $2,000. Interestingly enough, many products on the malware market are being offered as a rentable service rather than a single up-front cost, following a common trend that has developed in the technology industry. The innovation demonstrated in product quality and market design indicates market maturity, along with the market’s resiliency and sophistication.

Before taking any action to disrupt the malware market, a responsible economist would first measure the effects that his or her action would have on dependent factors. Think of the host of factors that are calculated before the U.S. Federal Reserve decides to take action: the state of the economy, unemployment, and global market trends, to name a few. In the case of our malware market, we should aim to quantify at least the metrics of volume, product quality, and market options. We should also seek to measure how they affect organizations outside the black market — organizations that could be the potential victims or targets for the products being sold. So we measure the sensitivity potential victims have to products sold on black markets in general. We should ask: how exposed is this organization to attack?

While high-profile hacks continue to make headlines, many organizations are becoming very capable at defending against attacks. This is due in part to information sharing and threat intelligence. When the malware used in the 2013 Target breach was analyzed, researchers discovered unique identifiers that linked it to other attacks. Attacks bear signatures that can be detected and many companies building out basic defense capabilities can easily detect these signatures. In the case of the Target breach, researchers shared the malware’s signature with point-of-sale vendors like Visa who used that threat intelligence to check their logs for past attacks as well as defend against future attacks. A recent report from the consulting firm PricewaterhouseCoopers described large improvements to corporate security measures, practices, and executive involvement in participating in defenses; cybersecurity budgets expanded by 24 percent from 2014, with the average losses accredited to attacks decreasing this year by five percent.

Let’s embrace a hypothetical that may model the actions we can take to undermine the operations of the malware market. Say we develop these trends to the point where most medium-to-large businesses and government entities have the capability and command structure to promote decent defense and security. Let’s also say that the growth and trends of the malware market remain constant — meaning malware vendors will innovate at the same rate, the volume of products will increases at the same rate, and no exceptional improvements in efficiency are developed that change the structure of product pricing or vendor-consumer communication. We can then begin to model possible tools of disruption to be used against malware vendor-consumer business networks and the sites that host them.

Dumping as tools for disruption

Trade organizations such as the World Trade Organization uphold agreements that limit and restrict dumping between nations. Dumping occurs when a predatory foreign company prices a product lower than the similar products offered by companies in the domestic market. This produces an outcome where the predatory foreign company is “dumping” its low-cost products into the domestic market to the point where domestic companies struggle to compete.

With the growth and trends of our malware market remaining constant and the defense capabilities of organizations increasing, let’s project a possible price shock and disruption through an active process of dumping. A popular product rises above the competition, like the exploit kit Angler that grew in popularity in 2015. The Angler exploit kit allows the user to attack a victim by automating the process of searching for a way to break into a victim’s computer. Priced at $1,000, Angler’s production quality allows for a higher success rate when used on targets, with its reuse value fairly high. Given this environment, how might law enforcement seek to exploit the malware market so that it is regulated to a point where they have more control?

Enter our hypothetical darknet disruption vendor. With collaboration from a certain three-letter U.S. agency, our vendor is seeking to disrupt the malware market with the potential goal of assisting law enforcement, and has developed a product that competes with Angler very well: The Mangler Exploit Kit. Mangler is being offered at the low, low price of $300. Obviously Mangler is priced to undercut existing strains of Angler on the market, and it does, perhaps even forcing down the price of the earlier Angler strains.

Organizations may begin to see Mangler attacks. However, due to the investment in their defenses and great information sharing, these corporations are able to detect, isolate, and ward off Mangler fairly easily. Perhaps our disruptive vendor even put unique identifiers that he subsequently handed off to the proper authorities for easier tracking.

Either way, the monitored dumping of Mangler has accelerated the obsolescence of Angler, driving down the price of all similar products in the process. However, with innovation of the malware market held constant, there has not been incredible improvements upon Angler. It seems that Angler occupied a space between the market’s two major tiers: the top tier of expensive, highly-customized tools and weapons versus the lower tiers of cheap, detectable, and minimally effective products. As Angler begins its descent into the lower tiers, a gap widens between the cheap low tier and the expensive high tier; there is no longer a product that satisfies mid-market demand. This creates a higher demand for higher quality products, but with the market growth held constant there are simply not enough talented programmers to create a competitive supply of top-tier goods. Thus, the mid-market tier has been cut out, directing the majority of would-be consumers toward the lower tier of inexpensive, detectable, and ineffective products. Law enforcement can then choose to concentrate on investigating the proliferation of top-tier weapons and attacks, while organizations continue to build out capabilities to defend against the lower-tiered attacks.

Beyond this simulation, can we expect law enforcement to take this active of a role? Law enforcement and authorities across the globe are asserting a more active presence monitoring the darknet. It is common for authorities to create accounts on the darknet, even malware markets, to simply monitor activity and transactions. Many authorities even excel at developing a narrative and rapport with vendors and sellers for the purpose of intelligence gathering. With good understanding of the malware market and darknet (as well as good counsel), it’s not improbable that authorities could execute an operation of this technical capability and scale.

Supply-side disruption

The exploitation of the malware market must work in tandem with organizations’ improvements in cybersecurity. As an organization improves its defenses, attacks often increase in creativity, technicality, and complexity. The more customized the attack becomes, the harder it is to match off-the-shelf products to the client’s need, which can lead the malware vendor to struggle to accommodate many clients of varied capabilities, each with a demand for a customized attack. This can put the malware product being sold at risk for disruption. Intense competition, volatile demand, increased demand for customization, and short product cycles are all catalysts for supply disruption, and such traits are developing among malware vendors and consumers on the darknet. A well-engineered disruptive event could create an exponential amount of instability in the malware market, showing a lot of potential that supply-side economics may have for breaking up malware and cyberweapon proliferation.

These examples of economics being used to thwart malware vendors are exercises of possibility. It’s not realistic to expect black markets to go away, but we can surely get better at monitoring and interacting with them. However, in the long-term, we may be able to cripple the malware market. Research conducted on the long-term market effects of a supply disruption suggest that market sales can decrease as much as seven percent, operating below potential output for some considerable time after the shock. As long as the malware market operates under conditions of instability, insecurity, and recession, the law enforcement organizations that monitor the darknet can advance toward a dominant position in cyberspace that has very real implications for organizations, governments, and individuals.

Related posts