The cybercrime landscape has expanded in step with the technology that enables it, and the average cybercriminal has evolved along with it: from lone wolf to pack hunter.
Understanding how hackers think is not just a fun exercise; it also reveals valuable insights into how we can approach cybersecurity within our own organisations. After all, if you want to build a better safe, you need to think like a thief.
Of course, hackers are an incredibly diverse group, hailing from all corners of the world, with skill levels that range from basic computer user to mastery over several programming languages. Their motivations are just as diverse; some are career cybercriminals looking for their next bounty, while others are just hobbyists and pranksters out to entertain themselves.
They often coalesce into like-minded peer groups, giving rise to loosely organised cyber-gangs that may grow into new, more sophisticated criminal operations as ideologies and relationships evolve. Each tier of operations tends to be a feeding pool for the next, providing something like a learning path, or career advancement pathway, for the industrious cybercriminal.
Know your threat actor
While the full range of cybercriminals and their aims is too granular to catalogue, we can group these threat actors into three broader tiers: the lone wolf, the pirates, and the commandos. Each tier tends to target people or organisations of a specific profile, and it is helpful to know which of these troublemakers is most likely to target you.
Tier 01: The lone wolf
A blunt instrument with limited reach, the lone wolf is an individual with basic technical skills at most: they may have read a guide, copy and paste command snippets, or run publicly known exploits against unpatched systems. What they lack is the experience, resources and desire to plan larger attacks against hardened networks.
They are usually not in it for the money, though they would not say no to a little ill-gotten profit. They typically get into hacking because they enjoy the challenge (or love pulling a good prank) and see it as a way to win some prestige in their peer group.
Multifactor authentication on logins, DDoS protection for public-facing websites, promptly patched systems, industry-standard firewall, antivirus and email filtering, plus a corporate culture of cyber awareness, are usually sufficient defence against this type of attacker. Because the lone wolf relies on known exploits, the single most effective of these is keeping internet-facing systems patched.
Tier 02: The pirates
These threat actors have spent time learning how computers and software work: they can write and debug code in several languages and, crucially, can also break it.
They hunt in loosely organised packs or gangs with other skilled threat actors, targeting companies, organisations or high-profile individuals. Beyond the technical skills needed to get past more sophisticated defences, they may also lean on related criminal skills such as identity fraud and money laundering to profit from the theft or ransom of sensitive corporate data and personally identifiable information.
They can quickly scale up their operations by bringing in experienced specialists to carry out sophisticated attacks on short timeframes. They also seem to enjoy leaving behind a 'calling card' for their hacker group, and often publicly claim credit for specific attacks.
Industry-leading system and network protection is only a baseline against the ongoing risk from this type of attacker. Organisations with valuable data to protect should perform a thorough risk-versus-cost assessment of the need for additional layers of dedicated cybersecurity resources, such as monitoring and incident response capability.
Tier 03: The commandos
The commandos are the elites: top-tier cybersecurity professionals with an extensive hacking background as a blackhat, whitehat, or mixture of both. They are often employed by well-funded private or government organisations to deploy sophisticated malware against enemy nations and rival companies, with the goal of spying on communications or committing acts of digital sabotage against systems, networks and real-world facilities in aid of cyberwarfare operations.
Corporate and state-backed hacking groups are assembled in much the same way as any other enterprise, with additional security and secrecy around how they operate—making it difficult to report on activities of key players, beyond the few places they leave a trail.
Offensive actors within state-backed groups, the Advanced Persistent Threats (APTs), build and deploy customised malware over long timeframes to keep ongoing access to targeted systems, enabling their sponsors to gather intelligence, corrupt data and communications, or take control of vital infrastructure.
They are well organised and take the time to analyse weaknesses, develop code and devise strategies to exploit specific flaws, then deploy and maintain malware which grants ongoing access to targeted infrastructure, all with the discipline and process of professional software development. Each team member has a specialty or discipline that contributes to the overall success of the attack.
This tier of attacker presents a threat not just to networks and systems but to facilities and infrastructure: refineries, hydroelectric dams, power grids, nuclear plants, even entire cities. Their targets are carefully selected, and this type of attacker is very hard, if not impossible, to defend against fully. They have the time, skill and resources to circumvent nearly any cybersecurity measure. The best way to manage this type of threat is through cyber resilience: investing in continuity, redundancies and backup measures to buy time and minimise the impact if they do attack, alongside detection capability that can spot an intrusion before it reaches its objective.
The cyber arms race
The endless cat-and-mouse game between defenders and cybercriminals has driven major innovations on both sides, and as more and more of our economy and infrastructure digitises, the arms race is only accelerating. While no security system is 100% foolproof, combining appropriate cybersecurity technology with an aware and alert workforce goes a long way to bolstering security. For organisations serious about protecting their data, investing in cyber resilience as well as cybersecurity is one of the most effective security measures they can take.