In the last Virtualization and Cloud Security Podcast, Michael White, a Veeam field product manager, and I discussed the gray market for security attacks. These days, performing an attack against an individual or company is trivially easy. What we used to call script kiddies has become a major business unto itself, sometimes protected by the jurisdiction in which the attack creators live. In some cases, these are seen as legitimate businesses, while in others, they are anathema with harsh penalties. Why is this a big deal, other than the obvious?
There are some significant items about the gray market that make it worth watching for, researching, and knowing about. Unlike the black market, the gray market looks semilegitimate. However, just like in the black market, all funds are untraced. Actually, it is worse than that. None of the funds these days can be traced within the gray market, if payments are made in cryptocurrency. This is a change from a decade ago. Regardless, the gray market has a market value greater than the GDP of all but the top ten or so countries.
Yes, you read that correctly. The market value for attacks is huge. How does the gray market achieve such numbers? Simply put, it offers attacks as a service. You can purchase either a whole swath of attacks or just one. In many cases, there are multiple layers or prongs to each attack. It depends on the attackers’ and attacks’ goals. If the goal is a repudiational attack, that is one set of resources, while if the goal is to gain ill-gotten booty, then there are simpler, more shotgun-style attacks.
In either case, the gray market is a big business with many bit players. In it, you rent time using the tools created by others. If you think this sounds significantly like cloud-based services, you would be correct. That is the crux of the issue. Ordering attacks is incredibly simple, almost too simple. There is no need to program things yourself. There is no need to do anything but take out your method of cryptopayment and place an order, and away the attacks go.
I have seen such attacks used against individuals due to differences of opinion, used within the political arena, and used against businesses for many reasons.
There is so much money passing through the gray cloud that one begins to wonder if this is the reason cryptocurrency was created in the first place. No one knows the originator of Bitcoin. Perhaps the best theory is that it was a benign act. However, lately, given how Bitcoin and the like have been used by criminals (at least by many jurisdictions’ definitions), it seems more likely it was really invented by the gray market to allow for untraceable ways to transfer funds.
More hackers have been caught by tracing the money than through any other means. This implies that a weakness with the gray market was how payments were made. Once you introduce cryptocurrencies, the ability to track diminishes significantly. The attackers are protected and so are those who order the attacks. Now the lightbulb goes off. By trading these currencies, are we not now legitimizing the criminals’ means of becoming untraceable? It also sheds new light on what happened with Mt. Gox. Was it originally set up to be just a scam? We may never know.
In either case, the gray market is worth understanding. Of course, it is not something I suggest anyone use. Understand, yes; use, no. Given the dollars involved, and the simplicity, we need to be prepared to protect ourselves from shotgun and spear-phishing approaches to attacks. How do you do this today? What multiple layers of security do you use to counteract the growing market of attacks?