The seventh annual (ISC)² Global Workforce Survey estimates that there will be a shortage of information security professionals by 2020. Ask any security leader and it will become clear that organizations are struggling to find the talent they need. This search for talent reminds me of the attempts to track down Luke Skywalker in The Force Awakens; the task is arduous – often with no end in sight. The talent struggle isn’t unique to defenders. Adversaries also struggle to find the right talent, which is critical to capturing profits. In response – and perhaps against their desire for anonymity – many cyber criminal organizations have adopted traditional, real-world recruitment techniques. Fortunately, there’s much we can learn from hacker recruitment that can improve our own security.
First of all, the underground recruitment industry is about far more than simply hiring developers. In order to profit, there must be an ecosystem of malware writers, exploit developers, botnet operators, and mules. Figure 1-2, for example, illustrates the huge demand for carders, individuals who traffic in stolen credit card data. Finding capable individuals who can be trusted is difficult and requires a rigorous application procedure.
Fig 1-1: A post by a “digital crime syndicate” seeking hackers for their group.
Recruitment in the underground is startlingly similar to its legitimate counterpart. While many advertisements are standalone or posted on forums, some exist on specific job boards that have been created for this express purpose. A handful of these job boards actually offer paid job advertisements; simply pay the fee and your advertisement will reach a wider audience.
Fig 1-2: A post on a carding forum, seeking individuals to help with the heavy lifting.
Like defenders, adversaries struggle to find qualified candidates. On forums, the frequent references to skids – “script kids” – allude to a frustration with the lack of talent. Because skids possess no legitimate technical skill, candidates must be put through a rigorous process to ensure they are up to the task. There are many instances of recruiters asking for application forms – some even offer an application template. Just as in corporate cyber security hiring, bringing the wrong candidate on board wastes limited resources. Due diligence is required to ensure that only qualified candidates continue through the hiring process.
Fig 2: An example application form posted on a dark web forum.
Should the initial application be successful, it is not uncommon for the candidate to be asked to complete an interview. Skype appears to be a popular tool for this, so long as users’ voices are masked, video is turned off and traffic is routed through services such as Tor. Figure 3 shows the result of a successful interview, simply stating “Interview complete. Welcome.” So that’s it? You’re in? Not necessarily.
Fig 3: A post declaring the successful completion of an interview on a Russian-speaking forum on the clear web.
Simply having the right skills on a cyber criminal resume isn’t sufficient. Those doing the hiring may want to further vet the individual before continuing. In some instances the group insists on a probationary period, just as in corporate IT. Take Figure 4, for example: a job advertisement by a group called DeleteSec states that members “must hack a website within 3 months” or they will be “unfollowed and considered inactive.” Even after this probationary period, membership may not be assured.
Fig 4: A post on Pastebin by DeleteSec outlining required skill sets.
These parallels with the recruiting and hiring processes defenders follow are interesting, but the real value for organizations is in understanding what skills these actors are looking for. Take Figure 5 as an example. We can learn that a new group is planned that intends to “hack high-profile websites as well as simple accounts,” and is “ready to make some money…” There’s also an insight into their TTPs. Skills that the group’s founder is seeking include distributed denial of service (DDoS), social engineering, cross-site scripting (XSS) and SQL injection (SQLi). After all of these years, the fact that XSS and SQLi persist is an indictment of the security community – but that’s a topic for another blog post. The lesson is that attackers gladly go after these basic vulnerabilities and can hire those with more entry-level technical skills to boost profits even further.
There are also other, more specific requirements that attackers seek, such as insider knowledge of an organization’s operating system. Organizations able to find such advertisements have an added advantage in their asymmetric battle with their adversaries.
Fig 5: A post on a dark web forum from an individual seeking to form a hacker group.
Attackers and defenders have more in common than some might think. Each group has a mission to accomplish, and the success of that mission is predicated on the ability to hire and retain staff. Cybercriminals must find a balance between operations security (OPSEC) and the ability to recruit. Too much OPSEC leaves little opportunity to identify qualified candidates, so cybercriminals make sacrifices on their path toward profit.
When attackers make these sacrifices, they leave behind clues that defenders can take advantage of to build resiliency into their security programs. In some circumstances, defenders might find specific details about attacks targeting their organization, while in others they might find general attack trends that could bolster their defenses. At the end of the day, tracking the adversaries that are recruiting and the skills they most desire can improve the overall maturity of an organization’s security program and make that new recruit’s job that much harder.
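As an added example (not code from the original post), here is one way a security team could turn the skill lists in recruitment advertisements into a prioritised list of defensive controls. The forum posts are constructed samples, and the skill-to-mitigation mapping is an assumption chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample recruitment posts (not real forum content), modelled on
# the kinds of advertisements described above.
SAMPLE_POSTS = [
    "New group forming. Need people skilled in DDoS, social engineering, XSS and SQLi. Ready to make some money.",
    "Looking for carders to handle the heavy lifting. Must have experience with dumps and drops.",
    "Seeking coder with SQL injection experience and cross-site scripting knowledge for web targets.",
    "Botnet operator wanted. Must know how to run DDoS campaigns.",
]

# Skill keywords called out in the post, each mapped (assumed mapping) to the
# defensive controls a team can prioritise when that skill is in demand.
SKILL_PATTERNS = {
    "ddos": (r"\bddos\b|denial of service", "rate limiting, upstream scrubbing, capacity planning"),
    "social engineering": (r"social engineering|phishing", "awareness training, MFA, mail filtering"),
    "xss": (r"\bxss\b|cross-site scripting", "output encoding, Content-Security-Policy, WAF rules"),
    "sqli": (r"\bsqli\b|sql injection", "parameterised queries, least-privilege DB accounts, query logging"),
    "carding": (r"\bcarder|\bcarding\b|\bdumps\b", "card-data tokenisation, PCI scope reduction, fraud monitoring"),
    "botnet": (r"\bbot ?net\b", "egress filtering, C2 beaconing detection, EDR"),
}


def extract_skills(post: str) -> set[str]:
    """Return the set of skill tags whose pattern appears in one post (case-insensitive)."""
    text = post.lower()
    return {tag for tag, (pattern, _) in SKILL_PATTERNS.items() if re.search(pattern, text)}


def rank_demand(posts: list[str]) -> list[tuple[str, int, str]]:
    """Count how many posts ask for each skill; return (skill, count, mitigation) ranked by demand."""
    counts = Counter(tag for post in posts for tag in extract_skills(post))
    return [(tag, n, SKILL_PATTERNS[tag][1]) for tag, n in counts.most_common()]


if __name__ == "__main__":
    for tag, n, mitigation in rank_demand(SAMPLE_POSTS):
        print(f"{tag:<20} {n} post(s)  -> prioritise: {mitigation}")
```

Feeding it a larger, dated collection of advertisements lets a team watch which skills rise in demand over time rather than reacting to a single post.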