Jul 15, 2019 SOURCE: PR NewsWire

Cybersecurity Researchers Introduce New Model for Fighting Cybercrime in MIT Sloan Management Review Article

CAMBRIDGE, Mass., July 15, 2019 /PRNewswire/ -- As criminal innovation outpaces defensive efforts, cyberattacks are becoming more ubiquitous and sophisticated, and businesses, governments, and individuals are more vulnerable than ever. In a perspective-shifting new article, "Casting the Dark Web in a New Light" (MIT Sloan Management Review), cybersecurity researchers and scientists Keman Huang, Michael Siegel, Keri Pearlson, and Stuart Madnick offer a new lens through which to consider cybercrime. They apply a value-chain model to cybercrime and persuasively argue that cybercriminals continue to allude defenders because of a lack of understanding and under-investigation of cybercrime's ecosystems. In this article, they break down their unique value-chain model and provide new avenues for combating attacks.

The authors first dispel the myth of the "fringe-hacker" -- skilled individuals who singlehandedly disrupt systems. Instead, the authors reveal that there are two types of players on the dark web: the developers who create the tools and software and the businesspeople who buy these tools and launch the cyberattacks.

"Because today's cyberattacks are often orchestrated by clever businesspeople who target organizations with something of value to steal or disrupt, they should be treated like other business threats," the authors write. "Protecting the business and detecting, responding to, and recovering from attacks is not solely the responsibility of technology experts."

To combat these threats, businesses must first understand how the ecosystem of cybercrime resembles the marketplace value-chain model traditionally used in business. The authors outline the value chain of primary activities needed to create cyberattacks and support activities that make the attacks more efficient and effective, including:

    --  Life-cycle management operations, which include activities that help
        select valuable attack targets, organize hackers, manage the
        distribution of proceeds, hide the operation from authorities, and if
        disrupted, recover the sidelined operation.
    --  Hacker human resources services such as hiring, training, and managing
        trusted hackers.
    --  Marketing and delivery services that create a trustworthy marketplace
        for service providers and buyers, a market-based pricing mechanism, and
        a system for transferring funds.
    --  Technology support, which offers tools and functional operations such as
        customer service.

"Examining cyberattacks through the lens of a value chain reveals organized businesspeople using proven business models within a well-defined ecosystem governed by the dictates of supply and demand," they write. "This cyberattack-as-a-service ecosystem makes mounting targeted, scalable cyberattacks quicker, cheaper, and more difficult to stop. But understanding all that helps organizations reimagine how to combat cyberattacks."

The authors highlight several ways in which businesses can combat cyberattacks:

    --  Expand the focus of cyber-threat intelligence: Many cyber-threat
        intelligence services collect data from enterprise IT environments to
        detect potential cyber threats. There is some investigation of the dark
        web, but it is usually limited to harvesting threat information and
        alerting potential targets. By expanding and investigating more services
        on the dark web, we can yield insights into new and more effective
        defense mechanisms.
    --  Pursue a good offense as the best defense: Cyber strategy in most
        organizations is mainly reactive. Companies defend themselves after
        successful attacks have been launched. Defenders can flood the
        cyberattack ecosystem with deceptive services, making the dark web less
        attractive for cybercriminals seeking to purchase services. Another
        offensive strategy is to disrupt select services that are frequently
        used to create attack vectors, thereby making it difficult and risky to
        orchestrate an attack.
    --  Create a cyber-defense service value chain: Cyberattack defense cannot
        be relegated to law enforcement agencies alone. Instead, it requires an
        ecosystem aimed at combating cybercrime that includes many actors --
        individuals, corporations, software and hardware providers,
        cybersecurity solution providers, infrastructure operators, financial
        systems, and governments -- working together.
    --  Approach defense as a business problem first, not a technology problem:
        When business leaders ask, "How can we prepare for unknown
        cyberattacks?" they often assume that attackers are using new and
        perhaps unknown technologies. However, frequently the attackers and
        defenders use the same technologies, and oftentimes, many technologies
        used in attacks were initially developed by the defense research
        community to block other kinds of attacks. So attacks should be treated
        like other business threats. Risk management tools and techniques can
        shed additional light on what's driving them, help identify
        vulnerabilities that attackers may prey upon, and enable potential
        targets to anticipate next moves.

By viewing cybercrime through this new lens and considering it less of a technological hack orchestrated by lone wolves and more as a sophisticated business market, executive leaders can better investigate the vulnerabilities of their organizations and build a more solid defense.

The authors conclude: "It's long past time to start beating the bad guys at their own game."

To read the full article, please visit: MIT Sloan Management Review.

About the authors:
Keman Huang is a research scientist at Cybersecurity at MIT Sloan (CAMS). Michael Siegel is a principal research Scientist at the MIT Sloan School of Management and codirector of CAMS. Keri Pearlson (@kpearlson) is the executive director of CAMS. Stuart Madnick is the John Norris Maguire Professor of Information Technology in the MIT Sloan School of Management, professor of engineering systems in the MIT School of Engineering, and codirector of CAMS.

About MIT Sloan Management Review
A media company based at the MIT Sloan School of Management, MIT Sloan Management Review's mission is to lead the conversation among research scholars, business executives, and other thought leaders about advances in management practice, especially those shaped by technology, that are transforming how people lead and innovate. MIT Sloan Management Review captures for thoughtful managers the creativity, excitement, and opportunity generated by rapid organizational, technological, and societal change.

Contact



            Emily Lavelle



            Emily Lavelle Communications



            +1-212-390-1328 | emilylavellecommunications@outlook.com

View original content to download multimedia:http://www.prnewswire.com/news-releases/cybersecurity-researchers-introduce-new-model-for-fighting-cybercrime-in-mit-sloan-management-review-article-300884436.html

SOURCE MIT Sloan Management Review

Related News

MIT Sloan Boston Alumni Association Announces New MIT Sloan CIO Digital Learning Series

motorCortex.ai wins first ever MIT $50K Collaborative Intelligence Competition

New MIT Sloan Management Review study finds many leaders lack essential skills to effectively lead digital transformation.

Why do people vote the way they do? Unhappiness, says MIT Sloan behavioral scientist, outweighs all other factors

New research from MIT Sloan and Northwestern Kellogg reveals the devastating economic consequences of businesses unable to work remotely

MIT Leaders for Global Operations announces new industry partnership with Rivian

MIT Leaders for Global Operations announces new industry partnership with ResMed

MIT Sloan CIO Symposium Announces 2021 Leadership Award Nominations

View all News

Latest Procurements

Delivery of the Forestry Workforce Training Program

Engagement of a Supplier to deliver activities against the recommendations of the Forestry Workforce Training Program Scoping Study.

Certificate IV in Government Investigations and Defensive Tactics Training

LONG TERM COMMONWEALTH LEASE IPSWICH QLD AND SURROUNDING AREAS

Exceptional Leasing Opportunity COMMONWEALTH LEASE

View all Procurementsp

Agenda

October

United KingdomCopthorne Tara Hotel, London, UK

International Dismounted Soldier, 29-30 October 2024, Copthorne Tara Hotel, London, UK

Navigating the Evolving Battlespace: Enhancing the Capabilities of the Dismounted Soldier The modern battlefield...

September

United KingdomHilton London Syon Park, London, UK

Defence Transformation Conference, 24-26 September 2024, Hilton London Syon Park, London, UK

Returning for its 8th year, Defence Transformation 2024 will feature an updated format that will address all aspects of...

June

FranceParc des Expositions de Paris Nord Villepinte ZAC Paris Nord 2, 93420 Villepinte – France (Halls 5a – 5b – 6)

Eurosatory 2024, 17 - 21 June 2024, Parc des Expositions de Paris Nord Villepinte ZAC Paris Nord 2, 93420 Villepinte – France (Halls 5a – 5b – 6)

Eurosatory 2024 There can be no sustainable world without peace and security. Founded in 1967, the exhibition...

View All Events

Companies

Group 4 Al Zahem W.L.L. - شركة جروب فور الزاحم للحراسة والأمن والسلامة ذ.م.م

Carrocerias Valentina S.A.

Inmarsat Solutions B.V.

View All Companies