The skills shortage has hit the attacking community too, with cyber-criminals also struggling to find the right talent.
According to research by Digital Shadows, attackers need an ecosystem of malware writers, exploit developers, botnet operators and mules, but finding individuals who can be trusted is difficult and requires a rigorous application procedure.
This has led many to adopt traditional recruitment techniques to find the talent they need, including job ads on forums or boards, and to weed out applicants with no genuine technical skills.
The research found that the recruitment process often requires strong due diligence to ensure that only suitable candidates make it through. Speaking to Infosecurity, Digital Shadows’ Vice President of Strategy Rick Holland said that in the untrusted environment of the attacker, reputation is as significant as it is in the online world: if someone does a bad job, script kiddies and those who have inflated their abilities will be called out.
“Reputation is key, and that is why we see a multi-stage vetting process from interview to demonstrating their ability to make sure they hire the right candidates,” he said.
“Also, if you hire in the traditional world it can take time, but hiring as a cyber-criminal is a short time. If you steal credit cards then there is a short window to monetise them, and if you have people without the right skills then you lose that window as fraud and policy are on to it. There is a sense of urgency to deliver profits.”
Holland explained that there is a need to build up a persona and brand: for a person who is good at running botnets or setting up mules, reputation is important to them. At the same time, creating a profile requires some level of anonymity, and being vetted takes time.
Asked what the commonly required skills are, Holland said that they are the common attacker techniques, such as exploiting cross-site scripting and SQL injection, rather than the most advanced capabilities.
He said: “They are using the same thing that has been used for decades and it is good, but those who are hiring are not going after bleeding edge or technical knowledge; instead they go after the low hanging fruit as they have a finite time to monetise the data.”