Let me tell you about a great business plan I ran into recently. It’s not the traditional “we’re all going to make millions” operation, but it has some characteristics you’ll relate to if you have ever tried to pitch a startup idea to a VC …
This is a business that has remarkably innovative financing and sales/marketing operations. Almost a bootstrapping model, getting the business started does not require any more than an initial investment of let’s say $1,000 (now that is something you don’t see a lot of with VC pitches). Are you interested yet? This $1,000 goes into the basics – infrastructure and the initial “wages” for your sales channels. (Yes – we are building on a pure channel partner program, as we are not that great in direct sales….) You’ll plan on recovering these in a short term of let’s say a couple of months, if not doubling your investment by then.
Okay, I’m not going to keep you waiting for too long – the business I’m talking about is one that I have spent days (and nights) researching and analyzing over the past year. It’s the business of making money online – e-crime. This business is really close to you – you’ve seen it on sites such as CNN, eBay, your online banking provider, and other major news/finance/entertainment portals. You’re closer to it than you may realize, as the “channels” I have mentioned earlier are in full utilization and can get to YOUR favorites list. And this is not all sci-fi – I have had a chance to spend some quality time with a few law enforcement agencies and correlate my data with their findings. There’s nothing like seeing an organization chart of the national organized crime at a police intelligence office, and overlapping it with the e-crime data brought in from the security research side!
Covering this area is an intriguing mix of business, finance, and a lot of technical forensics that really provides a view of the big picture. From understanding and following the distribution payout business models, through the internal update mechanisms of custom toolkits (and their “phone home” licensing mechanisms – see the image below showing how Neosploit is contacting it’s licensing server as seen from an IDA disassembly of the toolkit).
All in all, I would say that this area of research is one of the most challenging I have had a chance to be involved with. The variety of skills required (technical, business, finance and sometimes social…) is what I perceive would be required from any modern security researcher getting into this field (and us veterans know that the adaptation is fun!). Getting into the details of the kind of operation that has such a direct impact on how web security is perceived by the general public, by corporations who get hit by targeted ROI-driven attacks, and by security vendors and researchers trying to find the right solutions and stay ahead of the curve, has proven to be a real eye-opener. And this is coming from a guy that used to do UNIX security, then network stuff, application security in the heyday of 2000, and now business/technical of e-crime.
Looking forward to seeing a lot of old (and new) friends while I’ll be presenting at BlueHat v8 this October, and until then – promise to keep collecting anecdotes and code for what I hope will be an entertaining and informational talk.
Iftach Ian Amit
Director, Security Research, Aladdin