Division of labor in criminal enterprises leads to high-volume, low-cost attacks

Craig Taylor

Henry Ford revolutionized automobile manufacturing a century ago by dividing complex assembly tasks into specialized roles.  This dramatically lowered production costs and made cars affordable for the masses.  Likewise, today’s cybercriminals are adopting a similar division of labor.

Initial Access Brokers (IABs) are the latest specialists in the cybercrime assembly line. These actors focus solely on infiltrating corporate networks. They subsequently sell their access cheaply and at high volume to ransomware groups and data thieves. This specialization enables cyber attackers to operate more efficiently and economically.  This significantly reduces the cost and time required to launch damaging attacks against organizations of all sizes.

Understanding this alarming shift toward specialized cybercriminal roles is crucial for businesses to understand.  If you want to protect your networks and your data from increasingly accessible and affordable cyber attackers, please read the rest of this article.

What Are Initial Access Brokers?

IABs specialize in infiltrating computer systems through methods such as social engineering and brute-force attacks. However, instead of exploiting these breaches themselves, they sell the access to other cybercriminals, such as ransomware groups and data thieves. This division of labor allows IABs to concentrate on their core competencies while minimizing their exposure to law enforcement. Operating primarily on dark web forums, they serve as a crucial hyper-efficient link in the cybercrime ecosystem.

The Shift to High-Volume, Low-Cost Sales

Traditionally, IABs targeted high-value organizations, selling access at premium prices. However, recent data reveals a strategic pivot:

• Pricing Trends: In 2024, 86% of access listings were priced under $3,000, with 58% below $1,000. While the average price increased slightly to $2,047 due to a few high-priced sales, the median price remained low, indicating a focus on volume.
• Target Diversification: IABs are expanding their reach beyond traditional sectors. In 2023, the business services sector accounted for 29% of attacks, but this dropped to 13% in 2024, suggesting a broader distribution of targets across various industries.

Implications for Cybersecurity

The advent and adoption of IAB organizations that specialize in compromising individuals, companies, and networks is very troubling.  As you’ll see below, there are almost a dozen concerning implications associated with this division of labor in cyber crime ecosystems.

• Increased Risk for Smaller Organizations: Lower-priced access makes it feasible for more cybercriminals to purchase and exploit network access, putting smaller organizations at greater risk.
• Rapid Deployment of Attacks: By providing ready-made access, IABs enable ransomware groups to launch attacks more quickly, reducing the time between infiltration and exploitation.
• Challenges for Law Enforcement: The move away from public forums to private dealings makes it harder for authorities to track and disrupt IAB activities.
• Complexity of Attribution: The increased layers of specialized roles obscure who is ultimately responsible for breaches, complicating legal and forensic efforts.
• Scalability of Cybercrime: Specialized roles allow cybercriminals to rapidly scale their operations, exponentially increasing attack frequency and reach.
• Market-driven Innovation: Competition among specialized actors fuels innovation in attack techniques, increasing sophistication, adaptability, and impact.
• Rising Cost of Cyber Insurance: Greater ease of executing successful breaches will drive insurers to increase premiums and impose stricter requirements.
• Increased Need for Threat Intelligence: Organizations will need real-time threat intelligence to preemptively identify indicators associated with specialized attackers and IAB activities.

Defensive Measures

To mitigate the threats posed by IABs, organizations must consider the following strategies to protect themselves.  The 2023 Verizon Data Breach Report did a longitudinal analysis of breach data over the past 20 years. It concluded that the same attacks were happening in 2023 as in 2003.  Phishing emails were by far the most common method used to successfully breach a company followed by poor password hygiene.  When reviewing the defensive measures below, place heavy emphasis on the human risk factors to properly prevent breaches!

• Conduct Employee Training: Educating staff about phishing and other social engineering tactics can reduce the likelihood of successful attacks.
• Implement positive-reinforcement Phish Testing:  the most powerful reinforcement technique known in psychology is the “variable ratio reinforcement schedule“.  To put this inside a concept everyone can identify with – think of “slot machines or gambling.”  Therefore, when teaching employees how to phish, adopt a positive, variable ratio reinforcement schedule.  This has the least extinguishing effect for behaviors.
• Implement Multi-Factor Authentication (MFA): Adding an extra layer of security can prevent unauthorized access even if credentials are compromised.
• Regularly Update and Patch Systems: Keeping software up to date closes known vulnerabilities that IABs might exploit.
• Monitor Network Activity: Using intrusion detection systems can help identify unusual behavior indicative of a breach.
• Deploy Intrusion Detection Systems (IDS): Monitor network traffic for anomalies indicative of potential breaches.
• Enhance Endpoint Security: Employ advanced antivirus and endpoint detection and response (EDR) solutions to identify and mitigate threats quickly.
• Establish Incident Response Plans: Clearly defined procedures enable rapid response and containment of cyber incidents.
• Utilize Threat Intelligence Services: Proactively identify potential threats and indicators of compromise through real-time intelligence feeds.
• Practice Data Segmentation: Limit damage from breaches by restricting access and segmenting critical data and systems.

Conclusions on the Division of Hacking Labor Markets

As Henry Ford’s innovations brought immense efficiency to automotive production, cyber criminals have similarly leveraged specialized divisions of labor to intensify and expand their malicious operations. By understanding and addressing these evolving threats through strategic countermeasures and continual vigilance, businesses can better defend themselves against the increasing specialization, expertise, and impactful capabilities now prevalent within the cybercriminal ecosystem.  

CyberHoot can assist in building robust defense-in-depth cybersecurity programs at affordable prices using our virtual Chief Information Security Officers.  Reach out to Sales@cyberhoot.com for more information.

Craig Taylor is the co-founder and CEO of Cyberhoot.