Enterprises have a tough time filling positions for security professionals, yet somehow attackers are able to recruit new talent. How do they do it? In a report issued today at the RSA conference in San Francisco, Digital Shadows examines hackers' recruiting methods, finding they do not approach recruiting that differently than enterprises.
"Cybercriminal and defender recruiting efforts are more similar than one might initially think," Rick Holland, VP of Strategy, Digital Shadows, told eSecurity Planet. "We observed a very similar process of job posting, advertising, interviewing and trial periods."
In enterprise IT there is a constant drumbeat of news and reports about the lack of talented cybersecurity professionals. Digital Shadows didn’t observe specific complaints about being able to find talent. However, because of the recruiting efforts it observed, there’s clearly a formidable effort for both good guys and bad guys to attract talent, Holland said.
It's important to understand the cyber crime ecosystem as a whole, he said. There are many low-skilled individuals who can offer support services such as carding and muling. However, far fewer have the ability to code their own exploits.
"The existence of extensive checks and balances may illustrate that groups find it too costly to hire poor quality individuals," Holland said. "A rigorous application procedure is used to ensure that only the most talented individuals are recruited. "
In the enterprise IT world, placing job ads on recruiting sites is a common recruitment technique. There is a corollary for cybercriminals, and Holland said such underground recruiting efforts are startling in their similarities with the legitimate counterpart.
"While many advertisements are standalone or posted on forums, some exist on specific job boards that have been created for this express purpose," Holland said. "A handful of these job boards actually offer paid job advertisements; simply pay the fee and your advertisement will reach a wider audience."
Digital Shadows encountered paid-job boards on general hacking forums, with the language obscured. For example, on one Russian-speaking forum, one individual spoke about the need for a “pianist,” a likely reference to a hacker.
Enterprise IT can learn some lessons and best practices from observing hacker recruiting activities. In particular, tracking the activities of cyber criminals can help inform enterprise security strategies.
"We observed the desire for criminals that can exploit SQL injection, which has been a problem for decades," Holland said. "Enterprise IT should be focusing on the low-hanging fruit that criminals actors exploit, so application security should be a fundamental component of their security program."
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.