Report: Cybercrime orgs look more like firms than gangs

So sophisticated have cybercrime organizations become that they more and more resemble the companies they are attacking, according to a new study out Monday.

So sophisticated have cybercrime organizations become that they more and more resemble the multinational companies they are attacking, according to a new study out Monday.

“Cyber criminals look to maximize their profits and minimize risk,” reads the report, from Hewlett Packard Enterprise Security Research. “They have to compete on quality, customer service, price, reputation, and innovation.”

“The attackers have become almost corporate in their behavior.”

Take recruitment. “Any corporation that wants to expand has to recruit the brightest and the best,” Rob Roy, public sector chief technology officer for HPE Security told FedScoop in an interview. “So do these guys.”


“Obviously they can’t advertise in the newspapers,” Roy said, but instead they will recruit on underground forums — “completely virtual and mostly anonymous.”

The forums — the best of which are members only — are vital to the criminal ecosystem since they create an environment in which criminals can develop a public reputation.

“While they are lawless, they have their reputation to protect,” said Roy. “It takes a while to earn” and that creates a disincentive for criminals to cheat or steal from each other. 

There is, in other words, honor among thieves.

Like cyber defenders, online criminal gangs have to deal with demand and supply equations in the labor market, but “The barriers to entry are a lot lower [in the cybercrime world] … Defending is a much harder job and the costs of training and education are significant.”


By contrast “It is trivial to download free attack tools and practice with them,” said Roy.

“There are plenty of countries around the world without a good job market, but with a modern internet infrastructure.”

That imbalance between the ease with which attacks can be conducted and the difficulty of defending against them has helped drive cybercrime to a $300 billion a year business, said Roy.

“You can’t stop everything,” he said. “The way to do this [defense] is to think of them as competitors. … My job is to make them hate their job.”

Roy quoted Sun Tzu: “If you know your enemies and know yourself, you will not be imperiled in a hundred battles.”


“Over the decades, we’ve come to know ourselves pretty well. This report is to help us get to know them. That’s the next step.”

Download the HPE report here.

Contact the reporter on this story via email, or follow him on Twitter @WatermanReports. 

Shaun Waterman

Written by Shaun Waterman

Contact the reporter on this story via email, or follow him on Twitter @WatermanReports. Subscribe to CyberScoop to get all the cybersecurity news you need in your inbox every day at

Latest Podcasts