Back in the day hackers hacked to see what was possible. Why did they do it?
Because it was there.
I’m pretty sure Robert Morris said that. A lot of the most interesting and epic hacks in the early days of software were about pushing boundaries or learning systems for the simple joy of understanding how they worked. There are still a couple of areas like that left: the incredible checkm8 research comes to mind. Almost everything else out there is monetized. Remember when virus writers wrote viruses to wreak havoc? Their goals might have been to destroy data, or cause chaos, or to spread the love . Now viruses and worms have been weaponized and monetized into ransomware.
In the early days an attacker might collect servers globally in order to break past VPNs, or to cover their tracks. Clifford Stoll describes an incredible hunt through the Lawrence Berkeley National Laboratory to hunt down an attacker with access to their computers in the (true) story The Cuckoo’s Egg. This, too, has been monetized. Hackers now collect massive Botnets to attack servers with DDOS attacks.
Data breaches used to be about collecting insider information for the world to see. Information that was then shared freely over BBSs and on floppy disks. After all, Information wants to be free . Data breaches are now piped to the dark web and information black markets. Stewart Brand might have been right that information wants to be free, but he was also right that information tends to be expensive. Credit cards and other PII are primary targets for online theft now. In fact, credit cards are now the most common piece of information sold on the dark web, fetching $5-50 per card number, depending on how much additional information is included.
How is all of this useful to you? Well, do you want to know where the bad guys are going to attack you next? Follow the money.
What on your network has value? What can be bought and sold? What would you pay a ransom to restore? What products and services do you pay for that an attacker would love to get access to?
Once you identify the list of your most valuable assets, you’ll know what the attackers are eyeing inside your enterprise, and then you can invest in ways to protect them.
When in doubt, just follow the money.