1 | welcome
Congratulations on the first step of your new career with Hacking, Inc., world leader in the fast-growing industry of cybercrime.
Though our early roots were in hobby hacking—there’s no faster way to gain knowledge than to reach out and take it—we have evolved from a collection of curious teenagers in hoodies into the acknowledged experts in everything from identity theft and data harvesting to the penetration of financial, corporate, and public infrastructures. Our clients include governments, for-profit entities of all sizes, and lesser hacking collectives who come to us for our reach and expertise. Like other best-in-class companies, we are driven by performance, and every one of us is dedicated to profit and professionalism. We have our own chain of command, best practices, and revenue goals. Some of us even wear suits.
As a result of this evolution, we now realize a 1000+-percent return on investment1 and the acutely vertical bottom-line growth of breakout Silicon Valley startups, with profits in the billions and the cost to our targets in the trillions. Like the first explorers of the Wild West or the first men in outer space, we consider ourselves pioneers.
You have joined the preeminent player in a dynamic industry. We aim to take our place atop the Fortune 500 by dragging the Fortune 500 to the bottom of the field. Our motto:
Inc., we win
Our business is to be up in yours.
2 | core values
As we continue to storm new defenses from our adversaries (like HPE Security, Hacking, Inc.’s Enemy #1), our prime directives are to develop creative new attacks and identify soft targets.
We focus on magnifying our impact, which we measure in ransoms collected, profits garnered, reputations damaged, businesses immobilized, and more.
Operating virtually, we do business across multiple geographies and industries. See the section ‘Our Growth’ to visualize our success.
We strive for reliability and invisibility. We compromise the security of our targets—never our own. Any security breaches in which we’re involved have to be outgoing, not internal.
3 | the problem
We’re doing better than ever before, but like any company, we sometimes meet obstacles that force a paradigm shift in our approach. We’re talking about the firms whose aims are to frustrate and disrupt our work, the firms that you’ve likely already encountered in your independent projects. The name you’ll see again and again is HPE Security: As the tip of the spear for disruptive initiatives—like data encryption, application security, advanced threat detection programs, information governance, backup, and recovery—HPE Security works with governments and corporations to present a very real, ongoing complication to the health of our business.
The best place to study our adversary is online, at www.hpe.com/security. Their products and defenses are state-of-the art. And as their recent Cyber Risk report shows, they have their eye on us. With that in mind, please note the specific policies we have put in place to counter HPE Security in the sections that follow.
Should any wayward employees get any smart ideas, the laser-armed sharks circling the entrances to our server room should make them think again.
We employ a range of security measures to keep our adversaries out of our office space, including, but not limited to, lava moats, dogs, and the latest digital surveillance technology.
4 | global reach
Because most of us work from home, Hacking, Inc. has been able to expand worldwide without increasing our physical footprint. In our virtual workplace, you could be exploiting targets from Albania to Zanzibar. Developing countries are increasingly on our radar, as many of them are adopting new technology without thinking so much about security.
Learn more about the escalating cost of cybercrime to organizations globally as well as the top ways we impact them via HPE’s annual Cost of Cyber Crime research.
global reach: breakdown of attacks by region (2015)2
At Hacking, Inc., everything can be a target! Ask Bob Smith in marketing about how he infiltrated a vast, corporate network via an unprotected smart toaster.
targets by industry (2015)3
impact by the numbers
cost to our targets for every sensitive record we breach4
percentage increase in our operations since 20125
percentage increase in average time spent resolving our attacks over the past six years, from 4 days in 2010 to 46 days in 20156
average cost to our targets of every “malicious insider” we recruit
average cost to each of our targets in 20157
By joining Hacking, Inc., you can be upgraded from your parents’ basement to a building with natural light!
Please have your employee badge, fingerprints, retinal and palm-vein scans, and four passwords ready for security clearance every day at work.
5 | department directory
While you might not ultimately work with every other member of Hacking, Inc., it’s important to understand our organizational structure. No matter which team you’re joining, there is room to move up and around, but please don’t hack internally to find out more information about other departments. Our HR team would be happy to answer any questions that you might have.
- senior leaders
- .select targets and defines company-wide priorities
- .manage profit distribution in our chain of command
- .manage departments (see below)
- product developers
- .build programs, malware, and other hacking tools
- .distribute our products to interested third parties, as we move into the software-as-a-service market
- sales and marketing
- .sell hacking projects, manage publicity (where advisable), cultivate clients, and executive media buying plans in the deep web
- .creative strategy and proposals for new-business acquisition
- learning and development
- .educate employees about hardware and software, security, backup and recovery, and more
- .offer opportunities for training and advancement
- .create and distribute propaganda
- fraud structures
- .initiation of hacking procedures through phish, spam, and ad fraud processes
- .forward-thinking innovation to defeat new security tech/protocols
- it services
- .network maintenance, including server anonymity, database support, and feeding the laser-equipped security sharks
- .tech support for detection and defeat of target/adversary defenses
- human resources
- .recruitment and vetting services, security screening and enforcement, retaliation against turncoat employees3
- .determining the value and type of projects, secure delivery of fee for services
- .generating fake credit card numbers for corporate accounts
- .predict, assess, and defend against potential costs and consequences of sensitive projects, especially aggressive hacktivist and espionage programs
6 | best practices
As they strive to bypass security measures, our hackers must also maintain a standard of professionalism equal to that of our targets and adversaries. Whether the objective is breaching a target system, damaging a personal or corporate reputation, obtaining private information and data, or bringing business to a standstill, here are a few guidelines to help you thrive as a member of the Hacking, Inc. family.
1 targeting companies
With 62 percent of our cyber attacks last year targeted at small- to medium-sized businesses, younger, fast-growing targets are less likely to have IT resources or a security relationship with our adversaries. That said, also look out for older companies that may have outdated security systems.9
2 varying the data
Combining such data types as bank accounts and personal addresses, as in the case of one 2014 breach yielding 70 million data sets, allows us to expand our objectives.10
3 honing in on apps
Data is often encrypted when stored in a database, but our targets are becoming more exploitable in apps. Look for entry through an application or when target data is in transit.
4 catching human error
Search for missing patches and updates, misconfigured networks, weak and predictable user information, and a demonstrable lack of cybersecurity expertise. These are leading indicators of vulnerability.
5 balancing gain and exposure
Know when to cut company losses if a target or adversary becomes a threat. It’s easier, safer, and less time-consuming for us to retreat before we steal information than after.11
1 encrypted data
Be as ambitious as you can, but don’t keep trying to crack highly encrypted data. It’s a waste of time and effort.
2 hardened apps
Applications are an ideal target because many developers aren’t security experts and leave gaping security holes. But avoid them if they’ve been hardened at the code level. Abandon the effort if you see evidence of HPE Security Fortify’s application-security testing tools.
Avoid targeting organizations with intelligent security operations that leverage real-time correlation and advanced analytics to detect and respond to threats. These organizations use HPE ArcSight to thwart our efforts at every step of our attack life cycles.
4 lack of professionalism
As our continued prosperity depends on subtlety, and many of you may be client-facing, please keep your own company credentials work-appropriate (no DarkLord666, Hax4Lyfe, AllUrDataRBelongToUs, etc.).
Learn more about how hackers today are working to breach major organizations as well as the latest tools and trends from HPE’s annual Cyber Risk Report.
7 | rules of thumb
Though you must have shown significant promise to be onboarded at Hacking, Inc., be aware that we’re under constant threat from our adversaries. Be vigilant, and keep learning everything you can about what they’re doing to disrupt our operations.12 They’re at it 24/7.
Our targets are implementing a growing number of strategies that have the potential to disrupt our operations. ou can learn more about what they’re doing by reading the How to Disrupt the Business of Hacking report.
Look for evidence of enterprise-wide cybersecurity education. The more training employees have in data breaches and resiliency, the harder the target will be to breach.
Be wary of frequent updates. Targets that continuously update and manage access to their systems (new forms of identification, limited data privileges) are likely to be protected by several layers of security.
Use extra caution with a target that gathers and analyzes its cyber event data. These organizations are more likely to detect unusual activity or evidence of Hacking, Inc. code.
8 | looking ahead
As the digital revolution accelerates, so will Hacking, Inc., but our adversaries are moving faster as well. Many private institutions are shoring up their own security measures, using third-party vendors and services to protect their data and systems. As HPE Security is our leading adversary, please familiarize yourself with their tactics here.
At Hacking, Inc., you are joining an institution that’s increasingly organized, effective, and ubiquitous, but our continued operations depend on our ability to outpace our targets and adversaries as they implement broad security measures, both preventive and reactive. We hope you will enjoy a long and profitable career with us, but make no mistake: You’re joining an increasingly contentious battlefield where the players are multiplying, and you’ll need to be self-motivated, courageous, and forward-thinking to help us come out on top.
this message will now self-destruct.
- 5Cost of Cyber Crime Study, 2015
- 6Cost of Cyber Crime Study, 2015
- 11HPE UBM Security Research Report, 2016