The Future of Dark-Net Markets

February 2, 2019

featured-image

In This Issue:

Equity firm goes on infosec vendor buying spree

Dropgangs: what they are, why you should care

If you live in Japan, Big Brother is hacking your IoT device

Equity Firm Thoma Bravo on the Prowl for Infosec Vendors

Thoma Bravo, LLC is a private equity firm which specializes in buying tech vendors. They own Barracuda, Centrify, DigiCert, Infogix, Imprivata, LogRhythm, Qlik, Symantec Identity Services (Merged with Digicert), and Veracode. They have a minority stake in McAfee, and alongside tech private equity powerhouse Silver Lake, they took SolarWinds private. There are many other companies in their stable.

Thoma Bravo has recently refilled their fund, hitting the hard cap they set for themselves: Thoma Bravo raises $12.6 billion for latest private equity fund. This means that Thoma Bravo is once more on the hunt for companies to acquire.

This is causing rather a lot of speculation. Some individuals, for example, feel that Thoma Bravo is considering snapping up Symantec proper. Given that Symantec's market cap is currently north of $13 billion, and the fund has hit its hard cap, this particular hypothesis seems unlikely.

What is worth noting, however, is that Thoma Bravo doesn't shy away from interfering in the affairs of the companies it acquires. The most obvious example of this is when Thoma Bravo acquired both Motus and Runzheimer, merging them into a single entity in an apparently successful attempt to create a company that can dominate the mileage reimbursement technologies space.

Thoma Bravo's actions matter to information security just as much as those of any tech titan. But Thoma Bravo does not behave like a tech titan. Tech titans acquire smaller players – usually startups – to get their technology or their engineers or both. The acquired companies are slowly integrated into the parent company, and in most (but definitely not all) cases, the acquired entity stagnates, fails to innovate, and is eventually replaced by a newer acquisition.

That isn't how Thoma Bravo – and many other private equity firms like them – operate. These companies may dabble in strategic direction, or merge a few of their acquisitions, but for the most part, they tend to hold the companies they own at arm's length.

The organizations in question don't operate as a single entity, because the purpose of their acquisition wasn't to help flesh out the portfolio of the parent company; it was to generate ongoing revenue for that parent company.

Private equity firms come in flavors. These range from long-term thinkers that put serious effort into rehabilitating companies, to asset strippers. The rehabilitation-leaning firms seek return on investment in reasonably straightforward ways: growth in the value of the company, reselling the company for more money than they purchased it, merging it with another company in order to drive value, or recapitalization schemes.

The asset-stripping private equity firms want companies that are profitable, or which can be made profitable in relatively short order; and they’re increasingly gobbling up vendors in the technology space.

It's too early to tell how Thoma Bravo's information security acquisitions will play out, though it is worth noting that they purchased Bomgar, and then subsequently sold it without doing too much damage. Thoma Bravo only really started getting going in 2015, but they now control many important vendors in the infosec space, and are on the hunt for more.

Countermeasure:

Add Thoma Bravo to your list of companies whose M&A activity you monitor. Start regularly looking at the activities of large and midsized private equity firms to see who has started buying up tech companies; the answers may surprise you, as tech companies are now popular assets. Each of these firms must be monitored, just as we would monitor Cisco, Dell, or any of the other tech titans.

If an infosec company that is part of your supply chain – which may include a supplier to your suppliers – is gobbled up by a private equity firm better known for asset stripping than corporate rehabilitation, take appropriate action.

Dropgangs: a New Security Threat

Bruce Schneier has drawn attention to an interesting post: dropgangs, or the future of darknet markets. This post lays out the evolution of underground markets over the history of the Internet.

In many cases, underground markets are used by criminals. At the very least, these markets are used to evade scrutiny by law enforcement, or even by one's spouse. As law enforcement becomes more skilled at penetrating darknets (such as those found on TOR), underground commerce is evolving, and dropgangs are the new black.

Dropgangs make extensive use of instant messaging, dead drops, cryptocurrencies, and any legally protected means of traditional currency transaction. In Canada, for example, Interac e-transfers are widely used as an alternative to cash, in part because pulling the records on those transactions is more of a pain for law enforcement than pulling the data on credit card transactions. (The high fees charged by credit card companies has a lot to do with it, too.)

Countermeasure:

Alert your recon teams to the new dropgang threat. Most large organizations have recon teams that monitor darknets to see if any of their data has shown up on the Internet's underground. Now they have additional targets to keep an eye on.

Japanese Government to Hack its own Citizens

It was bound to happen eventually: The Japanese government is going to openly and publicly hack IoT devices to figure out just exactly how many of them there are, and how insecure they are.

This is the first step in getting a handle on the problem, and is ultimately part of a move towards strengthening Japanese national security by reducing their attack surface. While some might quibble over the ethics of the approach, at least the Japanese are taking the threat seriously.

Countermeasure:

This effort by the Japanese is a useful piece of politics for those organizations working to pressure governments into regulating the IoT space. If your organization is contributing to these lobbying efforts, consider integrating the actions of the Japanese government in this regard into your campaign. If your organization isn't contributing to lobbying for regulation of the IoT space, consider donating to organizations which do.