Wednesday, May 7, 2025

RSAC 2025: Fortinet Deconstructs Cybercrime Mobs, Business Models

Attackers behave more like businesses every year, doing market research (reconnaissance), targeting prospects (manufacturing), and adding new products (DDoS-as-a-Service), says Fortinet's Derek Manky.

Terry Sweeney, Contributing Editor

May 7, 2025


RSAC CONFERENCE 2025 — SAN FRANCISCO — Attackers behave more like businesses every year, doing market research (reconnaissance), targeting prospects (manufacturing), and adding new products (DDoS-as-a-Service), according to new research from Fortinet.

And like any business that wants to grow, money is fueling cybercrime's growth and sophistication, said Fortinet's Derek Manky in a conversation with Dark Reading's Terry Sweeney. "This is what's fueling it, what's pushing them to innovate, create new tools, specifically crime services," Manky said. "It's all about monetization for cybercriminals."

And like any business, they have software developers and create tools they can use in an attack. "Once developed, then they simply monetize that," Manky said. "They put it into a SaaS-like model and sell it — we've seen that with ransom-as-a-service, DDoS-as-a-service. In our report, we highlight new ways that they're doing that, specifically with reconnaissance-as-a-service."

In that vein, Fortinet's research showed an 18% increase in reconnaissance activity in 2024 over 2023. Network scans were the most visible tactic, probing to find the weak holes in the armor. And automation helped them to be more relentless about it. There were more than 36,000 scans per second on average throughout the entirety of 2024, Manky says. "What that tells us is they're adjusting their tactics and techniques to shift left and really stay on more of that pre-attack phase so that their attacks can be more efficient," he explained. "And of course, they're using AI for that as well."

Derek Manky leads FortiGuard Labs' Global Threat Intelligence Team at Fortinet, bringing over 20 years of cybersecurity experience. He has established frameworks in the security industry including responsible vulnerability disclosure, which has exercised the responsible reporting of over 1,000 zero-day vulnerabilities. Manky has been with the Cyber Threat Alliance since it was founded in May 2014. For more than 15 years, he has been highly engaged with collaborative industry efforts including the CTA, FIRST.org, NATO NICP, MITRE CTID, INTERPOL Expert Group, and the World Economic Forum Partnership Against Cybercrime (PAC). His vision is applied to help shape the future of proactive cybersecurity, with the ultimate goal to make a positive impact on the global war on cybercrime.


