Rise of as-a-service lowers bar for cybercriminals

Criminal market changes with as-a-service offerings via exploit kits

glowing box
Credit: Thinkstock

As-a-service offerings for things such as DDoS and malware -- including ransomware -- via exploit kits has seriously lowered the bar for entry into the criminal market. Hackers no longer need to have sophisticated skills in order to gain entry into the world of cybercrime.

According to Geoff Webb, vice president of strategy at Micro Focus, the industrialization of the processes and the availability of the tools has created this expanded forum that allows non-technical people, anyone really, to enter into the digital crime market. 

And there are a myriad of super inexpensive kits available. "Whether it's the ability to quickly crack passwords or find pre-mapped enterprises to get a look inside an organization and see where their services are and what services are running, or rent a by-the-hour DDoS attack, it's made the cost of entry much lower," Webb said.

The availability of these sets of tools means that capabilities and knowledge are readily available for hire or purchase, even for those non-skilled criminals. "They are industrialized, well known, and understood. An attacker can run everything that is vulnerable to this particular attack and tailor these tools to their targets," Webb said.

For pretty cheap money, virtually anyone is able to "Take advantage of unmatched systems, unmodified administration accounts, privilege escalation, or SQL injection attacks," said Webb. 

These types of attacks work, said Webb, because organizations continue to struggle with implementing those basic controls.

More sophisticated hackers are using what Webb called a 'scalpel' attack. These are often state sponsored hackers or they are working for state sponsored organizations. "They use very sophisticated technology to establish a foothold," Webb said.

What the industry is seeing now with the rise of these as-a-service exploit kits is a 'sledge hammer' style of attack. "The complexity of mitigation is the same as it's always been, but the scale is the challenge for organizations," Webb said.

What allows for the automation of these attacks, said Scott Simkin, senior threat intelligence manager at Palo Alto Networks, is the exploit kits, "With beautiful interface that infect websites with the single push of a button. They determine the vulnerability and distribute the malware, and they can leverage them without any technical knowledge."

Because attackers no longer need a technical skill set to leverage these attacks, "The people who may take advantage of that might be the folks who were once focused on more physical crime who didn’t think of the internet as a way to profit," Simkin said.

If traditional criminals are transitioning into the world of cybercrime in a way that hasn't been seen before, how will that impact enterprise security?

"Exploit kits and automated attacks, offering fully functioning RaaS, pay someone to conduct a ransomware campaign and they do profit sharing. If you can outsource this fast paced concept as an attacker, that’s pretty innovative,"  Simkin said.

Since they can access lots of resources in an easier way, there is a higher volume of attacks. Simkin said, "From the defender perspective, they are looking at more data and more alerts and more things that they have to parse through and decide what to take action on."

That's why prevention is making a comeback. Returning to the days of focusing on prevention rather than detection and response, said Simkin, should be the first approach.

"It’s all about prevention, having the right systems and policies in place so that they are getting leverage from the things they deploy, not the people they throw at it. They have to be thinking about the prevention-first approach, from end to end," Simkin said.

Given that attackers are lowering the bar, Simkin said, "Let's raise the bar for the security industry. We have a shared interest in sharing intelligence. It's better for the community as a whole."

The continued rise of as-a-service availability is not going to stop, said Simkin, "Over the next 12 to 24 months we are going to see all of the as-a-services increase. As an organization, their approach needs to be about prevention and how do they support prevention."

Because these services have been so successful, said Greg Martin, CEO of JASK, "Security teams now have a smaller number of threats to keep up with. The market has moved to less than 10 of these providers. There's a smaller amount of malware overall but a volume increase."

Even though these exploit kits are not delivering government grade malware, it’s still very dangerous because it's basically a tunnel into their network, said Martin.

A lot of these guys sell access to the machines they are able to compromise. Martin said, "They will advertise on the dark web, and someone can just buy that access for $5, $10, $20. The price is so low because of time to detection."

AI holds promise as a solution to the increased volume of attacks. "How do we take the best humans in the game and teach a machine to function at 30 percent of what our best analysts can do? A machine doesn’t need sleep. Humans can’t get through it all because it’s so much, so they need to shift more to automation just like the attackers have," Martin said.

Martin echoed the idea that intelligence sharing will benefit the community. "It takes a village to protect yourself. They need to get out of their silos and share information, collaborating through ISAC organizations or intelligence communities because they want to know when that next version of malware comes out and what it supports," Martin said. 

Dave Chronister, founder of Parameter Security, though, said that this concept of lesser-skilled attackers is really nothing new. "From an enterprise security standpoint, the threats are still the same. The difference is the amount of actual attacks you may have," Chronister said.

Because they should all have backups, "Ransomware should be at the maximum a hassle. They are not going to find the extremely sophisticated attack that can allow someone to bypass the security controls in place, except maybe in DDoS," Chronister said.

Even though they are able to capture or rent a fairly large botnet for a pretty low price and cause some significant outage, Chronister said, "I've never heard of a legitimate case where DDoS has allowed someone to gain access. There should be no greater risk."

Backing up the data on premise and segmenting the network are solutions that should stop a lot of these attacks. "But replication is not backup. If they are using DropBox or Google Drive, that's replication, not back up."

Chronister said that basic controls stop a lot of this. "It's really easy to get concerned. These risks are always going to be there with criminals renting or writing the attack. We have to keep our environment secure and never pay a fee for ransomware."

A ransomware attack is the easiest thing to prevent, said Chronister, "And if they have to pay, consider it their fine for not backing up."

Sorry no such service for commenting, except to head to our Facebook page.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
How much is a data breach going to cost you?