Cyber crime has been commercialized. Infecting computers with ransomware or using an advanced persistent threat to pilfer intellectual property no longer requires deep technical knowledge. Just use Google to learn how to access the Dark Web, and you can find hackers who, for a price, are more than happy to write malware, create highly effective spear phishing campaigns and develop bogus websites for harvesting login credentials.+ Also on Network World:\u00a0DDoS-for-hire services thrive despite closure of major marketplace +Major companies (think Fortune 500 organizations) understand that cyber crime as a service has changed how they handle defense. But for organizations still maturing their defensive measures, here\u2019s what the transformation of cyber crime into an industry means for how you approach information security. \u00a0You\u2019re enemies aren\u2019t script kiddiesSecurity and IT professionals need to accept that they\u2019re not facing inexperienced hackers. The good guys typically realize that adversaries are skilled but don\u2019t fully realize their technical prowess. Script kiddies are still out there, but I\u2019d argue that they\u2019re not going after enterprises.The real threat is from the group of hackers who worked for the Russian government, realized their skills could command a high price in the private sector, and now sell their services on the Dark Web. For them, hacking isn\u2019t a pastime. It\u2019s their profession. Often times they get paid only if the mission is successful, giving them an incentive to make sure the goal is achieved. If you\u2019re a defender, adopt the perspective of the enemy. Think what points you would try to exploit if you were on the offensive side.Better walls doesn\u2019t lead to better securityWith professional hackers behind the keyboard, infiltration is guaranteed. Security and IT professionals should accept that attackers will eventually find a way in, regardless of how great your defenses are. This can be hard for companies (even major ones) to understand. There\u2019s a belief that better information security means building higher and thicker walls. So, you add firewalls and antivirus software. When those aren\u2019t enough, you add next-generation antivirus, intrusion prevention systems and some other next-generation technology.But adversaries will figure out how to get around all of those products. You build a bigger wall; they just dig a tunnel under it. You can\u2019t fight every threat or the entire internet. This realization isn\u2019t meant to discourage information and IT professionals who are diligently trying to protect their companies. Instead, I hope they\u2019ll adopt a different perspective on how to handle advanced adversaries.Use a security incident to your advantageIf the bad guys are destined to infiltrate your company, what kind of defense can you mount? To start, have a current incident response plan in place. This means updating it to include any major changes at a company and reviewing it to make sure key personnel are included.For example, does your incident response plan include notifying public relations staff to handle media inquiries or contacting a government agency due to regulations? And make sure the people involved in the plan know how to use it. The first time people see it shouldn\u2019t be during an incident. Run through the incident response plan at least once a year.Next, look for adversaries who are already in your environment. As sophisiticated as attackers are, they\u2019re not invisible. They will always leave some trace, no matter how small. As defenders, your job is to discover those tiny clues and use them to figure out the attacker\u2019s complete plan.Try to learn how the attackers evaded your defenses, what they\u2019re after and what systems have been compromised. Your goal here is to stop the entire attack, not just one component of a much more elaborate campaign. Partial remediation means the attackers still have a foothold in your environment.Don\u2019t focus on attack attribution. That doesn\u2019t do much to improve your security. If you\u2019re in the midst of a crisis, your priority should be helping your organization return to normal business functions as quickly as possible, not figuring out whether the Russians or Chinese stole your intellectual property.When and if you find evidence of attackers, don\u2019t treat this discovery as a defeat. Security incidents\u2014even major ones like a data breach\u2014are an opportunity to improve your defenses. Security budgets typically aren\u2019t increased as a result of everything going right in your organization. Knowing the gaps in your defenses gives you the opportunity to plug them.Cyber crime as a service means the good guys must change their approach to information security. Defense is no longer a zero-sum game, with every breach equalling a defeat. And winning doesn\u2019t mean stopping all the attackers. If the enemies are bound to get in, use this to your advantage by treating it as an opportunity to discover their full plan and improve your defenses.