Crime as a Service

by Mark Rowe

A faceless person, wearing a hoodie, sitting behind a screen. Such is the universal and overused image that represents cyber criminals. A lazy image; it is designed to tell us absolutely nothing about the people behind the malicious endeavours, and many would argue this is because the criminals are fundamentally unknowable. But this isn’t true, and it behoves us all to become more familiar with these people in our efforts to defend our organisations from their attacks, writes David Fairman, CSO APAC at the cloud security product company Netskope.

The first thing to know is that cyber criminals are not a separate species from the rest of the criminal underworld. They are part and parcel of a well-organised ‘industry’. Just as Ocean’s 11-style safe cracking or contortionist skills can be bought for the right price, so can technical skills.

Criminal networks are economically motivated. Established and successful organised crime groups go where the money is, and in the last few decades that has meant fewer armed robberies and Brink’s Mat-style ambushes, and more digital attacks. Just as organisations the world over have ploughed huge amounts of effort and cash into digital transformation projects, so criminal groups have invested time and effort in working out the weaknesses in digital infrastructure, and the resultant opportunities for economic crime.

We hear much about a skills crisis – too few among the legitimate workforce have the digital skills demanded by industry. This is something that criminals and their victim organisations have in common. And just as businesses have increasingly turned to the X-as-a-service model to reduce their requirement for in-house skills, so criminals have done likewise. Enter: Crime-as-a-Service (CaaS).

CaaS is a model where experienced and skilled cybercriminals build and develop sophisticated tools, platforms and capabilities and then sell or rent these to other criminals who do not have the technical knowledge to create them themselves. CaaS provides skilled operators with funding from established criminals, and in return criminal groups can up-skill quickly and easily. CaaS is driving the volume and sophistication of attacks in the threat landscape today, and the barrier to entry into cybercrime and the illegal economy is lowering.

Criminals can often exploit bleeding-edge capabilities with greater ease and velocity than legitimate businesses can, as they do not operate within the same boundaries and constraints. They are not regulated or governed, but are often well funded and coordinated.

Most of us don’t spend a lot of time on the Dark Web, and it can seem incredible to talk of the tools of a cyber attack being casually sold to criminals as easily as we buy a book from Amazon. But this is exactly what happens. Here are just some of the common services that can be readily sourced as CaaS.

Phishing Kits/Platforms

Phishing is one of the top attack vectors used to compromise organisations, so it is little wonder that these capabilities have become commoditised. Phishing kits and phishing platforms are readily available on the Dark Web for as little as US$2-$10 to facilitate the attack on an organisation.

Exploit Kits

These include the development of exploit code and tools to exploit known vulnerabilities. One of the most popular kits, RIG, is just US$150 a week to use and can spread ransomware, trojans, and other forms of malware. It has a large network of resellers with a complex business structure making it accessible and affordable for criminals.

DDoS Services

A criminal group no longer needs to build up a botnet to launch an attack on a target. Today, they can rent these services on demand. The time it takes to launch an attack is minimal and the infrastructure can be spun up and spun down quickly and efficiently using cloud infrastructure, making it harder to track and defend against. DDoS services are also cheap and accessible with many providers offering subscription plans on the Dark Web. All of this makes DDoS services especially dangerous to legitimate organisations due to the ease with which they can be carried out by malicious actors, and the profits they can create for criminals, with some estimates putting margins at 95 per cent per attack!

Ransomware as a Service

Similar to DDoS services, cybercriminals can leverage purpose-built ransomware services to target a victim, alleviating the need for a lot of technical knowledge. These services provide not only the technical depth and skills but also all the information needed to carry out an attack. In some cases, they will also provide a dashboard and reporting on its status. KPIs and SLAs in the criminal underworld! Ransomware as a Service has varying prices and payment models, with some being subscription-based, flat fee, or profit-sharing. Prices can be as low as US$40 and range upwards into the thousands for large targets.

Looking at this malicious menu is an eye-opening experience. For those of us who spend our waking hours building and securing networks against attacks, it is almost insulting to see the bane of our lives sold so cheaply. And the mechanisms of purchase are of course very straightforward too. The Crime-as-a-Service industry has the perfect untraceable payment system in cryptocurrencies – easy to use, anonymous and untied to international borders or restrictions. In 2015, a Europol report stated that Bitcoin was used in more than 40 per cent of illicit transactions in the European Union, a number that has doubtless risen since then.

While this may all be uncomfortable reading, it is also illuminating and fascinating. Those of us who are responsible for securing an organisation against cyber criminals must make it our business to understand the operating model of our adversaries. Just as cybercriminals share information, coordinate, and evolve their capabilities, understanding their targets and operationalising cutting-edge techniques quickly, so must we. If the attack has become so affordable for criminals, we cannot afford not to defend appropriately.

© 2024 Professional Security Magazine. All rights reserved.