Cyber threats are growing in velocity and volume at an unprecedented pace. Cybercriminals have taken every advantage of new capabilities to grow and prosper, which, coupled with the pandemic and a sharp increase in remote work and cloud access, has opened the door to new vulnerabilities. If there's one thing that fuels the actions of bad actors, it's an opportunity to strike.
Less-experienced threat actors are entering the space in hopes of easy returns, but an even bigger challenge is how quickly experienced professionals are engaging in crime-as-a-service (CaaS). These professional individuals and criminal organizations develop advanced tools and packaged services and then sell them to other criminals who are usually less experienced. Those buyers can then carry out complex attacks at the scale they want and against the victims they select.
Monitoring for these threats is the challenge that organizations, governments, and their security teams battle on a daily basis. The first step to addressing the issue is understanding the most common and trending CaaS services. The six most common CaaS services include:
Phishing continues to be one of the top attack vectors used to compromise organizations, so it is little wonder that the commoditization of these capabilities has increased dramatically. Phishing kits, as well as phishing platforms, are readily available on the Dark Web for as little as $2 to $10 to facilitate an attack on an organization. Furthermore, these kits and platforms are customizable with little knowledge or skill required and offer various levels of automation, making them very attractive to criminals.
These include the development of exploit code and tools to exploit known vulnerabilities. One of the most popular kits, RIG, costs just $150 a week to use and can spread ransomware, Trojans, and other forms of malware. It has a large network of resellers with a complex business structure, making it accessible and affordable for criminals. However, exploit kits have become less prevalent since 2016, as browsers increasingly update automatically and Flash usage has declined.
No longer does a criminal group need to build up a botnet to launch an attack on a target. Today, they can rent these services on demand. The time it takes to launch an attack is minimal and the infrastructure can be spun up and spun down quickly and efficiently, making it harder to track and mitigate. Services that are built around distributed denial of service (DDoS) are also cheap and accessible with many providers offering subscription plans on the Dark Web. For example, plans on the cheaper side run for $5 a month with one concurrent attack at a 300-second attack time. More expensive plans are $60 a month with one concurrent attack at a 10,800-second attack time. All of this makes DDoS services especially dangerous due to the ease with which they can be carried out, and the profits they can create for criminals, with some estimates putting margins at 95% per attack.
Similar to DDoS services, cybercriminals can leverage purpose-built ransomware-as-a-service (RaaS) offerings to target a victim, removing the need for much technical knowledge. These services provide not only the technical depth and skills but also all the information needed to carry out an attack. RaaS pricing and payment models vary, with some being subscription-based, flat fee, or profit-sharing. Amounts can be as low as $40 and range upward into the thousands for large targets.
This involves legal or illegal collection of information on targeted victims as well as the resale of stolen personal data, such as compromised credentials. It can also include the selling of information about potential exploits within software or systems.
Cryptocurrencies are a widely used method by cybercriminals for transferring and collecting funds due to their anonymity, ease of use, and lack of international borders and restrictions — things that make using a traditional bank difficult for criminals. Cryptocurrency accounts generally do not require the user to provide any personal information or their location, and also allow the use of multiple accounts at once.
Lessons From Banking
The next step is insisting on something often talked about but far less easily enabled: collaboration. We have seen good examples of how cybersecurity teams are working more closely with other internal parties, especially in the banking sector. Some of the major UK and European banks have been operating with an organizational structure where financial crime and cybersecurity teams have been part of the same business unit for over 10 years, driven by the natural synergy between these functions.
This has created significant progress. With the convergence of cyber and financial crime teams, the industry has seen the emergence of the fusion center, which can be thought of as an advanced version of the security operations center (SOC) management model, unifying several different teams within an organization, such as fraud, financial crime, and cyber. By bringing together these units, organizations can increase situational awareness, share analytics and threat intelligence more easily, become more attractive to talent, and adopt a standard framework for procedures.
Combating cybercrime and disrupting the illegal economy can then be done to a more effective degree by having more transparent management, establishing an end-to-end operating model, and allowing easier collaboration and consolidation on relevant threats and actions. Another benefit of the fusion center is the removal of otherwise undetected duplicated resources and labor, improving efficiency and saving costs.
This is one tangible example of how a lot of good ideas and discussion become collaborative action that creates positive change. Just as cybercriminals continue to share information, coordinate, and evolve their capabilities, so must we.