Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence


Look to Banking as a Model for Stopping Crime-as-a-Service

The first step toward prevention is understanding the six most common CaaS services.

Cyber threats are growing in velocity and volume at an unprecedented pace. Cybercriminals have taken every advantage of new capabilities to grow and prosper, which, coupled with the pandemic and a sharp increase in remote work and cloud access, has opened the door to new vulnerabilities. If there's one thing that fuels the actions of bad actors, it's an opportunity to strike.

Less-experienced threat actors are entering the space in hopes of easy returns, but an even bigger challenge is how quickly experienced professionals are engaging in crime-as-a-service (CaaS). These professional individuals and criminal organizations develop advanced tools and packaged services and then sell them to other, usually less experienced, criminals. Those buyers can then carry out complex attacks at the scale they want and against the victims they choose.


Monitoring for these threats is the challenge that organizations, governments, and their security teams battle on a daily basis. The first step to addressing the issue is understanding the most common and trending CaaS services. The six most common CaaS services include:

Phishing Kits
Phishing continues to be one of the top attack vectors used to compromise organizations, so it is little wonder that the commoditization of these capabilities has increased dramatically. Phishing kits, as well as phishing platforms, are readily available on the Dark Web for as little as $2 to $10 to facilitate an attack on an organization. Furthermore, these kits and platforms are customizable with little knowledge or skill required and offer various levels of automation, making them very attractive to criminals.

Exploit Kits
These include the development of exploit code and tools that target known vulnerabilities. One of the most popular kits, RIG, costs just $150 a week to use and can spread ransomware, Trojans, and other forms of malware. It has a large network of resellers and a complex business structure, making it accessible and affordable for criminals. However, since 2016 exploit kits have become less prevalent, due to the increase in automatic browser updates and the decline of Flash usage.

DDoS Services
No longer does a criminal group need to build up a botnet to launch an attack on a target. Today, it can rent these services on demand. The time it takes to launch an attack is minimal, and the infrastructure can be spun up and spun down quickly and efficiently, making it harder to track and mitigate. Services built around distributed denial of service (DDoS) are also cheap and accessible, with many providers offering subscription plans on the Dark Web. For example, plans on the cheaper side run $5 a month for one concurrent attack with a 300-second attack time. More expensive plans are $60 a month for one concurrent attack with a 10,800-second attack time. All of this makes DDoS services especially dangerous because of the ease with which they can be carried out and the profits they can create for criminals, with some estimates putting margins at 95% per attack.

Ransomware-as-a-Service (RaaS)
Similar to DDoS services, cybercriminals can leverage purpose-built ransomware services to target a victim, removing the need for much technical knowledge. These services provide not only the technical depth and skills but also all the information needed to carry out an attack. RaaS is offered at a range of prices and under several payment models: subscription-based, flat fee, or profit-sharing. Amounts can be as low as $40 and range upward into the thousands for large targets.

This involves the legal or illegal collection of information on targeted victims, as well as the resale of stolen personal data such as compromised credentials. It can also include the sale of information about potential exploits in software or systems.

Digital Currency
Cryptocurrencies are a widely used method for cybercriminals to transfer and collect funds because of their anonymity, ease of use, and lack of international borders and restrictions — the very things that make using a traditional bank difficult for criminals. Cryptocurrency accounts generally do not require the user to provide any personal information or location, and they allow the use of multiple accounts at once.

Lessons From Banking
The next step is insisting on something often talked about but far less easily enabled: collaboration. We have seen good examples of how cybersecurity teams are working more closely with other internal parties, especially in the banking sector. Some of the major UK and European banks have been operating with an organizational structure where financial crime and cybersecurity teams have been part of the same business unit for over 10 years, driven by the natural synergy between these functions. 

This has created significant progress. With the convergence of cyber and financial crime teams, the industry has seen the emergence of the fusion center, which can be thought of as an advanced version of the security operations center (SOC) management model, unifying several different teams within an organization, such as fraud, financial crime, and cyber. By bringing these units together, organizations can increase situational awareness, share analytics and threat intelligence more easily, become more attractive to talent, and operate under a standard framework of procedures.

Combating cybercrime and disrupting the illegal economy can then be done more effectively through more transparent management, an end-to-end operating model, and easier collaboration and consolidation on relevant threats and actions. Another benefit of the fusion center is the removal of otherwise undetected duplicated resources and labor, improving efficiency and saving costs.

This is one tangible example of how a lot of good ideas and discussion become collaborative action that creates positive change. Just as cybercriminals continue to share information, coordinate, and evolve their capabilities, so must we.

David Fairman, CSO, APAC. David Fairman is the Chief Security Officer for the APAC region of Netskope, the leading security cloud. He is an experienced strategic advisor, investor and coach in the global financial services sector and has held CSO/CISO roles at the National ...
