Crime-as-a-Service (CaaS) is a model in which experienced and skilled cybercriminals build and develop sophisticated tools, platforms and capabilities and then sell or rent them to other criminals who lack the technical knowledge to create these themselves. CaaS provides skilled operators with funding from established criminals, and in return criminal groups can up-skill quickly and easily. CaaS is driving the volume and sophistication of attacks in today's threat landscape, and the barrier to entry into cybercrime and the illegal economy is lowering.
Criminals can often exploit bleeding-edge capabilities with greater ease and velocity than legitimate businesses can, because they do not operate within the same boundaries and constraints. They are neither regulated nor governed, but they are often well funded and coordinated.
Most of us don’t spend a lot of time on the Dark Web, and it can seem incredible to talk of the tools of a cyber-attack being casually sold to criminals as easily as we buy a book from Amazon. But this is exactly what happens. Here are just some of the common services that can be readily sourced as CaaS.
Phishing is one of the top attack vectors used to compromise organisations, so it is little wonder that these capabilities have become commoditised. Phishing kits and phishing platforms are readily available on the Dark Web for as little as US$2-$10 to facilitate attacks on organisations.
Exploit kits include the development of exploit code and tools to exploit known vulnerabilities. One of the most popular kits, RIG, costs just US$150 a week to use and can spread ransomware, trojans and other forms of malware. It has a large network of resellers with a complex business structure, making it accessible and affordable for criminals.
A criminal group no longer needs to build up a botnet to launch an attack on a target. Today, they can rent these services on demand. The time it takes to launch an attack is minimal, and the infrastructure can be spun up and spun down quickly and efficiently using cloud infrastructure, making it harder to track and defend against. DDoS services are also cheap and accessible, with many providers offering subscription plans on the Dark Web. All of this makes DDoS services especially dangerous to legitimate organisations because of the ease with which malicious actors can carry them out, and the profits they can generate for criminals, with some estimates putting margins at 95 per cent per attack!
Ransomware as a Service
Like DDoS services, cybercriminals can leverage purpose-built ransomware services to target a victim, removing the need for much technical knowledge. These services provide not only the technical depth and skills but also all the information needed to carry out an attack. In some cases, they even provide a dashboard and reporting on the attack's status. KPIs and SLAs in the criminal underworld! Ransomware as a Service has varying prices and payment models, some subscription-based, some flat fee and some profit-sharing. Prices can be as low as US$40 and range upwards into the thousands for large targets.
The Crime-as-a-Service industry has the perfect untraceable payment system in cryptocurrencies – easy to use, anonymous and untied to international borders or restrictions. In 2015, a Europol report stated that Bitcoin was used in more than 40 per cent of illicit transactions in the European Union, a figure that has doubtless risen since then.
Those of us who are responsible for securing an organisation against cybercriminals must make it our business to understand the operating model of our adversaries. Just as cybercriminals share information, coordinate and evolve their capabilities, understanding their targets and operationalising cutting-edge techniques quickly, so must we. If attacks have become so affordable for criminals, we cannot afford not to defend appropriately.