Though it’s a natural evolution, the very existence of cybercrime-as-a-service (CaaS) shocks people. Never mind the annual global costs attributable to CaaS, or how much it hampers innovation. In his keynote at the 2017 CyberCrime Symposium, McAfee Chief Scientist Raj Samani made sure attendees understood the CaaS threat — calling his content the “most depressing 45 minutes” they’d ever get at a security event — by mapping its rise and rapid expansion.
Since its first sighting in 2005, CaaS has become a thriving services economy, fueled by a global marketplace featuring a breathtaking range of services. It’s also swelled the criminal ranks, thanks to high salaries for developers, exploding revenues for CaaS companies, and complicit buyers, ever-more willing to show the money.
Without question, said Samani, CaaS has changed the game for criminals around the world. On the sell-side, CaaS providers aren’t just operating on the dark web — a good number sell services on commercial websites. In fact, many model themselves after commercial IT services providers, working with resellers, offering tiered pricing, and providing help desk support.
Invest in Marketing? Or a DDoS Attack?
The buy side, meanwhile, can include just about anybody — no skills required. There’s mounting evidence, Samani said, that “commercial companies are paying criminals to go out and attack commercial sites.” Picture an SMB getting squeezed out by a fast-moving competitor. Pressured to deliver a dizzying counterpunch, leadership may more readily succumb to the CaaS value proposition.
“These companies can spend marketing dollars, lower their prices, or, for as little as $2 an hour, they can hire DDoS services professionals to bring that competitor down,” Samani said.
A Powerhouse Portfolio
CaaS offerings, said Samani, fall into the three general categories:
- Research: While legitimate businesses offer, for instance, zero-day research services, they sell only to buyers that meet eligibility requirements, like law enforcement. CaaS guys don’t discriminate. If someone meets their price, they’ll identify zero-day vulnerabilities. They’ll also find email marketing lists that support specific campaign objectives and facilitate sophisticated attacks by uncovering digital details about an organization, its employees, and its IT environment.
- Crimeware: This segment’s diverse services include selecting the most-effective threat types for a campaign’s target and objectives, translating spam content into various languages, and developing malware to exploit new system vulnerabilities. Crimeware includes malware variants, Trojans, rootkit services, ransomware, known vulnerability exploits, and counter-antivirus services.
- Infrastructure: This category comprises services that deliver payloads, execute post-breach commands, and generally support criminal campaigns. Services include supplying botnets, mail relays for delivering huge numbers of spam emails, and back-end systems that host and launch malware. Among those offering these services are “bulletproof” hosting providers — so-called because they’re happy to provide infrastructure services to CaaS companies.
Of course, Samani added, “not everyone wants to build a campaign from scratch,” in which case they can opt to outsource the entire effort. Many do, because campaigns can require multiple developers with varied skillsets, IT ops specialists, significant infrastructure, and a lot of time. DDoS attacks, for one, are good candidates for end-to-end CaaS outsourcing.
Always On, Always Evolving
In the October 2017 hit on Taiwan’s Far Eastern International Bank, research services played a leading role in the effort’s success. According to Samani, the criminals behind the attack learned everything they could about the bank’s infosec ecosystem — its vendors, software versions, and IT environment.
Another big contributor was an emerging threat type, dubbed “pseudo-ransomware.” A CaaS provider can now use ransomware — designed to encrypt files so perpetrators can extort payment in exchange for decryption keys — to disrupt operations, destroy systems, and serve as a smokescreen for a larger attack. By infecting the bank’s servers with ransomware, the criminals forced IT teams to scramble to decrypt data. Then, thanks to their research, they disabled the bank’s security systems, withdrawing $60 million through a backdoor.
What’s a CISO to Do?
While they understandably fear state-sponsored attacks, security leaders must recognize that some very talented individuals make a career out of bringing companies to their knees. “Some nation-states have a great deal of offensive cyber-capability, but there are criminals available for hire who can take out any organization,” said Samani.
He urged attendees to use everything in their arsenal, from practicing basic cyber-hygiene to engaging in peer-group efforts to better anticipate CaaS moves. “When bad guys come up with something new, we’re forced to develop new defenses,” he said. “Instead of always monitoring cybercriminals, we've got to work together to anticipate innovations so we’re prepared to counter them.”
In fact, it was a cross-industry team that launched NoMoreRansom.org in 2016. Already, the global cooperative, whose shared objectives include eliminating ransomware’s profit motive, has assembled a rich set of free resources for preventing and recovering from attacks.
Previously, victims had two options, both bad: either pay the ransom or forfeit their data. This initiative provides a viable third option, centered on helping targets retrieve their encrypted data while denying attackers their reward.
“In one year, we’ve gone from seven tools to 52, and can now decrypt 84 families of ransomware,” said Samani. To date, they’ve decrypted 29,000 infected computers, thwarting criminal enrichment to the tune of $9 million.
Perhaps most critical in this battle, though, is the right business mindset — one that believes “IT risk is business risk” and treats the CISO role accordingly.
“Security and privacy are at the heart of every modern business, but how many CISOs are board members?” Samani asked attendees. “How many become CIO, CTO, or CEO?” Until org charts reflect this view of security risk, companies will struggle to create a safety-centric culture that’s also agile and adaptable — traits they’ll need to counter those already mastered by CaaS providers.
This is the second post in our series presenting key takeaways from our 2017 CyberCrime Symposium, held November 2-3, 2017. The program was packed with an incredible line-up of speakers discussing the latest tools and techniques being used by cybercriminals, and most importantly, what attendees could do to enhance their organization's cyber resiliency. If you couldn’t get a seat at the event — centered on the need to “Think Global, Act Local” — or want a refresher on various sessions, this is a not-to-be-missed series!