What You Need to Know About Crime-as-a-Service (CaaS)
Cyber crime is on the rise and is expected to cost roughly $6 trillion annually through 2021, according to Cybersecurity Ventures. This is truly a staggering number and difficult for many people to comprehend.
Factors like growing Ecommerce, IoT and the increase in sensors (these are predicted to exceed 50 billion by 2020) are all contributing to this spike.
But there’s another trend that’s really been gaining momentum as of late – Crime-as-a-Service (CaaS).
What is CaaS?
This is where an experienced cyber criminal develops advanced tools or services which are put up either for sale or rent to other, often less experienced cyber criminals. As a result, even those with limited knowledge and expertise are able to carry out attacks with relative ease.
For example, someone might develop a ransomware kit that’s capable of encrypting important files where the victim must pay a ransom. They will then sell or rent that kit to other lower level cyber criminals, thus enabling them launch attacks.
This way the original individual who develops the tools or services is able to profit along as the individual who purchases it. It’s very lucrative for everyone involved.
This is disturbing because it now means that a person doesn’t need to have sophisticated coding skills or technical expertise to launch an attack. They can simply use CaaS.
Even more alarming is just how inexpensive many of these tools are to procure. IT security expert Jeremy Kirk points out in BankInfoSecurity that kits can be purchased for as little as $175 (USD).
This means that virtually anyone with a little bit of cash and a strong enough desire can perpetrate an attack and profit from it. And of course the original cyber criminals who create these tools want to keep it up because they’re making money with minimal risk on their end.
You could argue that this has created a dramatic shift in the cybersecurity landscape and is going to make it even more perilous in the future. With CaaS becoming more and more mainstream, it’s definitely something that should be on your organisation’s radar.
Common Types of CaaS
CaaS offerings can run the gamut, but some of the more common varieties include the following:
This is where a cyber criminal writes malicious code that encrypts a user’s files and allows others to use it for a small fee. In turn, the cyber criminal is able to get a cut of each ransom.
Tech expert Bill Connor writes in Forbes that this tends to be one of the more popular attacks because it requires very little skill, and it’s not necessary to have expensive equipment. Combine that with the fact that there’s often a faster payout than stealing payment card information, and it’s easy to understand why RaaS has become so common.
Connor also points that ransomware attacks increased from just 4 million in 2015 to 638 million in 2016 making it one of the fastest growing forms of cybercrime.
Distributed denial-of-service (DDoS) is an attack where a cybercriminal sends a flood of requests to a server from many different sources, which renders it unusable to legitimate users. For businesses, this means costly downtime and often a blow to their reputation.
DDoS-as-a-Service makes it so that even cybercriminals with minimal experience have access to their own “botnet,” which is a number of infected Internet-connected devices. In turn, they can seamlessly launch an attack.
This happens to be one of the favourites for dubious competitors looking to sabotage other companies in their industry or may even be executed by disgruntled employees.
2017 has been a year of unprecedented phishing attacks. Even Google and Facebook fell victim and were taken for $100 million (USD) each.
A big reason for this trend is simply the fact that many modern phishing attacks are so sophisticated. Small Business Trends even found that a staggering 97 percent of employees may not be able to spot a phishing email.
If it can happen to Google and Facebook, it could happen to anyone.
Another reason is because of the rise of professional phishing kits, which consist of materials to help cyber criminals impersonate legitimate organisations. For instance, individuals can obtain incredibly realistic looking PayPal login pages with fake messages intended to lure victims in and obtain sensitive information.
Finally, there’s the classic malware. Things like viruses and Trojan horses have been plaguing computer users for years.
But now that threat is elevated due to the fact that cyber criminals can buy malware kits from professional developers, thereby dramatically increasing the potential for damage.
Senior reporter at ZDNet Danny Palmer explains that malware-as-a-service is becoming one of the more popular tools for crooks. Most of the kits feature a rental-based business model where an individual pays for an account. They’re then able to manage and monitor their nefarious “campaigns” from their dashboard.
What are the Implications?
It’s pretty simple. CaaS has already contributed to a spike in cyber attacks and will continue to do so for the foreseeable future.
It’s like pouring gasoline on the fire of an already serious problem.
IT and cybersecurity authority Steve Durbin explains that CaaS is starting to become more commoditised, which signals that it’s reaching a level of maturity that hasn’t been seen before.
He also mentions that the market is getting more saturated, which is resulting in decreasing price points for CaaS offerings. As the competition inevitably increases, CaaS will become more and more affordable.
When you put all this together, it creates an extremely volatile combination. With so much to be gained monetarily for both cyber criminal experts as well as novices, you can bet that this will be an escalating problem.
Countless companies have already felt the impact, and there’s no doubt that even more will suffer a cyber attack moving forward.
What Can You Do?
Although there’s nothing you can do directly to stop cyber attacks from occuring as a whole, there’s plenty you can do to protect your organisation. It all revolves around a two pronged approach – cyber crime prevention and post-incident containment.
Cyber Crime Prevention
One of the best things you can do to prevent an attack is to perform routine penetration testing on web applications, mobile applications, your network, etc. This is where registered ethical hackers will attempt to exploit vulnerabilities and access your company’s data assets but in a secured environment.
From there they will be able to pinpoint specific issues and offer suggestions on how to heighten security. This is critical because it provides you with the chance to eliminate flaws before actual hackers can exploit them.
Another thing you can do is use managed security monitoring to identify potential security gaps in your network. Anytime weaknesses are discovered, you’ll be promptly notified so you can take immediate action.
It’s also wise to invest in employee security training. With employee negligence being the root cause behind roughly 80 percent of all data breaches, it’s vital that your team understands the ins and outs of cyber attacks. Phishing should be a particular area of focus.
This is huge for staying one step ahead of cyber criminals and reducing your chances of becoming a victim.
In the event that your organisation does suffer a cyber attack or data breach, it’s essential that you react quickly to mitigate the damage.
Your best bet for post-incident containment is to establish a set of policies and procedures so that your entire team knows how to respond. Have a chain of command in place so that everyone within your organisation knows which actions they must take and who’s responsible for what.
Network analyst Jay Botelho explains the importance of finding the root of the attack, which can be done by capturing all traffic around the time the incident occurred and having administrators search through archived traffic for any anomalies. You may also be required to provide information to the authorities as well as notify any customers that may have been impacted.
It’s also smart to have a business continuity plan in place so that you can resume operations as quickly as possible. This includes things like performing a business impact analysis, developing recovery strategies, plan development and testing.
Doing so should reduce any frustration for your customers and ensure that your brand reputation doesn’t a major hit.
Getting Your Team Ready
Cyber attacks have been a thorn in the side of many enterprises throughout much of the 21st century. So much so that it’s a new reality that must be embraced.
CaaS represents a new phase in the evolution of cyber attacks and is only going to intensify an already serious problem.
Therefore, it’s something that your organisation needs to be aware of and address. By being proactive about cyber crime prevention and having a framework for post-incident containment in place, you can operate with greater confidence and peace of mind.
Which specific types of cyber threats are you most concerned about in 2018? Please share your thoughts: