Cyber criminals are making hacking an easily outsourced option for anyone, changing who attacks you, how often, and what they can do
We all like things that are easy. From doing our taxes, to driving our cars, we love it when there’s a simpler route to take. This is one of the reasons that Software-as-a-Service (SaaS) has taken off. Companies can have someone else worry about the development, deployment, upgrading, and maintenance of a capability, while they conveniently access the service from any internet-connected device. From Salesforce.com, to Microsoft’s Office 365, to Dropbox, the number and variety of SaaS offerings are exploding.
Hackers are capitalizing on this concept by offering Hacking-as-a-Service (HaaS). HaaS is essentially the outsourcing of hacking services. It has been around for a while, but has been limited to underground cyber message boards and sites offering hackers-for-hire. Recently, however, it is becoming more mainstream.
Cyber criminals are now offering the ability to cheaply conduct sophisticated attacks. For example, criminals are offering DDoS-for-hire services that rent out access to a network of enslaved devices, which are used as a platform to launch DDoS attacks. A 2016 Dell SecureWorks study on underground hacker marketplaces found that criminals are offering DDoS attacks for as little as five dollars.
Recently, cyber criminals have developed Ransomware-as-a-Service (RaaS). Under this criminal model, hackers provide the platform and the necessary technology to launch a ransomware attack. They then sell this capability, and either take straight payment for the service, or take a share of the profits. RaaS customers do not have to be technically savvy to use the service, and it can be purchased cheaply; one ransomware package offers a lifetime license for the low price of $39.
Why it matters
Making hacking easier is reshaping the threat environment in three fundamental ways:
Proliferation: As with any “as-a-service” model, HaaS is expanding the market for attacks by making them easier to launch. Profitable attacks, such as RaaS, will expand at a faster rate. A recent Trend Micro report shows that ransomware attacks brought in over a billion dollars in 2016, with 752 new families of ransomware being reported (up from 29 in 2015).
Diversification: By making hacking more accessible, HaaS is diversifying the types of criminals behind attacks. You no longer need a sophisticated, or even tech-savvy, adversary. Attacks can now be launched by anyone from disgruntled employees, to small-time crooks, to competitors. This diversification will not only promote attacks, but will make them harder to predict and prevent.
Specialization: One strength of an “as-a-service” model is that the provider can focus on expanding the technology and capabilities of their service. If hacking becomes more of a service model, the cyber criminals’ focus will turn from executing specific attacks to improving their “services” and technology. This will increase the sophistication and potency of attacks.
As cyber criminals emulate other industries and markets, they are learning to be more efficient, effective, and specialized. They are formalizing their business models, which, in turn, is reshaping the threat environment. Cyber criminals are learning to make hacking so easy…it’s scary.