Addressing the Challenges Cybercrime-as-a-Service Serves Up


Software-as-a-Service. Infrastructure-as-a-Service. Platform-as-a-Service. You name it and it seems like you can get it as a service. For hackers it’s Cybercrime-as-a-Service. The phrase might come across as the latest marketing buzzword, but it’s actually an evolution in the Industrialization of Hacking and it’s compounding the challenges IT security professionals face in combatting attacks.

The Industrialization of Hacking has created a faster, more effective, and more efficient sector profiting from attacks on our IT infrastructure. By monetizing malware with cryptocurrency, these professional, entrepreneurial, and resourceful hackers have created cybercriminal business models that share many similarities with legitimate businesses. They have a revenue stream, a budget, market researchers, a global pool of developers, QA analysts and testing, help desk support, and even guarantees.

With these tried-and-true business practices they’re creating and selling effective cybercrime tools and, in the process, closing the gap between sophisticated and unsophisticated attackers. Now almost anyone can buy and launch a damaging attack with relative ease. We’ve seen this most recently in a renewed rise in exploit kits and a proliferation of ransomware, the proceeds of which allow hackers to innovate faster and target victims with a never-ending stream of unknown attacks.

The Angler Exploit Kit is a prime example of cybercrime-as-a-service. Since the takedown of the highly effective Blackhole Exploit Kit, ‘customers’ have been taking care to invest in exploit kits known to be technically sophisticated in terms of evading detection. Attackers are also realizing it may be wiser to trade dominance for elusiveness: rather than drawing the spotlight and the attention of authorities as the number one kit, they keep modifying their kits to hold fourth or fifth position. The Angler Exploit Kit fits the bill. Angler improves upon previous exploit kits because it has the capability of integrating new exploits, including zero-days, quickly and effectively. It also uses a new technique called Domain Shadowing. Attackers steal users’ domain registrar logins and use them to create subdomains without tipping off the actual owner; Domain Shadowing then rotates through those subdomains to hide the IP address of the malicious server. Angler avoids standard detection by overloading traditional web security technologies with large numbers of these subdomains that are pointed at malicious servers.
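The subdomain churn described above leaves a footprint in passive-DNS or resolver logs that a defender can hunt for. The following script is an added example, not code from the column or from any vendor product it alludes to. It scores each registered domain on four indicators of a shadowed registrar account (many new subdomains, each short-lived, with machine-looking labels, resolving to addresses the apex and www hosts never used). The log records, domain names and thresholds are all constructed for illustration and use the RFC 5737 documentation address ranges; the naive two-label domain split is an assumption that a real deployment would replace with the Public Suffix List.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    """One passive-DNS observation: when a name was resolved and to what."""
    ts: int        # epoch seconds
    qname: str     # fully-qualified name that was queried
    ip: str        # IPv4 address returned in the answer


def registered_domain(qname: str) -> str:
    """Naive registrable domain: last two labels (assumption; use the Public Suffix List in production)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_label(qname: str) -> str:
    """Labels left of the registered domain, or '' for the apex itself."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score high (8 distinct chars -> 3.0)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def analyse(records, min_subdomains=5, max_lifetime_s=3600,
            min_entropy=2.5, min_offsite_frac=0.8):
    """Score every registered domain for domain-shadowing indicators.

    A domain is flagged only when all four signals agree: enough distinct
    subdomains, a short median lifetime (first seen to last seen), high label
    entropy, and most subdomains resolving outside the apex/www address set.
    Domains with no observed apex/www record have an empty baseline, so every
    subdomain counts as off-site; treat those hits with more care.
    """
    by_parent = defaultdict(list)
    for r in records:
        by_parent[registered_domain(r.qname)].append(r)

    report = {}
    for parent, recs in by_parent.items():
        baseline_ips = {r.ip for r in recs if subdomain_label(r.qname) in ("", "www")}
        first_seen, last_seen, ips = {}, {}, defaultdict(set)
        for r in recs:
            lab = subdomain_label(r.qname)
            if lab in ("", "www"):
                continue
            first_seen[lab] = min(first_seen.get(lab, r.ts), r.ts)
            last_seen[lab] = max(last_seen.get(lab, r.ts), r.ts)
            ips[lab].add(r.ip)
        labels = sorted(first_seen)
        n = len(labels)
        if n == 0:
            report[parent] = {"subdomains": 0, "suspicious": False}
            continue
        lifetimes = sorted(last_seen[lab] - first_seen[lab] for lab in labels)
        median_lifetime = lifetimes[n // 2]
        mean_entropy = sum(shannon_entropy(lab.split(".")[0]) for lab in labels) / n
        offsite = sum(1 for lab in labels if not (ips[lab] & baseline_ips)) / n
        suspicious = (n >= min_subdomains and median_lifetime <= max_lifetime_s
                      and mean_entropy >= min_entropy and offsite >= min_offsite_frac)
        report[parent] = {"subdomains": n, "median_lifetime_s": median_lifetime,
                          "mean_entropy": round(mean_entropy, 2),
                          "offsite_fraction": round(offsite, 2),
                          "suspicious": suspicious}
    return report


def sample_records():
    """Constructed passive-DNS data (not real observations); RFC 5737 test addresses."""
    day = 86400
    recs = []
    # Healthy domain: a few stable hostnames seen daily for a week on one address block.
    for d in range(7):
        for host, ip in (("example-corp.com", "198.51.100.10"),
                         ("www.example-corp.com", "198.51.100.10"),
                         ("mail.example-corp.com", "198.51.100.25"),
                         ("blog.example-corp.com", "198.51.100.30")):
            recs.append(DnsRecord(d * day, host, ip))
    # Shadowed domain: the owner's apex is untouched, but random subdomains appear for
    # a few minutes each, every one pointing at a different attacker-controlled address.
    recs.append(DnsRecord(0, "familyphotos-shop.net", "192.0.2.40"))
    recs.append(DnsRecord(3 * day, "www.familyphotos-shop.net", "192.0.2.40"))
    fake_labels = ["k3j9x2ab", "q7wz5m1p", "h8dn2ryc", "v4bt6kls", "zp1e9xwq", "m2c8gtf7"]
    for i, label in enumerate(fake_labels):
        t0 = 3 * day + i * 900            # a fresh subdomain every 15 minutes
        for offset in (0, 120, 300):      # each one is queried for about 5 minutes
            recs.append(DnsRecord(t0 + offset, f"{label}.familyphotos-shop.net",
                                  f"203.0.113.{50 + i}"))
    return recs


if __name__ == "__main__":
    for parent, metrics in analyse(sample_records()).items():
        print(parent, metrics)
```

Requiring all four signals together is what keeps the check usable: a CDN customer mints many subdomains but they persist, a dynamic-DNS provider has short lifetimes but human-readable labels, and only a compromised registrar account tends to show every indicator at once.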

Ransomware is another example of an extremely lucrative business. The malware alerts the victim that data files, such as photos, videos, and documents on their computer have been encrypted and that in order to decrypt the files the victim must pay a ransom. Amounts vary according to the target, maybe a couple of hundred dollars for an individual or thousands for a corporation or government entity. Targeting high-value files makes ransomware very effective in getting users to pay the ransom.

Cryptolocker was the first piece of malware to successfully use encryption, but now multiple ransomware families, and the threat actors behind them, such as CryptoWall and TeslaCrypt, are jumping in to claim a portion of an ever-increasing ransomware market. According to the FBI, CryptoWall attacks cost victims in excess of $18 million between April 2014 and June 2015.

So what are we doing about it? If you read up on the topic or attend industry conferences you’ll learn of multiple examples of law enforcement officials and IT security experts coming together to tackle the problem. Sharing information and collaborating, they are focused on zeroing in on the masterminds behind these attacks and bringing them to justice. IT security professionals charged with protecting their organization’s digital assets need to take a similar approach, sharing information and collaborating – but in this case across security technologies and threat intelligence feeds – in order to take action.

Most organizations have deployed security technologies across some combination of networks, endpoints, web and email gateways, virtual systems, mobile devices, and the cloud. Typically these technologies can’t – and don’t – interoperate. Relying on a ‘silver bullet’ to address attacks, for example expecting blacklisting technologies alone to thwart exploit kits, will prove ineffective. These attacks are designed to evade them. Further, many security teams are stretched so thin they don’t even have the resources to cover the security basics like patching, configuration management or, in the case of dealing with ransomware, good backup policies.


In order to deal with whatever new challenge cybercrime-as-a-service serves up, what’s needed is visibility and control everywhere and all the time: across attack vectors and the full attack continuum – before, during, and after an attack. This is done by gathering and analyzing telemetry data continuously, going beyond signatures to identify known attacks, and looking at file behavior to surface indicators of compromise that would otherwise go unnoticed. Local data needs to be woven together with global intelligence for greater insights into the nature of the attack. Information needs to be shared across the environment and multiple control points to speed detection and response before data files are stolen or encrypted.

Once you can see what files are doing and can identify them as malicious, even after an attack, then you need retrospective security in order to marginalize the impact of an attack by identifying the point of entry, determining the scope, containing the threat, eliminating the risk of re-infection, and remediating.
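The ransomware behaviour described earlier (user documents replaced by encrypted content) and the "look at file behaviour, then determine the scope" approach above can be made concrete with a small triage script over file-write telemetry. This is an added example, not code from the column or from any product it alludes to. It assumes an endpoint agent records, for each write, the process, the path and a sample of the bytes written (a constructed schema); it then flags any process that rewrites many user documents with encrypted-looking (high-entropy) content inside a short window and reports the scope of what that process touched. The events, process names and paths are constructed for illustration.

```python
import math
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileWrite:
    """One file-write event as an endpoint agent might record it (constructed schema)."""
    ts: int          # epoch seconds
    pid: int
    process: str
    path: str
    data: bytes      # leading bytes of what was written, sampled by the agent


USER_DOC_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_user_doc(path: str) -> bool:
    """True for a user document, including one renamed with an extra extension (x.docx.locked)."""
    root, ext = os.path.splitext(path)
    if ext.lower() in USER_DOC_EXT:
        return True
    _, inner = os.path.splitext(root)
    return inner.lower() in USER_DOC_EXT


def triage(events, window_s=60, min_files=10, min_entropy=7.0):
    """Flag processes that rewrite many user documents with high-entropy content in a burst.

    The combination matters: a single gpg or archiver write is high-entropy but
    touches one file; an editor saves many files but writes readable content.
    Returns one finding per offending process with the files and directories hit,
    which is the starting point for scoping and containment.
    """
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e.pid, e.process)].append(e)

    findings = []
    for (pid, name), evs in by_proc.items():
        hits = sorted((e for e in evs
                       if looks_like_user_doc(e.path) and byte_entropy(e.data) >= min_entropy),
                      key=lambda e: e.ts)
        start, burst = 0, 0
        for end in range(len(hits)):               # sliding window over the hits
            while hits[end].ts - hits[start].ts > window_s:
                start += 1
            burst = max(burst, len({h.path for h in hits[start:end + 1]}))
        if burst >= min_files:
            paths = sorted({h.path for h in hits})
            findings.append({"pid": pid, "process": name, "first_seen": hits[0].ts,
                             "peak_files_per_window": burst, "affected_files": paths,
                             "affected_dirs": sorted({os.path.dirname(p) for p in paths})})
    return findings


def sample_events():
    """Constructed endpoint telemetry (not real data)."""
    evs = []
    text = b"Quarterly figures: revenue up 4%, costs flat. See attached table.\n" * 4
    # Benign: a word processor saving the same document twice (low entropy).
    evs += [FileWrite(1000, 311, "winword.exe", "/home/alice/Documents/q3.docx", text),
            FileWrite(1030, 311, "winword.exe", "/home/alice/Documents/q3.docx", text)]
    # Benign: a user encrypting one contract; high entropy, but a single file.
    evs.append(FileWrite(1100, 520, "gpg", "/home/alice/Documents/contract.pdf.gpg",
                         bytes(range(256))))
    # Ransomware-like: one process rewriting a dozen photos as .locked files in 33 seconds.
    for i in range(12):
        evs.append(FileWrite(2000 + i * 3, 4242, "invoice_viewer.exe",
                             f"/home/alice/Pictures/holiday_{i:02d}.jpg.locked",
                             bytes(range(256))))
    return evs


if __name__ == "__main__":
    for f in triage(sample_events()):
        print(f["process"], f["pid"], "first seen", f["first_seen"],
              "files:", len(f["affected_files"]), "dirs:", f["affected_dirs"])
```

The finding's first-seen timestamp and process identity are what a retrospective investigation pivots on: which session launched that process, what it was downloaded by, and which other hosts show the same process name and write pattern.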

Cybercrime-as-a-Service is increasing the sophistication and frequency of attacks to the point where they seem to be pervasive. When evaluating your approach to security in light of this increasingly popular approach to attacks, seek out solutions that are equally pervasive – providing visibility and control everywhere and all the time.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
