Arguably nothing in tech has changed the landscape more than ‘as a Service’ offerings, the subscription-based model for delivering IT services. That model has now made its way into the cybercrime landscape as well. Cybercrime, for its part, has evolved beyond a nefarious hobby: today it is a livelihood for cybercriminals.
Organized cybercrime services are available for hire, particularly to those who lack the resources or hacking expertise but are willing to buy their way into criminal activity. Underground markets have emerged that sell attack tools and services ranging from malware injection and botnet tooling to Denial of Service and targeted spyware.
To protect your business from the cybercrime-for-hire threat vector, let’s understand how the Cybercrime as a Service model works.
The Cybercriminal Value Chain Model
A value chain is any process or series of activities from which a person or organization derives value, and the concept applies to cybercrime as well. The cybercrime value chain can be seen as a portfolio of criminal activities at the various stages of the attack kill chain:
- The technology stack
- Community support
- Attack lifecycle management
- Attack delivery
From a value chain perspective, it is important to understand that cybercrime is not limited to sophisticated botnet attacks run at scale by organized crime rings and state-sponsored groups. Any hobbyist or financially motivated hacker can establish a presence in the underground Cybercrime as a Service marketplace, sell tools and services to willing buyers and cause damage on three fronts, compromising:
- The human element, which is likely the weakest link in your cybersecurity defense chain.
- The operational level, disrupting your daily business operations.
- The technology level: the tools, viruses and botnets accessible to individuals with criminal intent.
The cybercrime value chain model categorizes activities into primary and secondary actions.
Cybercrime as a service: Primary activities in the attack lifecycle
These are the actions, tools and services directly involved in conducting a cyber-attack, or in supporting activities designed to bypass the security defenses of your organization. The key activities include:
Vulnerability discovery as a Service
Vulnerability discovery tools are used to identify potential weaknesses in an organization's network. Attackers may use packet analysis tools such as Wireshark, or otherwise gather information about the technologies and software versions in use, since a known product version maps directly to a list of published vulnerabilities.
When attackers identify a zero-day vulnerability, or an unpatched known vulnerability in an older technology stack, they can trade that information in Dark Web cybercrime communities.
Exploit kit development as a Service (EKaaS)
In this phase, cybercriminals package an exploit kit: the tools and malware needed to compromise a system by exploiting a known vulnerability in a technology it runs. Additional payloads may be bundled to spread the attack once the initial foothold is gained.
Operational weaknesses are also prepared. These may include a rogue Wi-Fi network or spyware that compromises the human element before the attack payload is delivered to the target systems.
Exploit delivery as a Service (EDaaS)
The exploit packages from the EKaaS service are delivered to the target systems. Delivery may rely on botnets, traffic redirection and bulletproof hosting services in loosely regulated jurisdictions that can host the attack infrastructure and launch it on demand.
Attack as a Service (AaaS)
Once delivery (EDaaS) has opened an avenue onto the target system, the attack itself is carried out. It is designed to leak sensitive information such as intellectual property and domain knowledge documentation, disrupt the target's network operations, and monetize the intrusion through ransomware or DoS extortion.
Secondary activities in cybercrime technology support
Secondary activities are the services that indirectly support the Cybercrime as a Service ecosystem. Activities are focused on building a marketplace, community and a wider ecosystem that helps cybercriminals monetize their efforts and tools. These activities can be categorized as follows.
Operations and lifecycle management
These services allow cybercriminals to offer and sell their tools and services to potential buyers. The attack lifecycle is managed so that the financial objectives of the Cybercrime as a Service platform are met at minimal cost and risk. Cybercriminals are actively focused on:
- Identifying the most valuable targets.
- Organizing hackers with relevant services.
- Managing the distribution of financial proceeds.
Community support
Forums allow the cybercrime community to engage with one another. Unlike a marketplace, these communities show some form of hierarchical organizational structure. That structure lets members work individually without formally joining a cybercrime ring, and it lowers the barrier to getting support from fellow hackers.
Marketing and delivery
Digital gains are traded among attackers on Dark Web marketplaces. Proceeds may take the form of goods and services, cryptocurrency, or further tooling and technical support that helps cybercriminals sell their services.
Defending against cybercrime services
Several challenges exist in defending against cybercrime in the digital age, where criminal ecosystems thrive and collaborative support delivered as a service is readily available on the Dark Web.
Individuals, corporations and regulatory authorities each have their own responsibilities, and misaligned incentives, information asymmetry and externalities prevent them from tackling organized cybercrime that is available to any willing buyer. So how do you defend against Cybercrime as a Service?
First, recognize the industrialization of cybercrime, which sets it apart from other threat vectors. The Cybercrime as a Service ecosystem lets hackers focus on their own specialty, such as writing malware and offering it on the Dark Web, without having to sell or monetize an individual cyber-attack themselves. This lower barrier to entry means cybercrime activity is likely to increase.
Put simply: instead of worrying only about individual hackers, state-sponsored entities or organized crime groups, you must be prepared to defend against anyone with malicious intent who can buy the capability.
This posting does not necessarily represent Splunk's position, strategies or opinion.