Beware of This New “as-a-Service”!

Mike Winslow, Senior Consultant, SecureITsource, Inc.

SaaS – Software-as-a-Service, IaaS – Infrastructure-as-a-Service, and PaaS – Platform-as-a-Service are just a few of the current “as a service” offerings that companies around the globe are taking advantage of to run their businesses and manage their data. By purchasing only what they need, they are able to keep their costs down and their profit margins up. However, over the last couple of years another “as a Service” has gained momentum, and even though most businesses will never use it, they are still being negatively impacted by it every day. So, what is this new service? CaaS!

CaaS, or Crime-as-a-Service, is similar to Software-as-a-Service except that the software being offered through CaaS includes things like DDoS-for-hire, rootkits, malware, and other types of packaged services. Need some ransomware? You can rent it. Need a call center to support a Microsoft License Expiration scam? You can rent that as well, background soundtrack included. Everything that used to require a talented hacker with an extensive coding background is now available on the “Dark Net” via CaaS.

Europol, the European Union’s law enforcement agency, issues an annual threat assessment called the “Internet Organised Crime Threat Assessment” (IOCTA). For the last several years, it has flagged CaaS as a major facilitator of serious online crimes.[i] In a post for CSO Online, Charles Cooper states that “Cybercrime-as-a-Service — along with attacks-as-a-service, malware-as-a-service and fraud-as-a-service — has opened a wide digital door to anyone looking to score a quick, illicit buck on the internet.”[ii] The most obvious result of making this technology available to a novice criminal is that the number of attacks a company sees will continue to increase. The attack vectors and technology being used haven’t changed, but the number of participants increases daily. And according to Cooper, “Many online marketplaces on the dark web actually tout the technical support they can supply to anyone who requires extra handholding. The cybercrime-for-hire business appears to be so robust that hacker gangs reportedly are hard-pressed to keep up with demand.”

While the threat of CaaS is growing, the good news for most enterprise organizations is that CaaS hasn’t opened any new attack vectors. That means that whatever your company’s current cyberstrategy is, it should protect you from the increased number of attacks. That is, unless you are a small to medium-sized business (SMB). Per a 2016 report by the Ponemon Institute, which surveyed 598 individuals in companies with a headcount from less than 100 to 1,000, 55 percent had experienced a cyber-attack within the past 12 months and 50 percent had suffered a data breach during that same time frame.[iii] And for a number of reasons, it is only going to get worse for SMBs.

Many SMBs struggle just to keep the doors open. When it comes to cybersecurity, they simply can’t afford to spend what a large enterprise does to protect its data. The expense of security tools such as CyberArk, SailPoint, and ForgeRock isn’t within their budget. Their IT teams don’t consist of specialized security and IT professionals. The SMB IT guy wears many hats and doesn’t have time to focus on a single product or specific attack vectors. Most of the time they are too busy just trying to keep the system up and available to worry about possible attacks. They are focused on fighting fires, not preventing them.

The other threat of CaaS to the SMB is that it has exponentially increased the number of potential attackers they will come up against. Novice criminals who just rented their first ransomware package aren’t going to try to go up against General Motors or Bank of America. They’re going to target SMBs, where the security is weaker and the chance of scoring a financial benefit is greater. You aren’t going to get BofA or GM to cough up a ransom easily even if you did somehow manage to encrypt their data. The small guys, though, can’t afford to shrug off a ransomware attack and are faced with either losing their data or paying the ransom. Most will pay the ransom. In a report by the Herjavec Group, $24 million across nearly 2,500 ransomware cases was forked over by cybercrime victims. In the first three months of 2016 that amount had gone up to $209 million and was estimated to finish the year at nearly $1 billion.[iv]

The final threat of CaaS to the SMB is that with the anonymity of the “Dark Web” and the use of cryptocurrency, the risk of getting caught is low. Many local law enforcement agencies aren’t equipped to handle cybercrime, and the federal agencies with jurisdiction don’t have the resources to investigate every single instance of cybercrime reported. Cybercrime is the digital equivalent of shoplifting: the cost of investigating and prosecuting far exceeds the cost of the merchandise involved. $5,000 may be a lot of money to the SMB, but it doesn’t justify expending many times that amount to try to recover it. Unless you are victimized by a criminal ring that is being actively investigated, the probability of catching and recovering money from someone who is renting tools of the trade via CaaS is going to be close to zero. You can report the attack, but don’t plan on an active investigation. Many SMBs just quietly pay the ransom and hope they can prevent it from happening again.

So, what does an SMB with an underfunded IT cybersecurity team do to meet the rising threat of CaaS? The first step that any business, regardless of size, should take is to create an incident response plan (IRP) and keep it current. IRPs force a company to evaluate all aspects of its business, not just its cybersecurity. It doesn’t help to build a wall so thick that no one from the outside can penetrate it if you don’t consider the employees within who may knowingly or unknowingly let an attacker inside. A good IRP takes this into consideration and builds it into the defenses. The step-by-step instructions for building a plan are beyond the scope of this article, but there are many excellent resources online that can help you get started creating a plan if you don’t have one, or help you reevaluate the one you have.

Understand that the creation of an incident response plan won’t stop an attack. In fact, given the CaaS business model, it would be best to assume that your plan is not going to sit on the shelf waiting to be updated once a year but will be actively used throughout the year. A plan won’t necessarily stop an attacker from successfully getting inside your network. But done properly, the IRP allows you to evaluate where your business is most at risk, what the potential attack vectors are, and how well prepared you are to deal with those attacks. It allows you to build and strengthen your defenses where they are most needed. Your plan provides guidance on where to spend your limited budget dollars.

Also, make sure that your employees know what the plan is and what their role, if any, is in carrying it out. You don’t want them to discover their role the day after an incident. If possible, hold regular drills and practice what to do in case of an incident. You may not have a large budget for all the fancy bells and whistles of a cybersecurity system, but that doesn’t mean you can’t have well-prepared employees and a strong defense that will reduce the damage and exposure you face from an attack.

Finally, once created, the IRP isn’t something that sits at the back of your desk to be pulled out after an attack. It should be reviewed and updated quarterly, if not monthly. Your business changes daily, and so do cybercrime attack vectors. If the attackers decide to come through a side door, it isn’t going to do you any good to keep your defenses watching the back door. You need to know what is happening and how to adjust for changes. Read security blogs such as CSO Online and Sophos’ Naked Security. The better informed you are about current trends, the quicker you can adjust your defenses to protect against them. You may not have the budget that Bank of America does to implement a cybersecurity plan with all the bells and whistles, but that doesn’t stop you from creating, implementing, and using an IRP, which is the foundation of any good cybersecurity plan.