The escalation of cybercrime as a service has major ramifications

As technology evolves, so does cybercrime. In fact, most people don’t realize that today’s cybercriminals exploit the same technologies, business models, and service offerings that mainstream, non-criminal businesses use. Similar to the software as a service (SaaS) model where consumers access software and services in exchange for a monthly or recurring fee, the cybercrime as a service (CaaS) market is growing rapidly. Attackers can rent sophisticated cybercrime technologies and platforms (e.g., phishing-as-a-service, ransomware-as-a-service) as a subscription-based model.

Cybercrime-As-A-Service trivializes cybercrime

The days when attackers needed superior technical knowledge to design nefarious cyber attacks are long gone. Budding cybercriminals can now hire phishing templates, hosting services for fraudulent websites, credential theft tools and phishing delivery mechanisms to as low as $50. This scenario can be considered a win-win in the sense that service providers and sophisticated criminal organizations can easily scale their business using these free agents without investing time in studying soft targets. These cybercriminals are also less likely to be caught since they do not directly execute the attacks themselves. On the other hand, inexperienced cybercriminals can now launch a professional phishing or ransomware attack without sweating over the infrastructure or skills needed to create malicious campaigns.

How did this evolution come about?

At some point, cybercriminals likely ran into a problem that many traditional businesses face: scalability. They had a few smart people, but they were burning money and resources coding malware, maintaining infrastructure, designing phishing emails, laundering money, dodging law enforcement order and everything that goes into the management of illegal operations. Since cloud platforms offered a service-based model, someone in the hacker community had a eureka moment: offering a phishing service or a ransomware service in exchange for a monthly fee. The idea led to the emergence of a very popular cybercrime as a service marketplace, where like-minded criminals can partner with organized criminal syndicates and leverage their service or platform in exchange for compensation or profit sharing. Some of these ransomware gangs have matured into complex entities who are increasingly adopting the same standard business practices of the organizations they target.

The escalation of cybercrime has major ramifications

It’s no secret that the cybercrime economy is already extremely profitable. The proliferation of cybercrime as a service will essentially open the floodgates to new cybercrime activities. Hobbyists no longer need access to vast amounts of resources or infrastructure to execute an attack. All they will need is to rent tools from the dark web, click and run a phishing or ransomware scam or run a advanced persistent threat. Previously, the high cost of cybercrime (specialized tools and knowledge) meant that only high-value targets were likely to fall victim to it. Today, the escalation of cybercrime means that even small businesses and individuals can be targeted. This may well be a plausible explanation for why phishing attacks have almost tripled in 2021 compared to 2020, when ransomware attacks have almost doubled.

The Response to Cybercrime: Defense in Depth

Cybercrime as a service threats will most likely escalate and there will never be a silver bullet for ironclad cybersecurity. Companies should therefore invest in a defense-in-depth approach that primarily includes three elements: technical controls, security awareness training and phishing simulations, and policies and procedures.

Technical controls involve having sophisticated tools in place such as multi-factor authentication, VPN use, and opt-out remote desktop protocol (RDP)next-generation firewall deployment, endpoint detection and response, military-grade backup, anti-phishing training, data loss prevention, and in-depth security monitoring (log analysis, spot checks, vulnerability scanning).

As all humans are vulnerable and 85% of offenses involve human error, it is important that users do not rely on anything at face value. Businesses need to teach people how to recognize a phishing scam, report suspicious activity, practice password hygiene, and understand the impact their actions can have on the organization. Finally, all companies should have a regularly updated, living document with security best practices, key contacts, and security procedures in the event of a security incident. The idea is to be prepared for any eventuality.

Unfortunately, no one is immune to cyberattacks. If you are concerned, contact law enforcement immediately. Consider getting cyber insurance and contact your local FBI field office or the Internet Crime Complaint Center. Detailed advice on responding to ransomware is also available on the CISA website.

Written by Stu Sjouwerman.
Did you read?
4 Strategies to Accelerate Your Finance Digital Transformation Efforts by Chen Amit.
Hopeless positivity defined by Dr. Salla Vijay Kumar.
Can our negative emotions provide an inner superpower by Mark Berridge.
In 2022, What does it take to be a moral-minded leader by Frank C. Bucaro.

Follow the latest news live on CEOWORLD magazine and get news updates from the United States and around the world. The opinions expressed are those of the author and not necessarily those of CEOWORLD magazine.