Want to become a cyber criminal but don’t have the technical skills? Don’t worry, there is a service provider out there willing to help!
For years I was often involved in the implementation of what was then considered a major IT project. Many months would be taken up on the design, development, deployment and testing of a customer relationship management system (CRM) or a management information system (MIS). These projects required an ever larger team of people, from me, the customer, to a software vendor, who would provide the software and the necessary engineers to install and configure it. They would be complemented by a hardware vendor to install the necessary servers to keep it all running, and then there would be an in-house team of advisors constantly changing their minds on how the whole thing should work. It was a nightmare.
Major software vendors realised that this drawn-out process of getting their software onto the desktops of customers needed improvement, even though they liked the support contracts and the upgrade sales. The process was so unwieldy that many companies, I’m sure, didn’t even attempt to purchase and install such software. The barriers to entry were just too great. This meant that, although there was a desire for their products, software vendors had to change their approach in order to grow.
So thankfully things changed. The ‘software as a service’ (SaaS) model came along and most of us have never looked back. With SaaS, all the pain went away: users could be set up in minutes and pointed to a website. They logged in and away they went with all the functionality they needed but with none of the overheads for the jaded IT department. Companies like Salesforce, Google and Microsoft could now charge per user per month, with no huge set-up fees and no need for companies to have their own hardware. It was a most welcome change.
This evolution to service-orientated software has been so successful, in fact, that it has found new advocates in the cyber security world: they have developed ‘hacking as a service’ (HaaS). Yes, if you now want to hack somebody, there is no need to learn how to do it, no need to have all the equipment, the software and the team of engineers. Just pop along to a website, set up an account, pay some cash and launch a DDoS attack on an organisation or company that you don’t care for.
The barriers to entry have been dropped to a level that even a relatively inexperienced individual can become a cyber criminal. Don’t believe me? Just pop along to YouTube, search on ‘Professional DDOS service’ and watch open-mouthed at the services available to you, the armchair cyber criminal.
The cyber security industry is brutally aware of this new threat, meaning that cyber criminals can literally come from anywhere. One of the largest threats, a disgruntled employee, could theoretically launch an infrastructure attack on their former employer with relative ease. Kaspersky, one of the fastest growing cyber security companies, published extensive research on how the Adwind RAT (remote access tool) was being distributed using a ‘service model’ similar to SaaS. Their research suggested that this process had been used in attacks against almost 450,000 private users, commercial and non-commercial organisations around the world. They also estimated that there were approximately 1,800 users of this specific ‘service model’ at the end of 2015.
What does this new evolution mean for companies who are already strengthening their cyber defences? Nothing specifically, except that with barriers to entry having dropped, the likelihood is that the number of attacks will increase.
These HaaS platforms will, like their SaaS inspirations, continue to add new functionality and commoditise what had previously been complex processes down to a few clicks and a selection of options. The criminal gangs behind the HaaS platforms want to get regular customers and regular income and will continue to take inspiration from the successful business model for SaaS and mirror it for criminal gains.
The overall trend here is that as soon as a new evolution in technology provision gains wide adoption, those processes will be adopted and used for crime. Viruses used to be spread by disk, CD and removable media; then, as the internet gained greater adoption, they too moved online! Email marketing came about and was swiftly followed by phishing and other criminal derivatives. So it was almost obvious that cyber crime would develop a service offering.
But it’s not all bad news! Even though the criminals are starting to be service providers, companies who are internally wrestling with their cyber security challenges can move to a service provider. The major IT vendors, who pioneered the SaaS model, will now manage all aspects of a company’s security for them. It seems that no matter what you want to do, be that good or bad, somebody is out there to be completely ‘at your service’.