The ins and outs of ‘cyber-attacks as a service’

By now business leaders and directors across New Zealand are familiar with the concept of ‘- as a service’. That’s because software, technology infrastructure and outsourced support delivered as a service offers multiple benefits, such as cost efficiencies, flexibility and greater accessibility. It just makes good sense.

Turn that on its head and the benefits make just as much sense for the bad guys.

That’s the reality of the emergence of cyber-attacks offered as a service. The evolution of cybercrime over the years has seen it move from the early days jimmying the system for free phone calls, towards increasingly organised and professionalised groups.

Just as small businesses such as Microsoft or Apple in 1976 progressed towards formal structures and infrastructure, so too have the ‘bad actors’ behind cybercrime. The only major difference is the organisation of the cybercriminals has taken place outside the limitations and requirements of the law, though the structures, tools and technologies are often startlingly similar.

Make no mistake: cybercrime is big business. One estimate puts the amount ‘earned’ (stolen from others) from cybercrime at US$1.5 trillion in 2022 alone. Cybersecurity Ventures expects global cybercrime costs on businesses to reach US$10.5 trillion annually by 2025.

New Zealand is not immune to this enterprising industry. Kordia’s research found 55 per cent of Kiwi businesses surveyed suffered a cyber-attack or incident in the past 12 months.

Along with evolution into organisations with hierarchical structures employing people and operating out of tower blocks much like any other corporation, hacking groups have diversified, specialised and professionalised.

They use artificial intelligence and powerful cloud computing solutions, and have some of the smartest and most capable computer programmers available to their teams. It is all about making as much money as possible from their activities, whether directly or by providing cyber-attacks as a service.

This is where it starts getting interesting. On the dark web, marketplaces exist where hackers go to buy, trade and sell the services required for carrying out an attack.

It’s almost like a dark version of Trade Me, where bad actors will search for vendors of various tools or services, complete with rankings on how well they have performed their criminal activities. The tools are essentially available to anyone who knows how to get onto the dark web and wants to set themselves up in the cybercrime business.

Just like legitimate ‘as-a-service’ delivery made the best software and other services accessible to anyone, cyber-attacks as a service dramatically lowers the barrier to entry for a threat actor, while driving up the quality or likelihood of success.

It provides the best tools and services to anyone willing to pay for them, and because there is competition in the threat actor community, those services and tools have downward pressure on pricing. We’ve seen some of those adept at building tools focusing on their talent, hiring out specific attacks and making a stream of income derived from supplying other criminals.

Over the years, this has evolved into a segmented marketplace where various components and tools can be assembled for a complete attack. This might involve compiling lists of users of a specific application and vulnerability, credit card details and personal data for identity theft, pre-drafted phishing materials and the email addresses of company directors, keylogging software, ransomware, and more.

Or there’s the option to buy the entire attack as a service, rather than building it from various components.

Specifically, “Ransomware as a service” has become popular, outsourcing a criminal organisation to run a complete ransomware campaign.

While this development and evolution is fascinating, it also means an escalated threat environment for everyone – both organisations and individuals. This means a comprehensive and unrelenting approach to cyber security is necessary. You should ensure all the basics are in place, combined with regular reviews of your posture, the evolving threat environment, and your organisation’s risk exposure.

Knowing what is out there is the first and most effective step towards mitigation. Cyber-attacks as a service are only going to increase in the future, so its important directors are across this evolving landscape, so they can support their organisations to deploy the right level of cyber security measures to manage these attacks.