Cybercrime-as-a-Service: Where Do We Go from Here?

Today the cybercrime economy is estimated to be worth anything from $600bn to over $1.5 trillion. “Estimated” is the key word here, because in many ways it’s impossible to know for certain just how much money is made off the back of fraud, data theft, ransomware, crypto-mining etc. But what we do know is that the “as-a-service” model is a key component, enabling unskilled criminals to cash in on the cyber-craze and get rich relatively quickly off the back of poor corporate security and fallible consumers.

For a recent feature I interviewed some experts to better understand the scale of the problem, and what hope there is of some kind of comeback for good guys.

The web of profit

One of the best recent reports into the cybercrime economy was the Bromium-sponsored Into the Web of Profit analysis by University of Surrey senior lecturer, Michael McGuire. He explained that the popularity of the cybercrime-as-a-service (CaaS) model boils down to the sheer range of opportunities it affords the criminal fraternity.

“If you accept cybercrime as a hi-tech crime then you need hi-tech tools and methods to facilitate it, and the CaaS model is opening this market up. There are many extremely well organised criminal groups that are developing these tools, and the everyday man on the street is able to make use of their work as a result,” he told me.

“Given the wide range of perpetrators that are looking to make use of some form of CaaS, there really aren’t many types of cybercrime activity where it doesn’t play a role. Everyone can now get hold of various types of attack and varying levels of sophistication. Of course, it isn’t just malware – we are seeing all sorts of CaaS that is helping money laundering and breaking into banks.”

SANS-certified instructor Matthew Toussain explained that CaaS has rapidly matured over the past 10 years.

“The service offerings originally began over a decade ago as Distributed Denial of Service-for-hire before growing into exploit kit rentals and now ransomware as a service. Now the model and process for attackers has settled into a highly mature state where iteration of process and method is no longer necessary for intrusion sets to maintain these services,” he told me.

“Often the differentiator today is which malicious ‘provider’ offers more features or lower prices. These systems are generally driven by a modern web interface. While transactions are generally handled in Bitcoin it is not uncommon to see PayPal used as a method of payment.

Hope for the future?

For those who believe that cybercrime is a relatively harmless form of criminal activity in the grand scheme of things, McGuire had some home truths. His report explained that cyber-criminals often re-invest their profits, not just into online activities but narcotics, human trafficking and more.

“Anything that furthers criminal activity, whether it is CaaS or more guns on the streets is bad for society, and CaaS is certainly doing just that,” he added. “CaaS is also growing the potential opportunity for crime – even people that don’t have a criminal background can now contribute towards cybercrime. It is raising the criminal threat to a level where organisations, and even nation states that can make use of these tools.”

So is there any hope of a fightback by governments, organisations and law enforcers? Not according to Toussain.

“Law enforcement is by its very nature reactive, and for many organisations this may already be too late. Moreover, law enforcement has failed to effectively combat existing threats and continues to allow these black-market services to grow into a burgeoning industry,” he said. “There are a host of difficulties including international and extradition restrictions imposed upon the law enforcement community that make it unlikely we will see a marked improvement in the short-term.”

In fact, many experts suggested that a bigger impact on the problem could be made if organisations just got better at cybersecurity, making themselves a harder target.

“Law enforcement tries to disrupt trust in the black markets. These are anonymous activities, so if people don’t trust the seller, the market goes away. But the are many, many markets,” said James Lewis, director of the technology and public policy program at thinktank the Center for Strategic and International Studies. “Better security is always good, and this includes basic hygiene and thinking about encryption and backup to manage ransomware risk.”

Bromium CEO, Gergory Webb unsurprisingly believes that security technology can play a part here, providing innovative solutions to help keep corporates safe.

“The platform criminality model is productising malware and making cybercrime as easy as shopping online. Not only is it easy to access cyber-criminal tools, services and expertise: it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as The Web of Profit continues to gain momentum,” he explained. “We can’t solve this problem using old thinking or outmoded technology. By focusing on new methods of cybersecurity that protect rather than detect, we believe we can make cybercrime a lot harder.”

However, responsibility lies not just with law enforcement, CISOs or the security industry, but also the online platforms like Facebook that are abused by cyber-criminals to steal personal data, spread malware, trade attack tools and techniques, launder money and more.

“In terms of industry, the reactive security posture that many firms adopt is not enough and must improve if we are to disrupt hackers’ revenue channels, whether that is software enabled or developing better security skills for staff members,” concluded McGuire.

“But the missing element of responsibility is what legitimate platforms themselves can do. They have to get organised with regards to cybercrime and step up to the plate with better measures and much more transparent data practices.”