Hacking-as-a-Service (HaaS) is fast becoming a business enterprise driven by consumer demand, as well as a competitive development of quality goods and services.
The professionalization of this marketplace supports much of the hostile activity being observed on the Internet. These underground repositories are competitive, offering products of varying price points and capability for the consumer.
Perhaps more disconcerting is the fact that this type of model allows actors with no discernible hacking skills to purchase the capability, thereby enabling any individual to become a hacker, if the price is right.
A 2014 RAND Corporation study on the underground marketplace highlighted this evolution, asserting that hacker markets are operating much like any other legitimate economic system where consumers place orders, suppliers deliver them, and competition among vendors to provide “satisfaction guaranteed” deliverables is becoming more common.[i]
Some prominent foreign languages spoken in underground markets include Brazilian Portuguese,[ii] Chinese,[iii] and Russian.[iv] However, specific underground marketplaces continue to surface despite law enforcement efforts to break them up and arrest their leadership.
The Real Deal (a site featuring 0-day exploits for sale),[v] and the Hacker’s List (a site seeking to match up hacker services to consumers)[vi] are just two examples of how these marketplaces are evolving.
The underground markets were once disparate islands in cyberspace; their professionalization is ultimately making them more resilient. Proper vetting, quality products, customization, and price points that are tailored for all levels of customers have made hacking-as-a-service a big business.
Particularly notable is the fact that it is not just cyber criminals benefitting from these outlets. There has been an increasing overlap between traditional cyber criminals and cyber espionage actors.
Indeed, many of the tactics, techniques, and procedures (TTPs) employed by both sets of actors are remarkably similar.
Both actor sets have been known to employ spear phishing and socially engineered e-mail messages tailored to the recipients, as well as using the same tools, to increase their success in compromising targets.[vii]
What this means is that groups suspected of being sponsored by or in the employment of a nation state may be using or purchasing the same tools as cybercriminals to impede attribution efforts. To further complicate matters, HaaS facilitates the overlap of mission areas of these actor sets, who may engage in both criminal and espionage activities.
Indeed, both Chinese and Russian hackers involved in espionage activities have also been linked to profit-motivated cybercrime.[viii]
Examples of Hacking-as-a-Service Threats
The emergence of HaaS is changing the threat landscape by bringing with it a new, growing collection of increasingly complex threats. In the mid-2000s, we observed the emergence of botnets available for hire.
Initially, they carried a relatively high price tag, but with their proliferation over the following years, prices have dropped significantly and botnets have become one of the most popular commodities traded on the black markets.
One of the most notorious botnets was the Gameover Zeus[ix] peer-to-peer botnet, which is believed to have caused at least $100 million in damages, with a main focus on the financial sector.
Remote Access Trojans (RATs) pose another major threat. These allow the cybercriminal in control to remotely access an infected system and assume control of it. RATs often feature a wide range of tools that can be abused to further compromise the target system.
A recent report on the state of financial Trojans by Symantec[x] points out that although the infections caused by Trojans are declining, the threats are increasingly sophisticated, while simultaneously more widely available[xi] and much easier to operate for crooks with limited computer-savviness.
Mobile Trojan platforms also appear to be growing, with the majority targeting the Android system. A good example is the recent iBanking RAT, which was offered on the hacking-as-a-service model for a rather high price of $5,000. Among other features, it offered a very user-friendly, web-based command & control interface.
In recent years, we have observed threats based on the recently disclosed AlienSpy[xii] framework. This particular Trojan took RATs to the next level. AlienSpy targeted both consumers and enterprises.
Delivered mainly via phishing campaigns, the Trojan was very flexible and could be tailored to a specific industry, such as banking or manufacturing. The AlienSpy platform featured a simple interface that was easy to use even for customers who are not technically inclined.
The creators of AlienSpy have good business skills and learned from their legitimate counterparts to put emphasis on usability, support, user interface, and many other sought-after aspects commonly found in successful enterprises.
One particularly interesting feature of this specific HaaS platform was that it provided its users with a way to share intelligence about successful attacks – likely including successful targets and attack vectors for each.
This makes it more dangerous and harder to track down the attacker – because there are often multiple instances of the attackers found in a single compromised system.
Ways for Organizations to Defend Themselves
The more actor sets overlap and converge, the more imperative it is for enterprises to develop a viable cyber security strategy to address these threats. No longer can an organization be confident in knowing that certain actor sets do not pose a threat to its interests.
HaaS has facilitated hacking to the degree that anyone, regardless of individual aptitude, can leverage this capability. According to a survey, the estimated “survival time” of an internet-connected computer running Windows without security patches is just four minutes.[xiii]
The products and services the underground provides continue to tilt this reality in favor of hostile actors. Regardless, there are some basic steps organizations can take toward reducing this threat:
- Resiliency is the Key: In today’s environment, perfect cybersecurity is unattainable, and many believe it’s a foregone conclusion that an enterprise, regardless of size, will be compromised. Organizations that are able to quickly identify, mitigate, and recover from intrusions will be best positioned to operate in today’s digital environment.
- Develop and Implement a Cybersecurity Strategy: There is no one-size-fits-all security model. Enterprises need to identify the key information and accesses that they possess and design a security plan around them. This will include technological as well as policy solutions. Part of this strategy is to be prepared for any and all situations, from a DDoS attack to a breach. If the company is ready and everything is in place, response time will be minimal, thereby reducing the damage done.
- Understand the Cyber Threat to Your Organization: Technical and threat intelligence is important to help organizations understand the actors’ intent, capability, and historical activity, which can help an organization inform risk management assessments and thereby devise proactive defensive strategies.
- Make Cybersecurity a Part of the Business Culture: Data security is the responsibility of everyone, as any employee may be the target of hostile actors seeking to exploit the weakest link of a security chain – the human element. Regular user awareness training, including periodic updates highlighting the latest attack trends, should be administered across the organization. Also, organizations should ensure that there is a formal process in place for employees who are leaving or have been terminated in order to reduce the insider threat.
A flexible risk management approach to addressing cyber threats is something that every organization should adopt in order to understand the threat to its unique position.
Weighing and evaluating these threats can better position an organization to allocate financial and personnel resources accordingly, while enabling them to be adaptive to the dynamism associated with hostile cyber threat activity.
Executive leadership has to be able to acclimate to an ever-changing landscape to make the best decisions for their organizations.
Co-Authored by Ondrej Krehel, CISSP, CEH, founder and principal of LIFARS LLC, an international cybersecurity and digital forensics firm. He’s the former Chief Information Security Officer of Identity Theft 911, the nation’s premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cyber security department at Stroz Friedberg and the Loews Corporation. With two decades of experience in computer security and digital forensics, he has launched investigations into a broad range of IT security matters—from hacker attacks to data breaches to intellectual property theft. His work has received attention from CNN, Reuters, The Wall Street Journal and The New York Times, among many others.
[i] “Market For Cyber Crime Tools and Stolen Data,” RAND Corporation, March 24, 2014, http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf.
[ii] “The Brazilian Underground: A Market for Cybercriminal Wannabees?,” Trend Micro, November 18, 2014, http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/brazilian-underground-market-for-cybercriminal-wannabes
[iii] Sara Peters, “In China, Cybercrime Underground Activity Doubled in 2013,” Dark Reading, September 3, 2014, http://www.darkreading.com/in-china-cybercrime-underground-activity-doubled-in-2013/d/d-id/1306921
[iv] “The Russian Underground Revisited,” Trend Micro, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-revisited.pdf#sf25040664
[v] “New Dark Web Marketplace Offers Zero Day Exploits to Hackers,” The Hacker News, April 17, 2015, http://thehackernews.com/2015/04/underground-exploit-market.html
[vi] Matthew Goldstein, “Need Some Espionage Done? Hackers Are for Hire Online,” The New York Times, January 15, 2015, http://dealbook.nytimes.com/2015/01/15/need-some-espionage-done-hackers-are-for-hire-online/?_r=2
[vii] Kelly Jackson Higgins, “Cybercrime, Cyber Espionage Tactics Converge,” Dark Reading, February 24, 2015, http://www.darkreading.com/analytics/threat-intelligence/cybercrime-cyber-espionage-tactics-converge/d/d-id/1319203
[viii] David Venable, “State-Sponsored Cyber Crime: A Growing Business Threat,” Dark Reading, May 26, 2015, http://www.darkreading.com/vulnerabilities---threats/state-sponsored-cybercrime-a-growing-business-threat/a/d-id/1320555
[ix] Nicolas Falliere and Eric Chien, “Zeus: King of the Bots,” Symantec, 2010, http://courses.isi.jhu.edu/malware/papers/ZEUS.pdf
[x] Candid Wueest, “The state of financial Trojans 2014,” Symantec, March 3, 2015, http://media.scmagazine.com/documents/111/state-of-financial-trojans-201_27711.pdf
[xi] “iBanking: Exploiting the Full Potential of Android Malware,” Symantec, May 20, 2014, http://www.symantec.com/connect/blogs/ibanking-exploiting-full-potential-android-malware
[xii] “Ratting on AlienSpy,” Fidelis Security, April 8, 2015, http://www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf
[xiii] “Getting Serious About Cyber Risk,” First Clearing, May 2013.