Crime-As-A-Service Is Leveling Up – And Businesses Aren’t Prepared

Cybercrime is big business. Not just because of the payoffs from breaching organizations, but from the knowledge share industry that’s grown up around it. Thanks to online marketplaces that exist on the dark web, you don’t need advanced IT skills to compromise an organization. All you need is an internet-connected device.

This has lowered the barrier of entry to cybercrime. Now someone with a few hacking skills of their own can buy everything they need online. What does this mean for cybersecurity teams? Expect attacks to increase in both volume and sophistication.

There are a lot more businesses can (and should) be doing to level up their defenses against this rising tide of threats.

Teamwork Makes the Scam Work

In the legitimate business world, it’s impossible to find an organization that operates as an island. Most will outsource tasks, use the expertise of third parties or buy software-as-a-service (SaaS). Cybercrime is exactly the same. Hackers can pick and choose from various vendors worldwide to create their perfect hack.

Some will specialize in open-source intelligence (OSINT) to find the best targets and assess vulnerabilities. Others might be hackers-for-hire who help to create an initial breach or be willing to sell the ransomware payloads they’ve designed and built. Vendors come armed with trust scores, reviews and success stories – just like a legitimate online marketplace.

Anyone Can Be a Hacker

In the past, you might expect someone who’s compromised a significant organization to have expert system hacking skills or the ability to build advanced ransomware. Consider a modern scenario in which someone based in a foreign country wants to target a large business within the US or Europe with ransomware.

Through the dark web, they can purchase OSINT on the target business, a readymade ransomware payload, plus a phishing kit complete with email templates and automation tools. Phishing is a gift to these types of cyber-criminals, as it allows them to target the human layer of an organization. It’s far easier to get a phishing email in front of an employee than it is to hack a security system.

Going through a crime-as-a-service (CaaS) marketplace costs a prospective hacker money in the first instance, but the gains they stand to make from a successful attack are much more significant. So, what should you be doing to stay safe?

Don’t Be Marked as an Easy Target

It’s naïve to think being hit by one attack means criminal gangs will move on to another target. In fact, it’s the total opposite. Cyber-criminals within the crime-as-a-service community talk, and they know who the easy targets are. If a business has been successfully hacked, it’ll soon become common knowledge how they were breached, what was taken and where it may be vulnerable to future attacks.

This is especially true with ransomware. Research has shown that 80% of organizations hit by ransomware are targeted by a further attack – and 46% are targeted by the same cyber-criminals who hit them originally! Even if data is decrypted after a ransom is paid, attackers may have also exfiltrated data to sell or keep for further blackmail.

On top of that, criminals keep a close eye on who has cyber insurance so they can be in line for a large payout in the event of a breach. This is driving up premiums and even stopping businesses with weak cybersecurity from getting cyber insurance in the first place.

Being hit even once can leave a target painted on your back. This is why it’s so important to think proactively and focus on prevention.

Businesses Need to Step up Their Defenses

An Egress survey of enterprise IT security leaders revealed only 52% feel their organization understands which areas of their business are most vulnerable to attacks. This is a concern. For starters, are you aware of what OSINT is available about your organization online? You might be surprised.

Our survey also showed 59% of IT security leaders believe they can keep their organizations safe through video training, email reminders and VPNs. This shows a lot of faith in individual employees to defend against phishing. Yet, in the face of crime-as-a-service, people need more help from technology.

Email is the favored attack vector to target the human layer as it’s free and simple to use – plus people readily make the same mistakes over and over again, despite years of cybersecurity training. Unfortunately, traditional anti-phishing technology like secure email gateways (SEGs) isn’t up to the task of defending your human layer against the most sophisticated attacks we see today. They’re too reactive and only able to respond effectively to known threats.

You need to be looking to more advanced tools that rely on machine learning and natural language processing to detect the sophisticated tools and templates being sold in the crime-as-a-Service marketplace.