It’s long been said that when botnets first appeared, they were the first usable forms of cloud computing. Now, with hindsight, they fit the NIST definition of cloud computing very well and have become rapidly scalable and on-demand.
More recently, criminal malware has taken a turn towards being more akin to enterprise-grade software through its entire lifecycle. It’s not unusual to find that your rental of a botnet now comes with 24x7 support and channel reseller margins. Through buying exploit kits, renting botnets, and using enterprise-grade cloud technology, Crime-as-a-Service (CaaS) has become part of the latest breed of XaaS, offering the same benefits of cost and complexity reduction as well as lower barriers to entry. Using CaaS gives anyone an instant criminal business model in the cloud.
CaaS has been given much publicity since the 2014 Internet Organized Crime Threat Assessment (iOCTA) report from Europol described the commercialization and availability of the technology and how it’s impacting legitimate enterprises in real time.
The rise of CaaS is another step on the roadmap of the crimeware that has been instrumental in many of the most recent attacks, where Zeus and its variants like Citadel and Gameover have led to significant loss of data. What we know today is that CaaS is starting to have its own marketplace, run by well-organized criminal mega-gangs; support contracts for purchasers are not uncommon, nor are healthcare and pension plans for employees.
This threat takes how we think about our own protection to a new level. The high-profile breaches of the last twelve months all managed to evade well-known or best-of-breed corporate defenses, so it’s no surprise that enterprise IT managers and CIOs are starting to lose sleep about their next big breach. In many cases, this fear is born out of a realization that platforms like CaaS have become rapidly more advanced than the protections they have within their own environments.
Targeted Threat Protection is once again at the top of the agenda for C-level managers, as well as for those who deploy and run the technology. The sophistication of the attacks means we can no longer sit back and wait for our protection to do its job. We all need to become much more actively defensive – not offensive, but active in our defenses.