The security landscape has evolved to a point where
most IT threats occur with the intention of generating financial gain for their
creators and financiers. Based on this premise, various attack or
threat types have proliferated and evolved to affect a greater number
of users and organizations.
The cybercrime “business
model” is based on creating a value chain that offers new methods, for
example cybercrime as a service, that is, the practice of
facilitating illegal activities via services. In other words, anyone could
acquire everything they need to organize frauds or cyberattacks, whatever their
skills or technical knowledge.
Cybercrime services for the highest bidder
The service sales model represents the natural
evolution of supply in a market that is responding to constantly
growing demand. This means that IT threat developers, as well as those
monetizing stolen data or holding data for ransom, have begun to extend
their portfolio, activities and operations into a market that is
requesting this type of service, whether to target companies, industries,
users, or even governments.
· Fraud as a Service (FaaS)
In the cybercrime arena, one of the industries most
affected by fraud is banking. A significant number of threats in the digital
era have been developed to generate losses for users, mainly in the credit
and debit card sector, although fraud is not limited to this
type of transaction.
Similarly, the range of threats runs from card theft,
skimming and social engineering to phishing attacks and malware such as PoS
(Point of Sale) malware and banking trojans, all with the intention of obtaining
banking data. In this context, fraud can be offered as a service, from the sale of
tools for skimming to malicious code specially developed to steal
financial data, such as Zeus.
· Malware as a Service (MaaS)
Additionally, some years ago malicious code began
to be offered as a service, developed for specific activities and in parallel
with exploit kits. Once these kits have infiltrated systems via vulnerabilities,
they can install malware to steal data and passwords, spy on
users’ activities, send spam, and access and remotely control the infected
equipment using an entire command and control (C&C) infrastructure.
This same principle has begun to be used to
propagate ransomware, that is, malicious code designed to hold files or
systems hostage and demand a payment to recover them, thus taking the principle
of extortion, as applied to the digital environment, to a new
level. Exploit kits or botnets such as Betabot have begun to diversify their
malicious activities.
· Ransomware as a Service (RaaS)
The main idea of ransomware as a service is that
the people who develop this threat are not those who propagate it;
their task is limited to developing tools that are
capable of generating this type of malware automatically. Consequently, a
different group of individuals uses these tools to create and
propagate it, whatever their skills or technical knowledge.
In this business model, both the developers of the
tools for generating ransomware and the individuals who distribute it enjoy
financial gains, in a “win-win” relationship. A well-known example
of ransomware as a service is Tox.
· Attacks as a Service (AaaS)
In the same context, attacks can be offered as a
service. For example, attacks such as distributed denial of service
(DDoS) may be the result of a large number of infected systems belonging
to a botnet, which are offered and hired out so that this type of attack can be
carried out. Moreover, they can be used to propagate more malicious code, send
unwanted mass mail, or even mine bitcoins.
Cybercrime development and cybersecurity paradigms
As is apparent, there is a wide range of IT
threats that can interact to offer new options to the cybercrime industry, and
which are available to anyone who has enough resources to
acquire them.
In the cybersecurity sector, it is important to
emphasize that the conditions that have been evolving over recent years
bring two sides face to face: those responsible for protecting key assets in
organizations, and specialized, organized groups who invest resources such
as time and money in developing these cybercrime services, in a market
which continues to demand them.
In this context, data security management has gone
from wondering whether the organization may or may not be affected to an approach
which assumes that the organization will be attacked and that it is
only a matter of time before it occurs. So, from this perspective, protection
measures can be proactive, that is, based on realistic scenarios in which
data or other critical assets may be affected, so that processes and data
are protected through a holistic approach.
This also involves developing defensive, offensive,
reactive, and proactive strategies, to try to avoid or resolve security
incidents and reduce risk to an acceptable level, in line with each
organization’s risk aversion or propensity. This approach, moreover, takes security
to be a process which cuts across the business’s essential
activities and which needs to be improved on an ongoing basis.