Cybercrime has industrialised to a point where non-skilled criminals have the help and support of skilled professionals to grow their attacks.
In the past, these people were called ‘script kids’ because they found tools other people created and used them without knowledge of how they worked.
The difference now is that the tool creators have industrialised their business with proactive operations and customer support. In fact, an MIT study suggests that these cybercrime-as-a-service groups have an operational structure that includes organisation and target selection, and a support structure that includes human resources, marketing, delivery, and technology support.
For a small amount of money, unskilled hackers can get a full service. Not only the tools they’ll use to hack your business, but support around them. If the tools don’t work, or they can’t figure something out, the service providers have a useful helpdesk to iron out problems, upsell capability, and train the hacker. We already know we need to be diligent against state-sponsored attackers; now we need to recognise another persistent threat with a different operating model — an active network of criminals looking to monetise hacking.
So what does this mean for security professionals?
An essential shift in thinking
We need to accept that bad actors no longer need skills to cause significant destruction or loss. Recently the focus has been on state-sponsored attacks (and these should still worry us) and we’ve taken our eye off script kids, dismissing them as minor irritations. We need to remember that all an attacker needs now is a willingness to break the law and a few dollars in their bank account to pay a company to provide training, malware, and support.
As organisations like BT have realised this, our operations and intelligence have shifted to look for organised patterns. We’re now seeing innovation in the criminal space: a known attack is tried over and over, and then fails. When it fails, the attackers report back to the helpdesk, the attack is adjusted by the criminal developers, and a new attack is launched. Within our own security environment, we’ve had to adjust the threat profiles of our attackers. Advanced Persistent Threat (APT) is a colloquialism for nation state, but it shouldn’t be any longer. We now should see criminals and script kids as another form of APT, because their attacks are both advanced — they change as we prop up new defences — and persistent.
Of course, threat intelligence companies are diligently working on identifying and updating attack signatures to counteract this new development. But the iteration of attacks, multiplied by the scale of willing attackers, means cyber criminals selling crime-as-a-service are a real threat that must be identified and broken up.
Unlike nation state threats, criminals — when identified — can be brought to justice. Just because our adversaries are getting more talented doesn’t mean we’re not in a position to stop them.
Partnership is the way forward
It’s easy to say what we should do: we should support each other and the police with intelligence to help identify, arrest, and prosecute criminals running crime-as-a-service.
However, it’s hard to actually do it. There needs to be a safe space for organisations and police, working together, to share intelligence without losing competitive advantage.
If we do work together, we’ll be able to support the break-up of these crime-as-a-service groups, meaning the willing, but unskilled, hackers will lose their ability to get training and support from these vendors. If all wannabe hackers had to develop their own exploits, the threat would be reduced. While it’s unlikely that this will happen, we must strive to make their lives as hard as possible — and that can only be done through coordination with each other and the police. We’re working hard in this space, and we’ve recently formed a partnership with INTERPOL to share intelligence. Perhaps this could become an effective way forward.