As-a-service offerings for things such as DDoS and malware -- including ransomware -- via exploit kits has seriously lowered the bar for entry into the criminal market. Hackers no longer need to have sophisticated skills in order to gain entry into the world of cybercrime.
According to Geoff Webb, vice president of strategy at Micro Focus, the industrialization of the processes and the availability of the tools has created this expanded forum that allows non-technical people, anyone really, to enter into the digital crime market.
And there are a myriad of super inexpensive kits available. "Whether it's the ability to quickly crack passwords or find pre-mapped enterprises to get a look inside an organization and see where their services are and what services are running, or rent a by-the-hour DDoS attack, it's made the cost of entry much lower," Webb said.
The availability of these sets of tools means that capabilities and knowledge are readily available for hire or purchase, even for those non-skilled criminals. "They are industrialized, well known, and understood. An attacker can run everything that is vulnerable to this particular attack and tailor these tools to their targets," Webb said.
For pretty cheap money, virtually anyone is able to "Take advantage of unmatched systems, unmodified administration accounts, privilege escalation, or SQL injection attacks," said Webb.
These types of attacks work, said Webb, because organizations continue to struggle with implementing those basic controls.
More sophisticated hackers are using what Webb called a 'scalpel' attack. These are often state sponsored hackers or they are working for state sponsored organizations. "They use very sophisticated technology to establish a foothold," Webb said.
What the industry is seeing now with the rise of these as-a-service exploit kits is a 'sledge hammer' style of attack. "The complexity of mitigation is the same as it's always been, but the scale is the challenge for organizations," Webb said.
What allows for the automation of these attacks, said Scott Simkin, senior threat intelligence manager at Palo Alto Networks, is the exploit kits, "With beautiful interface that infect websites with the single push of a button. They determine the vulnerability and distribute the malware, and they can leverage them without any technical knowledge."
Because attackers no longer need a technical skill set to leverage these attacks, "The people who may take advantage of that might be the folks who were once focused on more physical crime who didn’t think of the internet as a way to profit," Simkin said.
If traditional criminals are transitioning into the world of cybercrime in a way that hasn't been seen before, how will that impact enterprise security?