You’ve likely heard of software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and numerous other “as-a-service” platforms that help support the modern business world. What you may not know is that cybercriminals often use the same business concepts and service models in their own organizations as regular, non-criminal enterprises; i.e., the same practices the majority of their intended victims use.
As senior threat research analyst Kelvin Murray explains to Joe Panettieri, editor of Channel E2E and MSSP alert, in our most recent Hacker Files podcast, cybercrime-as-a-service “essentially follows the same path as most as-a-service things in business.” He goes on to explain, “If you were a small company in 2002 and needed to set up email, you’d set up a mail server, a mail relay, mail clients, and you might hire an email admin. And then you might have to set up things like spam filters yourself. People like Microsoft figured out that they could just provide all of [these services] from a web page and rent it out to companies and take all the hassle out of companies’ hands.” That’s the as-a-service model in a nutshell.
According to Kelvin, a very similar thing happened in the cybercriminal space. Effectively, talented criminals who’ve written successful malicious code have begun renting access to their own cybercrime “solutions” to lower-level criminals who either don’t have the resources or know-how to design, write, and execute cyberattacks on their own.
Of course, the people providing the so-called service don’t do so out of any goodness in their hearts; they do it for a cut (sometimes a significant one) of any profits made in an attack that uses their code.
Hear more about the evolution of cybercrime-as-a-service in the full podcast. Be sure to check out other discussions and recordings in our Cybersecurity Sound Studio.