It’s not uncommon for CEOs and other C-level executives to view spending on IT infrastructure and cybersecurity as a necessary evil, while speaking very proudly of security efforts and roadmaps. Falsely believing that the dangers aren’t real, even IT security is often pushed to the sidelines–as a matter to be dealt with later on, once the organization is not so busy with growing the business itself. The fear is minimized by the wishful thinking that hacking into a company’s network is an extremely difficult task that requires many skilled attackers and a specific interest in their company. Precisely this type of reasoning is what often results in businesses being ill-prepared for even a not-so-complicated type of an attack.
With most organizations today expecting their enemies to be sophisticated organized hackers or groups of hackers, it’s not hard to imagine just how unprepared organizations would be to defend themselves against cyberattacks that can be carried out by practically anyone.
The Hacking-as-a-Service (HaaS) model has been around for quite some time, but recently it has come to the attention of mainstream media with the discovery of AlienSpy–an online platform allowing any interested user with an internet connection and a credit card to carry out a potentially high cost attack on any organization of their choosing.
It also enforces a new cyber ecological balance, where profit driven by hacking has higher revenue generation than IT security budgets. According to various studies, organized cybercrime gangs collect over 400 billiondollars a year in the US (in 2014, according to a study by the McAfee Institute).
Rise of HaaS to the Mainstream
The emergence of tools and platforms such as the AlienSpy are worrying and many businesses struggle to understand the dangers and the importance of being properly prepared. These platforms are no longer just found on servers, found only on the Deep Web. They are becoming ever more mainstream and easy to find for the less technically savvy attackers. Similarly, whereas in the past users interested in using similar hacking tools had struggled to purchase them (usually, the only forms of payment accepted were bitcoins), they are now able to purchase them with a credit card, just like they would buy their groceries.
In addition, the user interface is rather appealing and easy to use, attracting users who are not particularly computer/tech-savvy–after all, they no longer need to be.
The capabilities and feature set on these tools is rather impressive, as well. AlienSpy, in particular, was built on a modular framework and is easily upgradable with additional plugins, greatly extending its capabilities. Additionally, these tools are highly flexible in terms of what systems they are able to attack. This one in particular has the ability to infect Windows, Linux, Mac OSX, and even Android devices. What’s more, it employs new anti-detection techniques that adapt to the environment it is deployed in. These include the detection and disablement of antivirus software and other security services via registry key changes and User Account Control bypass.
"The AlienSpy platform allowed anyone with little to no technical understanding to carry out a potentially high cost attack. Additionally, there are increasingly more websites sprouting around the web that feature a marketplace for hiring hackers”
Another reason tools like these are gaining popularity is the fact that they are inexpensive, really inexpensive. In fact, a malicious person could use this particular tool for only $19.99 a month (with prices going up to $219.99 for additional features). At this low of a price point, many see it as a quick way to make some extra money. What’s also very disconcerting is the fact that often, once one attack on a particular organization is successful, this information appears to be shared with other users using the same platform. As a result, companies may be facing more than one attacker using precisely the same tool–often at the same time. This makes it harder to defend and harder to do a proper forensic analysis, not to mention the fact that the costs of the data breach will rise significantly.
Hackers for Hire
Tools similar to AlienSpy are not the only threat that practically anybody has access to. There are increasingly more websites sprouting around the internet that feature a marketplace that offers hacking services. Sites such as hackerslist.com offer customers a way of achieving their (usually illegal) goals despite their lack of hacking skills. In this scenario, the hired hacker is only a tool used to accomplish the goal. A quick glance at the website reveals there are new hacking jobs posted multiple times an hour and include jobs such as website drive-by download exploits and complete server hacking and theft of sensitive company files
Prepare Now, Not Once it’s too Late
In the examples above, it’s clear to see that it’s getting easier for a regular person with little to no technical understanding to carry out a damaging cyberattack on almost any organization they wish. This is a dangerous trend and one that organizations need to be aware of. Only then can they understand the risk and undertake the proper steps necessary to improve their cybersecurity posture.
My recommendation is for organizations to seek out professional help in hardening the network defenses against attacks of this type. Many cybersecurity companies offer staff training, but my recommendation is to look for one that offer proactive, military style training for your employees and IT teams. In addition, proper policies where files with attachments and other file containers that can carry malicious payloads are inspected by a high-quality security appliance are a must. Also, policies that prevent users with low trust levels from receiving any executable files in email are recommended.
These solutions are only effective when properly implemented. Suggested approach is to consult a cybersecurity company that specializes in this area, practices a proactive approach, and investigates and remediates such persistent actors’ hackings regularly. A mistake I often see is that organizations want to save money and rely fully on their internal IT team. These teams are often not trained to perform tasks such as these and their goal is to manage the internal security program. At the end of the day, it takes a sniper to take down a sniper.