Everything in IT seems to be moving toward an "as-a-service," or cloud-based, delivery model. Most organizations are by now familiar with the different parts of the cloud stack:
- Infrastructure-as-a-service: The delivery of compute, storage and networking resources from a remote third-party (public cloud) or on-premises/colocated corporate (private cloud) site, via self-service Web interfaces.
- Platform-as-a-service: Access to application development tools over an IP network, as an alternative to the company-purchased hardware and software assets traditionally used for making software.
- Software-as-a-service: Programs completely and centrally managed (i.e., updated and maintained) by a cloud service provider and made available through a Web or native application client.
This trio is by no means comprehensive. Similar naming conventions have been given to solutions billed as "database-as-a-service" or "identity-as-a-service," for example. Still, IaaS, PaaS and SaaS cover a wide range of cloud capabilities, from basic IT resources to sophisticated applications for end-users.
Many organizations have some combination of these three in mind as they plan for the evolution of their IT departments, as demonstrated in the results of the 2015 edition of the State of the Cloud Report from RightScale. The study found that an impressive 93 percent of the more than 300 large enterprises surveyed had been experimenting with IaaS. Moreover, 88 percent were using the public cloud and 13 percent were running at least 1,000 virtual machines in the cloud.
"As-a-service" comes to malware
There has been no dearth of attention to cloud security ever since companies began thinking about moving at least some of their data off-premises. Companies such as IBM, which has been trying to compete with Amazon, Microsoft and others in this space, have identified security as one of the overarching challenges of the cloud era.
"Cloud computing introduces another level of risk because essential services are often outsourced to a third party, making it harder to maintain data integrity and privacy, support data and service availability, and demonstrate compliance," explained an entry on IBM's official developerWorks Web page.
Meanwhile, cyber criminals have not only looked to take advantage of data kept in the cloud – incidents such as the ones affecting iCloud and Evernote in recent years speak to the intent and ability to do just this – but also imitate its distinctive scalability. Hence the rise of "malware-as-a-service."
MaaS theoretically brings the convenience of SaaS to viruses, worms, distributed denial-of-service attacks, etc. Just as an SaaS app like Dropbox or Slack offloads the burden of having to constantly manage and scale the supporting infrastructure, MaaS does something similar for planning and executing a cyber attack.
Think of it as a sort of do-it-yourself starter kit for cyber crime. More specifically, MaaS may provide access to botnets, support hotlines and servers that regularly update and test malware strains for efficacy. It is easy to see cyber threats evolving to become a lot like the cloud-based software that is increasingly a staple of enterprise IT environments.
Malware-as-a-service as a troubling business model
Like cloud itself, MaaS is both a new technical approach and the basis for a novel business model. The handful of individuals that dominate this growing market – the U.S. Federal Bureau of Investigation has estimated that there are fewer than 200 of them around the world – are profiting from the creation and sale of ready-to-use tools to people and organizations looking to carry out cyber attacks. In the larger context of the ongoing commodification of the resources needed to distribute malware, this trend should be one that security teams keep an eye on in the years ahead.
To see what is happening, consider the parallels to the consumer PC market. Remember when desktop computers cost thousands of dollars apiece? The Apple Lisa, for example, retailed for an astonishing $9,995 when it first hit shelves in 1983, making it more expensive, in inflation-adjusted terms, than even the 18 karat gold-plated Apple Watch Edition that now sells for up to $17,000 in 2015. But now, one can buy a highly capable PC for a few hundred bucks, or make one from scratch for even less using something like the Raspberry Pi.
A similar trajectory toward commodification has happened with DDoS attacks and malware creation. These threats once required a would-be perpetrator to have some combination of deep technical know-how, considerable hardware and software resources and an effective vehicle for delivery (e.g., compromised physical media like a CD-ROM or USB stick). The shift to MaaS has eliminated many of these requirements. We are seeing the industrialization of cyber crime in events such as:
- DDoS attacks can currently be contracted out to parties on the Dark Web for as little as $25 per hour; even the usage-based pricing of this MaaS scheme matches up with that of legitimate cloud services, making tools readily available for one-off attempts.
- A botnet of 10,000 computers can now be had for $1,000, thanks to intense competition within the MaaS realm that has gradually brought down the prices of once-expensive machines and technical wherewithal.
- Last year, a powerful banking Trojan for Android was discovered within Russia's cyber criminal underworld; it was packaged as part of a $5,000 MaaS subscription, receipts from which had helped it evolve from a simple SMS stealer into a sophisticated program that could geolocate infected devices and record and upload their audio.
Overall, the evolution of MaaS is a lot like that of cloud computing at large. Matters of technical maintenance and execution have been offloaded to cloud service providers that charge fees based on what solutions are used and for how long. The result is on-demand access to vast pools of IT resources, which in the case of MaaS can be directed toward enterprise networks as part of a damaging DDoS attack or malware distribution campaign.
What malware-as-a-service means for enterprise IT, and what can be done about it
MaaS creates a problematic, asymmetrical relationship between attacker and target. Take DDoS for instance. Whereas a DDoS perpetrator can orchestrate an attack for a pittance, the cost to the victim can be huge in comparison.
Neustar's 2015 release of its DDoS Attacks & Impact Report found that for 40 percent of businesses, a DDoS incident could cost them more than $155,000 per hour – a 470 percent increase from last year. Moreover, these attacks are lasting longer and are increasingly part of multi-pronged strategies, in which DDoS is often just a mask for other activity going on in the background.
On that note, more than half of firms that have been victims of DDoS have also seen ensuing theft of their intellectual property and/or other corporate data, according to the same Neustar report. One of its preparers specifically cited the "six dollars a month" pricing of Lizard Squad, a website stressor service, as a precipitating factor in the rise of frequent, high-bandwidth DDoS attacks.
What can enterprises do to beat back the tide? For starters, ISPs must be brought into the conversation and kept up-to-date with information about the source of any given attack, so that it can be more quickly mitigated and its command-and-control centers brought down. In addition, cloud security software will be vital to shielding the organization from the viruses that MaaS can introduce into systems while a DDoS campaign is occurring.