The transformation from racks of physical hardware hosting sites and services to cloud computing has provided organizations with better flexibility and reduced costs. Attackers have seen the benefits to this model and are also taking advantage of cloud computing to make more money, evade detection and empower new threat actors.
There are probably few security professionals that don’t have a list of “clean” and “dirty” hosting providers. Many of us can recognize IPs that come from these dirty providers on sight. We know the ones that don’t ask questions, don’t patch their software, and look the other way when a flood of attack traffic comes from one of their data centers.
Technology evolves, and more and more organizations are using cloud services from multiple vendors. Each provides flexibility as well as a cost reduction.
Attackers evolve too, even if their end goals often remain the same. Attackers quickly learned how to compromise and take advantage of hosting providers. Savvy attackers turned to cloud infrastructure as a way of enabling new types of attacks. DDoS-as-a-service, malware-as-a-service, and ransomware-as-a-service are all options available to attackers in the underground economy and on the dark web today. Other attackers use stolen credit cards or other stolen credentials to buy time on a cloud service provider. This allows them to spin up an attack quickly and then move on when the credentials are locked or the cloud instance is purged.
In many ways this migration mirrors that of legitimate businesses. It is much less financially advantageous for attackers to maintain large botnets themselves, along with the knowledge and expertise needed to avoid detection and grow the bot. It is much easier to pay somebody else to maintain these things and simply rent time, which should sound very familiar to anybody that uses a cloud service application like Salesforce or Oracle. The advantages for the attackers are very similar to the advantages gained by a legitimate business. Attackers can offer chunks of their botnet or attack infrastructure for sale. They can earn more money, usually in bitcoin, by segmenting their entire bot and selling time on each segment individually.
DDoS-as-a-service has been around for quite some time and was probably the first foray into the attack-as-a-service model. DDoS-as-a-service was very successful because it removes the burden of maintaining a large botnet from the attackers who use it. Bot herders could focus instead on growing their botnet and modifying the malware they used in order to exploit new systems, rather than worrying about how much an individual attack was going to impact the botnet as a whole.
From there it was a very short jump to segmenting the bot and allowing multiple customers to use chunks of it as they needed, rather than throwing the full weight of the bot at a given target. Many of these services operate under the aegis of a “stresser service” that website owners supposedly use to make sure their sites work under load. However, this was merely a fig leaf for the real purpose, which was allowing anybody with bitcoin or a credit card to purchase time on a bot and direct attack traffic at a website of their choosing.
The success of this model drove other types of attacks to migrate to the service model. Ransomware-as-a-service became a very profitable endeavor. Ransomware authors sell turnkey solutions to anybody that has money, and provide secure communications and in some cases even technical support for the victims.
Today, we see a large number of different types of attacks-as-a-service, and this makes it very easy for low-sophistication attackers to use very high-sophistication tools and techniques. Skilled malware authors can use very advanced techniques that would normally be out of the reach of low-sophistication attackers and, rather than worrying about being targeted by law enforcement themselves, can simply sell a subscription or a turnkey solution.
This evolution creates new challenges for defenders.
In the past, it was easy for researchers and security teams with some experience to identify hosting providers known to originate attacks and put their IP ranges into a network blacklist. This was an easy way to blunt a large number of attacks. However, as attackers move to cloud services, the fact that there are so many different tenants sharing those cloud IP ranges makes it difficult or impossible to block the ranges wholesale without also blocking legitimate traffic, and so the chance of an attack getting past a network blacklist increases dramatically. Additionally, this type of business makes it possible for low-sophistication attackers, or attackers without any knowledge at all, to wield very complicated attack tools against targets simply by paying for a license key.
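To make the blacklist problem concrete, here is an added example (written for this page, not the author's or Akamai's code) that runs a range-based blocklist and a per-source request-rate check over a small constructed access log. The IP ranges use RFC 5737 documentation prefixes and the log lines, thresholds and the split between a “dirty” hoster and a multi-tenant cloud range are all assumptions made for illustration.

```python
"""Added example, not from the original article: a range blocklist versus a
per-source rate check on a constructed access log."""
import ipaddress
from collections import defaultdict

# Constructed "dirty" hoster range: one abusive operator, block it wholesale.
DIRTY_HOSTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed multi-tenant cloud range: attackers and legitimate customers
# share it, so blocking the whole range hits both.
CLOUD_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed log entries: (unix_time, source_ip, path).
#   198.51.100.7  - rented cloud instance hammering /login (5 req/s for 12 s)
#   198.51.100.42 - ordinary customer of the same cloud provider
#   203.0.113.9   - host on the "dirty" provider (3 req/s for 10 s)
#   192.0.2.15    - unrelated visitor
SAMPLE_LOG = (
    [(1000 + i // 5, "198.51.100.7", "/login") for i in range(60)]
    + [(1000 + i * 10, "198.51.100.42", "/") for i in range(6)]
    + [(1000 + i // 3, "203.0.113.9", "/wp-login.php") for i in range(30)]
    + [(1005, "192.0.2.15", "/"), (1020, "192.0.2.15", "/about")]
)


def in_any(ip, nets):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def range_blocklist(log, dirty_nets, cloud_nets):
    """Old approach: decide per source purely on the originating range.

    Returns ({ip: 'block' | 'allow'}, set_of_sources_a_cloud_range_block_would_hit).
    The second value shows the collateral damage of extending the blocklist
    to a shared cloud range: legitimate tenants are swept up with the attacker.
    """
    decisions = {}
    for _, ip, _ in log:
        decisions[ip] = "block" if in_any(ip, dirty_nets) else "allow"
    cloud_range_victims = {ip for ip in decisions if in_any(ip, cloud_nets)}
    return decisions, cloud_range_victims


def rate_flagged(log, window_s=10, threshold=20):
    """Behavioural approach: flag any source that exceeds `threshold`
    requests within a sliding window of `window_s` seconds, regardless of
    which provider the address belongs to."""
    per_ip = defaultdict(list)
    for ts, ip, _ in log:
        per_ip[ip].append(ts)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans < window_s seconds.
            while times[end] - times[start] >= window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    decisions, victims = range_blocklist(SAMPLE_LOG, DIRTY_HOSTER_NETS, CLOUD_NETS)
    print("range blocklist decisions:", decisions)
    print("blocking the cloud range would also hit:", sorted(victims))
    print("rate check flags:", sorted(rate_flagged(SAMPLE_LOG)))
```

Run as-is, the range blocklist blocks 203.0.113.9 but lets the cloud-hosted attacker 198.51.100.7 through, and adding the cloud range to the list would also cut off the legitimate tenant 198.51.100.42. The rate check flags both attacking sources and leaves the customer alone, which is the kind of per-source or per-behaviour signal defenders fall back on once provider-wide blocking stops being an option.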
New technologies are constantly reshaping the business landscape, but business leaders also must consider how these technologies can enable new attacks or make old mitigations obsolete.
(Mike Kun, information security manager, Akamai Technologies. Kun is the manager of Akamai’s Customer Security Incident Response Team (CSIRT). He is also responsible for directing threat intelligence gathering activities and researching the tactics, techniques and procedures of many types of attackers. Kun is a veteran of Akamai Technologies and has previously worked with the Enterprise Security and Information Security teams.)