Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast, having joined in 2015 with the opening of the Sydney office, where he led the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
It's a real thing. Here's how to fight back.
The concept of a mercenary dates back to ancient Egypt and has been a long-standing method for governments (or other groups) to supplement their military might.
So, it should not come as a surprise that a new type of mercenary has arisen in the cyber wars that are now waged daily. Wherever there is demand, someone will find a way to fill it, so now ‘Attack-for-Hire’ services proliferate, and you should account for their eventuality in your cybersecurity strategy.
What Is Attack-for-Hire?
A CSO article reported how easy it is to “Hire a DDoS service to take down your enemies” and stated: “The advent of DDoS-for-hire services means that even the least tech-savvy individual can exact revenge on some website. Step on up to the counter and purchase a stresser that can systematically take down a company.”
It is cheaper than you may think. BleepingComputer reported “DDoS Attacks Are $10 per Hour on the Dark Web” and provided a price list of other hacking services:
Account hacking program: $12.99
Hacked Instagram accounts in bulk: 1K-10K for $15-$60
Blow Bot Banking Botnet: Monthly rental of $750-$1,200 plus $150 support
Disdain exploit kit: $80 for a day, $500 for a week or $1,400 for a month
Stegano exploit kit: $2,000 for a day with unlimited traffic or $15,000 for a month of unlimited traffic
MS Office exploit builder: $450 for Lite version and $1,000 for full version
WordPress exploit: $100
Password stealer: $50
Android malware loader: $1,500
Western Union Hacking bug: $300
DDoS attacks: $500-$1,200 for week-long attack
ATM Skimmer, Wincor, Slimm, NCR, Diebold: $700-$1,500
Hacking tutorials: $5-$50
Given how widely available attack-for-hire services have become and how little they cost, it stands to reason that the real-world damage is potentially huge.
Caught in the Act
The good news is that crime doesn’t always pay. According to security commentator Brian Krebs, “Authorities in the United States this week brought criminal hacking charges against three men as part of an unprecedented, international takedown targeting 15 different ‘booter’ or ‘stresser’ sites — attack-for-hire services that helped paying customers launch tens of thousands of digital sieges capable of knocking Web sites and entire network providers offline.”
But this may just be the tip of the iceberg, as it appears that another 45 different booter service providers are still at large.
“In a complaint unsealed today, the Justice Department said that although FBI agents identified at least 60 different booter services operating between June and December 2018, they discovered not all were fully operational and capable of launching attacks. Hence, the 15 services seized this week represent those that the government was able to use to conduct successful, high-volume attacks against their own test sites.”
Obviously, prevention is superior to remediation. So deep inspection and analysis methods that can interpret and detect malicious code in real time and immediately block threats, preventing unwanted code from affecting your IT infrastructure, are the only way to go.
Your solution should ensure that every line of code is evaluated, making evasion techniques ineffective. The bottom line is that your organisation will be much better protected from attack-for-hire services.