Defending Against the Expanding as-a-Service Threat Landscape

Written by

The concept of crime-as-a-service started more than a decade ago with fake antivirus software. Next came botnets-as-a-service, and, at this point, criminals realized they had built a lot of infrastructure and sought to monetize it further. They added DDoS-as-a-service and expanded from there. Today, cyber-criminals have expanded their ‘as-as-service’ repertoire to include everything from ransomware-as-a-service (RaaS) to reconnaissance-as-a-service and even money laundering-as-a-service (LaaS).

We’re seeing the vast proliferation of more sophisticated and scalable attack vectors based on this premise. Malicious actors are developing strategies to weaponize emerging technologies at scale by combining them with advanced persistent threat techniques. They are aiming not only for the standard attack surface but also outside conventional network environments. To avoid detection, intelligence and controls, they are also devoting more time to reconnaissance. 

In short, cyber risk is increasing and security teams must be just as quick-thinking and methodical as their attackers. Let’s examine what’s on the horizon for those teams to tackle in terms of criminal-as-a-service offerings.

Crime à la Carte

A growing number of new attack vectors will be accessible as-a-service via the dark web to support a considerable expansion of cybercrime-as-a-service (CaaS) based on the success of RaaS. There will be an increase in one-off services. Threat actors of all skill levels find the business model of CaaS appealing since they can quickly take advantage of turnkey services without spending time and money developing an original attack strategy. And for experienced criminals, offering attack portfolios as-a-service offers a straightforward, fast and recurring payout. 

Here are two new services to watch for:


As attacks grow more targeted, threat actors could employ dark web ‘detectives’ to find information on a specific target before launching the attack. Similar to the knowledge one could acquire by hiring a private investigator, reconnaissance-as-a-service could offer attack blueprints. To help an attacker conduct a highly targeted and effective attack, this would include service offerings, including an organization’s security schema, the number of servers they have, known external vulnerabilities, key cybersecurity personnel and even compromised logins for sale, among other information. Stopping attackers earlier during reconnaissance will therefore be crucial.

Money Laundering-as-a-Service

Leaders and affiliate programs of cyber-criminal organizations use money mules to help launder money. Setting up money mule recruiting campaigns has traditionally taken a lot of time since cyber-criminals would have to fabricate bogus firms’ websites and job postings to give the impression that their operations are real. But soon, they will use machine learning for recruitment targeting, allowing them to identify potential mules more quickly and accurately. Automated services that transfer money via many crypto exchange layers will take the place of manual mule campaigns, making the transaction faster and harder to track. LaaS, a component of the expanding CaaS portfolio, may soon become widely used.

Practical Defense Measures

Cybersecurity awareness education and training are two of the most crucial ways to combat these advances. Also, keep in mind that remote workers, not just organizations, are susceptible to cyber-attacks. Everyone can benefit from continual education on best practices to protect people and organizations. While many businesses give basic cyber hygiene security training, they should consider adding new courses that teach employees how to recognize evolving threats like AI-enabled attacks.

AI and automated threat detection are essential tools for enabling enterprises to neutralize threats quickly and effectively at scale, especially across individual endpoints. Zero trust methodologies must be deployed to provide secure access for WFH employees.

Cyber-criminals can be lured with the aid of deception technologies, which can be used to combat both RaaS and CaaS during the reconnaissance stage. Organizations can learn more about their adversaries and gain an advantage using cybersecurity deception. 

To better prepare for up-and-coming attack types, it will be crucial to look outside the organization for hints. Digital risk protection (DRP) services are essential for doing external threat surface assessments, identifying and fixing security flaws, and gaining contextual insights into present and impending dangers before an attack occurs. Similarly, IT security teams must collaborate with other defenders via knowledge sharing to stay one step ahead of the bad guys.

Defeating the as-a-Service Menace

The realm of cybercrime and, more broadly, the attack strategies used by cyber adversaries continue to rapidly expand. The growth of criminal as-a-service offerings, in particular, will increase the threat volume and require new defensive strategies. AI should be included in security tools to improve their ability to recognize attack patterns and thwart threats in real-time. In the current threat environment, a collection of point security solutions is ineffective. Reducing complexity and boosting security resilience requires a comprehensive, automated and integrated cybersecurity mesh platform. It can make it possible for tighter integration, greater automation, and a quicker, more organized and effective response to threats network-wide. With a cybersecurity platform approach, organizations will be better positioned to protect against as-a-service attacks.

What’s hot on Infosecurity Magazine?