Friday, November 30, 2018

CDN and AI in Network Exploitation (Pt.2)

[https://threatpost.com/how-shared-pools-of-cloud-computing-power-are-changing-the-way-attackers-operate/138108/]

In many ways this migration to the cloud mirrors that of legitimate businesses.

It is much less financially advantageous for attackers to maintain large botnets and maintain the knowledge and expertise needed to avoid detection and grow the bot. The fact that it is much easier to pay somebody else to maintain these things and simply rent time should sound very familiar to anybody that uses a cloud service application like Salesforce or Oracle. The advantages for the attackers are very similar to the advantages gained by a legitimate business. Attackers can offer chunks of their botnet or attack infrastructure for sale. They can gain more money, usually bitcoins, by segmenting their entire bot and selling time on it individually.

DDoS-as-a-service has been around for quite some time and was probably the first foray into the attack-as-a-service model. DDoS-as-a-service was very successful because it removes the necessity for maintaining a large botnet from the attackers themselves. Bot herders could focus instead on growing their botnet and modifying the malware that they used in order to exploit new systems rather than worrying about how much an individual attack was going to impact the botnet as a whole.
From there it was a very short jump to segmenting the bot and allowing multiple customers to use chunks of it as they needed, rather than throwing the full weight of the bot at a given target. Many of these services operate under the aegis of a “stresser service” that lets website owners make sure their sites work under load. However, this was merely a fig leaf for the real purpose, which was allowing anybody with bitcoin or a credit card to purchase time on a bot and direct attack traffic to a website of their choosing.

The success of this model drove other types of attacks to migrate to the service model. Ransomware-as-a-service became a very profitable endeavor. Ransomware authors sell turnkey solutions to anybody that has money, and provide secure communications and, in some cases, even technical support for the victims.

Today, we see a large number of different types of attacks-as-a-service and this makes it very easy for low sophistication attackers to use very high sophistication tools and techniques. Skilled malware authors can use very advanced techniques that would normally be out of the reach of low sophistication attackers, and rather than worrying about being targeted by law enforcement, can simply sell a subscription or a turnkey solution.
This evolution creates new challenges for defenders.

In the past, it was easy for researchers and security teams with some experience to identify hosting providers that were known to originate attacks and put their address ranges into a network blacklist. This was an easy way to blunt a large number of attacks. However, as attackers move to cloud services, the fact that there are so many different tenants sharing those cloud address ranges makes it difficult or impossible to block the IP ranges without collateral damage, and so the chance of an attack getting past the network blacklist increases dramatically.
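To make the shared-tenancy problem concrete, the following added example (not code from the original post or the Threatpost article) checks a legacy range-based blocklist against a table of shared cloud address space and recommends a per-IP block instead of a range block where a range would also hit other tenants. All CIDRs and the provider labels are constructed placeholders from the documentation ranges; a real deployment would load the provider's published IP range feed. The fallback of blocking the surrounding /24 for non-cloud hosts is an assumption standing in for the old "block the hosting provider's range" practice.

```python
import ipaddress

# Constructed sample data: a legacy blocklist of "bad hosting" ranges.
LEGACY_BLOCKLIST = [
    "198.51.100.0/24",   # constructed: single-tenant host known to originate attacks
    "203.0.113.0/26",    # constructed: a slice that lies inside shared cloud space
]

# Constructed stand-in for a cloud provider's published address ranges.
SHARED_CLOUD_RANGES = {
    "203.0.113.0/24": "example-cloud-region-a",   # placeholder label
    "192.0.2.0/24": "example-cloud-region-b",     # placeholder label
}

# Constructed attacker IPs as they might appear in a firewall or web log.
OBSERVED_ATTACKERS = ["198.51.100.77", "203.0.113.45"]


def overlapping_cloud_range(network, cloud_ranges):
    """Return (cloud_network, label) for the first shared cloud range that
    overlaps `network`, or None when the network is not shared cloud space."""
    for cidr, label in cloud_ranges.items():
        cloud_net = ipaddress.ip_network(cidr)
        if network.overlaps(cloud_net):
            return cloud_net, label
    return None


def classify_blocklist(blocklist, cloud_ranges=SHARED_CLOUD_RANGES):
    """Map each legacy CIDR to 'range_block' (no multi-tenant overlap, safe to
    keep as a range) or 'per_ip_review' (overlaps shared cloud space, so a
    range block would also cut off unrelated tenants)."""
    verdicts = {}
    for cidr in blocklist:
        net = ipaddress.ip_network(cidr)
        hit = overlapping_cloud_range(net, cloud_ranges)
        verdicts[cidr] = "per_ip_review" if hit else "range_block"
    return verdicts


def recommend_block(observed_ip, cloud_ranges=SHARED_CLOUD_RANGES):
    """For one attacking IP taken from a log, return the narrowest sensible
    block: a /32 tagged with the provider label when the IP sits in shared
    cloud space, otherwise the surrounding /24 (assumed legacy practice)."""
    ip = ipaddress.ip_address(observed_ip)
    host_net = ipaddress.ip_network(f"{ip}/32")
    hit = overlapping_cloud_range(host_net, cloud_ranges)
    if hit:
        _, label = hit
        return {"block": str(host_net), "scope": "single_ip", "provider": label}
    legacy = ipaddress.ip_network(f"{ip}/24", strict=False)
    return {"block": str(legacy), "scope": "range", "provider": None}


if __name__ == "__main__":
    for cidr, verdict in classify_blocklist(LEGACY_BLOCKLIST).items():
        print(f"{cidr:<18} {verdict}")
    for ip in OBSERVED_ATTACKERS:
        print(ip, "->", recommend_block(ip))
```

Entries flagged `per_ip_review` are the ones where the old blacklist approach now breaks: the /26 inside the shared cloud range would take down every other tenant in that space, so the recommendation narrows to the single offending address, and the provider label gives the analyst the abuse contact to pursue instead of a wider block.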

Additionally, this type of business makes it possible for low sophistication attackers, or attackers without any knowledge at all, to be able to wield very complicated attack tools against targets simply by paying for a license key.

New technologies are constantly reshaping the business landscape, but business leaders also must consider how these can enable new attacks – or make old mitigations obsolete.
