Malware-as-a-service (MaaS) has grown into a booming business for cybercrime organizations. The ransomware plague is estimated to have cost the world over $1bn in 2020, with attackers using MaaS to target large enterprises with critical or sensitive assets – which is known in the industry as “big game hunting.”
MaaS has become popular because it is powerful and instantly ready to use. Malware creators handle the development and maintenance of MaaS, emboldening less sophisticated threat actors by removing the need for exploit-writing technical skills. Similar to the software as a service (SaaS) revenue model, MaaS offers access to botnets that distribute malware. The paid service usually includes a personal account where non-technical cyber-criminals can control the attack and get technical support.
Beware: “Medium-Severity” Does Not Mean “Medium-Risk”
MaaS typically targets low- to medium-severity vulnerabilities that allow attackers to infiltrate under-protected corporate environments. Traditional remediation techniques focus on addressing the “most severe” vulnerabilities first, yet risk assessment is more complicated than severity alone – an insight that threat actors are now exploiting.
Enterprises using the Common Vulnerability Scoring System (CVSS) frequently chase high-severity issues while leaving medium-severity vulnerabilities unpatched for prolonged periods. However, Skybox Research Lab found that medium-severity vulnerabilities account for 41% of total vulnerabilities globally. Attackers know organizations are not addressing all their weaknesses, so they use the “less severe” vulnerabilities to infiltrate networks.
Looking at the volume of new malware samples in 2020, it is clear that the pandemic has energized criminals: New ransomware samples increased by 106% year-over-year, and all trojan types grew by 128%. Multiple incidents suggest that nation-states and international crime syndicates are turning to MaaS as a cash cow. Historically, MaaS was typically associated with novice attackers, but more recently, North Korea’s Lazarus Group reportedly leveraged Trickbot’s MaaS to carry out successful attacks.
Act Now: Double-Down on Breach Prevention and Scalability
Security teams that leave medium-severity vulnerabilities unguarded effectively open the “tills” for threat actors to “rob their stores.” To make any progress, organizations must concentrate on breach prevention. This can be achieved with three points of focus:
- Achieve complete attack surface visibility: Security teams cannot protect what they cannot see. Gaining comprehensive visibility of the enterprise environment is the foundation of a successful security program. It is critical to mitigating risks across traditional and hybrid networks spanning physical, virtual, and multi-cloud assets.
- Understand each vulnerability’s exposure level: Today, it is possible to simulate attacks before they happen through an offline, contextually aware model of the network and its security controls. A complete and detailed picture of the attack surface empowers security teams to seek out vulnerabilities in highly complex environments. By zeroing in on exploitable and exposed vulnerabilities, enterprises can know how to seal off their vulnerable assets.
- Incorporate up-to-date, accurate intelligence: According to IBM's fifth annual Cyber Resilient Organisation Report, on average, enterprises deploy 45 cybersecurity-related tools on their networks. Aggregating and analyzing data from all sources into a single solution is critical to securing modern, complex organizations. By continually collecting and aggregating configuration and security control data across disparate infrastructure, security teams can walk the path of a potential breach.
Given the expanding threat landscape, effective vulnerability management is mission-critical to protect the business. Instead of focusing solely on “big threats” with high CVSS scores, security teams can quickly identify and remediate vulnerabilities that are not protected by security controls and are most likely to be exploited. By addressing medium-severity risks, security teams will make MaaS less successful and consequently less appealing to both amateur and sophisticated threat actors.
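The exposure-aware prioritization argued for above, as an added illustration that is not part of the original article or any Skybox product: a minimal network model (zones and access rules) decides whether a vulnerable port is reachable from an untrusted zone, a threat-intelligence set flags what is actively exploited, and the resulting score ranks a medium-CVSS, internet-facing flaw above a critical one that no rule can reach. All identifiers, rules and CVSS values are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed example data: placeholder zones, rules and vulnerability ids,
# not real CVEs, products or a real network.

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int

@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    asset: str
    zone: str
    port: int
    cvss: float

def is_exposed(vuln, rules, untrusted="internet"):
    """True if any access rule lets the untrusted zone reach the vulnerable port."""
    return any(r.src_zone == untrusted and r.dst_zone == vuln.zone and r.port == vuln.port
               for r in rules)

def risk_score(vuln, rules, known_exploited):
    """CVSS is only the base; reachability and exploitation intelligence dominate."""
    score = vuln.cvss
    if is_exposed(vuln, rules):
        score *= 2.0        # reachable from the untrusted zone
    else:
        score *= 0.5        # shielded by existing network controls
    if vuln.vuln_id in known_exploited:
        score += 5.0        # flagged as actively exploited by the intel feed
    return round(score, 2)

def prioritize(vulns, rules, known_exploited):
    """Highest exposure-aware risk first, regardless of raw CVSS ordering."""
    return sorted(vulns, key=lambda v: risk_score(v, rules, known_exploited), reverse=True)

RULES = [Rule("internet", "dmz", 443), Rule("dmz", "internal", 5432)]
VULNS = [
    Vuln("VULN-A", "web01", "dmz", 443, 5.9),       # medium severity, internet-facing
    Vuln("VULN-B", "db01", "internal", 5432, 9.8),  # critical, only reachable from the DMZ
    Vuln("VULN-C", "hr01", "internal", 445, 7.5),   # high, no rule reaches it at all
]
KNOWN_EXPLOITED = {"VULN-A"}

if __name__ == "__main__":
    for v in prioritize(VULNS, RULES, KNOWN_EXPLOITED):
        print(f"{v.vuln_id} cvss={v.cvss} exposed={is_exposed(v, RULES)} "
              f"risk={risk_score(v, RULES, KNOWN_EXPLOITED)}")
```

Ranked by CVSS alone the order would be VULN-B, VULN-C, VULN-A; with exposure and intelligence applied, VULN-A moves to the top.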