GUEST ESSAY: Here’s what every business should know — and do — about CaaS: crime-as-a-service

By Jack Chapman

It doesn’t matter if you want to learn a new language or figure out how to fix your broken clothes dryer; the tools, tutorials, and templates you need are available online.


Unfortunately, with crime-as-a-service, the same is true for people interested in trying their hand at cybercrime. The dark web provides virtually everything potential attackers need to make their move.

Let’s look closely at precisely what crime-as-a-service (CaaS) is, why it’s so dangerous, and how your business can defend itself.

CaaS variants

Experts define CaaS as what happens when sophisticated hackers and criminals work together to create technology, toolkits, and methodologies geared toward carrying out cyberattacks. CaaS is happening with increasing regularity. For example, an Illinois man recently faced conviction for running a website that allowed users to buy subscriptions to launch distributed denial of service (DDoS) attacks against computer networks.

Some criminals specialize in particular areas of cybercrime activity on the dark web, allowing wannabe hackers to choose from a list of crime “vendors” to execute a successful attack. For example, a hacker may choose one vendor whose specialty uses open-source intelligence (OSINT) to identify the most lucrative targets for phishing scams. In contrast, other hacking vendors may focus their efforts on planting ransomware.

What makes CaaS especially problematic is that it brings cybercrime to the masses. No longer are sophisticated hacks relegated to the world of the most technically savvy. That means even novice hackers with less-evolved hacking skills can break into business systems. Accessing and wreaking havoc in an organization can start with something as simple as a phishing email.

Mounting a strong defense

So, how does your business mount a strong defense against the growing number of cybercrime attacks? First, you must realize the risks are genuine and commit to investing in processes and technologies to defend your organization.

One good place to start is with OSINT. Determine what kind of open-source intelligence is available for your organization, as this is the first place a potential hacker is likely to look when considering an attack.

Next, you must put in place intelligent email technology to help prevent your employees, business, and network from falling victim to phishing attacks.

Why the specific focus on defending against phishing? Because it’s much easier for a hacker to dupe a human email user than it is to hack into a highly secure IT system. In other words, sending a phishing email is a low-effort, potentially high-reward way for a cybercriminal to launch simultaneous attacks. In fact, that’s how over 90% of ransomware attacks are set into motion.

In response, organizations need intelligent technology that uses a zero-trust model to analyze every email’s content before it arrives in the end users’ inbox.

Savvy businesses are taking things a step further and insisting on security solutions that use machine learning and natural language processing (NLP) to identify potential threats. Unlike reactive technology such as secure email gateways (SEGs) and social-graph technology, which can only detect threats based on the information users or administrators give them, intelligent email security can recognize even the most sophisticated phishing attempts.

This includes attacks that use open-source intelligence or compromised accounts, making intelligent email security an invaluable tool in your defense arsenal. This technology can detect the most up-to-date templates and toolkits that hackers use.

Training component

Training is critical for protecting your organization against phishing attacks. But our employees are just human, like the rest of us, and even with training they will miss a malevolent phishing email.

That’s because most security awareness training is delivered at a single point in time, and you’re relying on people to be paying absolute attention and then to remember their training when they’re “out in the field”, doing their day jobs and under a whole range of different pressures.

To ensure training modules are genuinely effective, they should be complemented with ongoing insights delivered by your security software. For example, explaining to users why an email is a phishing attack directly within their mailboxes (without allowing them to do any harm with it!).
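As an added illustration of the kind of in-mailbox explanation described above (example code, not the author's or Egress's own), the Python below parses a message and returns plain-language reasons a user could be shown. The sample message, the domains, and the indicator list are constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not from the article): the display name claims to
# be an executive, the sending domain is a look-alike of the real one, and a
# link's visible text does not match where it actually points.
SAMPLE_EMAIL = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
To: staff@example-corp.com
Subject: URGENT: wire transfer needed today
Content-Type: text/html

<p>I need this handled immediately before the auditors arrive.</p>
<p>Approve here: <a href="http://login-portal.example.net/verify">https://example-corp.com/finance</a></p>
"""

# Assumed list of pressure words; a real product would use a trained model.
URGENCY_TERMS = ("urgent", "immediately", "today", "verify")
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def explain_phish_indicators(raw: str, internal_domain: str) -> list[str]:
    """Return the reasons a user would see next to the message.
    An empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    # 1. Sender domain differs from the organisation's own domain.
    sender_domain = msg["From"].addresses[0].domain.lower()
    if sender_domain != internal_domain:
        reasons.append(f"Sender domain '{sender_domain}' is not your organisation's '{internal_domain}'")
    # 2. Subject line pressures the reader to act quickly.
    hits = [t for t in URGENCY_TERMS if t in (msg["Subject"] or "").lower()]
    if hits:
        reasons.append(f"Subject pressures you to act quickly ({', '.join(hits)})")
    # 3. Visible link text names one host, but the href goes somewhere else.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in ANCHOR_RE.findall(body):
        shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and real and shown != real:
            reasons.append(f"Link text shows '{shown}' but actually goes to '{real}'")
    return reasons

if __name__ == "__main__":
    for reason in explain_phish_indicators(SAMPLE_EMAIL, "example-corp.com"):
        print("-", reason)
```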

Crime-as-a-service has empowered even unsophisticated attackers to perpetrate potentially devastating phishing attacks. Most organizations are already trying to train their employees to effectively detect and act against phishing threats.

But you can’t stop there; ensure your organization invests in defense technology that takes a zero-trust approach to phishing, and uses natural language processing (NLP) and machine learning. By using the right technology, you’ll be taking the steps necessary to protect your business from today’s attackers leveraging crime-as-a-service toolkits.

About the essayist: Jack Chapman is vice president of threat intelligence at Egress Software Technologies. Prior to joining Egress he co-founded anti-phishing company Aquilai, where he was the CTO. Aquilai was acquired by Egress in 2021.
