How It Works
How does our service work? We engage with these entities to understand how they operate, and then strip from the Criminal Software-as-a-Service (CSaaS) frameworks that run automated attacks against companies the key details needed to thwart them. We don't just seek to comprehend the frameworks themselves; we treat the entire process, from sourcing to monetization, as the puzzle to decipher.
Sourcing
How CSaaS frameworks derive which targets to victimize is as important to us as the actual operational targeting. As we mention in "Why You Need This", it's how you will break the CSaaS' ability to operate effectively against you.
A core component of criminal decision making revolves around data availability, especially data that already arrives in a pre-formatted or streamlined package. But the data fed into CSaaS frameworks doesn't show up that way. It begins its journey to becoming the critical information CSaaS uses to victimize a target in several key ways:
Info stealer
Strengths: Coherent and structured data. Requires little refinement. Easy adoption to CSaaS frameworks.
Weakness: Limited variety. Randomness of victim requires cleaning and parsing.
The simplest and most commonly acquired source feeding CSaaS frameworks. Info stealer activity is mostly untargeted, and after infection and the upload of the stolen data it goes through one of the longest data journeys. It begins life as an archive of stolen data and is then parsed and recompiled into everything from a ULP log file to initial access details that open the door to company enterprises.
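As an added, defender-side illustration of the ULP material described above (example code written for this page, not the service's own tooling): the block below parses stealer-log rows in the assumed URL:login:password layout, which is what ULP is taken to stand for here since the page names the format but does not define it, discards the password field, and flags only rows whose hostname belongs to a domain you monitor, so the output can drive credential resets rather than being kept as is. The sample rows and the monitored domain example.com are constructed.

```python
"""
Added example (not from the original page): a defender-side check over
stealer-log rows in the assumed "URL:login:password" (ULP) layout. It keeps
only rows that touch domains you own, drops the password field on read, and
de-duplicates (host, login) pairs so the result is a reset list, not a log copy.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample rows in the assumed URL:login:password layout. The last
# two are deliberately a near-miss domain and a malformed line.
SAMPLE_LOG = """\
https://login.example.com:443/auth:alice@example.com:Winter2024!
https://shop.example.com/account:bob:hunter2
https://mail.other-corp.test/owa:carol@other-corp.test:pa55
http://sso.example.com/saml:alice@example.com:Winter2024!
https://login.example.com/auth:alice@example.com:newpass
notexample.com/login:dave:x
this line is malformed
""".splitlines()


@dataclass(frozen=True)
class Exposure:
    host: str     # normalised hostname taken from the URL field
    login: str    # account identifier as captured by the stealer
    matched: str  # monitored domain that caused the match


def parse_ulp_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one URL:login:password row; None for blank/comment/malformed rows.

    Assumption: login and password contain no ':'. URLs do (scheme, port), so
    the split is taken from the right to keep the URL intact.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.rsplit(":", 2)
    if len(parts) != 3 or not parts[0]:
        return None
    return parts[0], parts[1], parts[2]


def host_of(url: str) -> str:
    """Lower-cased hostname without port; rows often omit the scheme."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def in_scope(host: str, monitored: Iterable[str]) -> Optional[str]:
    """Return the monitored domain that host equals or is a subdomain of.

    Suffix matching is anchored on a '.' so notexample.com does not match
    example.com.
    """
    for dom in monitored:
        dom = dom.lower()
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def find_exposures(lines: Iterable[str], monitored: Iterable[str]) -> Tuple[List[Exposure], int]:
    """Return (unique in-scope exposures, count of rows that failed to parse)."""
    monitored = [d for d in monitored]
    seen: Set[Tuple[str, str]] = set()
    found: List[Exposure] = []
    skipped = 0
    for line in lines:
        rec = parse_ulp_line(line)
        if rec is None:
            skipped += 1
            continue
        url, login, _password = rec  # password is never retained or logged
        host = host_of(url)
        dom = in_scope(host, monitored)
        if dom is None:
            continue
        key = (host, login.lower())
        if key in seen:
            continue
        seen.add(key)
        found.append(Exposure(host=host, login=login, matched=dom))
    return found, skipped


if __name__ == "__main__":
    exposures, bad = find_exposures(SAMPLE_LOG, ["example.com"])
    for e in exposures:
        print(f"reset needed: {e.login} on {e.host} (matched {e.matched})")
    print(f"{len(exposures)} unique exposures, {bad} unparseable rows")
```

The rsplit-based parser is the weak point to keep in mind: a password containing ':' will be split in the wrong place, so treat the parse as a triage filter and verify hits against your identity provider before acting on them.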
Web Compromise
Strengths: Focused, coherent and structured data. Requires little refinement.
Weakness: Higher investment.
Scam pages, website clones, and other names are doppelgängers of this activity. In short, criminals collect crucial details from victims who unknowingly provide the data themselves.
Highly-Focused
This data is very focused on an individual brand or technology.
Recon
Strengths: Focused, coherent and structured data. Requires little refinement.
Weakness: Limited variety. Higher investment.
Performing research and reconnaissance on potential victims is the norm across all slices of the criminal population. This activity, whether done through custom tools or mainstream ones, is resold and makes its way into CSaaS hands.
Exploit Enrichment
This data is normally paired with exploits to raise its value in the criminal marketplace. In many cases, recon data is sold the inverse way, by exploit paired with viable targets.
Data breach
Strengths: Variety of data.
Weakness: Can be incoherent. No focus. Requires cleaning, parsing, and enrichment. Random in nature, it can contain the full breadth from useful to useless information.
Perhaps the simplest source to point out is the mass of data that enters criminal spaces when a leak or extraction of data occurs. While rich in the data needed, the information is poorly structured for CSaaS frameworks. Outside of a few standouts, breach data has to be cleaned, parsed, and then enriched to become useful.
AI-Enrichment
Criminals continue to find new ways to link the escalating growth and capability of AI to their own needs. Enriching data with the missing components needed to wield it in an attack is only one of the ways this integration is occurring.
Operation
CSaaS operational security is strong. The criminal enterprise is a lucrative one, and most frameworks operate in an organizational model that reduces the impact and likelihood of infiltration or internal disputes. Still, each CSaaS has its own favorites that it draws on for sourcing targeting information. Knowing who provides the logistics for a CSaaS framework can point to who is being targeted, as well as where that data originated. As we mention in "Why You Need This", you will use this information to predict and shut down the areas where the CSaaS is gaining the ability to operate effectively against you.
Rolling 24-month Study
We've watched this data and coordinated with customers for years. In doing so, we have seen that more than 60% of the activity customers observe is driven by CSaaS frameworks. This alone means you can predict with strong certainty what attacks are inbound, in a regular and predictable way.
Why only 24 months? While we have performed this activity across four years now, the pace of innovation has reduced the effective polling window to two years. Thus, we keep a rolling 24-month window of operational activity and work with customers to understand how much of this activity they are detecting with their security stack.
Monetization
CSaaS frameworks are money-making operations. They either resell the victims they have found or take payment to attack a specific company. Their post-exploitation activity has its own markets, auctions, and sign boards for communities. CSaaS also focus hard on conversion tactics, aiming to convert buyers of their service into pre-paying users.
Closed Communities
Owning their own markets, auctions, and communities means you don't find these frameworks lingering on Tor websites or shady clearnet links. Yes, they definitely source from Tor, Telegram, and dozens of other common criminal locations, but they don't perform their mainstream money-making activity there. Exclusivity and closed communities mean higher trust and greater resilience against takedown and disruption.