“MaaS” – Malware as a Service

We’re familiar with the “as a service” offerings that are commonly used to support or augment our IT applications, platforms, and infrastructure:

1. “Saas” – Software as a Service – Typically, these are best known as cloud applications. These days, we use these more than we use software installed on our own premises.  These services provide cost and scalability benefits through a browser interface.
2. “IaaS” – Infrastructure as a Service – Also well known, these offerings are typically used to expand our infrastructure. Example may include augmented computing, storage, and network capabilities, provided by a third-party and appearing as a seamless expansion.
3. “PaaS” – Platform as a Service – The least common service offering, PaaS is generally used to develop and deploy solutions. The primary purpose PaaS is to support the entire web application lifecycle.  The service typically supports the design, development, testing, and deployment of the solution.

Over the last several years, an additional service has begun to appear, “MaaS” or Malware as a Service.  What is MaaS?  This service provides the illegal lease of software and hardware designed to carry out cyber-attacks.  Typically, owners of the MaaS provide the attackers a botnet service that offers the ability to disseminate malware.  In return, the MaaS providers are paid for the use of this service.

You most likely will not find MaaS providers in a typical web search.  These entities hide on the Dark Web.  These services are dangerous because it allows the criminal to distribute the malicious code without deep technical knowledge or development skills.

What can we do to protect our organization from Maas?

With the existence of MaaS, the variable most likely to change is frequency.  It is important to focus on keeping our cybersecurity controls updated and current.  These would include:

1. Training and Education that highlights the impact of Malware
2. Applying Infrastructure, Software, and Operating System Patches as prescribed
3. Maintaining up to date Malware protection
4. Implementing appropriate and current web filtering and email scanning utilities

At the end of the day, most Malware depends on the actions humans take to allow it to penetrate their environment.  Remain vigilant and understand the risks.