What is access as a service (AaaS)?


We’ve become accustomed to a world where almost everything is a service. We have infrastructure as a service, platforms as a service, software as a service, functions as a service, and so much more. Unfortunately for us, the cybercrime industry has also moved in the direction of hyper-specialization. Illicit hacking organizations now offer access as a service (AaaS), which essentially involves selling direct access to a target organization’s network. We often call these cybercriminals initial access brokers (IABs).

Access as a service differs from more conventional forms of cybercrime. Sometimes a group will perform the entirety of an attack by itself, while at other times hackers penetrate an organization, steal data, and then sell it on the darknet. IABs play a somewhat different role in AaaS. They simply do the first few steps and then sell their access to customers, who can then do what they want with it. The criminal customer can then steal data themselves, penetrate further into the network, sabotage the systems, and more.

If we look at the lifecycle of a sophisticated attack, it generally involves something like the following stages:

  1. Initial compromise
  2. Establish foothold
  3. Escalate privileges
  4. Perform internal reconnaissance
  5. Move laterally
  6. Maintain presence
  7. Perform malicious action
  8. Cover tracks

An IAB performs some of these steps for other cybercriminals, which saves those customers time or augments their skills. In some cases, the IAB will just perform the initial compromise and establish a foothold. In others, they will keep going through the steps, escalating privileges, performing internal reconnaissance, and moving laterally. The more that the IAB does, the more the final service will cost. If they have burrowed deeply into the network of a high-value organization and escalated their privileges, the cost of access will obviously be much higher than low-level access to a mom-and-pop store.

What does access as a service mean for infosec professionals?

One of the main takeaways is to be wary of the hyper-specialization provided by AaaS and similar hacking services. If you run an organization with fairly robust security, you may think that only a very sophisticated attacker will be able to breach you. However, under a paradigm where attackers can simply outsource a bunch of the effort and chain multiple malicious services together, they don’t need anywhere near as much sophistication.

This reality has significant ramifications for smaller organizations that are attempting to do much of their security in-house. If hackers can do a bunch of outsourcing, do you really have the resources and skills to match their extended abilities? In many situations, smaller organizations may decide that the only way they can keep up with the threat landscape is to outsource more of their protections to trusted security providers.


Cybersecurity and privacy writer.
