Are cyber attacks becoming more sophisticated?
If you read cyber security related stories in the news, or receive any kind of sales or marketing brochures from cyber security companies, you will doubtless hear that cyber attacks are becoming more ‘sophisticated’. Additionally, any company that ever has to publicly admit to being hacked will make this claim – ‘the attack was sophisticated’. Sophisticated in this context is a word I don’t like for a number of reasons.
Firstly, there are no metrics (that I know of) to measure ‘sophistication’ when used like this, so really the assessment of one attack being more sophisticated than another, or of sophistication increasing over time, is subjective. Secondly, it is not terribly useful for you as a defender when you are told you are facing an increasingly sophisticated threat. What does that mean in terms of things that hackers actually do? And what does it mean in how you should organise defences and, importantly, spend money? Finally, I don’t like the ‘increasingly sophisticated’ narrative because I’m not sure I see any evidence of it. Cyber attacks and threats change, as do most things over time. However, the techniques that hackers use, even the most capable, nation-state-level threat actors, haven’t really changed all that much over time.
However, I don’t want to die in a ditch on the last point as
a) some people may point to new tools being more ‘sophisticated’ (though I’d say show me the metrics) and
b) I do agree that the threat landscape is changing, and there are more capable attackers out there than there used to be.
Also I think the more salient point is my second one – what does it mean for you as a defender? So instead of using a single word, I want to explore why I think the cyber threat landscape is changing, and what it means for people trying to protect their organisations.
1. Hackers are getting more imaginative in what they can achieve
Hacking has been used for espionage, extortion, activism, theft, insider trading, pump’n’dump schemes, political influence, disruption and even causing physical damage. Gone are the days when hacking was some niche activity conducted by the curious for the hell of it. It’s an industry now, and people are learning that you can achieve a lot once you’ve compromised a domain admin account (a highly privileged user who can do almost anything they like to an MS Windows environment) at a victim organisation.
As more hacking-related activity hits the front pages, more groups with a grievance, or a criminal inclination, are going to realise they can further their aims by doing similar.
2. There are more things to hack
When I were a lad there wasn’t really much to hack. Messing around with the BBC Micro network at school was about the limit. However, we now live in a world where the FBI recently issued a warning to people to ensure they keep their cars fully patched (seriously). There are lots more things to hack now, and planes, trains and automobiles are really just the start. Everyone has a smartphone, and there are more and more home automation systems being deployed. Industrial control systems and CCTV are all being connected to the internet. If you’ve not seen it before, head over to Shodan and have a look – where Google is used to search for information on the internet, Shodan specialises in letting you search for connected things.
3. More people realise hacking is not that hard
This underpins points 1 and 2. Learning to hack is really quite easy. There are lots and lots of tutorials online (both paid and free, reputable and less so), and plenty of freely downloadable tools to play with. Most of these are aimed at security testers who act legally, and I’m certainly not arguing for controls on ethical hacking tools and training, merely making the point that there is lots of guidance available for the aspiring hacker.
Understanding why the threat environment is changing is, I hope, more useful than merely being told hackers are becoming more sophisticated. Thinking about the above points from a defender perspective allows us to consider the various devices we have that are now connected to a network, and to think more imaginatively about the different things hackers might try and achieve when targeting us. This can inform our defensive measures and incident response planning.
Thanks for reading