You might think that the hackers bringing down organizations and infrastructures are government-trained, highly advanced coders. The truth is far less dramatic, but of far greater concern to security professionals. Many powerful exploits have found their way into the hands of amateurs, who would never have been able to create them themselves. It’s the cyber equivalent of letting kids play with matches.
This threat from “script kiddies” joins traditional threats from recreational hackers and professionals as the main cybersecurity threat actors. Here’s a rundown of each threat and the risk it poses to organizations.
Script kiddies are novices who don’t know how to code but use existing software to launch attacks. The flexibility, widespread popularity and power of open-source programs are a double-edged sword. We’ve seen how these technologies have been easily usurped to launch a DDoS attack. Script kiddies who learn HTML and web development can launch their own fake sites or phishing attacks, similar to methods the Russians used against the DNC. Although most script kiddies are just looking for a good time, the great “democratization” brought about by easy-to-use open-source software means more people can exploit vulnerabilities even if they aren’t pros.
Recreational hackers are people who can program and who target specific sites for personal reasons, such as holding a grudge against a particular company or wishing to make a statement. These are attacks designed to cause embarrassment (e.g., hacking a security company) or publicize a political message (e.g., posting “Fur kills” on a luxury store’s website), rather than to make money.
Professionals are almost always in it for the money, although some will go after large, more secure networks to prove their skills or to make a point. It’s important to remember that professionals often work in teams, with specific targets in mind, planning to steal either money or data that can be turned into money easily. Professionals may be financed by other criminals, with proceeds being split after a crime is committed.
Despite their differences, these hackers have one thing in common: they tend to go after the targets they can handle that offer the greatest reward with the least effort involved. In other words, script kiddies and recreational hackers will be looking for tried-and-true ways into networks, with the kiddies often using the easiest tricks possible. Even the professionals may be looking for open doors, rather than locked ones.
Looking for Threats in All the Wrong Places
News stories about cybersecurity these days tend to focus on high-profile zero-day vulnerabilities and security breaches. While both are interesting, the former doesn’t always lead to the latter. In fact, the current over-hyping of zero-day threats is what we’ve referred to as “looking for bugs in all the wrong places.” It’s not just that zero-day threats represent only 3% of all new vulnerabilities in 2019 so far; it’s that they divert attention from the vulnerabilities that are actually being exploited in the wild. Going after zero-day threats first is like focusing only on vulnerabilities that have a “Critical” CVSS rating: it generally means ignoring the most serious threats to your business. It’s essential to focus your limited resources on the vulnerabilities that pose the greatest risk to your specific network and its assets.
More often than not, those threats are due to already known vulnerabilities, not zero-days. Both the catastrophic Equifax and WannaCry breaches were caused by known vulnerabilities. In the case of Equifax, the attack lasted 76 days, starting 5 days after the exploit was observed in the wild and a solution had been posted. During this time hackers stole the personal data of over 148 million consumers. Likewise, with WannaCry, the solution was posted 2 months before the attack. In the first case, not only was a door left open, but thieves had already begun making use of it, with the owner in the house attending to something else. Although zero-day vulnerabilities may get exploited, the vast majority of attacks make use of already known vulnerabilities.
Constant Vigilance Is The Best Defense
Hackers of all types look for the easy way into networks. For script kiddies, the simple way may be the only way, but they can be painfully good at it. Even in high-profile breaches such as the ones mentioned, hackers with sizable ambitions will still take advantage of what is familiar and known and exploit it.
To hold an advantage over hackers in this day and age is no small feat: they’re canny and ruthless, and they are keeping a close eye on your vulnerabilities. A good risk-based vulnerability remediation solution that continuously monitors threats, assesses vulnerabilities and drives forward remediation is the only way to ensure that your enterprise won’t fall to a preventable attack.