Attack skillsets are changing – but you still can’t trust the bad guys
08:00 Monday, 22 November 2021
UK Cyber Security Council
Being a cybercriminal is a highly lucrative business. According to one report, there were five ransomware attacks somewhere in the world every minute in 2020, and the collective world-wide cost of recovering from such attacks is destined to hit $20 billion in 2021. Similarly, the City of London Police reported that in the 12 months to March 2021, cybercrime and online fraud cost victims over £34 million: 156 people were arrested for such crimes as part of a national effort, and 2,000 web sites taken down.
The days are gone when the person hacking your system was a bright teenage boy in a hoodie and a basement, who was looking around the internet for something he could break into for fun. And this is not least because that kind of person is easily tracked down by the authorities: if the authorities could track down Matthew Broderick in the movie WarGames in 1983, they'll certainly find the average computer-literate youth 30+ years later.
Those days of hacking for fun are gone, then. Instead, and because cybercrime makes money, it is becoming increasingly professional. And commoditised. Oh, and automated: LexisNexis's 2021 report notes that between January and June 2021, human-initiated attacks had decreased by 29% compared with the same period the previous year, while automated attacks went up by 41%.
So now we are being attacked by robots (and not those nice ones that bring you sushi) from every angle. Not only that but with the introduction of Ransomware as a Service (RaaS) we are being hit by people with a much lower skill level than used to be the case. Even when a human being is perpetrating an attack it is likely that they are first using some kind of scanning tool to trawl the web looking for vulnerable systems to which they can direct their organic brain power and keyboard skills.
This brings us a problem when we come to defend ourselves against attacks, because the skills our team needs have changed radically in just a few years. We no longer see person pitted against person (or people) to try to figure out how an attack is being perpetrated and why, and what the attacker might do next. Clifford Stoll's story of tracking down attackers is now the exception rather than the rule, and even more so is the likes of Tsutomu Shimomura's story of the pursuit of his cyber-nemesis back in the 1990s.
In some ways this skills shift is a good thing, because the traditional belief was that the defender needed largely the same skills - both hard and soft skills - as the attacker. They needed to understand how the attack was being done, but also what the attacker was thinking - at least to some extent in the latter case. Why was this a problem? Simple: even back in the day, some attacks were really, really complex. This correspondent - a Comp Sci graduate who was working in IT at a university at the time - was asked by an IT magazine to write a feature explaining how the attack on Shimomura's systems was carried out. It took quite a few hours of research to understand it (bear in mind that this was pre-Google). And that was just one attack technique among dozens.
So yes, we will still need a decent level of technical understanding so we can figure out what is happening when we are attacked, but having the knowledge of a traditional hacker is not really required any more, because most modern hackers don't have that knowledge level - they're just using readily available tools to commit their crimes with little or no technical knowledge. The urge to offer cyber security jobs to ex-hackers, which many have questioned for a long time anyway, has largely receded.
Instead, we are looking away from technical skills and into analytical and inter-personal skills. If you read Cliff Stoll's book The Cuckoo's Egg, you realise that he was not an IT guy but an astronomer: he found the source of the attack through logical deduction and his ability to dig into things and learn how they worked. Today, we need the ability to identify requirements, find tools that might be useful to us (the best way to bat off an attack by a machine is to employ a machine, as a human can't think quickly enough), evaluate them and manage their installation. And alongside that it's our analytical and communication skills that enable us to figure out what is going on and work with the right people to identify and stem the attack and recover from it.
By the way: will those inter-personal skills help us negotiate with ransomware attackers when we wake up one morning and find our world encrypted? No. Don't touch that with a bargepole. There are professional companies who will do that should you take the extreme decision to pay the ransom. But anyway, ransomware attackers cannot be relied on to give your data back - according to a report from Sophos, although 96% of those whose data was encrypted got their files back, paying the ransom resulted in only 65% of data being restored on average.
It turns out that you can't trust criminals after all.