Years ago the typical hacking scenario involved a lone attacker and maybe some buddies working late at night on Mountain Dew, looking for public-facing IP addresses. When they found one, they enumerated the advertised services (Web server, SQL server and so on), broke in using a multitude of vulnerabilities, then explored the compromised company to their heart's content. Often their intent was exploratory. If they did something illegal, it was typically a spur-of-the-moment crime of opportunity.
My, how times have changed.
When describing a typical hacking scenario, these days you must begin well before the hack or even the hacker, with the organization behind the attack. Today, hacking is all crime, all the time, complete with bidding markets for malware, crime syndicates, botnets for hire, state actors, and cyber warfare gone amok.
Here are the nine biggest threats facing today's IT security pros.
Threat No. 1: Cyber crime syndicates
Although the lone criminal mastermind still exists, these days most malicious hacking attacks are the result of organized groups, many of which are professional. Traditional organized crime groups that used to run drugs, gambling, prostitution, and extortion have thrown their hats into the online money grab ring, but competition is fierce, led not by mafiosos but by several very large groups of professional criminals aimed specifically at cyber crime.
Many of the most successful organized cyber crime syndicates are businesses that lead large affiliate conglomerate groups, much in the vein of legal distributed marketing hierarchies. In fact, today's cyber criminal probably has more in common with an Avon or Mary Kay rep than either wants to admit.
Small groups, with a few members, still hack, but more and more, IT security pros are up against large corporations dedicated to rogue behavior. Think full-time employees, HR departments, project management teams, and team leaders. And it's all criminal, no more funny messages printed to the screen or other teenage antics. Most operate in the open, and some -- like the Russian Business Network -- even have their own Wikipedia entries. Kind of makes you wish for yesteryear, doesn't it?
Specialization and division of labor are at the heart of these organizations. A single mastermind, or an inner circle, will run the collective. Sergeants and subdivisions will specialize in different areas, with an arm dedicated to creating malware, another dedicated to marketing, another that sets up and maintains the distribution channel, and yet another in charge of creating botnets and renting them to other evildoers (see below).
It's little wonder why popular IT security practices just don't work against today's malware, given that cyber crime has evolved into a multilevel, service-oriented industry with the blatant goal of fleecing companies and people out of their money and intellectual property.
Threat No. 2: Small-time cons -- and the money mules and launderers supporting them
Not all cyber criminal organizations are syndicates or corporations. Some are simply entrepreneurial in nature, small businesses after one thing: money.
These malicious mom-and-pop operations may steal identities and passwords directly, or they may use malicious redirection to obtain them. In the end, they want money. They initiate fraudulent credit card or banking transactions and convert their ill-gotten gains into local currency using money mules, electronic cash distribution, e-banking, or some other sort of money laundering.
It's not hard to find money launderers. There are dozens to hundreds of entities competing to be the one that gets to take a large percentage cut of the illegally procured loot. In fact, you'd be surprised at the competitive and public nature of all the other people eager to provide support services to Internet criminals. They advertise "no questions asked," "bulletproof" hosting in countries far from the reach of legal subpoenas, and they offer public bulletin boards, software specials, 24/7 telephone support, bidding forums, satisfied customer references, anti-malware evasion skills, and all the servicing that helps others to be better online criminals. A good number of these groups make tens of millions of dollars each year.
Many of these groups and the persons behind them have been identified (and arrested) over the past few years. Their social media profiles show happy people with big houses, expensive cars, and content families taking foreign vacations. If they feel the slightest bit guilty about stealing money from others, it doesn't show.
Imagine the neighborhood barbeques where they tell neighbors and friends that they run an "Internet marketing business" -- all the while social engineering their way to millions, to the consternation of IT security pros who have done just about everything they can to protect users from themselves.
Threat No. 3: Hacktivists
Whereas exploit bragging was not uncommon in the early days, today's cyber criminal seeks to fly under the radar -- with the exception of the growing legions of hacktivists.
IT security pros have to contend with an increasing number of loose confederations of individuals dedicated to political activism, like the infamous Anonymous group. Politically motivated hackers have existed since hacking was first born. The big change is that more of it is being done in the open, and society is acknowledging it as an accepted form of political activism.
Political hacking groups often communicate, anonymously or not, in open forums announcing their targets and hacking tools ahead of time. They gather more members, take their grievances to the media to drum up public support, and act astonished if they get arrested for their illegal deeds. Their intent is to embarrass and bring negative media attention to the victim as much as possible, whether that includes hacking customer information, committing distributed denial of service (DDoS) attacks, or simply causing the victim company additional strife.
Political hacktivism is most often intent on causing monetary pain to its victim in an attempt to change the victim's behavior. Individuals can be collateral damage in this fight, and regardless of whether one believes in the hacktivist's political cause, the intent and methodology remain criminal.
Threat No. 4: Intellectual property theft and corporate espionage
Most IT security pros have to contend with the large group of malicious hackers that steal intellectual property from companies or perform straight-up corporate espionage. Their method is to break into a company's IT assets, dump all the passwords, and over time, steal gigabytes of confidential information: patents, new product ideas, military secrets, financial information, business plans and so on. They pass along valuable information to their customers for financial gain, and they stay hidden inside the compromised company's network for as long as possible.
To reap their rewards, they eavesdrop on important emails, raid databases, and gain access to so much information that many have begun to develop their own malicious search engines and query tools to separate the fodder from the more interesting intellectual property.
This sort of attacker is known as an advanced persistent threat (APT) or determined human adversary (DHA). Few large companies have not been successfully compromised by these campaigns.
Threat No. 5: Malware mercenaries
No matter what the intent or group behind the cyber crime, someone has to make the malware. In the past, a single programmer would make malware for his or her own use, or perhaps to sell. Today, there are teams and companies dedicated solely to writing malware to bypass specific security defenses, attack specific customers, and accomplish specific objectives. They're sold on the open market in bidding forums.
Often the malware is multiphased and componentized. A smaller stub program is tasked with the initial exploitation of the victim's computer, and once it is securely placed so that it survives a reboot, it contacts a "mothership" web server for further instructions. Often the initial stub program sends out DNS queries looking for the mothership, itself often a compromised computer temporarily acting as a mothership. These DNS queries are sent to DNS servers that are just as likely to be innocently infected victim computers. The DNS servers move from computer to computer, just as the mothership web servers do.
Once contacted, the DNS and mothership servers often redirect the initiating stub client to other DNS and mothership servers. In this way, the stub client is directed over and over (often more than a dozen times) to newly exploited computers, until eventually the stub program receives its final instructions and the more permanent malicious program is installed. This setup makes it very difficult for IT security pros to defend against the malware.
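The hop-by-hop DNS behaviour described above leaves a recognizable trail in resolver logs. As an added example (not from the original article), this Python script applies three defender-side heuristics to a constructed log sample: queries sent to resolvers outside an approved list, names whose answers keep changing under short TTLs, and answer IPs that later show up as the next resolver. The log format, field order and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines: client, resolver queried, name, answer IP, TTL.
# The 10.0.0.7 entries mimic the stub-to-mothership pattern described above;
# the 10.0.0.5 entries are ordinary lookups through the corporate resolver.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.53 intranet.example.local 10.0.0.20 3600
10.0.0.5 10.0.0.53 update.vendor.example 203.0.113.10 3600
10.0.0.7 198.51.100.4 cdn-x.example.net 192.0.2.11 60
10.0.0.7 198.51.100.9 cdn-x.example.net 192.0.2.57 60
10.0.0.7 203.0.113.77 cdn-x.example.net 192.0.2.130 60
10.0.0.7 203.0.113.77 node-7.example.org 192.0.2.201 30
10.0.0.7 192.0.2.201 node-7.example.org 198.51.100.66 30
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Yield (client, resolver, qname, answer, ttl) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5))

def find_suspicious(text, approved_resolvers, min_answers=3, max_ttl=300):
    """Return {client: sorted reasons} for clients whose DNS traffic resembles
    the stager pattern: rogue resolvers, fast-moving answers for one name,
    and an earlier answer IP being used as the next resolver (hop chaining)."""
    reasons = defaultdict(set)
    answers = defaultdict(set)       # (client, qname) -> distinct answer IPs
    seen_answers = defaultdict(set)  # client -> every IP it has been handed
    for client, resolver, qname, answer, ttl in parse_log(text):
        if resolver not in approved_resolvers:
            reasons[client].add("rogue resolver")
        if resolver in seen_answers[client]:
            reasons[client].add("hop chaining")
        if ttl <= max_ttl:
            answers[(client, qname)].add(answer)
            if len(answers[(client, qname)]) >= min_answers:
                reasons[client].add("fast-moving answers")
        seen_answers[client].add(answer)
    return {c: sorted(r) for c, r in reasons.items()}

if __name__ == "__main__":
    for client, why in find_suspicious(SAMPLE_LOG, {"10.0.0.53"}).items():
        print(client, why)
```

On the sample, only 10.0.0.7 is flagged, with all three reasons; the corporate-resolver client produces no alert.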
Threat No. 6: Botnets as a service
Botnets aren't just for their creators anymore. Having more than likely bought the malware program that creates the bot, today's owners will either use the botnet for themselves or rent it to others by the hour or another metric.
The methodology is familiar. Each version of the malware program attempts to exploit up to tens of thousands of computers in an effort to create a single botnet that will operate at the creator's bidding. Each bot in the botnet eventually connects back to its command and control (C&C) server(s) to get its latest instructions. Those instructions often include dropping off a ransomware program. Botnets have been found with hundreds of thousands of infected computers.
Now that there are so many active botnets (tens of millions of infected computers each day), botnet rentals are fairly cheap, meaning all the more problems for IT security pros.
Malware fighters will often attempt to take down the C&C servers or take them over so that they can instruct the connecting bots to disinfect their host computers and die.
Threat No. 7: All-in-one malware
Sophisticated malware programs often offer all-in-one, soup-to-nuts functionality. They will not only infect the end-user but also break into websites and modify them to help infect more victims. These all-in-one malware programs often come with management consoles so that their owners and creators can keep track of what the botnet is doing, who they are infecting, and which ones are most successful.
Threat No. 8: The increasingly compromised web
The rise in web server compromises is not mainly a matter of webmasters' own computers being exploited. More often, attackers find a weakness or vulnerability in a website that allows them to bypass admin authentication and write malicious scripts.
Common website vulnerabilities include poor passwords, cross-site scripting vulnerabilities, SQL injection, vulnerable software and insecure permissions. The Open Web Application Security Project Top 10 list is the authority on how most web servers get compromised.
Many times it isn't the web server or its application software but some link or advertisement that gets hacked. It's common for banner ads, which are often placed and rotated by general advertising agencies, to end up infected. Heck, the malware guys sometimes buy ad space on popular Web servers.
Because many of the evildoers present themselves as businessmen from legitimate corporations, complete with corporate headquarters, business cards and expense accounts, it's not always so easy to separate the legitimate ad sources from the bad guys. The bad guys often begin by advertising a legitimate product, only to switch out the link in the ad to a rogue product after the ad campaign is under way. One of the more interesting exploits involved hackers compromising a cartoon syndicate so that every newspaper republishing the affected cartoons ended up pushing malware. You can't even trust a cartoon anymore.
Another problem with hacked websites is that the computers hosting one site can often host multiple sites, sometimes numbering in the hundreds or thousands. One hacked website can quickly lead to thousands more.
No matter how the site was hacked, the innocent user, who might have visited this particular website for years without a problem, one day gets prompted to install an unexpected program. Although they're surprised, the fact that the prompt is coming from a website they know and trust is enough to get them to run the program. After that, it's game over. The end-user's computer (or mobile device) is yet another cog in someone's big botnet.
Threat No. 9: Cyber warfare
Nation-state cyber warfare programs are in a class to themselves and aren't something most IT security pros come up against in their daily routines. These covert operations create complex, professional cyber warfare programs intent on monitoring adversaries or taking out an adversary's functionality, but as Stuxnet and Duqu show, the fallout of these methods can have consequences for more than just the intended targets. We now even have nation-states, like North Korea, taking down and exploiting a Fortune 500 company because it didn’t like a particular movie.
Crime and no punishment
Some victims never recover from exploitation. Their credit record is forever scarred by a hacker's fraudulent transaction; the malware uses the victim's address book to forward itself to friends and family members; victims of intellectual property theft spend tens of millions of dollars on repair and prevention.
The worst part is that almost none of those who carry out the above malicious attacks are successfully prosecuted. The professional criminals on the Internet are living large because the Internet isn't good at producing court-actionable evidence. Even if it could, the suspects are living outside the victim's court jurisdiction. Most hacking is anonymous by default, and tracks are lost and covered up in milliseconds. Right now, we live in the "wild, wild west" days of the Internet. As it matures, the criminal safe havens will dry up. Until then, IT security pros have their work cut out for them.