Cybersecurity is a subject which gained a lot of popularity with the broad public starting around the years 2007, 2008. Why is that? Let’s analyze the history of some events and see whether we can come up with an explanation.
The hacker culture originated at MIT in the 1960’s. Back then, computer systems were pretty fragile in terms of architectures and a lot of stuff was permitted to the astute architect or programmer. We are making reference here to a certain robustness. The first hacking to have ever occurred was in a MIT computer system, Multics (grand-grand-grandfather of Unix), that had a password check procedure which verified the length of a specific cryptographic string. The 20 years that followed lead to the development of several hacking cultures throughout the world. Some good hackers were in Australia, some in the US and some in Germany. As computers started to gain popularity, Russia and Kazakhstan took traction.
The NSF in the U.S had pretty much control of all the nodes and DARPANET was slowly declassifying the networks and making them accessible to the public at large (the creation of the internet as we know it).
First, there was the “word”… the sound
2600. The baud rate of the modem. By understanding simple principles of physics, one was able to hack just by modulating the right signals.
Around 1997, Kevin Mitnick starts to heavily hack a lot of environments by combining technical skills and social engineering.
Afterwards, the world faced a completely quiet time when it comes to computer hacking. The question that naturally presents itself is “What happened, did hackers disappear? No, they didn’t!
From 1999 to around 2007, United States Intelligence Agencies started looking closer at the phenomenon. The booming of online traders such as eBay and Craigslist gave birth to script kiddies. How did this work?
The real hackers used to sell scripts to script kiddies who would in turn use these scripts for financial gains.
It is very much true that during those years some Nessus and Nmap scans used to get you “root”, but the fact is that the world evolved so the attention of the Intelligence Agencies shifted to a better understanding of the phenomenon. Then, starting in 2007, another transformation took place. The whole world moved to web applications.
Obviously, these were taken by storm by the serious hackers who exploited the apps with techniques such as SQL injection (officially discovered in the year of 1997, actually practiced in the 1980’s at some branches of the DIA), cross site scripting and last but not least remote command execution. A vast majority of these actions went under the radar because they were performed by real hackers, and not by script kiddies. At some point the real hackers created tools to exploit web applications and these tools were used by script kiddies. Granted, they were used for financial gains and this called the attention of the FBI and some other law enforcement agencies. At this point in time, intelligence agencies started recruiting real hackers in order to understand the scenarios. Law enforcement was just coming into the scene.
The expansion of online business attracted more online fraud. Hence, the necessity for cyber protection took birth, in a somewhat forced fashion. Let’s analyze this claim for a second.
Why are we saying “forced fashion”?
Because major technology vendors felt overwhelmed with the pressure of coping with these attacks. So, who did they hire? They hired people with backgrounds in computer engineering. Obviously, it was some start, but not the best approach. Why?
I remember, back in 2008, I had an interlocutor who was a possessor of various licenses, such as MCSE, CCNA, CCNE and a bunch of other fancy licenses that were enough to put one in the 300K plus per year income bracket in the US.
I took out a USB stick with something called a BIOS level rootkit. This type of rootkit (advanced remote-control software, usually clandestine) is not detected by anything in the world. No software. Why? Because there is no Antivirus or any sort of protection at the BIOS level. By plugging in this USB, I had access to absolutely everything on the victim computer. My interlocutor, who was a SAC (Special Agent in Charge with some FBI cybercrime office) looked astonished and humbly stated that his intelligence level related to offensive maneuvers where the equivalent of the intelligence of 10 years old when presented with such threats.
The conclusion is inevitable as the famous saying goes:
“You sow what you reap!”
The law enforcement agencies created a culture that confronted the problem by employing the people with the wrong mindset. It was a start. We do not blame them, but we do applaud those who took a departure from the norm.
Nowadays we are in the possession of a reach market which offers us solutions for every single problem:
1. We have WAF (Web Application Firewalls);
2. We have smart switches;
3. We have AI (Artificial Intelligence systems) that analyze network traffic;
4. We have EDR (Endpoint Detection and Response), or otherwise known as antivirus;
5. We have DLP (Data Loss Prevention).
But do these solutions suffice when dealing with a skilled offensive actor? Absolutely not!
They are there to prevent 95% of the known threats. And we say “known threats” because we have vulnerabilities also called “N days”.
If N=0 then we have a 0 day. A vulnerability which is not yet known by anybody except the one who discovered it, and the one who discovers a zero day may choose not to disclose the discovery.
Then we have “N days” exploits where N is bigger than 0. That is why vendors have patches.
However, to the professional hacker these security mechanisms do not matter. Let me offer a quick example which can illustrate the statement.
Every second or fourth Tuesday of the month, Microsoft patches its systems. If a hacker listens to the patching process then binary diffing is performed (a technique that shows clearly which DLL or executables within the OS were changed). All a hacker has to do is exploit code against those changed executables. In theory, is not a zero day because Microsoft is patching it, so it is an “N day”, where N equals the number of days it takes to exploit it. However, please take into consideration, in a corporate environment consisting of thousands of machines, how often are systems patched? This sounds like a problem.
We need to ask ourselves: if we purchase a respectable security solution, how effective is this solution, when faced with a skilled attacker?
Unless this solution is administered by people who have the appropriate skills in the offensive game, then this solution will be as effective as the level of the attacker.
There is also something else worth mentioning. We are being bombarded with news about security incidents every day. However, none of these are the actual real threats. The real threats are not made public nor do they reveal themselves to people coming from a culture to where nowadays one acquires a couple of security licenses and is deemed an expert.
Lately, there is no talk about APTs (Advanced Persistent Threats) because they are not discovered with the existing skills set, not because they do not exist.
The message of this article is clear: Only skilled attackers playing defenders are able to protect systems from other skilled attackers. If it were otherwise, you wouldn’t hear of security breaches every day. Most of the organizations that are attacked are in the possession of protection technology.
Unless that technology is deployed correctly by somebody who understands the playground, it is ineffective and we shall keep on hearing about security incidents.