Ovum has been thinking about how cyberattack methodologies and the technology used to withstand them have changed over the years. More to the point, we have been trying to find a way to classify the different stages of this evolutionary process so that end-user organizations can survey the security technology they are using today and see where they may have fallen behind the latest and best products available.
In doing so, we have come across a way of talking about the process that uses the notion of generations, an approach that appeals because it makes levels of cyber-resilience readily visible and referenceable, even in conversations with people in an enterprise who are not security experts. This could and should include the board.
Cyberthreats are an ever-moving target
The cyberthreat landscape is in continual evolution. We have come a long way from the days of the “script kiddies”, antisocial adolescents in back bedrooms who took impish delight in planting bogus messages and jokes on the websites of the Pentagon or the FBI, with nothing more than notoriety among their peers as their goal.
Today’s threat actors are a variegated cast of professional cybercriminals (some of them belonging to massive crime networks), politically motivated hacktivists such as Anonymous, and cyberwarriors backed by nation states.
Not only are they worlds apart from the foolhardy teen pranksters of yore, but they are also far more numerous. There are now tens, if not hundreds of thousands of cyberattackers, many of them acting full time in this capacity and drawing paychecks from private or state employers.
Moreover, the threat landscape has grown infinitely more complex, with new exploit types and attack vectors emerging daily. The expansion of the dark web means exploit kits can now be acquired for very little money, and the purchaser needs only to tweak the code to evade existing malware signatures to be ready to mount a low-cost attack. Equally, the development of the cloud and the “botnet-for-hire” economy that it enables has made it possible to marshal whole armies of compromised machines to launch huge distributed denial-of-service (DDoS) attacks.
But how did we get from those early, almost innocent times of mischief to the current scenario? Cyberwarfare is now as integral a part of a country’s offensive arsenal as conventional weaponry. Massive data breaches can scythe fortunes from the stock prices of major enterprises and force C-level executives to fall on their swords (or at least temporarily to join the ranks of the unemployed) to assuage their corporate shame. Has anyone charted the different stages of this history?
The generational approach to the evolution of attacks
Various seasoned cyber observers and industry luminaries have proposed a generational approach to telling this story. They have identified five distinct “generations” of cyberattack: "amateur hour", "build the wall", "I know your weakness", "shapeshifting unknown unknowns", and "where we are today".
In the late 1980s, hackers mounted virus attacks, usually propagated via floppy disks, on standalone PCs. They affected private users as well as businesses and drove the development of signature-based antivirus (AV) products.
Build the wall
By the mid-1990s, fast-spreading worm attacks came directly from the ever more ubiquitous internet, requiring companies to install a firewall at the perimeter of their infrastructure to keep the bad guys out.
I know your weakness
In the first years of the millennium, attackers began to exploit vulnerabilities in applications, potentially affecting all the companies using those applications. It was also around this time that attackers’ motivation changed from recognition to remuneration and the whole field became more of a business. Early examples of botnets were used, particularly for sending spam. This generation of attacks led to the development of intrusion detection systems (IDS), which themselves quickly added remedial capabilities and became intrusion prevention systems (IPS). IDS/IPS was still based on signatures.
Shapeshifting unknown unknowns
The latter years of the last decade saw the rise of targeted attacks for which there were no signatures. This led people to adopt a phrase coined by then US Secretary of Defense, Donald Rumsfeld, in 2002 in a speech about the lack of hard evidence of weapons of mass destruction in Iraq, when he referred to the “unknown unknowns” in the situation. The quality of malware code improved significantly at this time and the first rootkits started to appear. Many of the most successful attacks in this generation were polymorphic shapeshifters that changed their characteristics to evade detection. The response from the infosecurity industry was the development of network-based sandboxes, as well as bot defense systems (botnets were starting to proliferate).
Where we are today
Since 2017, there have been large-scale, often state-sponsored mega attacks that have the potential to affect many companies, because most enterprises are still stuck in the second- or third-generation cybersecurity tools, characterized by point solutions.
Attackers who are not sponsored by nation states also now have access to the same powerful infrastructure that enables these attacks, raising the prospect of the greater use of these strong-arm tactics against many more targets.
To respond to these exploits, a fifth generation of security is required that provides a unified, integrated security architecture across which threat intelligence can be shared in real time to enable fast, real-time, inline protection the first time an attack takes place.
Fifth-generation attacks benefit from the underground economy
One of the underpinnings of this fifth generation of attacks is the existence of an active underground economy around cybercrime centered on the dark web. The dark web is a set of accessible, albeit anonymously hosted, websites that exist within the deep web (areas of the internet that require a password to access them).
These sites are not indexed by normal search engines and so can be accessed only with special software that disguises the user’s IP address, the most common example of which is The Onion Browser, commonly referred to as TOR.
The dark web is much smaller than the deep web and is made up of a variety of sites, including marketplaces that sell drugs or weapons, but there are also bazaars where the paraphernalia of cybercrime is available to sell or hire.
The existence of this bustling marketplace, where users can publish reviews of an exploit kit’s efficacy and score it out of ten, while the providers offer service level agreements and even helpdesks to facilitate the use of their technology, has lowered the barriers to entry for a career in cybercrime and has greatly complicated the life of the cyberdefenders. Examples of the user-friendliness and ease of entry of the underground economy are:
- Cybercriminals have their own social networks with escrow services
- Malware can be licensed and receive tech support
- Users can rent botnets by the hour, for their own personal crime spree
- Pay-for-play malware infection services that quickly create botnets are available
- There is a lively market for zero-day exploits (unknown vulnerabilities)
Ovum is a fan of the idea of generations of cyberattacks
Ovum likes the use of the notion of generations of cyberattacks for a variety of reasons. First, it helps focus the minds of defenders, in the same way that using generational talk in the mobile phone market made it clear what a given network and/or phone was capable of (users knew a 2G phone wouldn’t be able to handle a lot of things that a 3G one could).
Second, it should help those same defenders analyze their security infrastructure and see where it falls short of today’s requirements. If a lot of what you are operating on are second- or third-generation security platforms, your cyber resilience is clearly below par.
All too often, Ovum finds that enterprises are running multiple silos of discrete, “best-of-breed” security tools that have their own management consoles and cannot report to a common management layer, let alone talk to each other. Threat information needs to be handled centrally, with all the different tools activated from a central point to respond to it.
The IT security industry has spent the last two decades being beaten back from a preventive stance to one of detecting and responding to threats that have already made it into an enterprise’s infrastructure. The joined-up approach required by the fifth generation of threats could actually go some way toward reversing that trend and enable companies to think about keeping the bad guys out, rather than identifying them once they’re in and practicing damage limitation until they have been exorcised from the environment.