With significant money to be made, hacking is increasingly driven by profits.

This is the second installment of our four-part series on The Industrialization of Hacking. Previously, I introduced the concept of the Industrialization of Hacking, which is creating a faster, more effective and more efficient criminal economy.

The Industrialization of Hacking is the result of a natural evolution, with attackers launching new types of exploits with increasing frequency and defenders quickly innovating to stay ahead of them. The motives and persistence of attackers have increased along with their understanding of classic security technologies, their applications, and how to exploit the gaps between them. As IT environments have increased in complexity, exploits have grown in sophistication. And with significant money to be made, hacking has become more standardized, mechanized, and profit driven.

In the early 1990s, viruses targeted mainly operating systems. A decade later came self-propagating worms, which moved from machine to machine via enterprise networks and across the Internet. Spyware and rootkits – malicious software designed to gain privileged access to a computer and run stealthily – also emerged. Methods such as port and protocol hopping, encrypted tunneling, droppers, sandbox evasion, blended threats and techniques that use social engineering demonstrated increasingly sophisticated ways to penetrate networks.

Today, the 2015 Cisco Annual Security Report finds that attackers are more proficient than ever at discreetly leveraging gaps in security to hide and conceal malicious activity. Snowshoe spam, spear phishing and malvertising campaigns are just a few examples of new ways that attackers are combining a savvy use of technology and IT infrastructure with a detailed understanding of user behavior to reach the intended target and accomplish the mission.
The result of these evolving cyber threats and defenders’ efforts to foil them defines today’s cybersecurity arms race, which is in full sprint mode, and many organizations are failing to keep up with the attackers. Why? Because most organizations continue to rely primarily on security tools that look for attacks at a singular point in time to detect malicious activity. But advanced attacks do not occur at a single point in time and security technologies cannot detect every possible attack; a compromise is an ongoing and evolving crisis that requires tools and techniques capable of continuous scrutiny.

Cyber criminals go to great lengths to remain undetected, continuously morphing and using technologies and methods that result in nearly imperceptible Indications of Compromise (IoCs). Traditional blocking- and prevention-based techniques (e.g., antivirus), and signature- and policy-based mechanisms (e.g., firewalls) on their own lack the visibility and control defenders need to implement an effective security policy that addresses advanced threats. As a result, most enterprises are ill-equipped to detect and respond to breaches when they inevitably occur, resulting in longer “dwell times” by the attacker and increased compromise of corporate data.

In our next installment I’ll discuss The Attack Chain.

View previous installments of The Industrialization of Hacking series: Part 1: An Introduction

Gain more insights into threat intelligence, cybersecurity trends, and how you can operationalize security. January 2015 Issue of FOCUS Magazine: Cybersecurity