
The Oncoming Cyber Storm

Criminals and hacking groups backed by nation-states are smart, savvy and sophisticated in their use of technology to inflict widespread damage. Winter is here.

It’s been a long time since I actually mused on who is responsible for the recurrent waves of cyber crime that plague modern businesses and unsuspecting consumers. In fact, for the longest time, I actively didn’t think about it. Consigning it to the bucket of ‘how undesirables make money’, it meant I had more mental cycles available for the real work – specifically, continuing to think creatively about how to use the tools we security professionals have to maximum effect.

But then I do keep going back to the Hacking Team breach of 2015. If you haven’t checked out the specifics, then take a look at the exact anatomy of the attack. Effectively, judging the Hacking Team as deserving of attention, a lone hacker named Phineas Fisher compromised their systems and published over 400Gb of data, including proprietary source code. The sophistication of the attack, coupled with the measured and surgical way it was conducted, made it clear to me again that we are faced with adversaries who have vast resources and incredible skills at hand.

Similarly, going back to the early days of the Dark Web, most of the items on offer on The Silk Road are still available if you know where and how to look. Representing this as ‘expected frictional crime’ does not properly convey the sheer bare-faced criminality involved. If we examine just these types of trafficking in illegal commodities, then we might be tempted to believe that the pimps, pushers and knee cappers of yore had come of age and learned tech.

But then, what about attacks like the ones on Sony in 2011? Not only hugely sophisticated, multi-faceted and including some incredible counter-measures, but devastatingly effective. These are highly evolved, logistical operations commandeered by project management talent that the private sector would pay a premium for. Of course, enforcement for late delivery probably involves physical violence rather than change control requests, and this does tend to focus the mind.

Moving from that to nation-state-sponsored operations, leveraging the sorts of tools that were surfaced when The Shadow Brokers pilfered the NSA networks. I’m specifically reminded of the J-20 stealth jet that was unveiled on a Chinese runway long before ostensibly the same machine was revealed on an American one. The scale, detail, difficulty and logistics associated with not only stealing the plans, but selling them to a suitably equipped bidder still stagger me, no matter how often I hear of attacks of such audacity.

I come back repeatedly to the fact that regardless of my opinion as to how these people make their money, they are a rare breed with undeniable skill. After 25 years in IT, my estimate would be that there are probably fewer than 1,000 truly elite hackers on the planet.

Witness the specifics of the Hacking Team breach for a detailed breakdown of the types of capabilities that a lone hacker needs to breach the best-protected network. These are people who have master-level skills in ALL aspects of IT, from database operations to application architectures through networking and firmware engineering. The fact that APT groups are carefully segmented by competence augments their impact, offering individuals the chance to focus on social engineering, coding, reconnaissance or monetization of stolen content.

It is incumbent on all security professionals to remember this fact. If we are not passionate about taking the war to these individuals, we should change jobs. If we underestimate them, we miss a multitude of potential loopholes. Most importantly, if we lose sight of who funds them, we are fools.

This is a junction where the highest technology meets the most unashamed criminality, and we are in the middle of the battlefield.

About the Author

Nick Palmer

Symantec SE
