When someone says the word “hacker”, most people picture something similar in their heads. We’ve seen it in the movies a thousand times: a lone hooded figure surrounded by multiple computers and typing furiously on his keyboard, text scrolling down his monitors at lighting speeds. Capable of breaching both governments and private corporations with a few key strokes, this character of a lone “savant-hacker” has become the most recognizable image associated with cyber threats.
In the past this stereotype was, at least to a certain extent, true. One attacker could do a lot of damage even to a large corporate entity. We were early in the lifecycle of modern information technology: security loopholes were rampant, systems vulnerable and IT infrastructures simple. Most people didn’t give cyber security a second thought – some didn’t even fully grasp the meaning of the term. What’s better than a target who doesn’t take you entirely seriously, or who doesn’t have the slightest understanding of what you do? Overall, it was much easier to be a “guru” hacker.
Everything has changed within the past few years. People caught on. IT infrastructures have become drastically more complex, while companies’ investment into cyber security has increased year by year – Gartner estimates that worldwide information security spending will reach over 90 billion in 2018.
This has spelled death for the romantic idea of a solitary hacker. Although some very accomplished people out there are still capable of inflicting major damage on their own, most solo operators can’t compete with companies’ modern security measures. No matter your skill level, it’s difficult to come out on top when you’re a single individual facing modern cyber security software and dedicated IT personnel.
Some people might mistake this for a sense of security. If we are shielded against these types of attackers, surely we’re safe? Wrong. Hackers have evolved too – and most of them don’t work alone anymore.
According to F-Secure’s Principal Security Consultant Tuomo Makkonen, modern cyber attackers can be roughly divided into two categories:
1. Regimented, highly-organized entities
2. Wild hordes of amateur hackers bound together through forums and the dark web.
Both can pose your company an incredible amount of danger.
The news has been filled with stories of crimes committed by well-organized hacker groups: the DNC hack during the US elections, Cloud Hopper, Platinum… Be their objectives related to politics or money, these attackers operate with the efficiency of military organizations or cut-throat private companies – some take their corporate mentality to the level of having standardized working hours and holiday plans.
Despite various countermeasures, most companies still have vulnerabilities that capable attackers can exploit. Advanced social engineering tactics, or well-made phishing emails leading to compromised websites, can allow hackers to breach your network through a single careless user. From there they can often exercise lateral movement through the utilization of tools such as keyloggers, attempting to gain access to more vital personnel within the target organization. Makkonen says that skilled attackers can often stay hidden for months – in extreme cases even indefinitely. All the while exfiltrating your data and monitoring your activities.
Some hacker groups take their operations even further – they might conduct physical surveillance into your premises or disguise themselves as employees in order to infiltrate your organization. In this sense, the line between “crime” and “cyber crime” is getting increasingly blurry. This is something businesses need to understand – you might not be facing a single computer nerd hiding in his parents’ basement, but rather a group of cunning career criminals. The game has changed, irrevocably. Watch the video below to see how F-Secure’s red teams might simulate a sophisticated cyber attack.
On the other side of cyber operations, there are the wild bunch: people who crawl through forums, searching for leaked attack tools and tips from pros they could exploit for monetary gain or chaos. Different ransomware-as-a-service and IoT botnet schemes have grown in popularity during the past few years, allowing even amateurs to cause major havoc.
The 2016 Dyn cyber attack, which caused wide-spread issues for various web platforms and services, is often attributed to hobbyist hackers operating without a discernible motive. In the end, it doesn’t really matter whether the attackers targeting you are professionals or over-eager kids, if it still results in significant damage to your business.
How to protect yourself?
According to Makkonen, it’s always best to start with the fundamentals. Many threats, such as most types of malware and ransomware, can be caught by solid endpoint security software. You also need to ensure that all of your software applications are up-to-date, and that attackers are not able to breach your organization through weak passwords. Good endpoint solutions usually include automatic patch management, while the problem of weak passwords can be dealt with a password manager. It’s also crucial that you create and enforce a sensible operations security program among your employees – you don’t want your greatest business secrets leaking due to a single careless phone call or sloppy email protocol.
When it comes to preventing more advanced attacks, the playing field is a whole lot more complicated. If your organization is specifically targeted by an organized hacker group, you can’t rely on endpoint protection alone to keep you safe.
This is where you need a more “human” approach. When you are defending yourself against a team of professionals who know every trick in the book, you need some experts in your corner as well. Although your company would have qualified IT personnel, the harsh reality is that they simply don’t have the time or resources to become specialists in all aspects of cyber security on top of their other duties. This is not the case with accomplished cyber security companies – they serve as an effective counterpoint to even the most advanced attackers.
Makkonen highlights many areas where skilled cyber security consultants can help you stay safe. Services such as red teaming and security assessments, for example, allow you to effectively pinpoint and re-enforce your organization’s specific weaknesses. Incident response and forensic services can, in turn, help you with damage control should your company get hit. For 24/7 threat coverage, look into managed detection & response. Each industry and organization has unique security needs, but all should effectively strive for full 360° protection.
Maintaining effective cyber security is an arduous process – you are never done, and there are always new threats on the horizon. In the end, everyone has to decide for themselves which kind of products and services they need to ensure their business stays secure and protected.
Our opinion? Better safe than sorry.
If you wish to learn more about our approach towards cyber security, click below: