To stay ahead of the race and gain a competitive edge, every year businesses are innovating more and more, adopting new processes and technologies to tackle different challenges. This has been amplified almost tenfold this year due to the widespread shift to remote working.
However, any innovation or major technological overhaul opens up a Pandora’s box of issues and comes at a damaging price: how can you keep secure what you don’t fully understand? Coupling this with the fact that security and compliance are still often seen as a disabler, it is easy to see why cybersecurity is still such a major issue today. It is also the case that hackers themselves have evolved, adapted and become smarter over the past few years. This is a difficult landscape to unpick and one that is, yet again, often overlooked by business leaders.
With so many moving parts and a dramatically altering landscape, it is critical that we now take a step back and look at how things have changed, particularly when it comes to how hackers have evolved and some of the tools they are using. This will help businesses identify the areas they need to prioritise in 2021 and also offer an answer to the question we get asked most: are China targeting me?
The who and what of hacking
Let’s start by bringing it back to basics – who and what is a hacker? Simply put, a hacker is a computer expert who uses their technical knowledge to achieve a certain goal, or overcome a certain obstacle, in a computerised system. In other words, hacking refers to activities that seek to compromise digital devices, such as computers, smartphones, tablets, and even entire networks.
While hacking may not always have a malevolent aim behind it, most definitions of hacking (and by default hackers) portray it as unlawful activity by cybercriminals, who are predominantly motivated by financial gain, protest, gathering information or even just the ‘fun’ of the challenge.
Cybersecurity is, therefore, by extension usually considered an arms race; hackers vs. corporate security. It usually refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorised access by hackers or hacking groups.
Are hackers getting smarter…?
With high profile security breaches seeming to hit the headlines on an almost weekly basis, it often appears that businesses are being either outgunned or underprepared to come out as victors in any battle. As a result, one of the questions often asked by business leaders and in-house tech teams is: ‘are hackers just getting smarter?’
The simple answer is, yes, they are. By definition, a hacker is someone who finds new and innovative ways to attack systems – their very job is to get smarter. But how they are getting smarter is a more pertinent question that should be on every business and security team’s lips, as it will help them adapt more effectively.
Firstly, not only are hackers making themselves harder to detect, but they are also making their attacks harder to attribute and finding better ways to monetise them. Secondly, they are constantly testing organisations, checking to see whether they are doing the basics right, whether they are investing in the right level of protection or whether they can find vulnerabilities in legacy systems. However, our data suggests that making attacks harder to attribute is arguably the most important evolution over the past few years, as it can help us answer the question of how they appear to be getting ‘smarter’.
In the past, hackers often used their own custom tools and wrote their own custom code and malware. However, more recently, our data suggests that this has been changing, as using custom code leaves a fingerprint of a particular attacker and makes them easier to identify.
Consequently, hackers are now getting ‘smarter’ by using ‘off-the-shelf’, open-source tools that anybody can use. On the one hand, by using these tools hackers can easily test the maturity of systems. If they get detected, then they know a company has a fairly mature security model. If they don’t, then they know the company could be using technologies that are out of date or aren’t configured correctly. On the other hand, this is making it more difficult to attribute any sort of attack back to the individual or hacker group.
Am I really being targeted by China…?
As a slight caveat here, another question we get asked a lot is ‘am I being targeted by China?’ This is understandable for a number of reasons. Firstly, China is very cyber-hostile – they tend to have a name for themselves around nation-state style attacks and are notorious for having state-backed hacking groups. We also know that there have been many different hacks attributed back to China.
However, as mentioned, hackers are making their attacks more difficult to attribute, which can be a gift and a curse, particularly when trying to answer the China question. With the use of, for example, anonymous proxies and geolocation spoofing, it’s quite difficult to link an attack back to a particular group or individual, and hackers are often deliberately trying to put you off the scent. Yes, it is the case that a large majority of breaches are linked to Chinese groups, but it doesn’t mean you have been targeted; it is just that they are the easiest to hide behind.
…Or are hackers becoming lazy?
Whilst hackers are making their own advances and making themselves more difficult to detect, a further consideration is that they’re often simply exploiting the same old flaws or misconfigurations they always have.
Opportunistic hackers in particular are targeting low-hanging fruit and easy wins, meaning they are often just scouring the internet for assets and vulnerable systems against which they can simply rinse and repeat. Default credentials are a significant vulnerability, with Bulletproof’s recent study showing that just 3 username and password combinations accounted for 85 percent of attacks against its honeypot network.
What should I invest in throughout 2021?
Despite these threats and the ever-changing landscape, security and compliance are often still being seen as a tick-box exercise, rather than an enabler for businesses. This is surprising, given that Bulletproof’s latest research also showed that 86 percent of UK organisations expect attacks to increase significantly in 2021. With remote working likely to endure long into 2021 and hackers likely to evolve even further, there are several steps leaders should be looking to take next year.
Firstly, getting the basics right is an absolute must. We are all aware of the threats and breaches that are getting publicised all the time and yet, it would seem, organisations are still struggling to implement security by design, leading to an increased attack surface and unnecessary risks. Threat detection is a priority and is still the best way to keep ahead of the hackers. Too many organisations are operating blind and failing to see the threats, let alone prevent them.
Secondly: Penetration test. Penetration test. Penetration test. We cannot stress the benefits of this enough. By regularly simulating a malicious hacker – and combining this with vulnerability scanning – you can ensure that you keep a good understanding of what your latest security posture looks like and how big your attack surface area is.
Finally, where possible we would strongly advise using a trusted security partner that can help to understand the requirements of your business and become an extension of your team, as opposed to just another vendor that sells you off-the-shelf solutions and leaves you to deal with the problem.
Kevin Timms, Chairman and CEO, eacs
Oliver Pinson Roxburgh, CEO, Bulletproof