Who is the Sophisticated Attacker?

At a conference a few weeks ago, I listened to the keynote speaker bemoan the fact that we are all going to be breached.  I heard the words “Sophisticated Attacker” being tossed around with reckless abandon, so I decided to count the number of times I heard the term at every session and vendor discussion I had that day.  When all was said and done, I had noted 47 occurrences.  Obviously, this “Sophisticated Attacker” is someone not to be trifled with; someone we should all be afraid of.  If the voices of the day are to be believed, there is absolutely no possible way to defend oneself from this incredibly advanced adversary.  Scary indeed.
A quick search shows that our “Sophisticated Attacker” has been hard at work.  According to Anthem, Home Depot, Target, Sony, JP Morgan, and a host of other “victims”, all of their breaches were the result of the “Sophisticated Attacker” that targeted them like the Terminator going after an unsuspecting Sarah Connor.
Back before the internet, when 2,400 baud modems were the pinnacle of technology, “Sophisticated Attackers” war-dialed hundreds of numbers hunting for a system that would answer.  Security was not much of a concern back then, which made accessing some pretty cool systems incredibly easy.  Early systems on the internet were just as easy targets, but then it started to get difficult, and many of the “Sophisticated Attackers” hung up their black hats.
But did it really get harder to attack systems?  We used to laugh at the so-called script kiddies back in the day, those who didn’t know enough to write their own attacks and instead relied on others to create their tools, but has much changed?  Most hackers just download and use Metasploit now.  In fact, even penetration testing teams are using it.
Let’s look at some of the recent “sophisticated attacks”.  First of all, did any of them use a new zero-day or previously unknown attack?  No.  Almost all of them started with a simple email.  I won’t even call it phishing.  Think about it: a simple email message is sent to someone in your organization.  The recipient clicks a link or opens an attachment and there you are: the breach has occurred.  Sophisticated?  I don’t think so.
Did you know it takes an average of 150-180 days for an organization to patch a vulnerability?  That is after a patch is released by the vendor.  On average, a vendor takes 150 days to release a patch after they are made aware of a vulnerability.  That means it takes about a year for organizations to patch vulnerabilities.  One year.  That’s too long.  In 2016, 17,147 vulnerabilities were discovered in 2,136 products from 246 vendors.  Have you patched all of the affected systems in your organization?
It would seem that our “Sophisticated Attackers” are taking advantage of how unsophisticated we are.  How sophisticated would our adversaries need to be if they could no longer simply send an email to us to gain a toehold into our networks?  How is it that we allow organizations to blame a nebulous actor for what really comes down to them not doing their jobs?   
Somewhere along the way, we lost sight of what is right in front of us.  The majority of these breaches could have been prevented with some basic security controls in place.  I’m sure there are very smart people out there who are using sophisticated techniques to penetrate networks, but the vast majority are not.  Our adversaries are the new script kiddies, those who just point and click to launch an attack.  We’ve simply enabled them.
What can we do?  We have built skyscrapers of security tools on a foundation of sand.  Until we shore up that foundation with basic security hygiene regimes, we will continue to see breaches.  We can prevent at least 85% of targeted cyber-attacks by implementing these four basic security controls¹:

  1. Use Application Whitelisting to help prevent malicious software and unapproved programs from running.
  2. Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office products.
  3. Patch operating system vulnerabilities.
  4. Restrict administrative privileges to operating systems and applications based on user duties.
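The four controls above are only useful if you can tell, for each machine, whether they are actually in place. The script below is an added example (not from the original post or the Canadian Cyber Incident Response Centre) that audits a constructed asset inventory against all four: it flags running programs that are not on an allowlist (control 1), applications and operating systems whose last patch is older than a service-level target (controls 2 and 3), and local administrators whose job role does not justify the privilege (control 4). The hostnames, user names, roles, patch dates and the 30-day patch target are all assumptions chosen for illustration; a real run would read the inventory from a configuration-management or endpoint tool instead.

```python
"""Audit a small, constructed asset inventory against the four basic controls.

All hosts, users, programs and dates below are made up for the example.
"""
from datetime import date

# Assumption: a component patched more than 30 days ago counts as overdue.
# The article's 150-180 day average is the problem, not the target.
PATCH_SLA_DAYS = 30

# Control 1: programs permitted to run (constructed allowlist).
ALLOWLIST = {"outlook.exe", "chrome.exe", "excel.exe", "sqlservr.exe"}

# Control 4: which roles legitimately need local admin (constructed).
ADMIN_ROLES = {"sysadmin"}
ROLES = {"alice": "helpdesk", "carol": "sysadmin", "svc-backup": "service"}

# Constructed inventory: what is running, when each component was last
# patched, and who holds local administrator rights on each host.
INVENTORY = [
    {
        "host": "ws-01",
        "running": {"outlook.exe", "chrome.exe", "unknown-updater.exe"},
        "patches": {"os": date(2017, 1, 10), "java": date(2016, 6, 1),
                    "flash": date(2017, 2, 1)},
        "admins": {"alice", "svc-backup"},
    },
    {
        "host": "srv-02",
        "running": {"sqlservr.exe"},
        "patches": {"os": date(2016, 9, 15)},
        "admins": {"carol"},
    },
]

# Fixed "today" so the example is reproducible offline.
TODAY = date(2017, 3, 1)


def unapproved_programs(inventory, allowlist):
    """Control 1: every running program that is not on the allowlist."""
    return sorted((h["host"], p)
                  for h in inventory for p in h["running"] if p not in allowlist)


def overdue_patches(inventory, today, sla_days, component_filter):
    """Controls 2 and 3: components whose last patch is older than the SLA.

    component_filter selects which components to check, so the same
    function serves application patching ("os" excluded) and OS patching.
    Returns (host, component, age_in_days) tuples.
    """
    findings = []
    for h in inventory:
        for component, patched_on in h["patches"].items():
            if not component_filter(component):
                continue
            age = (today - patched_on).days
            if age > sla_days:
                findings.append((h["host"], component, age))
    return sorted(findings)


def excess_admins(inventory, roles, admin_roles):
    """Control 4: local admins whose role does not require the privilege.

    Unknown users (no role on file) are flagged too: an unexplained admin
    account is a finding, not an exception.
    """
    return sorted((h["host"], user)
                  for h in inventory for user in h["admins"]
                  if roles.get(user) not in admin_roles)


def audit(inventory, today=TODAY, sla_days=PATCH_SLA_DAYS):
    """Run all four checks and return findings keyed by control."""
    return {
        "1_unapproved_programs": unapproved_programs(inventory, ALLOWLIST),
        "2_application_patches": overdue_patches(
            inventory, today, sla_days, lambda c: c != "os"),
        "3_os_patches": overdue_patches(
            inventory, today, sla_days, lambda c: c == "os"),
        "4_excess_admins": excess_admins(inventory, ROLES, ADMIN_ROLES),
    }


if __name__ == "__main__":
    for control, findings in audit(INVENTORY).items():
        print(control)
        for finding in findings or [("none",)]:
            print("   ", *finding)
```

The point of keeping each control as its own function is that the output maps one-to-one onto the list above, so a finding is always "this host fails control N" rather than a generic score. On the sample data, ws-01 is running an unlisted program, has Java 273 days out of date and an operating system 50 days out of date, and gives admin rights to two accounts that do not need them; srv-02 is clean except for a 167-day-old operating system patch.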

That’s it: back to basics.  Build a strong security foundation from the ground up, and that will prevent the majority of “Sophisticated Attackers” from taking advantage of us.  When we fail to perform the very basic security measures we should have been doing for years, we create the environment in which attackers are able to thrive.  


¹ These controls are recommended by The Canadian Cyber Incident Response Centre.