Sophistication of attack tools, and Asymmetry of attack and defense

Sophistication of attack tools

An adage within the cybersecurity industry is that tools that are only available to the elite hacking teams of nation-state intelligence agencies today will be available to teenage script kiddies within five years. “Script kiddie” is a derisive term for an individual who uses sophisticated scripts and applications developed by experts to attack information systems while having no real understanding of the underlying functionality of those tools. Put another way, a “script kiddie” is a “point and click” hacker.

Attack tools are increasingly sophisticated. These automated exploit tools are relatively straightforward to procure and take little in the way of expertise to use. Whereas in the past access to basic tools required gaining access to select communities on hidden bulletin boards or Internet Relay Chat (IRC) channels, today it doesn’t take an enthusiastic amateur more than a few minutes with the results of the right search engine queries to get started. Should they need to learn more about the tools they have acquired, there are hundreds of hours of video tutorials available on the web to assist them.

While sophisticated attack tools are often available for free, there is a paucity of similar tools available for defenders. While the process of launching a basic or even moderately complex attack against an organization’s information systems may be as simple as a mouse click, the defender’s process of securing the configuration of those information systems is manual, complex, lengthy, ongoing, and requires a good deal of expertise.

Asymmetry of attack and defense

Within the cybersecurity landscape, there is an asymmetry between attacker and defender: the resources required for an organization to be reasonably assured that it is protected from the vast majority of intrusions vastly exceed the resources required for a competent attacker to perform a successful intrusion.

One key understanding of the cybersecurity landscape is that the vast majority of attackers are unsophisticated and are using automated vulnerability scanners and exploit tools. Put another way, most attackers by volume are likely “script kiddies” rather than professional hackers. As the vulnerabilities those automated tools attempt to exploit are often already addressed by vendor updates, if an organization is diligent and applies consistent effort to its security posture, it will be able to protect its information systems against the common attacker.

Put another way, if you take an ongoing and systematic approach to securing your organization’s information systems, it’s reasonably unlikely that “script kiddies” will be able to compromise your system. A diligent, well-resourced defender is likely to be protected against all but the most highly resourced and persistent attacker.

While there is an asymmetry in terms of the effort required to properly secure information systems, it is possible to reach a stage where your organization’s systems security posture is such that those systems are impervious to all but the most skilled and well-resourced attackers. With time and effort, you can protect yourself against the amateurs, who randomly attack organizations to see if they can get access. With greater time, effort, resources, and skill you’ll be able to protect your organization’s information systems against more competent attackers that deliberately target your organization.

The unfortunate reality is that even when organizations have highly skilled personnel, those personnel are rarely given the necessary amount of time and resources to ensure that the organization’s information systems are configured in the most secure manner possible. The existing problem of asymmetry between attacker and defender is made worse by organizations not giving their defenders the resources they need to do their job.

This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security

Created by
FutureLearn - Learning For Life
