This month Barracuda Networks celebrates its 15th anniversary. So it would seem like an opportune moment to take stock of the past decade-and-a-half to see how the threat landscape has changed. Over that time, it’s fundamentally been driven by two major inter-connected themes: technological change and the motivations of those doing the attacking. The former has opened up major new opportunities for the latter, drawing in an ever-more diverse spread of criminal, hacktivist, and nation-state actors.
The good news is that as threats evolve we’ve become better and better as an industry at stopping them. The challenge is to ensure the majority of boards understand the importance of investing enough, and in the right areas of people, process and technology, to adequately manage cyber risk.
The view from 2003
Back in 2003 we were in many ways just starting to see the emergence of trends set to shape the future of the threat landscape. Hacktivist collective Anonymous was formed and would go on to cause cybersecurity challenges for organisations all over the world — mainly through DDoS, site defacements and the theft and publication of sensitive information. That same year the newly formed Department of Homeland Security (DHS) launched a National CyberSecurity Division to formulate a US-wide strategy.
However, the threats themselves were very different. Back then worms were among the biggest risks to users: 2003 saw the likes of Slammer, SoBig and Blaster do the rounds. Many of these were more about testing what was possible than causing actual lasting damage. Think hackers motivated by notoriety, mischief and curiosity rather than financial gain.
However, that’s not to say all hackers at that time were mere script kiddies. The BugBear.B worm spotted that year targeted financial institutions with keylogging and backdoor functionality. Spam was also a big money-maker. By 2003 it was one of the biggest threats out there, forcing US lawmakers to pass the Can-Spam Act.
The cloud era
Over the years, as computing systems became more powerful and internet speeds accelerated, more organisations put more of their business online, consumers flocked to interact with them and — following the money — so did the bad guys. The transition to cloud, mobile and app-based services has perhaps brought about the most significant change. Back in 2003, Amazon Web Services was still just a glint in Jeff Bezos’ eye. But today, 88% of UK organisations use cloud services. The cloud helps drive productivity, IT flexibility, business agility and customer-centric innovation. But it has also created extra complexity, which in turn has led to security gaps the hackers are only too ready and able to exploit.
More data than ever is stored in the cloud today, potentially sitting behind an unlocked door or one that can be broken very easily. And as organisations came to rely on this data and these cloud systems, so they became susceptible to any attacks which threatened to put them out of reach, i.e. DDoS and ransomware. The cloud is also a fantastic tool in its own right for cyber-criminals, offering on-demand, highly scalable computing power to help crack passwords, host malware, run botnets and much more.
The cybercrime economy
As this infrastructure developed and online became the default setting for businesses and their customers, so cybercrime evolved and professionalised. Back in 2003 it was concentrated in relatively few, highly skilled hands. But as the riches on offer became clear, more and more traditional crime groups migrated to the online world: attracted not only by the money on offer but also the anonymity of the web. Why rob a bank when you can steal millions from bank accounts anonymously from the other side of the world?
Soon, data became a monetizable commodity. Underground forums evolved and the advent of more advanced anonymising technologies like Tor gave rise to the dark web. On various non-indexed sites and marketplaces cyber-criminals can now buy and sell virtually anything: from stolen data to guns, drugs and hacking tools. More dangerous still has been the advent of “as-a-service” cybercrime, allowing any non-techies to get rich quick off the back of poor corporate and consumer security.
This democratisation of cybercrime is costing the global economy an estimated $1.5 trillion annually. There’s even evidence that the funds are invested in human trafficking, narcotics and other criminal ventures.
The lines between nation-state attacks and cybercrime are also blurring, especially in countries like Russia where it’s suspected that hackers are sometimes hired so that the government can maintain plausible deniability of attacks. The tools developed by states can also leak onto the web, causing more damage. The NSA’s EternalBlue exploit helped power WannaCry and has become a favourite tool of the hacking community.
Against this backdrop the modern CSO is under tremendous pressure. No organisation is 100% safe from a determined attacker: there are simply too many tools at their disposal, and phishing remains a frighteningly effective tactic. The onus is therefore on boards to understand the importance of good security to advancing digital transformation efforts — and to ensure adequate funds are spent in the right places. That means a focus not just on advanced cloud-generation firewalls, sandboxing, SD-WAN and more, but also on underlying policy and process, especially end user education. Fail in this and your customers will increasingly vote with their feet if your organisation suffers a major security breach.
So what of the future? The new Internet of Things (IoT) era is bringing with it a whole new range of threats: most notably the prospect that cyber-attacks could impact the physical world. Imagine a connected car being remotely driven off the road, or a fleet of delivery drones hijacked to bring down an aircraft. Pretty soon that might not just be the stuff of research papers. In this rapidly transforming world, AI will witness a new arms race, as security firms develop ways to spot phishing attacks and threat patterns while black hats look for AI-driven ways to outwit them.
This stand-off between attackers and defenders is the way it’s always been. And as long as there’s money to be made from cybercrime, there’ll be plenty to keep IT security teams busy over the coming 15 years.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.