One question that we run into on a fairly regular basis, especially after we’ve demonstrated how easy it is to compromise a client, is “Why aren’t more people hacking companies if it’s that easy?”
First, there’s the obvious answer: “They are, you’re just terrible at detecting it.” That’s obviously true given the data that always comes out in the Verizon Data Breach and Mandiant M-Trends reports. It takes companies 200+ days to detect intrusions and frequently the notifications come from outside. However, even with how easy it is to get in and how terrible everyone is at detecting it, the numbers are still seemingly a lot lower than we’d expect.
So at that point, the second obvious answer is that they’ve already stolen everything from your company and have left, so there’s nothing to detect. While that may be true for a single adversary, I’d have a hard time believing that every organization or individual willing to do evil has already compromised the given target and all decided to leave without leaving calling cards.
And then this is where my theory comes in.
Hang On, Wild Speculation!
First, we look at the group of people with the technical skillset to break into these companies. Obviously, I’m included in this bucket, as are my coworkers and a significant portion of the offensive security community. Also included are countless others who remain in the shadows, be it government Computer Network Operations staff, criminal hackers, etc.
Second, we’ll talk about people with the ethical flexibility to commit these actions. Just because you can commit a crime doesn’t mean that you will, obviously. However, the sorts of people willing to commit crimes for their own benefit include a wide range of people who have nothing to do with computers, such as bank robbers. But criminal hackers also fall into this bucket.
Third, we need to talk criminal contacts. I was on an engagement where I’d gained access to an enormous amount of the customer’s money (like “go buy an island” money). And then I gave them the access back and told them how to fix it so no one could duplicate that. Even if I’d wanted to be evil, how do you use that information? You could … Uh … Wire it to a bank account? Okay, but obviously not my bank account, right? That would be stupid. So at that point I’m sitting on Google searching “how do I launder money?” And then I’m building an enormous trail of digital evidence that points right to myself. So you look at the number of people who have ready access to criminal contacts to help them to handle their ill-gotten gains without being easily captured and see where that intersects with the other two circles.
When you combine them all, you’ve got a much smaller pool of people who have the technical skills to break into companies’ networks and gain access to their most valuable resources, the ethical flexibility that allows them to steal for their own benefit, and the criminal contacts that allow them to monetize that information. And thankfully for the community, I don’t think that pool is all that large. That said, it’s still large enough to worry about - because you are a target.
The Fourth Variable
The fourth variable, for lack of a better term, is OPSEC. Some folks do it well and others do it poorly. Some people brag about committing felonies in an IRC room full of FBI informants and other people continue breaking into organizations and never tell anyone.
Tied to this is the duration that attackers spend on a target. When you look at attack campaigns like MiniDuke that operate for years at a time on the same toolset and targets, they take their time. Criminals (especially novice ones), on the other hand, are interested in the smash-and-grab approach to network exploitation. That approach is much noisier and much more readily detected, and it leaves much clearer forensic evidence, which leads to those unpleasant visits from the FBI and the USSS Electronic Crimes Task Force. It probably has a good bit to do with HD Moore’s Law and the toolset choices made by novice criminals.
The one thing that I think helps the security of Internet-connected companies is that there is a not-insignificant number of people in that middle bucket who have a critical lack of OPSEC, get caught, and end up doing pretty serious jail time. Now, whether they take up that life of crime on the other side of jail is certainly open for discussion, but I think in general the pool of motivated, skilled attackers out to do evil with the contacts to capitalize on their exploits is small enough that the world isn’t yet burning.
Unfortunately for us, that group is only going to grow as time progresses, so we’d better start getting a lot better at defense. And you can’t do that unless you understand how attackers work.