CHAPTER 7: TECHNICAL THREATS
Most of the time, when people think about cyber security, they think of technical threats first. The media regularly features stories of vast data breaches that are eventually traced to some hardware or software vulnerability, obscure or otherwise. Between 2011 and 2020, malware increased by a staggering 1,634%.[9] In less than two months, one million phishing emails were reported to the UK's National Cyber Security Centre (NCSC) alone.[10]
Although the NCSC successfully blocked or took down thousands of malicious websites, undoubtedly many more new ones have since appeared in their place. Unfortunately, attackers often have the upper hand, having to find and successfully exploit just one vulnerability when defenders need to protect themselves against every type of attack. The expression that your security is only as strong as your weakest link is very apt here.
7.1 The attackers
Before you can protect yourself, you need to understand who is attacking you and what their weapons are. At the most basic level, criminal hackers concern themselves with finding and exploiting flaws and vulnerabilities in hardware and software. There is no shortage of flaws to find, either - no piece of software or hardware is truly immune, and new vulnerabilities are identified every single day. Zero-day vulnerabilities (a vulnerability that the vendor is not yet aware of) are a favourite target of criminal hackers, as attacks are more likely to be successful.
Criminal hackers are a disparate group encompassing everything from the stereotypical basement-dwelling nerd to state-supported 'hacker teams' with extensive resources. To better classify the threat posed by each type of criminal hacker, they are usually categorised as follows.
7.1.1 Script kiddie
This term refers to low-skilled, often young hackers who use prebuilt tools to carry out low-sophistication attacks, often without any real understanding of the underlying principles. Although this does not make them any less threatening - their tools are built by skilled hackers who know exactly what they are doing, after all - it does mean that the vulnerabilities they exploit are usually common ones for which fixes are likely already available, and against which basic cyber security measures such as regular patching (see 12.6.2) often offer protection.
A notable proportion of cyber crime occurs in exactly this way: inexperienced malicious actors purchase simple tools or botnets to carry out low-level attacks that, despite their simplicity, still present a genuine threat to the organisation, with potentially serious consequences, particularly if you use out-of-date hardware or software. Many script kiddies have little or no appreciation of the wider effects of their attacks or the principles that underpin them, in part because it is so easy to buy hacking tools and malware kits online. They have little concept of the real effect or cost of their attacks and will often claim that the attack was done only 'for the lols'.
7.1.2 Black hats
Skilled criminal hackers who identify new vulnerabilities and develop the tools used to exploit them are known as 'black hats'. Financial motivation is common - many black hats sell the hacking tools they develop on the dark web, though they may also carry out attacks themselves in the hope of extorting payment (for example, via ransomware) or selling stolen information to other criminals.
Unlike script kiddies, black hats know exactly what they are doing and usually have a clear idea of what they want to achieve from a given attack. As a result, they are some of the most effective and feared attackers.
7.1.3 Hacktivists
A 'hacktivist' is more a classification of motivation than of skill or ability. Hacktivists carry out attacks to promote an agenda, though the ideology behind the agenda is often ill-defined and may vary over time. Hacktivist attacks are difficult to predict, not only because of the disparate nature of the groups themselves, but also because of the wide range of potential targets. Notorious hacktivist group 'Anonymous', for example, has conducted attacks on the Church of Scientology, Sony Online Entertainment, the Islamic State and Donald Trump, to name but a few.[11]
7.1.4 State actors and cyber warfare
Cyber warfare may seem like something out of a science fiction novel, but cyber attacks carried out by nation state actors are increasingly common. In July 2019, Microsoft reported that it had notified almost 10,000 customers (84% of which were enterprise accounts) that they had been "targeted or compromised by nation state attacks" over the course of the previous year.[12]
State-sponsored attackers often have access to extensive funding and equipment, and may operate with actual or tacit legal immunity in their country, making them very difficult (but not impossible) to bring to justice. Nation state attacks also tend to be highly targeted and focused on achieving specific goals, such as disrupting critical infrastructure or exfiltrating intellectual property. The 2010 Stuxnet attack on Iranian nuclear facilities is an infamous example of cyber warfare in action. This targeted the programmable logic controllers that managed the centrifuges, changing spinning speeds and causing the centrifuges to disintegrate.[13] More recently, during the race to find a vaccine for Covid-19 in 2020, both the Chinese[14] and Russian[15] governments were accused of sponsoring criminal hackers to attempt to steal British, American and Canadian coronavirus research.
7.1.5 Ethical hacking
Not every hacker is a cyber criminal. Ethical hackers use the same tools and techniques as criminal hackers to search for vulnerabilities, but instead of exploiting them, they inform the system operator so that the vulnerabilities can be fixed. This approach, known as 'penetration testing', helps organisations identify and resolve vulnerabilities before they fall victim to an attack.
Penetration testing is discussed in more detail in 13.1.3.
7.2 Malware
Malware has existed in one form or another since computers became commonplace. Self-replicating software was first conceived in the 1940s, and one of the first viruses, known as the 'Creeper', was created in the early 1970s, infecting US government computers and displaying "I'm the Creeper, catch me if you can" on the screen.
Since then, there has been an explosion of malware. Sites on the dark web offer a vast array of malware programs for sale, and new malware appears daily, taking advantage of the latest vulnerabilities in a never-ending arms race between the malicious actors that craft it and the cyber security professionals who defend against it. 'Malware' as a category encompasses a range of malicious programs, each of which operates differently.
7.2.1 Virus
Viruses are self-replicating programs designed to spread from computer to computer and deliver a payload. Viruses are not standalone programs - they are bits of code that need to be hidden in other programs to function and replicate. When the user runs the 'host' program, the virus infects the system and sets about doing its work.
Once it has infected a system, the virus has two goals: replicate itself as much as possible and deliver the payload, preferably without being spotted. Some of the earliest viruses were called 'boot sector' viruses, as they infected sections of a drive that were read when a computer booted up, making them hard to detect; they were often spread through the sharing of floppy disks (which were common at the time).
Some of the most common viruses of the Internet era are 'macro' viruses - viruses written in the scripting language found in Microsoft Office and embedded into Office files, such as Excel spreadsheets or Word documents. Opening the document allows the virus to infect the system, with potentially catastrophic results. Emails featuring infected Office documents have been a common attack vector since the early '90s, so much so that 'do not open suspicious attachments' has become a cyber security maxim.
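One defensive check a mail gateway or attachment scanner can apply to the Office documents described above, added here as an example and not part of the original chapter: modern Office files are zip containers, and a macro-enabled one carries a vbaProject.bin part and declares its content type in [Content_Types].xml. The sample documents below are constructed in memory; the function names are this example's own.

```python
"""Flag Office Open XML attachments that carry an embedded VBA macro project."""
import io
import zipfile

# A VBA project is stored as a binary part and declared with this content type.
VBA_PART_SUFFIX = "vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(data: bytes) -> dict:
    """Inspect the zip container and report which macro indicators are present."""
    result = {"is_ooxml": False, "vba_parts": [], "declares_vba": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip: legacy .doc/.xls are OLE2 files and need a different parser.
        return result
    names = zf.namelist()
    result["is_ooxml"] = "[Content_Types].xml" in names
    result["vba_parts"] = [n for n in names if n.endswith(VBA_PART_SUFFIX)]
    if result["is_ooxml"]:
        types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["declares_vba"] = MACRO_CONTENT_TYPE in types_xml
    return result


def has_macros(data: bytes) -> bool:
    """True if either indicator is present; the extension is deliberately ignored."""
    ind = find_macro_indicators(data)
    return bool(ind["vba_parts"]) or ind["declares_vba"]


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal .docx (no macro) or .docm-style (with macro) container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<?xml version="1.0"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA stream")
    return buf.getvalue()
```

Because the check reads the container rather than trusting the filename, a macro-enabled file renamed to .docx is still flagged; legacy binary .doc and .xls files are OLE2 containers and need an OLE parser such as oletools' olevba instead.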
7.2.2 Worms
If the principal characteristic of a virus is that it is a self-replicating program that must be embedded in another program to function, then a worm is a virus with that limitation removed. Worms do not need to be embedded in other programs and can replicate without user interaction, making them especially dangerous.
One of the best-known worms in recent years is Stuxnet, which was briefly discussed in 7.1.4.
7.2.3 Ransomware
Ransomware exploded into the public consciousness with the worldwide WannaCry attack in 2017. Ransomware is a payload, usually transmitted by self-replicating worms or Trojans, that encrypts or otherwise prevents access to the user's files until a ransom is paid (usually in Bitcoin). Some ransomware will take a copy of the user's files and threaten to publish them, but the effect is the same - pay up or lose out.
Before the WannaCry attack, ransomware primarily targeted individual consumers. The 2017 attacks marked the beginning of a shift in focus, with 81% of ransomware attacks in 2018 targeting organisations, not consumers.[16]
7.2.4 Trojan horses
Trojan horses, or just 'Trojans', are a type of malware that pretend to be something else. The name arises from the ancient Greek story about the wooden horse that led to the fall of Troy.
Trojans...