Two decades ago, life was harder for malicious actors. They had fewer tools and far fewer targets. People had fewer passwords and lived less of their life online. Online banking and eCommerce were not widely used, and cloud computing was barely available. Botnets were already common, but attackers otherwise enjoyed only a handful of tools to mount attacks. Not surprisingly, there were far fewer attacks, and those attacks generally had less impactful consequences. There were few, if any, instances of entire national hospital systems or global multinationals frozen in their tracks by a cyberattack.
Today, the game is different. In June 2017, for example, the NotPetya worm forced global logistics and shipping company Maersk to effectively cease operations for several days. In May 2021, a ransomware attack forced Ireland’s national health system to shut down its computer systems and significantly curtail care delivery. By almost any measure, malicious actors have gained ground. We are seeing a trend toward more attacks that are more serious and of a wider variety, with more vulnerabilities and higher-dollar value targets. But these trends aren’t happening in isolation.
In this post—the first of a five-part series investigating the big picture problems and potential solutions within the cybersecurity industry—we’ll explore the variety of reasons malicious actors have been able to dramatically enhance their ability to execute and profit from attacks, including technology, social, and monetary factors.
Fueling the growth in attacks is the parallel growth in technical debt experienced by all organizations with IT and technology infrastructure. Organizations running large volumes of software inevitably succumb to technical debt as new systems are built on top of old ones and the programmers and network administrators who built older systems leave without leaving behind detailed documentation. The net result is a growing pile of aging technology that weakens security posture and provides a rich vein of vulnerabilities for attackers. What’s more, security teams may struggle to get their arms around these vulnerabilities because no one remaining at the organization has detailed knowledge of the code. And product groups hate to deprioritize new feature velocity to address problems with old code.
Today, entire organizations can be taken down for days, weeks, or months by attacks. Some businesses have even been shuttered as a result of attacks that completely compromised or locked them out of their own digital assets, most of which are now connected directly or indirectly to the public internet. For example, in the spring of 2022 the Conti ransomware group openly declared cyberwar against Costa Rica and attacked key financial targets inside the government. While Costa Rica is a small nation, this demonstrates that the playing field has shifted radically and nothing is safe.
In fact, attacks on healthcare institutions are literally causing fatalities. In 2020, a patient in Germany died after having to be diverted to a different hospital because the first hospital was locked out of its systems by ransomware. A 2021 lawsuit alleges that a baby died in the United States when ransomware shut down critical care systems.
Before this modern era, attacks rarely targeted critical infrastructure. Now those attacks are becoming normal. The Colonial Gas Pipeline in the U.S. was shut down in May 2021 after its operator could no longer accurately bill for shipments. This caused the knock-on effect of gas shortages and panic buying along the East Coast. Rogue groups operating in nations with weak law enforcement, like Russia, Ukraine, and Bulgaria, are responsible for almost all of these disruptive attacks.
An explosion of open-source technology for network management and observability, data manipulation, and more has given malicious actors a broad selection of freely available software. Attack kits for every conceivable type of exploit, from ransomware and malware, to trojan horse and distributed denial of service (DDoS) attacks, are available for purchase or free download on the dark web. Cyberattack tools built by national spy agencies, like cyber-surveillance software allegedly built by the U.S. National Security Agency (NSA), have also appeared online.
Cloud computing, containers, and the growth of connected and Internet of Things (IoT) devices have given malicious actors a vast platform to launch any type of attack or build massive attack networks on the fly. In the near future, the majority of electronics will be connected to the Internet in some capacity—and tens of billions already are. Virtual systems and ephemeral computing will push the number of exploitable systems at any given moment into the trillions across cloud, serverless, devices, smartphones, and IoT.
Smart cities are becoming the norm, where everything from traffic lights to water systems and parking meters is connected via IP-powered wireless networks. Vehicles increasingly connect wirelessly to other systems and, in the future, will likely connect to each other to communicate and share information for safety or data connectivity. This future will present more and more attack surfaces for malicious actors to exploit.
The rapid digitalization of life has made it impossible for humans to manage their security. We juggle dozens of passwords and hundreds of accounts, well beyond our cognitive capability. Even developers frequently expose critical secret keys and codes used for cloud computing access. We also have grown accustomed to trusting digital intermediaries and messages, so much so that we are naive in the face of clever attacks. This gives attackers an enormous and expanding surface to deploy malware via social engineering attacks. Artificial intelligence (AI) will introduce an even greater challenge in humans’ abilities to detect attacks. Deep fake attacks using voices of people we know and trust to encourage us to take actions that compromise our security are now becoming more common.
Money adds another element. Attackers have far more options to build businesses around malicious online activity and far more ways to get paid. Not surprisingly, we see a proliferation of sophisticated business offerings built around cyberattacks and the creation of a disturbingly vibrant dark economy. This includes the availability of SaaS-like arrangements for various attack types—most notably, ransomware-as-a-service (RaaS). As conflicts in the geopolitical landscape have spilled over into the cyber realm, attacks against enterprises that seek to exfiltrate sensitive intellectual property have become both bolder and more frequent. And the line between state-sponsored hacking crews and sophisticated criminal gangs has continued to blur.
For cashing out, attackers have many more options. Cryptocurrency, loyalty points, and in-game currencies are just a few of the ways bad actors can easily launder money and transfer value without easy detection. While authorities have had recent success clawing back Bitcoin payments made for ransom, the variety of ways to get paid is far greater than law enforcement can easily cover—and growing more numerous by the month. Today there exist many more markets where attackers can easily buy and sell valuable goods while avoiding scrutiny—from premium sneakers and jewelry to luxury goods and Netflix account login information.
While the future of cybersecurity may look dark right now, we think there are actually many positive trends. Understanding the full arc of how we got here and how different technology shifts will further impact our position is the key to creating a more secure cyber infrastructure in the near future.
Stay tuned for subsequent posts, which will dive deeper into the four key trends we believe are helping to drive the increase in attacks:
- Rapid expansion in attack surface
- Ever-increasing levels of technology debt
- Unsustainable cognitive overload and system complexity
- The emergence of a vibrant marketplace for cyberattack tools and services
We will explore the root causes of these trends and suggest possible solutions for security leaders and their teams. We will also provide observations and hypotheses based on our research on some over-the-horizon topics including:
- The inevitable emergence of AI-powered cyberattack tools and services and what that means
- Potential solutions to the cybersecurity labor force challenge
- System-level solutions to root causes of breaches and successful attacks