As a sign of their growing sophistication, hackers are taking the time to specifically go after high-value targets instead of randomly using bots to spread malware and seek an opening, according to Sophos.
Analysing such attacks over the past year, the British-based cybersecurity firm has seen more methodical efforts by not just state-backed hackers but regular criminal gangs to infiltrate systems and get victims to pay up.
In the past, more than 90 per cent of hackers had relied on bots that scoured the Internet for vulnerable victims, said Chester Wisniewski, principal research scientist at Sophos.
However, that number is now much lower at about 80 per cent and “declining fast”, he told Techgoondu in a recent interview in Singapore. “It’s more like a hybrid model now.”
More often now, humans are involved in directly gaining access, say, by manually looking for loopholes through what is essentially a typical penetration test.
Though they take more time than random bot scans, these “pen tests” reveal vulnerabilities that can let hackers get deeper into a network. The reward is a potentially bigger payoff.
By hitting an e-commerce or database server, hackers can potentially threaten to shut down a company’s business. This is more damaging, say, than holding it to ransom over a few workstations that can be more easily replaced.
Only 20 per cent of victims pay an average of US$400 each, according to Wisniewski, so the criminals need to infect a large number of workstations that way. However, if they gain control of a mission-critical server, they could ask for tens of thousands of dollars each time, he added.
Hackers also know a little bit of tradecraft these days, he noted. For example, they might access the victim’s computers after office hours to avoid being detected.
Though much of this was in the domain of expert hackers often acting on behalf of nation states, there is growing evidence that criminal gangs are also upgrading their skills as organisations beef up their cyber defences.
“The more sophisticated criminals are doing what a ‘pen tester’ would do,” said Wisniewski, “but instead of a report, they are just analysing to find a loophole to exploit.”
Pen test skills were limited to a few thousand experts in the field about 10 years ago, he noted.
However, many of the tools needed to learn and develop these skills are freely available today, allowing more people – including hackers – to find vulnerabilities like an expert.