As cyber hostility increases in volume, it’s easy to forget that the increases span the spectrum of sophistication. Zero day exploits and multi-million dollar ransoms might grab headlines, but the cost and ease of executing simple attacks is only getting cheaper and more accessible. Therefore, the digital security threats prevented by basic hygiene and sound configurations are only getting more prevalent.
It’s never been easier to be a digital attacker. The anonymity of the dark web has provided the fertile ground for sophisticated criminal economies to flourish. Just as companies today can take advantage of online services for both hardware and software to pursue their business goals, digital attackers can find providers of services and tools for ransomware, malware, DDoS campaigns, and other exploits at shockingly low prices. Flashpoint reported that renting a 10-minute DDoS attack could cost as low as 35 cents, and HP research has recently found a majority of exploits and malware kits sell on the dark web for under $10. Marketplaces advertise stolen RDP credentials for as little as $5 – which is extra frightening considering Censys’ 2022 State of the Internet Report found that weak or unencrypted authentication pages among the most common risks on internet hosts. Even the instructions for carrying out attacks can be found and bought for a few bucks.
While it’s also true that the higher end of the market has seen increased costs for the most novel and potentially profitable attacks, the proliferation of tools and services at lower prices suggests more attacks of all kinds are to be expected and prepared for. Indeed, SonicWall showed that in 2021 attacks rose in variety and frequency, notably a 105% increase in ransomware attacks. As ransomware can gain a foothold in a variety of ways, this increases the pressure on solid hygiene with respect to patching, configuration, and credentials.
For security managers, this places emphasis on getting exposure basics right. Like parking lot car thieves, the bad guys will have means of discovery of their own (even our own Censys scanning data has a free version), but they are financially motivated and their techniques are about breadth, not depth. It still takes time and money to do much more than check every door and window, so it’s worth it to make sure that there are no easy entry points. The waves of low cost commoditized threats won’t have the resources to perform sophisticated reconnaissance. And as always, staying ahead of threats with automated exposure discovery and management tools is a key weapon against the strengthening tides of cyber hostility. More rapid and comprehensive awareness of internet-facing services is one place where the organization’s defense has a potential advantage, and where cyber criminals will have a hard time competing at scale. Finally, here’s where the economics play in favor of the defense.