Like 100 million other Americans, I sat and watched what passes for Presidential debates these days. As is normally the case, both candidates spoke at a level too basic and too abstract to mean much of anything. Getting up to turn off the TV and go to bed, I heard the siren call of defending all The Cybers. Admittedly, you and I would refer to different aspects of cyber security when talking about security. We might talk about attack vectors, campaigns, advanced persistent threats, or social engineering, but our candidates, who may or may not understand the basics beyond that of email passwords, were the ones addressing the future of America’s cyber security posture.
Instead of going to bed, I sat there just waiting for this part of the debate to end, until I heard the age-old reference to the mythical 400 pound hacker.
I haven’t heard calls about fat shaming yet.
This mythical beast must be real! Why else would American leaders and those who influence the media continually bring up this 400 pound hacker? This lone Monster-soda-drinking, Doritos-eating, reinforced-chair-sitting hacker who is responsible for the largest and most discussed hacks must be out there. She must be out there! He must be out there! I must find them!
We need more women in STEM related fields!
Following in the footsteps of all those great mythical beast researchers, I went to the first-person accounts. I searched and searched and searched, hoping that I would find a picture, a sole-authored malware taxonomy, anything that could prove the existence of this mythical creature. Sadly, I found nothing. Sure, there are amazing pieces of code that have been written, and it is undeniable that there are many skilled individual hackers out there. But I came up short.
So I went to the next place that researchers of the unbelieved go to: legends.
Today we know these as blogs or magazines that provide montages rather than traditional reporting.
Combing through these blogs, I couldn’t find any solid evidence that the 400 pound hacker ever existed. When talking about Conficker, the Storm Botnet, and Waledec, we are talking about numerous authors. Even when talking about the recent hacks of Sony and the U.S. Office of Personnel Management, we are talking about teams that were able to hack into these organizations, not a mythical 400 pound hacker. Lastly, looking at current security risks and hacks against the U.S.’ state election systems, the main antagonists are organized hacking groups.
At this point, I had to close my laptop and end my research in the same state as those who are trying to find Bigfoot: dejected. All of the conclusive evidence points towards multistate, long-term attacks focused on strategic objectives as being the most impactful hacks of our time. These attacks follow the traditional threat intel lifecycle.
Yet, while all sophisticated nation states are advanced persistent threats, not all advanced persistent threats are sophisticated nation states. Unfortunately, this was not the discussion. Rather than the debate that was had, we should have discussed our cyber security posture like we would any other national existential security risk.
I might not have been able to find this mythical 400 pound hacker, but that does not mean that this search was wasted. Rather, some constants were found throughout the research that could be boiled down into several key points:
- In order to combat these long-term cyber security risks, organizations across industries must work together to share threat information.
- While APT actors display sophisticated technical skills, the ultimate differentiator is their operational capabilities and coordination.
- The landscape is changing rapidly and there is no reason to believe that the threat actor sophistication and motivation evolutionary process will abate.
- As technology evolves and new attack surfaces appear, the good guys will have to follow into those realms and defend them.