Laziness is the Strategy of Cyber Criminals

One truth that we have come across again this year has more nuances than perhaps expected: Basically, how lazy cybercriminals are and how agile they are becoming at the same time when it comes to reacting quickly to situations and profiting from new developments. The cases handled by our Incident Response Team in recent months clearly show that criminals tend to swim with the tide, switching mainly between using stolen credentials and exploiting unpatched vulnerabilities.

Victims make it easy for cyberattackers

This is no wonder, after all, why should attackers go to unnecessary trouble and take a difficult route when their potential victims make it easy for them? Ergo is the easiest way also the most popular. However, if the path of least resistance was directly linked to the availability of high-profile exploits at the beginning of the year, and now their rarity is driving criminals to resort to credential theft, then this knowledge helps us to build an effective defense.

Firstly, we should spend more time patching all externally vulnerable systems and secondly, we should establish multi-factor authentication on all externally accessible systems. With every additional protective function, we can increase the hurdles for attackers in two ways. Defense measures not only protect, they also cause costs for cyber criminals and therefore deter many players in the highly profitable scene.

Time between intrusion and attack decreases

Another important finding from 2023 is that we need to waste much less time, or ideally no time at all, when defending ourselves. The average time it takes an attacker to penetrate a network and trigger the final phase of their attack has fallen from ten days in 2022 to eight days in the first six months of 2023 – and the trend continues to fall. We therefore need to become even faster in detecting and responding to attacks in order to stop them as early as possible.

However, cyber criminals have also understood that speed is a trump card for successful attacks. The groups are therefore increasingly specializing in certain subtasks and cooperating in complex networks in order to achieve their goals as quickly and efficiently as possible. To make matters worse, the huge sums of money stolen are attracting more and more talented hackers to break through a defense.

Too many easy targets and gateways

The most important lesson of 2023 is that a lot of what was wrong is still wrong. While we have been able to solve some important problems, such as exploiting Flash and Java to compromise PCs or the lack of internet encryption through the almost universal use of TLS, unfortunately there are still too many easy targets and gateways for cybercriminals.

Figuratively speaking, if we leave doors and windows unlocked, we should not be surprised if intruders suddenly find themselves standing in the living room. The steps that have been taken to collectively improve our security have been proven to work. Now we need to build on these successes and make it increasingly difficult and costly for criminals to achieve their goals. Critical success factors include fast and complete patching of all systems, strong user authentication and effective 24/7 monitoring and recovery services.

Chester Wisniewski

is Director Global Field CTO at Sophos.