The Darwinian Effect in the Threat Community
By Augusto Barros, Vice President Cyber Security Evangelist at Securonix
Among the typical predictions for the upcoming new year, we often see something like “threats will keep growing.” A prediction like this is like saying there will be some rainy days next year, or that some place in the world will suffer from drought. But with all the investment we do in security, why do we keep seeing threats growing?
First, it is important to understand the nature of threats. The existence and intensity of a threat are mostly independent of an organization’s security effort. Those efforts can reduce the risk of a threat causing harm, but they won’t reduce the threat itself. Sometimes, if a large portion of the potential targets implement a certain control, that “herd immunity” can affect the overall threat intensity: if there is no chance of succeeding with a certain approach, threat actors are likely to abandon it and try something else.
Another reason why threats keep growing is related to how threat actors evolve their capabilities. Threat actors are good at advancing their capabilities because they operate as a syndicate. The level of information sharing in the “threat community” is far higher than what we have on the defense side. Why? Threat actors do not have concerns about legal implications, mandates, privacy or IP protection. If sharing information makes sense for them to achieve their goal, they will do it, regardless of the implications.
Threat actors also advance their capabilities to counteract the evolution of defense practices, but they don’t necessarily need to produce more advanced attack techniques. They need to produce more effective techniques. If there’s low-hanging fruit, they will go for it; there is no need for a high-tech alternative when something simple and manual will do. They optimize towards their final objective, not towards a specific path to it. If they want to make money, they can move from trying to steal it directly from bank accounts to simple extortion when that produces more money at a lower cost. They don’t need to evolve to break all the barriers put up by defenders around those bank accounts if there is a cheaper and more efficient way to get money.
Because of all the points above, the threat community acquires a certain evolutionary, Darwinian aspect. Just as species will not necessarily evolve towards better eyesight, speed and strength to survive, threat actors may not produce more advanced TTPs either: they just need to survive, or, in their context, achieve their objectives. While objectives are easily reachable, no evolution is necessary.
Finally, the potential outcome of threat activity is also something that grows continually. Cyber-attacks are one of the ways criminals can perform financial fraud, for example. If there is more money circulating, it will attract more criminal activity, and criminal activity these days is one of the major drivers behind cyberthreats. There are more potential targets, as the world becomes increasingly connected. It is natural to see more attempts to cause harm online when there are more things that can be harmed that way.
The ability of threat actors to evolve their practices, the growing number and size of available targets, and how limited target organizations are in affecting threat presence or intensity together explain why it is so easy to predict that threats will keep growing. So don’t be surprised if you see it, but there is also no need for defeatism. Common criminal activity has been around for years, but that doesn’t mean our law enforcement does not work. Threats, just like crime, are part of our existence in the connected world. We must do as much as possible to keep the risk of suffering from those threats under control, but at the same time keep in mind that it will be a continuous effort that will never reach a point where the problem is “solved”.
About the Author
Augusto Barros is an established security professional, currently serving as VP Cyber Security Evangelist at Securonix. In this role, Barros works to strategically deliver the best cloud-native threat detection and response solutions. He helps customers around the globe leverage the latest SIEM advancements with best-in-class analytics to avoid cyber threats and optimize ROI. Before coming to Securonix, he spent five years as a research analyst at Gartner, talking to thousands of clients and vendors about their challenges and solutions in security operations. This role led him to Securonix, as he watched the company grow and evolve as a visionary and leader in the space. Previous positions include security roles at CIBC and at Davis and Henderson, Credit Solutions Group. Augusto can be reached online at https://www.linkedin.com/in/apbarros/ and at our company website: https://www.securonix.com/