“It was a sophisticated attack.”

Every breach report contains the words “sophisticated attack.” Security pros like me see it as pure spin. Here’s why.

First, if I’m a guy who works for a place that just got breached, the last thing I’m going to say is that it was some amateur. That’s throwing yourself and your colleagues under the bus if you say that.

Second, if I provide a technical description of any attack to someone who works in public relations, it’s going to sound like a sophisticated attack to them even if it’s not. For that matter, it may sound like a sophisticated attack to most people in modern IT departments.

I remember sitting in a workshop where a colleague was teaching us how to evade detection by antivirus. He introduced us to a “hacking tool” called UPX. The presenter was taken aback when a look of recognition came over me.

“Why do you know about UPX?” he asked me. To him, I was a logging guy who’d never expressed a modicum of interest in red-team penetration testing.

Of course I answered that it’s a compression utility, or a packer. You use it when your hard drive is too small. I’ve been using packers since the 1980s to fit more stuff on too-small floppies, or too-small hard drives. There’s not much need for them anymore now that SSDs cost less than 50 cents a gig and old-fashioned hard drives cost about $25 a terabyte, but when hard drives cost $5 per megabyte and I made $4.80 an hour, I did what I had to do, and from time to time I’ve had to dip back into that old bag of tricks.

“Sophisticated attack” is often a euphemism for an attack that evades antivirus. By that definition, since I know how to download a common exploit, open a command prompt and type upx myevilexploit.exe and then copy it where I want it to go, I’m a sophisticated attacker.
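As an added example (not code from the original post), here is the defender’s side of that paragraph: a UPX-packed binary is about the easiest “sophisticated attack” to spot, because the stock packer leaves two loud signals, default section names (UPX0, UPX1) and a section whose bytes are close to random. The script parses a Windows PE section table directly (the MZ/PE header layout used is the documented format) and reports both signals. The two PE images are constructed inline for the demonstration, and the 7.0-bit entropy threshold is this example’s choice, not a standard.

```python
import hashlib
import math
import struct


def parse_sections(data: bytes):
    """Return [(name, raw_bytes)] for every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                          # 20-byte COFF header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                                 # section table follows optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                     # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; ~8.0 means compressed or encrypted data, plain code sits well below."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packer_indicators(data: bytes, entropy_threshold: float = 7.0):
    """Triage signals only: UPX section names plus any high-entropy section."""
    findings = []
    for name, raw in parse_sections(data):
        if name.upper().startswith("UPX"):
            findings.append(f"section name {name!r} matches UPX default")
        ent = shannon_entropy(raw)
        if ent >= entropy_threshold:
            findings.append(f"section {name!r} entropy {ent:.2f} (packed or encrypted data likely)")
    return findings


# --- constructed sample images (not real binaries) ---------------------------

def build_pe(sections):
    """Assemble a minimal PE image from [(name, payload)]; enough header to be parsed above."""
    e_lfanew, opt_size = 0x40, 0
    table_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (table_end + 0x1FF) & ~0x1FF                       # 0x200 file alignment, like a linker
    headers, body = b"", b""
    for name, payload in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), 0,
                               len(payload), raw_ptr + len(body), 0, 0, 0, 0, 0)
        body += payload
    mz = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    return (mz + b"PE\0\0" + coff + headers).ljust(raw_ptr, b"\0") + body


def _deterministic_noise(n: int) -> bytes:
    """High-entropy filler made by chaining SHA-256, so the sample is reproducible."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


NORMAL_PE = build_pe([(b".text", b"\x55\x8b\xec" * 200), (b".data", b"hello world\0" * 50)])
PACKED_PE = build_pe([(b"UPX0", b""), (b"UPX1", _deterministic_noise(4096)), (b".rsrc", b"\0" * 64)])

if __name__ == "__main__":
    for label, img in (("normal", NORMAL_PE), ("packed", PACKED_PE)):
        print(label, packer_indicators(img) or ["no packer indicators"])
```

Both signals are cheap and both are weak on their own: plenty of legitimate software ships UPX-packed, and a packer that renames its sections defeats the name check, which is why the entropy check is carried alongside it. Treat a hit as a reason to unpack and look closer, not as evidence of anything sophisticated.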

My idea of a sophisticated attacker is one who uses vulnerabilities unknown to the general public and exploits them, but honestly, if an off-the-shelf, known exploit will work, they’re going to use that first before burning a 0-day. One attack isn’t really enough to judge the sophistication of an attacker, in my professional opinion.

But, since “sophisticated attack” can mean anything from a repackaged off-the-shelf exploit to writing your own 0-day, and everything in between, it’s a meaningless phrase. All it really tells you is that the attacker didn’t walk in, unplug the database server, carry it out of the building and drive off.

Then again, if I were really careful how I described it, I might even be able to turn physical theft of a database server in broad daylight while the company’s employees were watching into a sophisticated attack. It’s all about the spin.
