The field of cybersecurity has changed dramatically over the course of the past 30 years. In the early days, cybersecurity mostly consisted of making sure that no one with bad intentions was able to dial into a bulletin board system with 300-bit-per-second (bps) modems. Beyond that, the focus of cybersecurity was to secure the old mainframes, AS/400s, Commodore 64s, TRS-80s and TI-94s, among others. Any outside connections were usually made through modems and phone lines. Microsoft and Apple were an exponential fraction of the companies they are today, and networking was considered sharing a 5.25-inch floppy disk (that held 98.5 kilobytes) with coworkers.
The era that followed was defined by personal computers (PCs) that ran a simple graphical interface over a Microsoft disk operation system (MS-DOS). Security was not much of a concern during this period. There were major leaps forward with Windows 3.1, Windows for Workgroups, the Novell NetWare networking system, and IBM’s OS2 operating system (OS). With its own applications and email platforms, Novell NetWare was popular, that is, until Microsoft started offering networking technologies in its OS. Cyberprofessionals in this era may have had experience with token ring and bus topologies with Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) and NetBeui protocols. Networks were built on early types of Ethernet called 10BASE5 and 10BASE2. These new products were easily hackable by anyone with a little technical expertise and a bootable floppy disc. During this era of 5 or 6 years, many people used dial-up modems and America Online (AOL) for their early Internet connections.
Then came Windows 95, 98 and 2000. The Internet was booming, more people were “connected,” and cybercrime was beginning to make steady gains across the globe. However, cybercrime in the early days was still quite different than in 2022. The stereotypical threat actor in the 1980s and 1990s liked for people to think they were super-smart and could hack into almost anything within a remarkably brief time. This person was typically characterized as an unscrupulous male who wore hoodies all the time, lived in mom and dad’s basement, slept until early afternoon, loved being an underachiever, and had little or no motivation other than impressing friends. However, it should be noted that most of these people are doing well in the infosec world today and have become functional citizens. Some of them are probably reading this article right now.
Examining the Modern Threat Actor
For the most part, turning a profit was not a motivation for early threat actors. It was more about showing everyone what they could do with a computer and keyboard. Today, things are vastly different. Threat actors are motivated by money, so they will attack if they can profit from it. It is that simple. More than 86% of threat actors are completely motivated by financial gain1 and, as such, they target organizations that have considerable financial resources. This phenomenon is encapsulated by a quote from infamous US bank robber Willie Sutton, who was once asked why he robbed banks. Sutton simply replied, “Because that’s where the money is.” This is referred to as Sutton’s Law.2 Threat actors attack enterprises for the same reason.
Over the past several years, cybersecurity has made its way onto every organization’s radar. Hardly a week goes by without another high-profile breach,3 and with each new headline, cybersecurity budgets across the globe grow ever larger.4
Hardly a week goes by without another high-profile breach, and with each new headline, cybersecurity budgets across the globe grow ever larger.
Today, threat actors can be anyone and live anywhere. While it is true that many threat actors engage in criminal behavior and will do just about anything for money, others may be out-of-work programmers or web developers. Threat actors may be male or female, and more recently, certain threat groups have achieved a high degree of organization. Threat groups often offer good pay, benefits, bonuses and paid holidays. A threat actor will often work 8am to 5pm, Monday through Friday. The threat actor may work from home or in an office—just like anyone else.
A threat actor may find their job on a job board on the Internet or in a newspaper. A seemingly legitimate job posting such as “Needed: Web programmer. Great pay, good hours, bonus potential” could be an advertisement posted by a threat group.
Changing Attack Methods and Threat Group Organization
A threat actor in 2022 does not need to reinvent the wheel every time they attack. They may use previously developed malware or Malware as a Service (MaaS). They may purchase malware on the dark web where they will receive detailed instructions on how to use it. An end user can receive exceptional technical support for dark web purchases. Most threat actors do not have the high level of technical expertise that they may have needed 20 or 30 years ago.
Today, cybercrime is more organized than ever before. In 2021, it overtook the drug trade to become the most profitable illegal industry in the world.5 It is estimated that cyberattack victims in the United States paid more than US$350 million in 2020 to groups using ransomware trojans—and that is just 1 attack vector.6
Threat groups are well equipped and well-funded, and they have the tools and knowledge needed to get the job done. But cyberprofessionals only need to know 1 thing to truly understand threat actors: their motives. They use ransomware to extort money from their victims or they steal data that can be sold on dark web markets. In either case, this is vastly different than during the early days of cybersecurity. In fact, the strategies of modern threat actors are constantly changing as they make moves to increase their payouts. Threat groups seem to understand business strategy. Consider how ransomware strategies have changed over the past 6 or 7 years. Today, if someone pays a ransom, they are likely to receive the necessary decryption keys from the threat actors who have victimized them. Previously, there was perhaps a 50/50 chance that the victim would receive the decryption keys. What is the reason for this change? Threat groups know they will be able to collect more ransom payments if they are considered trustworthy. Some threat actors, after having received the ransom, will even tell their target how they breached the network. Apparently, there is a degree of honor among these thieves.
But cyberprofessionals only need to know 1 thing to truly understand threat actors: their motives.
Cyberprofessionals Must Respond
As threat actors have changed, so have cybersecurity professionals—out of necessity. Today’s cybersecurity professionals are just as diverse as their counterparts. Unlike the early days of cybersecurity, when cybersecurity professionals could get by with a good amount of technical knowledge and little else, a modern cybersecurity professional must have many skills and be a quick thinker. They must be able to respond quickly to rapidly changing situations and, ideally, be able to think like a threat actor. Good cybersecurity professionals have become more difficult to find in 2022. Traditionally, the skills needed to be a good cybersecurity professional take years of experience to develop. There is a worldwide shortage of cybersecurity experts7 and too many threat actors.
Today, cybersecurity professionals wear many hats and require diverse skill sets to build defenses and strategize proper cyberresponses. A cyberprofessional must have robust technology skills, especially for use with any security tools they have deployed. They must be part techie, nerd, strategist, advisor, defender, firefighter, threat actor, scientist and sleuth. In addition to possessing these traits, the cybersecurity professional of today must be committed to constant learning and training. Technologies develop at a rapid pace. A cyberprofessional who does not constantly acquire new skills will soon become obsolete and find themselves out of work. The cybersecurity professional’s ability to remain relevant in a shifting landscape is especially important given the rapid pace of change in cybersecurity and threat vectors.
Cyberattacks are on the rise, and drastically so. As threat actors get bolder and more creative, cybersecurity professionals must attempt to stay 1 step ahead. There has been a massive increase in demand for cybersecurity experts globally. According to recent data,8 there were approximately 500,000 open jobs related to cybersecurity between April 2020 and March 2021.9 And the demand for qualified individuals is only likely to increase.10
Endnotes
1 Carlson, B.; “Top Cybersecurity Statistics, Trends, and Facts,” CSO, 7 October 2021
2 Bohmer, R.; “Sutton’s Law of Medicine: A Bank Robber’s Hidden Message,” Journal of the American Academy of Physician Assistants, vol. 32, iss. 10, October 2019
3 Informationisbeautiful.net, “World’s Biggest Data Breaches & Hacks,” September 2022
4 Security Magazine, “Cybersecurity Budgets Not Rising In Line With Threats,” 22 March 2016
5 Morgan, S.; “Cybercrime to Cost the World $10.5 Trillion Annually by 2025,” Cybercrime Magazine, 13 November 2020
6 Lee, N.; “As the U.S. Faces a Flurry of Ransomware Attacks, Experts Warn the Peak Is Still Likely to Come,” CNBC, 10 June 2021
7 Legg, J.; “Confronting the Shortage of Cybersecurity Professionals,” Forbes, 21 October 2021
8 Cyberseek, “Cybersecurity Supply/Demand Heat Map”
9 Emerson, M. S.; “Eight Cybersecurity Skills in Highest Demand,” Harvard Extension School, Cambridge, Massachusetts, USA, 3 November 2021
10 Emerson, M. S.; “Five Reasons Why You Should Consider a Career in Cybersecurity,” Harvard Extension School, Cambridge, Massachusetts, USA, 3 November 2021
Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP
Is an incident response principal consultant for Secureworks. He has more than 30 years of experience as a cybersecurity professional and specializes in network engineering with a focus on security. In previous roles, he acted as chief information security officer (CISO) and chief information officer (CIO) and has served as vice president at a large financial enterprise. Barnett is driven by a passion for seeing cybersecurity done right and is committed to aiding organizations in defining proper policies, procedures and mechanisms to respond to security events of any size.