The Median Cyber-Attacker isn't Even Remotely as Skilled as the Public Thinks
We will start off this year’s briefings with a thesis that will seem counterintuitive to many outside of the information security community: The median cyber-attacker is both technologically and strategically incompetent. This stands in somewhat stark contrast to the recent mainstream narrative of intimidatingly intelligent professionals being funded by criminal organizations or governments.
Median vs Average
Before we get into the actual argument, let’s define two important words: Median and Average. In spoken language, they are often used interchangeably, but they describe something very different. To find an average, we add all the values in a set and then divide them by the number of values. To find a median, we sort all the values and then pick the one in the middle. For most practical purposes, the results will be similar, but averages are skewed much more heavily than medians in uneven sets. For example, when looking at the sequence [1,2,3,4,1000], the average value is 202 while the median value is 3.
This distinction is important because there are doubtlessly extremely skilled attackers at work in the world today. And some of their experience, skill, talent and funding is so vast that it shifts the skill attributable to the “average” cyber attacker significantly upwards. However, in this briefing we look at the common everyday attacks that make up the vast bulk of all cyber attacks - and thus we look at the median attacker.
A curious hack in Germany
Let’s use a recent incident in Germany as an example.
At the beginning of December 2018, an unknown individual began leaking personal information of German politicians and public figures on Twitter. This information ranged from relatively harmless things such as office phone numbers and official mailing addresses, to private addresses and cell phone numbers, and even to email messages the individuals had written. This incident quickly evokes images of government-sponsored cyber-attacks like the ones that have hit the US, France and Germany in the past years. However, on second glance, this case is different.
Firstly, it took roughly a month before the leaks were even noticed. While the attacker began publishing files on Twitter at the beginning of December, it took until early January for authorities to notice. This, by itself, illustrates that despite all of the grandiose language currently used by nations when describing their cyber-defense strategy, almost everyone remains unprepared.
Secondly, the attacker was caught after only a few days - likely because he linked his primary cell phone number to a number of online services connected to the attack. It turns out that the hacker was not a criminal mastermind funded by a foreign government but a disgruntled 20-year-old.
Lastly, the methods used by the attacker were not sophisticated abuses of unknown vulnerabilities but “hacking methods used to bypass passwords”. While no official details have been released, it isn’t unreasonable to assume that this means the attacker guessed passwords for email accounts and then used password reset features to access further accounts.
In short, the attacker that briefly sent Germany’s political elite into a frenzy likely had no technical skills that the average 20-year-old doesn’t possess. This makes him a perfect example of the median attacker.
Why this isn’t good news
Knowing that the median skill level of cyber attackers is low may sound like good news. However, it is just the opposite. These basic attacks performed by barely competent individuals still succeed. They still cause real leaks and real damage. They highlight how unprepared most governments are for an actual large-scale cyber attack. While governmental networks are under close surveillance and strict policies, the individual politicians are often unfamiliar with modern technology to the point where hacked email accounts go unnoticed for months.
At the same time, while the median skill level of attackers may be low, there doubtlessly are highly skilled, motivated and funded attackers working right now. Considering the success rates of their unskilled counterparts, it is likely that the vast majority of professionally performed attacks currently go unnoticed.