The Median Cyber-Attacker Isn't Even Remotely as Skilled as the Public Thinks

Despite the almost ubiquitous adoption of advanced persistent threat (APT) and zero-day threat actor motifs into cyber security culture, it remains true that the vast majority of cyber-attackers are incapable of even executing the most basic of attacks. 

First Published 11th January 2019  |  Latest Refresh 14th May 2021

Getting into hard-to-reach places by accident doesn’t necessarily make you a successful hacker, or does it?

4 min read  |  Reflare Research Team

Just Give it a Go!

We will start off this research brief with a thesis that will seem counterintuitive to many outside the information security community: The median cyber-attacker is both technologically and strategically incompetent. This stands in somewhat stark contrast to the recent mainstream narrative of intimidatingly intelligent professionals being funded by criminal organisations or governments. 

The Median Vs. The Average

Before we get into the actual argument, let’s define two important words: Median and Average.

In spoken language, they are often used interchangeably, but they describe very different things. To find an average, we add all the values in a set and then divide the sum by the number of values. To find a median, we sort all the values and then pick the one in the middle.

For most practical purposes, the results will be similar, but averages are skewed much more heavily than medians in uneven sets. For example, when looking at the sequence [1,2,3,4,1000], the average value is 202 while the median value is 3. 

This distinction is important because there are doubtlessly extremely skilled attackers at work in the world today. And some of their experience, skill, talent and funding are so vast that they shift the skill attributable to the “average” cyber attacker significantly upwards.

However, in this briefing we look at the common everyday attacks that make up the vast bulk of all cyber-attacks – and therefore we look at the median attacker.

A Curious Hack in Germany

Let’s use one particular incident in Germany as an example.

At the beginning of December 2018, an unknown individual began leaking the personal information of German politicians and public figures on Twitter. This information ranged from relatively harmless things such as office phone numbers and official mailing addresses to private addresses and cell phone numbers to email messages the individuals had written.

This incident quickly evokes images of government-sponsored cyber-attacks like the ones that have hit the US, France and Germany in the past years. However, at second glance, this case is different.

Firstly, it took roughly a month before the leaks were even noticed. While the attacker began publishing files on Twitter at the beginning of December, it took until early January for authorities to notice. This, by itself, illustrates that despite all of the grandiose language currently used by nations when describing their cyber-defence strategy, almost everyone remains unprepared.

Secondly, the attacker was caught after only a few days - likely because he linked his primary cell phone number to a number of online services connected to the attack. It turns out that the hacker was not a criminal mastermind funded by a foreign government but a disgruntled 20-year-old.

Lastly, the methods used by the attacker were not sophisticated abuses of unknown vulnerabilities but “hacking methods used to bypass passwords”. While no official details have been released, it isn’t unreasonable to assume that this means the attacker guessed passwords for email accounts and then used password reset features to access further accounts.

In short, the attacker who briefly sent Germany’s political elite into a frenzy likely had no technical skills that the average 20-year-old doesn’t already possess. This makes this particular individual a perfect example of the median attacker.

Why This Isn’t Good News

Knowing that the median skill level of cyber attackers is low may sound like good news. However, it is just the opposite. These basic attacks performed by barely competent individuals still succeed. They still cause real leaks and real damage. They highlight how unprepared most governments are for an actual large-scale cyber-attack.

While governmental networks are under close surveillance and strict policies, individual politicians are often unfamiliar with modern technology to the point where hacked email accounts go unnoticed for months.

At the same time, while the median skill level of attackers may be low, there doubtlessly are highly skilled, motivated and funded attackers working right now. Considering the success rates of their unskilled counterparts, it is likely that the vast majority of professionally performed attacks currently go unnoticed.

Building the IT security capabilities of the non-technical users of your networks and systems is a critical line of defence to decrease the probability of unsophisticated attacks being successful. However, unsophisticated staff often enable unsophisticated breaches, which is why they just keep happening.

Learn how to mitigate risks of specific attacks before you find yourself on the back foot by checking out our research briefs on other relevant topics.