The cybersecurity industry is often rife with hype around the topic of automation, with both IT security teams and malicious hacking groups steadily incorporating more tools and processes that can rapidly and automatically scan networks or process large datasets at speeds far faster than humans.
However, according to CrowdStrike’s new Global Threat Report, the old-fashioned way of hacking – with hands on keyboards – isn’t going out of style anytime soon. The company’s OverWatch platform has observed a fourfold increase in interactive intrusions over the past two years, with nearly half of that increase driven by an explosion in e-crime like ransomware and business email compromise.
Such “interactive” attacks tend to be more creative and thus more successful at bypassing the automated detection and monitoring processes many organizations have put in place. While instances of both e-crime and state-sponsored intrusions have gone up since 2019, financially motivated hacking alone accounted for around 80% of the intrusions CrowdStrike tracked last year. This spike indicates “these adversary groups, and methods for defending against their TTPs, deserve a great deal of attention in the coming year,” the report states.
The numbers also provide a needed counterweight to the argument that automated hacking (or defense) can be a tonic for everything in the cyber realm. Scripted programs can dramatically increase the speed of attacks and the reaction time of attackers, cutting the time it takes to execute a successful attack from days or weeks to mere hours.
Automation is becoming a major feature within some ransomware campaigns, where gangs like LockBit have been observed using scripted scanning tools to identify and prioritize high-value systems in a victim’s network that may increase the likelihood of payment.
It also happens on the back end of ransomware attacks, after an organization has been infected. The Carbanak group, for instance, sets up automated programs that advertise and leak stolen data after a set amount of time. When businesses learn they have been infected and reach out to negotiate with ransomware groups, operators often opt to deploy bots that can field the frequently asked opening questions from their victims until the discussion becomes more promising.
“It’s actually rather robotic. When I say they have a playbook, it’s not just a playbook; it’s often a script,” said Kurtis Minder, CEO and co-founder of GroupSense, which offers ransomware negotiation services to businesses, last October. “Sometimes you’ll get these templated responses for a while before you get somebody who actually puts in time into typing on a keyboard for you.”
Still, CrowdStrike’s data indicates that while cybercriminals and nation-state hacking groups continue to explore new ways to increase the speed of their attacks and lateral movement through systems with scripted programs, many still see plenty of value in the agility and creativity of their human operators.
John Shier, senior security advisor at Sophos, told SC Media that highly skilled attackers tend to prefer the hands-on approach because it provides them a higher level of control over an intrusion and allows them to react more quickly to unforeseen problems or issues once they’re inside a network. Unsurprisingly, automation tends to be more heavily relied on by those on the lower end of the spectrum who lack the skills to execute a complex attack. Over time, this creates a feedback loop between the two groups.
“Tools and techniques that get developed by the skilled criminals tend to trickle down to the amateurs in the form of automation. This means everyone can get in the game,” said Shier in an email. “As those tools and techniques become detected and obsolete, the balance shifts back to the skilled professional criminals, with unskilled amateurs left to pick the lowest of the low-hanging fruit.”
Vinny Troia, founder of Night Lion Security, told SC Media that criminal and state-sponsored hackers often deploy automation for many of the same reasons that defenders do. Mapping out a victim’s network and assets can be grueling work, and finding a way to automate those parts not only saves time but also frees up the best and brightest operators to use their brainpower to find novel or unique methods for breaking into a system that can’t be replicated by a machine.
“It’s the super creative people that are writing the scripts, so they’ve written the scripts just to deal with the mundane tasks that they don’t want to deal with anymore, and so once they get the mundane stuff out of the way, then they kind of go in and deal with the bigger, more challenging stuff that you can’t automate,” he said.