While some security consumers still think of SQL attacks as plebeian, they should remember that in Verizon’s 2013 Data Breach Investigations Report™ (DBIR), 76% of network intrusions exploited weak or stolen credentials. Please remember that these stolen credentials are being posted by the millions into publicly shared cyberspaces, largely downstream of an SQL injection. Furthermore, it would be ludicrous to think that a foreign intelligence service doesn't have a desk devoted solely to exploiting these leaked credentials – it’s free access. And beyond that, consider that they may also have a budget to maintain cyber-criminal personas for directing contractors at targets or purchasing stolen information.
[Figure: Credentials stolen over an approximately 12-month period by a single non-state actor (courtesy Veraxes)]
Regardless of these first-hand experiences of security practitioners, security buyers still bifurcate cyber threats into “APT” and “everything else”. In this case, “everything else” means botnets, drive-by downloads, Zeus infections, defacements, and “script kiddie” attacks on websites. I have heard decision makers in the security organization tell me these are just a low-threat hygiene problem. Perhaps in the past this was true, but threats evolve. [soapbox]Personally I think this is just fallout poisoning from over-aggressive marketing used to educate people about the difference between real intrusions and anti-virus solutions.[/soapbox] Regardless, the idea that malware and script kiddies are not dangerous is dead wrong.
Before discounting SQL injection, WordPress backdoors, and drive-bys as the work of script kiddies or “just cybercrime”, consider that every one of these is a vector for targeted attacks. Of the thousands of credentials for Fortune 500 companies posted to the Internet in the last few months, how many have been subsequently used by hackers to access email or corporate portals?
We are witnessing accelerated exploitation economics. Knowledge about compromises, no matter how small, now quickly disseminates across a vast network of blackhat consumers, many of whom have the means to leverage small cracks into massive breaches. I have seen a mass WordPress defacer install credential stealers that were then used for lateral movement to other servers. I have seen an SEO scammer sell server access to an interested third party. We have to see beyond the malware and look at the threat: a threat has his hands on the keyboard. So, when a drive-by download installs Citadel (a Zeus variant) on the network, the corporation is being targeted for IP theft. When a script kiddie puts a webshell on the website, the user credentials are being targeted for follow-on attack and lateral movement. When employee PII is compromised, ask who is downloading thousands of employee emails, and how this data will expose your company to greater risks.
Every attack matters. The script kiddie is dead.