When people talk about specific cyber attacks, they very often focus on how sophisticated the hack was. Many newscasters love to discuss how refined a hacker's methods are, propping the cyber criminal up as a highly intelligent individual who found his or her way to the wrong side of the law. While it is true that many cyber criminals are smart and use high-level techniques in their attacks, stating that all cyber attacks are sophisticated is missing the point.
A hacking attempt doesn't have to be sophisticated to be successful. Rather, attackers will always be focused solely on using tools and techniques that will work regardless of how sophisticated they are.
It doesn't have to be fancy, it just has to work
The point that a lot of people don't get is that hackers aren't out there to impress people. For the most part, the biggest thing they care about is getting the job done as efficiently and as effectively as possible. A great example of this is the hacking of French television network TV5 Monde.
The tools used to hack TV5 Monde weren't sophisticated in the slightest. In fact, Trend Micro Chief Technology Officer Raimund Genes reported that the malware that was used in the attack was made with a simply VBScript toolkit and had an instructional video on YouTube. In an era where multiple educational tools are moving online, this is a frightening concept. People no longer need to know how to write sophisticated malware in order to hack a national television network.
Although the idea of hacking tools being found readily available online is scary enough, it isn't the only unsophisticated way of gaining access to private information. John Brennan, the director of the CIA, found this out the hard way when his AOL email account was hacked by a teenager. The hacker used social engineering, a technique that scams people into giving out sensitive information simply by lying to them.
In that particular case, the cyber criminal called Verizon posing as a technician working on Brennan's account. The New York Post reported that the teenager said he needed some information to keep working, and conned Verizon into giving him Brennan's personal details. Once he got access to this data, the hacker simply called AOL saying he was locked out of his account and needed a password reset. He used the information gained from Verizon to trick AOL into thinking he was Brennan and quickly gained access to the email account.
This incident shows just how effective an unsophisticated attack can be. Although the teen must have had some conversational ability to trick two companies into thinking he was someone he wasn't, the point here is that access to the CIA director's personal email account was only two phone calls away. Why utilize highly-refined cyber crime techniques if something as simple as this works equally well?
What's to be done?
The sad reality of the situation is that an organizations simply cannot protect against every single cyber attack lobbied at it. There are obviously preventative measures companies can take to lower the risk of an attack, but the sheer number of cyber criminals out there means that at least some hacking attempts are going to make it through the front lines. Finding these hackers after they've already gained access seems backwards, but many times it's the only option.
Hackers are out there and they are constantly trying to take the private information of citizens and companies alike. People need to start realizing that even unsophisticated attacks pose a very real threat to their information, and they need to start taking steps to mitigate this risk. As Genes stated in his August 2015 article: "An intrusion detection system is no longer a luxury, but a necessity."