The Myth Of The Sophisticated Hacker

On Tuesday, the U.K.’s Labour Party became the latest in a decade-long line of victims to claim they were targeted by a “sophisticated” cyberattack that wasn’t, actually, very sophisticated.

The big picture: It’s the latest lexical stretch for an adjective that’s widely used in reports of cybersecurity incidents — and widely loathed by researchers as a result. If everything is sophisticated, nothing is sophisticated.

Driving the news: Labour ultimately faced what’s known as a denial of service attack, a way of overwhelming servers with a ton of traffic. It’s a digital blunt force attack — harmful, yes, but hardly sophisticated. Labour was not alone.

In the last year or so, victims blamed “sophisticated” hackers for breaches at the Australian Parliament; a hamburger chain; a bank; another bank; yet more banks and universities in Australia, the U.S. and UK; a 1,200-student high school; newspapers; Amnesty International; WhatsApp users; a medical center; an electronics supplier; an embassy; and a community college, among others.

Be smart: Some of those hackers were, in fact, sophisticated. Others weren’t. But overusing the word dilutes its meaning.

The sophisticate who cried wolf: For network defenders trying to follow what’s going on across the industry, it’s important to know when actual sophisticated hackers emerge. “There’s a boy who cried wolf situation,” said Dylan Owen, senior manager for cyber services at Raytheon.

Sophistication’s siren song: As soon as a breach is announced, companies are on the defensive, left to justify to users, investors and employees how data that was supposed to be kept secret suddenly wasn’t.

  • “No one is going to say they were breached by average hackers,” said Chris Scott of IBM’s X-Force IRIS incident response team.
  • Sophisticated often gets used as a synonym for “our organization shouldn’t be blamed for missing this.”

But, but, but: Sophistication isn’t the only way to breach even high-tech defenses. Persistence is just as powerful as technical acumen.

  • “We see relatively simple attacks able to get by good defenses all the time,” said Owen.
  • Some of the most effective hacking groups in history — including all but the most recent of Iran’s efforts in hacking — were not considered particularly technically skilled.

When experts say “sophistication,” they use it very differently from average people.

  • For experts, a sophisticated attack is one that’s layered, bespoke and studied — one that cleverly and efficiently achieves its goals. It can refer to work before or after a breach, how an attacker maneuvers inside a network, speed or stealth.
  • For the public, sophistication sounds like someone is simply using unbeatable technology, one part wizardry and another part ninjutsu.

Those aren’t the same thing. Just consider the first steps in hacking a computer.

  • The most sophisticated attackers almost always start with methods the public doesn’t think of as sophisticated. The U.S., China and Russia — the most advanced hackers in the world — typically start an attack with phishing or exploiting security flaws vendors have already released a patch for.
  • Even so-called zero-days, previously undiscovered vulnerabilities that can’t yet be patched, are not always the sign of a sophisticated attacker. “You can have a group that uses a lot of zero-days that isn’t technically skilled, just willing to spend a lot of money to purchase them from the black market,” said Ben Read of FireEye.

The bottom line: Unless the hackers are known to wear cufflinks, you can usually take “sophisticated” with a grain of salt.

Go deeper: