Attackers only care about what is effective
…they do not care about vulnerability scores.
The point is that attackers and attacks change constantly, often faster than defenders can keep up, because criminals must stay a step ahead to remain profitable and/or notorious. The value of illegal online activity can be measured in different ways, but it is almost always direct financial gain: the sale of stolen private data, or ransomware payments.
Attackers use automation to extend their reach, employing tools that do the heavy lifting during an attack. Automation lets criminals find vulnerable servers faster, but the main attack is still carried out by a human. As automated tooling grows more sophisticated, however, the human element of an attack is likely to shrink over time. Metasploit has been a popular framework for years, used by testers and attackers alike; now there is AutoSploit, a tool that combines Metasploit with Shodan to automate both the search for susceptible remote hosts and the subsequent attempt to exploit them.
The ‘Things’ in IoT are not only IT: they are in transport, the home, communications, everywhere. There are now more IoT devices than people, which makes them an attractive target.
We can mitigate some of this through good design practice, but it is a struggle. We need operational cultures rooted in data and cyber security. We need ethical hackers to identify vulnerabilities (as Barnaby Jack put it, “You have to demo a threat to spark a solution”), and we need complete visibility into, and analysis of, the data flows in our large-scale networks so we can hunt for anomalies and, where appropriate, remove dangerous and harmful activity.
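As an added example (not from the original article, and not the code of any tool it names) of the flow-level hunting the paragraph calls for: an automated tool that sweeps many hosts on one port leaves a fan-out footprint in network flow records, one source touching many distinct destinations with tiny, short-lived connections. The detector below runs over a constructed set of flow records (the record layout and the sample traffic are assumptions for illustration, not real data) and flags sources whose per-port fan-out exceeds a threshold and whose flows are almost all small.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised connection; a simplified NetFlow-style record (assumed layout)."""
    src: str
    dst: str
    dport: int
    packets: int
    nbytes: int


# Constructed sample records, not captured traffic: one external source sweeps
# port 22 across 40 internal hosts with single-packet flows, mixed with ordinary
# HTTPS sessions and a couple of small but legitimate DNS lookups.
FLOWS = [Flow("198.51.100.7", f"10.0.0.{i}", 22, 1, 60) for i in range(1, 41)] + [
    Flow("10.0.0.5", "10.0.0.9", 443, 120, 54000),
    Flow("10.0.0.6", "10.0.0.9", 443, 88, 41000),
    Flow("10.0.0.7", "10.0.0.10", 53, 2, 180),
    Flow("10.0.0.7", "10.0.0.11", 53, 2, 180),
]


def detect_fanout(flows, min_targets=20, max_packets=3, small_ratio=0.9):
    """Return sorted (src, dport, distinct_targets) tuples for sources that reach
    at least `min_targets` distinct hosts on one port where at least `small_ratio`
    of those flows carry `max_packets` packets or fewer. Thresholds are assumptions
    to be tuned against a real baseline; the DNS resolver above stays under them."""
    targets = defaultdict(set)   # (src, dport) -> set of destination hosts
    small = defaultdict(int)     # (src, dport) -> count of tiny flows
    total = defaultdict(int)     # (src, dport) -> count of all flows
    for f in flows:
        key = (f.src, f.dport)
        targets[key].add(f.dst)
        total[key] += 1
        if f.packets <= max_packets:
            small[key] += 1
    findings = []
    for key, dsts in targets.items():
        if len(dsts) >= min_targets and small[key] / total[key] >= small_ratio:
            findings.append((key[0], key[1], len(dsts)))
    return sorted(findings)


if __name__ == "__main__":
    for src, dport, n in detect_fanout(FLOWS):
        print(f"fan-out from {src} on port {dport}: {n} distinct hosts, mostly tiny flows")
```

The point of the small-flow ratio is to separate a sweep from a busy but legitimate server: a load balancer also talks to many hosts, but its flows carry real payload. In production the thresholds would be set from the network's own baseline rather than the fixed values assumed here.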