The biggest underestimated security threat of today? Advanced persistent teenagers

Date:

Share post:


If you ask some of the top cybersecurity leaders in the field what’s on their worry list, you might not expect bored teenagers to be top of mind. But in recent years, this entirely new generation of money-driven cybercriminals has caused some of the biggest hacks in history and shows no sign of slowing down.

Meet the “advanced persistent teenagers,” as dubbed by the security community. These are skilled, financially motivated hackers, like Lapsus$ and Scattered Spider, which have proven capable of digitally breaking into hotel chains, casinos, and technology giants. By using tactics that rely on credible email lures and convincing phone calls posing as a company’s help desk, these hackers can trick unsuspecting employees into giving up their corporate passwords or network access. 

These attacks are highly effective, have caused huge data breaches affecting millions of people, and resulted in huge ransoms paid to make the hackers go away. By demonstrating hacking capabilities once limited to only a few nation states, the threat from bored teenagers has prompted many companies to reckon with the realization that they don’t know if the employees on their networks are really who they say they are, and not actually a stealthy hacker.

From the points of view of two leading security veterans, have we underestimated the threat from bored teenagers?

“Maybe not for much longer,” said Darren Gruber, technical advisor in the Office of Security and Trust at database giant MongoDB, during an onstage panel at TechCrunch Disrupt on Tuesday. “They don’t feel as threatened, they may not be in U.S. jurisdictions, and they tend to be very technical and learn these things in different venues,” said Gruber. 

Plus, a key automatic advantage is that these threat groups also have a lot of time on their hands. 

“It’s a different motivation than the traditional adversaries that enterprises see,” Gruber told the audience.

Gruber has firsthand experience dealing with some of these threats. MongoDB had an intrusion at the end of 2023 that led to the theft of some metadata, like customer contact information, but no evidence of access to customer systems or databases. The breach was limited, by all accounts, and Gruber said the attack matched tactics used by Scattered Spider. The attackers used a phishing lure to gain access to MongoDB’s internal network as if they were an employee, he said.

Having that attribution can help network defenders defend against future attacks, said Gruber. “It helps to know who you’re dealing with,” he said.

Heather Gantt-Evans, the chief information security officer at fintech card issuing giant Marqeta, who spoke alongside Gruber at TechCrunch Disrupt, told the audience that the motivations of these emerging threat groups of teenagers and young adults are “incredibly unpredictable,” but that their tactics and techniques weren’t particularly advanced, like sending phishing emails and tricking employees at phone companies into transferring someone’s phone number. 

Image Credits:Getty Images

“The trend that we’re seeing is really around insider threat,” said Gantt-Evans. “It’s much more easier to manipulate your way in through a person than through hacking in with elaborate malware and exploitation of vulnerabilities, and they’re going to keep doing that.”

“Some of the biggest threats that we’re looking at right now relate to identity, and there’s a lot of questions about social engineering,” said Gruber. 

The attack surface isn’t just limited to email or text phishing, he said, but any system that interacts with your employees or your customers. That’s why identity and access management are top of mind for companies like MongoDB to ensure that only employees are accessing the network.

Gantt-Evans said that these are all “human element” attacks, and that combined with the hackers’ often unpredictable motivations, “we have a lot to learn from,” including the neurodivergent ways that some of these younger hackers think and operate.

“They don’t care that you’re not good at a mixer,” said Gantt-Evans. “We in cybersecurity need to do a better job at embracing neurodiverse talent, as well.”



Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Microsoft and a16z set aside differences, join hands in plea against AI regulation

Two of the biggest forces in two deeply intertwined tech ecosystems — large incumbents and startups —...

SpaceX wants to test refueling Starships in space early next year

SpaceX will attempt to transfer propellant from one orbiting Starship to another as early as next March,...

Perplexity launches an elections tracker

Perplexity, the AI-powered search engine, might hallucinate from time to time. But the company wants to show...

When to sell your company? Look for these signals

Part of the mythology of Silicon Valley is the committed founder driving the company to a blockbuster...

The Chainsmokers want to bring a different kind of value add to B2B companies

The potential value a celebrity investor can bring to a consumer company, beyond just writing a check,...

New funding rounds confirm that money attracts money

Welcome to Startups Weekly — your weekly recap of everything you can’t miss from the world of...

How to make open source software more secure

Earlier this year, a Microsoft developer realized that someone had inserted a backdoor into the code of...

ChatGPT: Everything you need to know about the AI-powered chatbot

ChatGPT, OpenAI’s text-generating AI chatbot, has taken the world by storm since its launch in November 2022....