The biggest underestimated security threat of today? Advanced persistent teenagers

Date:

Share post:


If you ask some of the top cybersecurity leaders in the field what’s on their worry list, you might not expect bored teenagers to be top of mind. But in recent years, this entirely new generation of money-driven cybercriminals has caused some of the biggest hacks in history and shows no sign of slowing down.

Meet the “advanced persistent teenagers,” as dubbed by the security community. These are skilled, financially motivated hackers, like Lapsus$ and Scattered Spider, which have proven capable of digitally breaking into hotel chains, casinos, and technology giants. By using tactics that rely on credible email lures and convincing phone calls posing as a company’s help desk, these hackers can trick unsuspecting employees into giving up their corporate passwords or network access. 

These attacks are highly effective, have caused huge data breaches affecting millions of people, and resulted in huge ransoms paid to make the hackers go away. By demonstrating hacking capabilities once limited to only a few nation states, the threat from bored teenagers has prompted many companies to reckon with the realization that they don’t know if the employees on their networks are really who they say they are, and not actually a stealthy hacker.

From the points of view of two leading security veterans, have we underestimated the threat from bored teenagers?

“Maybe not for much longer,” said Darren Gruber, technical advisor in the Office of Security and Trust at database giant MongoDB, during an onstage panel at TechCrunch Disrupt on Tuesday. “They don’t feel as threatened, they may not be in U.S. jurisdictions, and they tend to be very technical and learn these things in different venues,” said Gruber. 

Plus, a key automatic advantage is that these threat groups also have a lot of time on their hands. 

“It’s a different motivation than the traditional adversaries that enterprises see,” Gruber told the audience.

Gruber has firsthand experience dealing with some of these threats. MongoDB had an intrusion at the end of 2023 that led to the theft of some metadata, like customer contact information, but no evidence of access to customer systems or databases. The breach was limited, by all accounts, and Gruber said the attack matched tactics used by Scattered Spider. The attackers used a phishing lure to gain access to MongoDB’s internal network as if they were an employee, he said.

Having that attribution can help network defenders defend against future attacks, said Gruber. “It helps to know who you’re dealing with,” he said.

Heather Gantt-Evans, the chief information security officer at fintech card issuing giant Marqeta, who spoke alongside Gruber at TechCrunch Disrupt, told the audience that the motivations of these emerging threat groups of teenagers and young adults are “incredibly unpredictable,” but that their tactics and techniques weren’t particularly advanced, like sending phishing emails and tricking employees at phone companies into transferring someone’s phone number. 

Image Credits:Getty Images

“The trend that we’re seeing is really around insider threat,” said Gantt-Evans. “It’s much more easier to manipulate your way in through a person than through hacking in with elaborate malware and exploitation of vulnerabilities, and they’re going to keep doing that.”

“Some of the biggest threats that we’re looking at right now relate to identity, and there’s a lot of questions about social engineering,” said Gruber. 

The attack surface isn’t just limited to email or text phishing, he said, but any system that interacts with your employees or your customers. That’s why identity and access management are top of mind for companies like MongoDB to ensure that only employees are accessing the network.

Gantt-Evans said that these are all “human element” attacks, and that combined with the hackers’ often unpredictable motivations, “we have a lot to learn from,” including the neurodivergent ways that some of these younger hackers think and operate.

“They don’t care that you’re not good at a mixer,” said Gantt-Evans. “We in cybersecurity need to do a better job at embracing neurodiverse talent, as well.”



Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

OpenAI’s GPT-5 reportedly falling short of expectations

OpenAI’s efforts to develop its next major model, GPT-5, are running behind schedule, with results that don’t...

OpenAI announces new o3 model — but you can’t use it yet

Welcome back to Week in Review. This week, we’re looking at OpenAI’s last — and biggest —...

Google pushes back against DOJ’s ‘interventionist’ remedies in antitrust case

Google has offered up its own proposal in a recent antitrust case that saw the US Department...

If climate tech is dead, what comes next?

Humans have an innate desire to name things, but to be honest, we’re not always that good...

Hollywood angels: Here are the celebrities who are also star VCs

Becoming a venture capitalist has become the latest status symbol in Hollywood.  Everyone these days, from Olivia Wilde...

Meet Skyseed, a VC fund and incubator backing the Bluesky and AT Protocol ecosystem

On November 15, Peter Wang posted a message requesting ideas for a new incubator and fund to...

Sam Altman disputes Marc Andreessen’s description of AI meetings with Biden administration

Famed investor Marc Andreessen recently talked about meetings with Biden administration staff who gave him the impression...

EV startup Canoo places remaining employees on a ‘mandatory unpaid break’

Struggling electric van startup Canoo has placed its remaining employees on what it’s calling a “mandatory unpaid...