Advanced attacks are out, while persistent, relatively simple attacks are in. That was one takeaway from the numerous discussions I had with information security experts at this month's RSA Conference in San Francisco.
Of course, there will always be a place for advanced campaigns, such as backdooring the firmware used by one of the world's largest networking vendors, which many security experts believe involved up to three countries' intelligence services, starting with the U.S. National Security Agency.
But despite all of the APT hype in recent years, cybercriminals, and especially nation-state attackers, prefer to keep things simple.
So says the NSA's "hacker in chief" - Rob Joyce, who heads its Tailored Access Operations. At the recent USENIX 2016 conference, he said that when doing nation-state exploitation, the NSA uses the simplest techniques, whenever possible, and isn't afraid to be incredibly persistent, waiting for targets to make a slight mistake or misconfiguration.
Witness that paradigm at work in the form of ransomware infections, which let attackers charge their victims directly for the decryption of their hard drives after infection. Of course, the number of people - and organizations - who pay up attests to a widespread lack of preparedness, including the failure to maintain up-to-date, offline backups (see Hollywood Hospital Pays Ransom to Unlock Data).
On the opening day of this month's RSA briefings, Christopher Young, general manager of the Intel Security Group - formerly known as McAfee - noted that profits related to version 3 of the CryptoWall ransomware are estimated to have reached at least $325 million. I also spoke with Raj Samani, Intel's CTO for Europe, the Middle East and Africa, at the conference, who told me that the amount of fraud that's been tied to CryptoWall version 3 so far is likely grossly underestimated.
Attackers have long employed social-engineering attacks - trickery - to accomplish their goals. For nation states, that can mean gaining persistent, long-term access to targeted networks, for example, by tricking an employee into opening a malicious Excel file, as happened in the 2011 breach of conference sponsor RSA.
Unfortunately, in this age of people being conditioned to click on the latest-and-greatest cat videos, our collective susceptibility to such tricks seems endemic to being human.
How bad is it? "The most effective lures are the ones that just have one word - 'info' [for example] - with a .doc attached," Ryan Kalember, senior vice president of cybersecurity strategy for security firm Proofpoint, told me at the conference.
Education, as well as tough love, can help. Kalember's colleague at Proofpoint, Dave Jevans, who also chairs the Anti-Phishing Working Group, told me that many organizations not only use fake phishing campaigns to test their employees, but also require those who fail the test to submit to related training. And some organizations will remove offenders' ability to access sensitive information, or even fire them.
For enterprises that must do battle against an increasing number of simple yet effective attacks, maybe tough love pays.