At the FRESH IT 2023 conference held in Prague this March, Vlad Iliushin, a cybersecurity expert and ELLIO CEO , addressed the enduring challenge posed by script kiddies. Their activities, responsible for generating substantial internet background noise and an abundance of SYNful packets, continue to burden network security professionals. In his presentation, Vlad told about the strategies and tools wielded by script kiddies.
Free-for-all
One factor that enables script kiddies (often undeservingly labeled as amateur hackers) to remain a persistent challenge for network security professionals is the easy accessibility of exploits crafted by seasoned attackers. These exploits prey on software vulnerabilities, potentially granting attackers unauthorized access to systems or data. Despite the high level of technical prowess required to create these exploits, a number are shared online and can be effortlessly obtained by attackers, even those with limited experience.
The rapid dissemination of exploits presents a substantial threat to organizations, as staying updated with the latest vulnerabilities and countering the risks they pose can be a formidable task.
Once a sophisticated exploit becomes available online, often under the guise of being “for research purposes only,” it effectively becomes an open-source weapon, with no method of retrieval. What was once an exclusive 0-day exploit swiftly becomes commonplace, enabling attackers to seamlessly integrate it into their arsenal. This leads to the execution of more intricate and harmful attacks. The rapid dissemination of exploits presents a substantial threat to organizations, as staying updated with the latest vulnerabilities and countering the risks they pose can be a formidable task.
Spray and pray
Another element that amplifies the threat level of script kiddies is their capacity to generate substantial network traffic and background noise. This often complicates the task for security teams in distinguishing between legitimate traffic, generic malicious activities like indiscriminate internet scanning for services to exploit, and targeted attacks specifically planned by sophisticated threat actors aimed at breaching a particular organization. SYN(ful) packets are frequently employed by script kiddies to scan the network for open ports or running services, the results of which are subsequently utilized in auto-exploit utilities.
Given the untargeted “spray-and-pray” nature of these attacks, the primary goal of script kiddies is to exploit and seize control of as many endpoints as rapidly as possible. Interestingly, in such instances, their main competition isn’t necessarily the security teams but other attackers with similar objectives. Once successful, the exploited machines can serve countless purposes for a triumphant script kiddie.
Script kiddies could also conscript the hacked machine into a botnet-for-hire service. Botnets, comprising networks of infected devices, can be remotely commanded to conduct attacks.
When a script kiddie successfully infiltrates a machine, they can repurpose it for several malicious endeavors. For instance, they might employ the compromised machine for cryptocurrency mining. This operation, while financially benefiting the script kiddie, exhausts system resources and impairs machine performance.
Script kiddies could also conscript the hacked machine into a botnet-for-hire service. Botnets, comprising networks of infected devices, can be remotely commanded to conduct attacks. By leasing botnets in clandestine marketplaces, attackers can orchestrate extensive attacks without the need for personal botnet construction or maintenance.
Another possible use for the compromised machine is as a launchpad for ransomware, a type of malware that encrypts files and extorts payment in return for the decryption key. Ransomware attacks can lead to considerable disruptions, triggering significant downtime and data loss.
In certain scenarios, the script kiddie might merely deface the website or vandalize the machine, either as proof of their hacking prowess or as a symbolic gesture. Irrespective of the specific actions initiated by the script kiddie, a compromised machine can serve as a gateway into an organization’s network, potentially catalyzing further attacks.
This constant barrage of alerts can divert security teams’ attention away from more sophisticated threats, leading to a phenomenon known as alert fatigue.
Alert overload
Script kiddies often exhibit remarkable persistence in their network scanning activities, continuously seeking vulnerabilities and weaknesses to exploit. Their incessant scanning generates a deluge of alerts and logs, potentially causing an alert overload for professional security teams. Sifting through these numerous alerts to pinpoint authentic threats can prove arduous and demanding, particularly in the face of the high-volume, low-level noise produced by script kiddies’ activities.
This constant barrage of alerts can divert security teams’ attention away from more sophisticated threats, leading to a phenomenon known as alert fatigue. Here, the constant influx of alerts results in desensitization, increasing the likelihood of overlooking real threats. Hence, the persistent activities of script kiddies not only pose a direct threat but also indirectly compromise the effectiveness of security measures.
Risk mitigation
It’s an undeniable reality that organizations need to continuously monitor their networks for anomalous activity, whilst ensuring their security framework is kept up-to-date and appropriately configured. Given the relentless evolution of attacker tactics and techniques, preemptive threat monitoring and management are of utmost importance. To handle the influx of alerts, and effectively prioritize the risks, organizations can utilize automated tools or expand their security team. However, managing alerts represents just one facet of a holistic cybersecurity strategy.
One proactive approach and a valuable source for alert triage is the implementation of a honeypot network. A honeypot network serves as a decoy, designed to attract potential attackers with the intention of studying their tactics and tools. Distributing a series of honeypots across various internet sectors enables organizations to pinpoint the origin and methodologies of potential attackers. These decoys can also offer valuable insights into emerging attack techniques and enable the testing of security defense measures.
However, deploying honeypots necessitates meticulous planning to ensure they don’t inadvertently expose the network to further risk. Moreover, the data acquired from honeypots needs thorough analysis to glean actionable intelligence. Honeypots, while instrumental in identifying potential threats, should not be relied upon as the sole line of defense. They should be part of a multi-tiered security strategy which encompasses network segmentation, endpoint protection, and regular security audits.
Overload by events, alerts in your SIEM or SOAR?
In cybersecurity, data is everything – timely, reliable data drives the right decisions. But with the sheer volume collected, every security analyst faces the same tough challenge: spotting the truly critical alerts hidden within a flood of non-urgent noise.
ELLIO Threat Intelligence identifies and filters out non-urgent, low priority alerts in real time, directly within your SIEM, SOAR, or TIP. ELLIO allows SOC team to focus on critical threats that matter without wasting time investigating non-urgent cybernoise.
ELLIO accelerates targeted attack detection by differentiating malicious from benign traffic.
About Vlad Iliushin
Vlad Iliushin is a co-founder of ELLIO and President of the Anti-Malware Testing Standards Organization AMTSO. A true cybersecurity enthusiast, Vlad’s passionate about network security, IoT, and cyber deception. Before ELLIO, he founded and led the Avast IoT Lab (now Gen Digital), developing security features and researching IoT threats. He has spoken at many conferences, including Web Summit and South by Southwest (SXSW), where he demonstrated IoT vulnerabilities alongside World Chess Champion Garry Kasparov.
