At the FRESH IT 2023 conference held in Prague this March, Vlad Iliushin, a cybersecurity expert and CEO of ELLIO, addressed the enduring challenge posed by script kiddies. Their activities, responsible for generating substantial internet background noise and an abundance of SYNful packets, continue to burden network security professionals. In his presentation, Vlad told about the strategies and tools wielded by script kiddies.
Free-for-all
One factor that enables script kiddies (often undeservingly labeled as amateur hackers) to remain a persistent challenge for network security professionals is the easy accessibility of exploits crafted by seasoned attackers. These exploits prey on software vulnerabilities, potentially granting attackers unauthorized access to systems or data. Despite the high level of technical prowess required to create these exploits, a number are shared online and can be effortlessly obtained by attackers, even those with limited experience.
The rapid dissemination of exploits presents a substantial threat to organizations, as staying updated with the latest vulnerabilities and countering the risks they pose can be a formidable task.
Once a sophisticated exploit becomes available online, often under the guise of being “for research purposes only,” it effectively becomes an open-source weapon, with no method of retrieval. What was once an exclusive 0-day exploit swiftly becomes commonplace, enabling attackers to seamlessly integrate it into their arsenal. This leads to the execution of more intricate and harmful attacks. The rapid dissemination of exploits presents a substantial threat to organizations, as staying updated with the latest vulnerabilities and countering the risks they pose can be a formidable task.
Spray and pray
Another element that amplifies the threat level of script kiddies is their capacity to generate substantial network traffic and background noise. This often complicates the task for security teams in distinguishing between legitimate traffic, generic malicious activities like indiscriminate internet scanning for services to exploit, and targeted attacks specifically planned by sophisticated threat actors aimed at breaching a particular organization. SYN(ful) packets are frequently employed by script kiddies to scan the network for open ports or running services, the results of which are subsequently utilized in auto-exploit utilities.
Given the untargeted “spray-and-pray” nature of these attacks, the primary goal of script kiddies is to exploit and seize control of as many endpoints as rapidly as possible. Interestingly, in such instances, their main competition isn’t necessarily the security teams but other attackers with similar objectives. Once successful, the exploited machines can serve countless purposes for a triumphant script kiddie.
Script kiddies could also conscript the hacked machine into a botnet-for-hire service. Botnets, comprising networks of infected devices, can be remotely commanded to conduct attacks.
When a script kiddie successfully infiltrates a machine, they can repurpose it for several malicious endeavors. For instance, they might employ the compromised machine for cryptocurrency mining. This operation, while financially benefiting the script kiddie, exhausts system resources and impairs machine performance.
Script kiddies could also conscript the hacked machine into a botnet-for-hire service. Botnets, comprising networks of infected devices, can be remotely commanded to conduct attacks. By leasing botnets in clandestine marketplaces, attackers can orchestrate extensive attacks without the need for personal botnet construction or maintenance.
Another possible use for the compromised machine is as a launchpad for ransomware, a type of malware that encrypts files and extorts payment in return for the decryption key. Ransomware attacks can lead to considerable disruptions, triggering significant downtime and data loss.
In certain scenarios, the script kiddie might merely deface the website or vandalize the machine, either as proof of their hacking prowess or as a symbolic gesture. Irrespective of the specific actions initiated by the script kiddie, a compromised machine can serve as a gateway into an organization’s network, potentially catalyzing further attacks.
This constant barrage of alerts can divert security teams’ attention away from more sophisticated threats, leading to a phenomenon known as alert fatigue.
Alert overload
Script kiddies often exhibit remarkable persistence in their network scanning activities, continuously seeking vulnerabilities and weaknesses to exploit. Their incessant scanning generates a deluge of alerts and logs, potentially causing an alert overload for professional security teams. Sifting through these numerous alerts to pinpoint authentic threats can prove arduous and demanding, particularly in the face of the high-volume, low-level noise produced by script kiddies’ activities.
This constant barrage of alerts can divert security teams’ attention away from more sophisticated threats, leading to a phenomenon known as alert fatigue. Here, the constant influx of alerts results in desensitization, increasing the likelihood of overlooking real threats. Hence, the persistent activities of script kiddies not only pose a direct threat but also indirectly compromise the effectiveness of security measures.
Risk mitigation
It’s an undeniable reality that organizations need to continuously monitor their networks for anomalous activity, whilst ensuring their security framework is kept up-to-date and appropriately configured. Given the relentless evolution of attacker tactics and techniques, preemptive threat monitoring and management are of utmost importance. To handle the influx of alerts, and effectively prioritize the risks, organizations can utilize automated tools or expand their security team. However, managing alerts represents just one facet of a holistic cybersecurity strategy.
One proactive approach and a valuable source for alert triage is the implementation of a honeypot network. A honeypot network serves as a decoy, designed to attract potential attackers with the intention of studying their tactics and tools. Distributing a series of honeypots across various internet sectors enables organizations to pinpoint the origin and methodologies of potential attackers. These decoys can also offer valuable insights into emerging attack techniques and enable the testing of security defense measures.
However, deploying honeypots necessitates meticulous planning to ensure they don’t inadvertently expose the network to further risk. Moreover, the data acquired from honeypots needs thorough analysis to glean actionable intelligence. Honeypots, while instrumental in identifying potential threats, should not be relied upon as the sole line of defense. They should be part of a multi-tiered security strategy which encompasses network segmentation, endpoint protection, and regular security audits.
Are you oveloaded by SIEM events and alerts in your SOAR?
Set up ELLIO’s Virtual SOC Analyst, an efficient ML-powered suite of tools designed to streamline security operations, combat alert fatigue, and save resources. ELLIO’s Virtual SOC Analyst reduces alert overload and improve triage process in SIEM and SOAR.
About Vlad Iliushin
Vlad is a cybersecurity expert, co-founder and CEO of ELLIO. In addition to his work at ELLIO, Vlad is a board member of AMTSO (Anti-Malware Testing Standards Organization), where he is actively involved in the development of new testing guidelines for security products.
Prior to co-founding ELLIO Technology, Vlad was a lead researcher at Avast (now Gen Digital), an international cybersecurity company. He led the IoT Lab, developed proofs-of-concept for security features used in Avast products, and conducted research on IoT threats. Vlad has spoken at many international conferences such as Kaspersky Security Analyst Summit, Websummit, TROOPERS Conference, SXSW Conference & Festival, QuBit, and various local events for the tech community.