The IT security industry, which was essentially born in the 1980s, is now a multibillion-dollar industry that is vital, if not essential, to protecting everyday operations of modern life, from basic business activity to hospitals to critical infrastructures and industries.
The evolution of cyber attacks and cyber security has been equally impressive. What began as curiosity, amusement, and a quest for notoriety in the early 1980s has grown into a multibillion-dollar organized crime industry.
Every step forward in cyber attacks and security marked the start of a new generation. Most IT security infrastructures are still only at the 2nd or 3rd generation of security, while today’s attacks are far more advanced 5th-generation attacks; this leaves the security deployed by businesses at a very concerning inflection point. Simply put, a company’s security is behind the times and ill-equipped to defend against today’s attacks. Businesses must implement 5th-generation security to defend against 5th-generation attacks.
This post will explore the five generations of cyber attacks in history.
The first generation began in the 1980s, coinciding with the widespread availability and use of personal computers by the general public. Virus attacks, malicious software programs that replicate themselves onto new computers, became commonplace almost immediately, and all businesses and personal computer users were affected by them. Virus attacks had so large and disruptive an impact that commercial anti-virus software was created to protect against them.
Personal computers were used as stand-alone devices in the 1980s. Viruses were spread using portable floppy discs, which were used to share files between users and personal computers.
The phrase “hacker in his parents’ basement” was coined. In the 1980s, the terms “computer hacking” and eventually “hacking” referred to those who wrote software programs to disrupt or attack computers. The hackers were mostly inquisitive teenagers who broke into systems for sheer joy and challenge. Viruses were also written in the pursuit of knowledge and to establish a personal reputation as a clever program creator. As hacking evolved beyond individuals, the underground organized itself through bulletin board systems (BBSs), which provided anonymity and the freedom to share knowledge and trophies among peers.
- Elk Cloner: Elk Cloner was the first virus to infect personal computers. It was written as a joke by then-15-year-old Richard Skrenta and served as an annoyance, occasionally displaying a poem on the infected computer.
- Brain: Brain is regarded as the first global virus. It was accidentally created in 1988 when two brothers, Basit and Amjad Farooq Alvi, wrote what they thought was a mechanism to prevent illegal copying of their software. Their design, however, was flawed, and their tool turned into a virus that replicated and copied itself.
With the advent of networking and the internet in the 1990s, the second generation emerged. “Everyone was going online,” as the saying went. With the internet connecting governments, businesses, and the general public, the floodgates for malicious and volatile software were opened. The network firewall was created in response to this unrestricted access to anything and everything connected.
In the 1990s, network connectivity advanced information sharing from hand-carried floppy disks to machine speed over connected networks, and the speed and spread of attacks grew in lockstep.
With the advent of networking, hackers began to organize and communicate through the World Wide Web (WWW) and websites, displacing the hacker BBSs. Increased connectivity amplified both the reach and the damage of curious pranksters and of the early stages of cybercrime and theft.
- Morris Worm: The Morris Worm was released in November 1988, in the early days of the internet. Robert Morris, a graduate student at Cornell University, created it with good intentions; he claims he wrote the worm to measure the internet’s size. The worm contained an error that caused it to infect the same computers repeatedly, consuming resources and causing a denial of service. The Morris Worm is believed to have infected up to 60,000 host systems across the early internet, spotlighting the need for network and internet security.
- Melissa Virus: The Melissa Virus was released in 1999 by David Smith, a network programmer. It was hidden in a Microsoft Word document macro that, when opened, sent an email to the first 50 addresses in the computer’s MAPI email address file. A sense of curiosity drove Smith. Melissa caused $80 million in damages by crashing 100,000 email servers.
The third generation emerged in the early 2000s as attackers learned to exploit vulnerabilities in all components of an IT infrastructure. IETF RFC 2828 defines a vulnerability as “A flaw/weakness in a system’s design, implementation, operation, and management that could be exploited to violate the system’s security policy.”
Vulnerabilities were plentiful: at any given time, several existed in operating systems and applications. Every element of an IT infrastructure had vulnerabilities that an experienced attacker could exploit to gain access to a private network. Firewalls, anti-virus, and intrusion detection system (IDS) products were unable to effectively stop attacks targeting vulnerabilities. As a result, intrusion detection systems (IDS) evolved into intrusion prevention systems (IPS) that detect and block attacks against vulnerabilities.
Cyber attacks are often described as “sophisticated,” and this generation showed the first signs of attack sophistication. Rather than writing a virus or worm that spreads by accident, attackers in this era began to analyze networks and software products for specific vulnerabilities for which they could design attacks in order to penetrate networks, disrupt operations, or steal assets. In some cases the attack was delivered through “social engineering,” which enticed users to “click” and start the infection.
The IT industry was booming, with new products, tools, applications, and services being developed to meet the demands of a hungry market that was rapidly and aggressively moving everything online, and attackers became aware of the potential reward. They became more organized and sophisticated, less concerned with fame and more concerned with making money through illegal means such as cyber hacking.
- ILOVEYOU: On May 4, 2000, the ILOVEYOU virus was released, infecting thousands of computers in minutes. It had such a broad and lasting impact that it was featured on the cover of Time magazine in May 2000. Although companies and anti-virus vendors screened emails with the subject line “ILOVEYOU,” attackers simply changed the subject line to keep the virus alive.
- SQLSlammer: SQLSlammer, also known as Sapphire, exploited vulnerabilities in Microsoft SQL Server and MSDE to become the world’s fastest-spreading worm.
- Estonia: Estonia, a member of the European Union and NATO, was subjected to massive cyber attacks on its infrastructure on April 27, 2007.
The fourth generation emerged around 2010 as attackers and their tactics advanced to new levels of sophistication. The attacks included international espionage, massive data breaches, and large-scale internet disruption. Because of their large-scale impact on and relevance to the general public, this generation’s attacks made headlines in daily mainstream media. They had an impact on CEOs in boardrooms and prompted government investigations.
While the second and third generations of internet security provided access control and inspected all traffic, they were woefully inadequate at validating the end-user content received via email, file downloads, and other means. Everything from resumes to picture files was used as a carrier. Behind them, sophisticated code was waiting to be launched and spread, sometimes backed by massive bot armies ready to storm the gates. All that was required was for a user to do their job, for example open an attachment in an official-looking email in their inbox, download a business file from the internet, or plug a USB drive into their laptop, and the attack would launch silently. The attack could search for databases and exfiltrate personal information. Via communication back to “Command & Control” (C&C), it could launch a massive bot-driven denial of service attack for disruption or as a decoy for the real attack, among other things.
This generation’s sophistication skyrocketed, and it was a foreshadowing of things to come. The high-profile data breaches resulted from specifically designed and “engineered” attacks built to compromise the target, exfiltrate data for sale on black markets, and/or cause major disruptions. The proliferation in this generation was unique and more dangerous than in previous ones, because unintentional leakage of sophisticated attack tools beyond the original target educated the general hacker world and raised the overall sophistication of attackers above what it would otherwise have been. The Stuxnet worm, for example, spread beyond its original target after its components were discovered in other attacks, and anyone can now download it.
The generic “attackers” became a more organized and formidable force in this generation. They became truly professional, organized crime organizations, and nation-states began to treat their cyber forces as an arm of their military, creating cyber attacks for profit or disruption.
- Target: Target, the third-largest US retailer, made headlines in December 2013 when malware was planted on its POS system, compromising up to 40 million customer credit and debit cards as well as the personal information of up to 110 million customers (various reports claim from 70 to 110 million). According to reports, the attackers first broke into the network of Target’s HVAC provider, which had remote access to Target in order to service HVAC systems in some Target stores. The attackers installed the malware on Target’s POS system, which allowed them to capture and export credit card data and other personal information before it was encrypted and sent to Target for processing. The breach’s financial consequences were estimated at hundreds of millions of dollars, with some estimates reaching $1 billion. Gregg Steinhafel, Target’s CEO and Board Chairman, also resigned.
- DYN: On Friday, October 21, 2016, the world learned that an army of bots hosted on internet-connected cameras was able to cause outages to well-known internet services such as Twitter, Amazon, Spotify, and Netflix, bringing cyber security to a new level of public awareness. The outage was caused by a global Distributed Denial of Service (DDoS) attack on DYN, a large DNS infrastructure company. It may not have surprised internet security experts, but it served as another reminder of the Internet grid’s vulnerability. Fortunately, it did not cause as much damage as it could have.
The 5th generation emerged around 2017 as the leakage of advanced tools fueled large-scale, multi-vector attacks. These massive attacks brought criminals profit and their targets large-scale disruption. This resulted in custom, sophisticated malware that can infiltrate and spread across virtually any vector of an IT infrastructure, including a company’s networks, cloud instances, remote offices, mobile devices, third parties, and more. “Incidents that would have once been considered extraordinary are becoming more and more commonplace,” writes The Global Risks Report 2018, 13th Edition, of the latest 5th generation of attacks. “…the WannaCry attack, which affected 300,000 computers across 150 countries,” the report continues, “and NotPetya, which caused quarterly losses of US$300 million for several affected businesses.”
The 5th-generation attacks spread quickly, infecting many businesses and entities across large geographic areas within hours. Viruses from previous generations moved quickly, but these 5th-generation attacks are even faster, more sophisticated, stealthier, and more successful. The WannaCry attack, for example, used a tool developed by the US National Security Agency called EternalBlue, which was presumably unintentionally leaked to the cyber world. The tool used vulnerabilities in Microsoft Windows XP to allow attackers to carry out a variety of attacks, ranging from ransomware to complete disruption. Compared to previous generations, 5th-generation attacks pose a greater threat. They are “mega” and multi-vector because they can infiltrate and spread from and to any vector of an IT infrastructure, such as networks, cloud instances, remote offices, endpoints, mobile devices, third parties, and more.
Cybercriminals in the fifth generation are highly organized, even industrialized, as any successful business would be. The attackers are technically adept, and as new technologies enter the market, they quickly exploit them for their own gain at the expense of their intended victims.
Malware can now be licensed and comes with technical support, and cybercrime has its own social networks, complete with escrow services. Botnets can be rented by the hour for a crime spree. There are malware infection services that quickly build botnets for a fee, as well as a thriving market for zero-day exploits (exploits for vulnerabilities not yet publicly known).
- WannaCry: The WannaCry ransomware attack spread across the globe in May 2017, affecting computers running Microsoft Windows XP. The attack encrypts data and demands Bitcoin as a ransom payment. WannaCry used a tool developed by the US National Security Agency called EternalBlue, which was presumably unintentionally leaked to the cyber world.
- NotPetya: Petya ransomware first appeared in March 2016. It encrypts hard drives and demands a ransom for the decryption key. Then, in June 2017, an attack in Ukraine, Russia, and parts of Europe, initially thought to be Petya, targeted banks, airports, and power companies. After further investigation it was found not to be Petya and was dubbed NotPetya.