If you ask the field's top cybersecurity leaders what's on their worry list, you might not expect bored teenagers to be top of mind. But in recent years, this entirely new generation of money-driven cybercrime has led to some of the largest hacks in history, and shows no signs of slowing down.
Meet the “advanced and tenacious teenager,” as the security community calls them. These are skilled, financially motivated hackers like Lapsus$ and Scattered Spider who have proven capable of digitally infiltrating hotel chains, casinos, and tech giants. These hackers use tactics that rely on credible email lures and persuasive phone calls posing as the company's help desk to trick unsuspecting employees into giving up company passwords and network access.
These attacks were highly effective, causing massive data breaches that affected millions of people and resulting in huge ransoms being paid to get rid of the hackers. By demonstrating hacking capabilities once limited to only a few nations, the threat from bored teenagers has led many companies to realize that they don't know whether the employees on their networks are really who they say they are, and not actually a stealthy hacker.
From the perspective of two veteran security gurus, are we underestimating the threat of bored teenagers?
“It's probably not going to last very long,” Darren Gruber, technical advisor for security and trust at database giant MongoDB, said on a stage panel at TechCrunch Disrupt on Tuesday. “They don't feel as threatened, they may not be within U.S. jurisdiction, they're very technical, and they tend to learn these things in different places,” Gruber said.
A further built-in advantage for these threat groups is that they also have more time.
“This is a different motivation than the traditional adversaries that businesses see,” Gruber told the audience.
Gruber has first-hand experience dealing with some of these threats. MongoDB was compromised in late 2023, and some metadata such as customer contact information was stolen, but there was no evidence that customer systems or databases were accessed. By all appearances, the intrusion was limited, and Gruber said the attack was consistent with tactics used by Scattered Spider. He said the attacker used a phishing scam to gain access to MongoDB's internal network while posing as an employee.
Having this attribution helps network defenders defend against future attacks, Gruber said. “It helps to know who you're dealing with,” he said.
Speaking alongside Gruber at TechCrunch Disrupt, Heather Gant-Evans, chief information security officer at fintech card issuer Marqeta, told the audience that the motivations of the new threat groups made up of teenagers and young adults were “believable.” Their behavior is “incredibly unpredictable,” she said. Their tactics and techniques were not particularly sophisticated: sending phishing emails, or tricking phone company employees into forwarding someone's phone number.
“The trends we're seeing are really about insider threats,” Gant-Evans said. “It's much easier to get in through people than it is to hack with sophisticated malware or exploit vulnerabilities, and they'll continue to do that.”
“Some of the biggest threats we're looking at right now are identity-related, and there are a lot of questions around social engineering,” Gruber said.
He said the attack surface is not limited to email or text phishing, but extends to any system that interacts with employees or customers. That's why companies like MongoDB prioritize identity and access management to ensure only employees have access to the network.
Gant-Evans said these were all attacks with a “human element,” coupled with hackers' often unpredictable motivations, and pointed to the neurodivergent ways of thinking and acting that some young hackers have. “There's a lot to learn.”
“They don't care that you don't like mixers,” Gant-Evans says. “Those of us in cybersecurity need to be better at embracing neurodiverse talent.”