I have recently been thinking about the threat landscape: what it consists of, who the so-called "players" in the field are, what kind of attack surface they present, what the typical attacks are and what to do about them. This is a broadly generalized blog post about the topic.
These days anything that is put online or operates online can get hacked. If you have a network, an IP address or simply an email address, you can be a target. If you use the Internet, you can be a target. Heck, even if you don't use the Internet at all, you can be a target of close-proximity attacks or be attacked through a service provider you interact with physically. Do you use a smartphone, drive an Internet-connected car or use some kind of IP-enabled device? The attack surface is getting very broad.
Most consumers and consumer devices are considered opportunistic targets; organizations and their infrastructure, on the other hand, are more often actual targets, as they tend to have something valuable to steal. Opportunistic attacks are, for example, sending a lot of emails and hoping someone takes the bait, creating a malicious advert which is shown on many popular sites, or randomly scanning the Internet and hoping to find assets with default credentials, whereas actual targets are studied more closely and an attack strategy is created for them. Of course an organization, its infrastructure and its employees are also targets of opportunistic attackers.
One might ask after reading the above: what if you're an opportunistic target and work for an organization, doesn't that make you also an actual target? In a sense, yes. If you have a user account in the organization's network and use a computer or mobile device, you can also be a target if you happen to fall under the attack strategy umbrella.
Looking back over the past couple of years, it seems to me that the most common problems these days are "ransom"-related attacks, either DDoS or ransomware-type activities targeting mobiles or computers, as people tend to pay up when they lose access to something that is very valuable to them, whether the impact is on their business or on their personal life.
A lot of service providers are also attacked, and as collateral damage the service provider's customers are affected too, typically in the form of leaked personally identifiable information. It doesn't seem to matter whether the data is related to health, work or leisure: leaks happen and get publicized steadily, resulting for example from a popped web application and its underlying database, or from a lost or stolen device.
Of course there are a lot of other things going on: banking and point-of-sale malware, enrolling assets into a botnet and so on. In addition, many Internet-connected devices are built without much security consideration, putting organizations and consumers equally at risk. Examples of such devices are surveillance cameras with default passwords or mobile phones which do not get security updates.
Some of the attacks appear more opportunistic in nature, whereas targeted attacks try to stay below the radar and focus more on intellectual property (IPR) or on collecting valuable information that can be used for monetary or other purposes. The opportunistic attackers tend to be of the cybercrime type, and the targeted attackers are hacktivists and groups with their own agendas.
Cybercrime is flourishing with its own commercialized services: malware-related services, DDoS services, carding and, for example, selling remote access to hacked assets, amongst many other things on offer. There are marketplaces and forums where stolen data and services are sold to anyone who is interested and has enough virtual currency to spend. It has been made simple to be a cybercriminal, as you can buy the services you want, lowering the bar for getting your own operations started. But most of the operations are opportunistic in nature, like for example spam campaigns laced with ransomware.
Those cybercrime operations that are not opportunistic involve more time and planning to get to know the organization and the third parties it operates with, and can result in huge monetary damages, for example by redirecting payments to attacker-provided bank accounts.
The hacktivists, on the other hand, pick organizations that are considered to be behaving badly in some way, and try to find a way to shame them publicly, for example by leaking information, but also potentially to affect their income by disrupting operations. The groups with their own agendas can be hackers-for-hire or nation-state actors, typically targeting organizations they believe have something valuable. These groups can be present in an organization's network for months or even years, slowly siphoning off IPR-related or sensitive material to whoever benefits most from the data.
Many security firms study these groups, reversing their tools and trying to discover their TTPs (Tactics, Techniques and Procedures). When they investigate a break-in, they can to some extent identify whether it is the same group or a group operating in a similar fashion. It is a bit difficult to follow this area, as each security firm tends to create its own naming for a group, even when they have been studying the same group.
In essence, the attacker manages to get a foothold in the environment, creates a persistence mechanism, then finds ways to access valuable assets and transfers the information out through infrastructure set up specifically for that purpose. The initial foothold is gained by carefully studying the organization and its employees and finding the entry point from there. The cybercrime market can even have an already compromised host inside the organization's network available for sale, or leaks may contain re-used access credentials for the organization's remotely accessible assets. Based on the study, the attacker can for example compromise a website regularly visited by the employees to serve a malicious payload, but typically the attack is simpler: the attacker targets a specific employee and sends a personalized email which contains an infected document or a link to a website hosting the malicious payload. After the payload gets executed, the attacker gains access to the environment.
Nation-state actors, on the other hand, can have a totally different arsenal in use, as has been shown in recent years, including remote zero-day exploits for devices and software. Potential control of networks also gives them the capability of "silently" exploiting end users. How often this happens and against whom is unclear, but most likely such operations are executed from time to time, and most probably they are aimed at governmental adversaries.
Looking back at all this, it seems to me that the most efficient way in is to target a user directly via email and try to get the user to execute something malicious, or to target them with malicious advertisements. It has also turned up in various analyses that the malicious payload doesn't have to exploit a publicly unknown (and more expensive) vulnerability, a so-called zero-day; even vulnerabilities that are a few years old still work.