In 1881, Dr. George E. Goodfellow, a physician in Arizona, witnessed a dramatic Wild West shootout between two men standing just six feet apart. One of the men, Charlie Storms, was fatally shot. When Dr. Goodfellow examined Storms’ body, he made a remarkable discovery: the bullet that had passed through Storms’ heart was lodged in a silk handkerchief tucked into his breast pocket. Surprisingly, the silk remained completely intact, showing no signs of tearing. This incident marked one of the first documented cases of silk’s unexpected resilience to gunfire.
Sixteen years later, in Chicago, a Catholic priest named Casimir Zeglen demonstrated an innovative use of silk in front of the mayor and other officials. During the demonstration, Zeglen was deliberately shot with a pistol while wearing a bulletproof vest he had designed using layers of silk, linen, and wool. The vest successfully stopped the bullet, proving its effectiveness. Over the following decades, Zeglen’s concept would be refined and improved upon, eventually leading to the creation of modern body armor. The principles he established paved the way for the development of advanced synthetic fibers like Kevlar, which now form the core of contemporary bulletproof vests.
The Digital Wild West
Just as the development of bulletproof vests required rigorous testing under real-world conditions, the digital landscape of today demands equally robust security measures. The explosive growth of the Internet has created a virtual Wild West, where cyber threats are just as real and dangerous as any physical attack.
In the realm of personal protection, inadequate testing of bulletproof vests can lead to tragic consequences. Similarly, in cybersecurity, insufficient or superficial testing can leave organizations vulnerable to attacks with far-reaching implications. The stakes in this digital frontier are immense, with the global cost of cybercrime projected to reach $9.5 trillion USD this year – an amount that would represent the world’s third-largest economy after the U.S. and China.
While the attention of the industry remains focused on the OWASP Top 10 and other well-documented vulnerabilities – one critical weakness often goes unmentioned: the proliferation of charlatans offering subpar testing services. Organizations driven by fear of becoming another breach statistic and pressured by regulatory requirements often fall victim to these security snake oil salesmen. It’s akin to testing a bulletproof vest with a squirt gun – a superficial exercise providing false security. Many cybersecurity firms exploit this panic, marketing basic vulnerability scans as comprehensive penetration tests.
These shallow assessments amount to little more than checkbox exercises, designed solely to meet minimum regulatory requirements. With their lack of expertise and depth, these tests leave organizations unprepared against the true threats lurking in the cyber frontier. One would be better off taking the money and allocating it to a future ransom budget.
Real Threats
As technology has been embedded in everyday life, cyber-attacks are unavoidable in the modern world. But how exactly has it become so costly? Who is to blame? Besides the rogue individuals running tools that they found in public repositories (aka script kiddies), there are two recognized types of groups that exemplify the importance of thorough security reviews.
Government-Backed APT Groups
Instead of engaging in traditional kinetic wars, countries are now deploying troops to the cyber battlefield. This nation-state sponsored Advanced Persistent Threat (APT) groups are syndicates of highly skilled threat actors. Their use of advanced tools, tactics, and procedures (TTP) make them extremely dangerous adversaries. The attacks carried out by these groups are usually against specific targets in alignment with a government’s strategic interests, to conduct espionage, steal intellectual property or money, and disrupt critical infrastructure. With the support of the government, APTs are well-funded, arming them with the resources they need to carry out these sophisticated attacks. In some cases, APTs may have direct links to a nation’s military or intelligence services. A few well-known examples of APT groups are:
The Sandworm Team: This APT group consists of members of the Russian Main Intelligence Directorate (GRU). The campaigns carried out by this unit include:
- The attacks on Russia’s neighboring country Ukraine in 2015 through 2016 that targeted the country’s electrical grid.
- The 2017 NotPetya malware attacks, that were also intended for Ukraine but quickly breached the target’s borders and infected networks worldwide.
- The Olympic Destroyer malware that was used against the 2018 Winter Olympic Games in an act of retaliation after Russian athletes were banned from participating under their country’s flag following the Russian government-sponsored doping scandal.
The Lazarus Group: A North Korean APT, is believed to be responsible for financial crimes that amount to billions of dollars in theft and loss across multiple cyber attacks including:
- The 2015 attack against the computer systems of the Bangladesh Bank that resulted in a $81 million heist.
- The use of the WannaCry ransomware variant that infected more than 200,000 computers in 150 countries in 2017.
- The 2022 Axie Infinity attack targeting the Ronin Bridge in which they extracted approximately $625 million in cryptocurrency.
APT33 (Elfin): A suspected Iranian APT, that targets governments and organizations in certain industries such as the research, chemical, engineering, finance, and telecommunication sectors. The attacks attributed to this group are:
- The 2018 attacks using the Shamoon malware family against Saipem, an Italian oil drilling company, which resulted in approximately 10% of sensitive files on the company’s servers being destroyed.
- The exploitation of the CVE-2018-20250 vulnerability in an unpatched computer belonging to a target in the chemical industry of Saudi Arabia in 2019, which allowed for remote code execution on the device.
Cybercriminal Gangs
In an interconnected world, cybercriminal gangs have emerged as formidable adversaries. Motivated by money rather than political agendas, these groups set their sights on targets of any size as long as they believe it will be profitable. With access to a network of underground resources and individuals, these gangs are agile and adaptive, constantly evolving their tactics in order to evade the law. Even if the anonymity of their members is cracked and indictments are brought against their true identities, the countries in which they operate often do not agree to extradition. Examples of cybercriminals gangs are:
Lapsus$: A collective of cybercriminals that use large-scale social engineering and extortion techniques. The group has targeted governments, technology companies, manufacturers, schools, energy providers, telecommunications companies, and healthcare providers across the world. Their attacks include:
- The Nvidia data breach of 2022 in which the group stole hundreds of gigabytes of proprietary data and dumped it on the web.
- The theft of Samsung Galaxy source code used by the company for encryption and biometric unlocking functionality in 2022.
- The 2023 attack against RockStar Games, the company that develops the highly popular Grand Theft Auto video games. Due to this attack, 90 videos of gameplay from the next installment of the game were leaked and posted publicly online.
LockBit: A ransomware group that has targeted over 1,700 victims and received more than $91 million in extortion payments since 2020 in the United States alone. The LockBit ransomware variant operates as a ransomware-as-a-service (RaaS) model, in which the malware is maintained by the group and sold to affiliates. In 2022 to 2023, LockBit ransomware was attributed to:
- 18% of all reported ransomware incidents in Australia.
- 22% of ransomware incidents in Canada.
- 23% of ransomware reports in New Zealand.
- 16% of ransomware incidents against State, Local, Tribal, and Tribunal (SLTT) government organizations in the United States.
EXOTIC LILY: This group acts as an Initial Access Broker (IAB) that specializes in gaining unauthorized access to targets and then sells the initial foothold to other criminal groups. Using domain and identity spoofing, this group is known for using spear phishing techniques in order to trick internal members of an organization into installing malware. The group’s witnessed technique is as follows:
- Attackers use a business proposal template that is tailored to the targeted organization to initiate contact via email using a spoofed domain.
- Once initial communication was established, attackers would engage in further communication to establish trust.
- The attackers then upload malware to a legitimate file-sharing service and use the service’s sharing functionality to deliver the payload to the target.
Adversary Emulation in Penetration Testing
To effectively evaluate how your security program would fare against the sophisticated attack strategies and techniques used by these groups, it is essential to match their complexity. True penetration testing transcends the limitations of automated vulnerability scanning.
While vulnerability scanners might identify individual weaknesses, they are unable to replicate the escalations in severity or intricate attack chains that threat actors employ. Real attackers are not only exploiting isolated vulnerabilities – they are chaining multiple weaknesses across different assets and business logic flaws to achieve their malicious goals. This requires a deep understanding of how a target operates, something even the latest AI technology cannot reliably replicate.
By assuming the mindset of a malicious attacker, cybersecurity professionals conducting true penetration tests adopt the adversary emulation model to mirror real-world threats. This approach goes far beyond checking boxes.
What is known as “red teaming” represents the most advanced form of this testing, but the core principle of thinking like an attacker remains essential to effective penetration tests. Instead of applying generic checklists regardless of an organization’s industry, size, and technology stack – adversary emulation accounts for the specific threat landscape. Real threat actors tailor their campaigns to their targets – your security testing should do the same.
By investigating the TTPs used in real attacks by adversaries with malicious intent, penetration testing teams that employ the adversary emulation model can simulate past successful attacks. This allows your organization to see how it would fare against the exact same attack that brought your competitor to its knees.
As a result of such thorough evaluations, organizations gain a more nuanced understanding of their security posture and vulnerabilities. With this insight, security investments can be prioritized, tailored defenses can be implemented, and incident response processes can be adjusted to ensure the maximum level of resiliency is reached.
This mindset and use of advanced TTPs is something that we at Netragard are proud to say we leverage when conducting our penetration tests. We protect you from people like us.
Quality Over Mediocrity
Much like testing a bulletproof vest with a squirt gun, the difference between a thorough, high-quality penetration test and a superficial one can mean the difference between robust protection and devastating vulnerability. The core issue is the mistaken belief that a cyber attack will never target you. This false sense of security, without adequate investment, can ultimately lead to response and remediation costs that far exceed the price of regular, more affordable preventive measures. There is a saying in the industry, it’s not if you get attacked but when. It is imperative that we remove the false sense of security of thinking it won’t happen to you so it’s ok to choose the cheapest option. Without adequate investment in security, the amount you pay in remediation can far exceed the cost of more preventative and proactive measures.
While many see cybersecurity investment as a cost center rather than a profit center, the opposite is true. Investing in high quality cybersecurity mitigates vulnerabilities that lead to data breaches, the cost of which far outweighs the cost of reactive measures. In other words: investing in cybersecurity increases the profitability of an organization.
In IBM’s Cost of a Data Breach Report 2024 it was found that:
- 46% of breaches include customer personal data.
- 43% of breaches include intellectual property.
- 70% of organizations experienced significant disruption or very significant disruption to business as a result of a breach.
- Only 1% of organizations rated their level of disruption as low. Even at the low rating, these entities still incurred an average cost of $4.63 million.
- Among the organizations that reached a full recovery post breach, more than 75% relay the recovery took over 100 days.
- Regulatory fines over $100,000 saw a 5% increase compared to 2023.
According to the World Economic Forum’s 2024 Global Cybersecurity Outlook Report, out of the 199 participant organizations surveyed:
- 29% reported that they had experienced significant consequences due to a cyber-attack in the past 12 months.
- The number of malware families and variants that have infected at least 10% of global organizations has doubled over the past five years.
- When questioned as to whether their organizations have the skills to achieve their cybersecurity objectives, an alarming 78% of respondents reported they do not have the in-house skills to do so.
Choose the Right Vest
In both the Wild West and the digital frontier – innovation and resilience are born from the harshest conditions. Just as the quality of a bulletproof vest can be the determining factor between life and death, the quality of a cybersecurity evaluation can be the difference between thwarting an attack and falling victim to one. Organizations are under constant fire and only by being put to the proverbial gun will they know if their cyber vests will be able to withstand the trigger fingers of APTs and cybergangs.
