
Attack on the devs: Why data exfiltration is a top threat to 2025 supply chains
55% of open source malware now targets developers. Here’s why data exfiltration is a top threat to supply chains in 2025 – and how to defend against it.
With the boom of generative AI tools, threat actors have even more capacity to automate their operations and attack more organisations with greater efficiency. One Forbes headline warns that AI is unleashing a ‘new era of menacing threats’; and we know that cybercriminals can utilise AI to analyse vast volumes of information in order to identify vulnerable and high-value targets.
But at Black Hat MEA 2022, Richard Rushing (CISO at Motorola Mobility) pointed out that the increasing use of automation by criminal groups can also become a vulnerability for the attackers themselves.
They rely on automation. And you can use it against them.
Threat actors use a lot of automation to build software, and they’re almost always attacking a number of different organisations at the same time.
Multiple campaigns run side-by-side, using the same software. The attacker’s job, Rushing said, is to make their attacks look different – so if one organisation detects an attack, the other 20 companies the attacker is already targeting don’t gain information that tells them they’re at risk too.
To create those apparent differences between attacks, threat actors change certain elements of the software. And cybersecurity professionals need to understand how to identify the same attack when it’s presented differently.
“So,” Rushing said, “you look at things in the malware world and say well, what doesn’t change? Well, the file name changes, the hash name changes. The file size usually doesn’t.”
That means if you look for a file size that recurs across alerts, you can identify the same payload being deployed under a different name and hash. File size on its own will collide with plenty of legitimate binaries, so it is a pivot for a hunt rather than a verdict; it becomes useful when combined with the other features the attacker keeps constant.
“Same thing with registry changes. I can’t do my persistence mechanisms in the malware, and change it multiple times for every kind of thing I’m deploying. I’m going to do the same thing — because it works.”
You might, for example, notice that one attack runs on exactly the same beacon cycle as another attack, or fires at exactly the same time of day. That is a strong indicator that it is the same attack, even if the file names and hashes are different.
In criminology, the study of criminal behaviour allows criminologists to identify behaviour patterns that are common among offenders. These behaviours are then used to develop criminal profiles – which have been found to help law enforcement agencies identify offenders and prevent crimes before they happen.
Obviously, criminal profiling has its limitations and risks, which we won’t get into here. But a similar behavioural approach can be applied to malware and cyberattacks – using behaviour as the identifying feature that reveals an intended crime.
“There are all these different ways you can leverage to discover malware just by its known behaviours,” Rushing added. And if you can identify common behaviours, you can get around misleading details and discover attacks that are being automated for deployment against multiple victims at the same time.
“You already have those controls – you just have to adjust the logic slightly.”
And when you do that, an attacker can change the IOCs all day long, but you’ll still be able to track their behaviour.
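One way to put this into practice, as an added example that is not code from the article or from Rushing's talk: four constructed alerts from hypothetical organisations are clustered first by hash (what most IOC feeds match on) and then by the features discussed above that the attacker rarely rotates per victim, payload size, persistence location and beacon cadence. Every organisation name, file name, size, registry path and timestamp below is an assumption made up for the example.

```python
import hashlib
import statistics
from collections import defaultdict
from datetime import datetime


def _ts(*hms):
    """Build beacon timestamps on a single (constructed) day."""
    return [datetime(2022, 11, 16, h, m, s) for h, m, s in hms]


# Constructed sample alerts from four hypothetical organisations; not data from
# the article. org-a, org-b and org-c received the same re-skinned dropper: a
# different file name (hence a different hash) per victim, but the same payload
# size, the same Run-key persistence and the same five-minute beacon interval.
# org-d is an unrelated sample that must not be merged into that cluster.
SAMPLE_ALERTS = [
    {"org": "org-a", "file": "svchost_update.exe", "size": 245760,
     "persistence": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "beacons": _ts((9, 0, 0), (9, 5, 0), (9, 10, 1), (9, 15, 0))},
    {"org": "org-b", "file": "OneDriveSync.exe", "size": 245760,
     "persistence": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "beacons": _ts((13, 20, 0), (13, 25, 0), (13, 29, 59))},
    {"org": "org-c", "file": "report_q3.pdf.exe", "size": 245760,
     "persistence": r"hkcu\software\microsoft\windows\currentversion\run\Updater",
     "beacons": _ts((17, 0, 0), (17, 5, 2), (17, 10, 0), (17, 15, 1), (17, 20, 0))},
    {"org": "org-d", "file": "agent.exe", "size": 1048576,
     "persistence": r"HKLM\SYSTEM\CurrentControlSet\Services\AgentSvc",
     "beacons": _ts((8, 0, 0), (8, 1, 0), (8, 2, 0))},
]


def hash_key(alert):
    """What most IOC feeds match on: the sample's hash. Constructed here from the
    file name so the example runs offline; every re-skinned copy gets a new one."""
    return hashlib.sha256(alert["file"].encode()).hexdigest()


def beacon_cadence(beacons, bucket_seconds=60):
    """Median interval between beacons, rounded to the nearest bucket. A few
    seconds of jitter is absorbed; fewer than two beacons gives no cadence."""
    if len(beacons) < 2:
        return None
    times = sorted(beacons)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return int(round(statistics.median(gaps) / bucket_seconds)) * bucket_seconds


def behaviour_key(alert):
    """Features the attacker tends not to rotate per victim: payload size, the
    persistence location (lower-cased, registry paths are case-insensitive) and
    the beacon cadence. File name and hash are deliberately left out."""
    return (alert["size"], alert["persistence"].lower(), beacon_cadence(alert["beacons"]))


def cluster(alerts, key_fn):
    """Group alerts by the chosen key; returns {key: sorted list of orgs}."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[key_fn(alert)].append(alert["org"])
    return {k: sorted(v) for k, v in groups.items()}


def campaign_clusters(alerts):
    """Behaviour clusters that span more than one organisation: the same
    campaign seen under different disguises."""
    return sorted(orgs for orgs in cluster(alerts, behaviour_key).values() if len(orgs) > 1)


if __name__ == "__main__":
    print("by hash:      %d clusters, one per victim" % len(cluster(SAMPLE_ALERTS, hash_key)))
    print("by behaviour: %s" % campaign_clusters(SAMPLE_ALERTS))
```

Hash clustering yields four singletons, so no organisation learns anything from the others; behaviour clustering merges org-a, org-b and org-c and leaves org-d alone. The `bucket_seconds` width is the knob to tune against the jitter a given family adds to its sleep, and on real telemetry the size and persistence fields should come from the existing EDR events, which is the "adjust the logic slightly" Rushing describes.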