So long, and thanks for only using readily available scripts

There is a general belief that it has become easier to conduct cyber attacks and that little skill or knowledge is required to compromise systems. In particular, it is often argued that the technical expertise required to mount successful cyber attacks is declining as a consequence of new offensive resources, such as attack scripts and userfriendly attack execution tools, becoming available in the public domain. These resources include, for example, exploit databases such as Packet Storm and Exploit Database, and attack execution frameworks such as Metasploit, Armitage and BurpSuite. This theory is in referenced by various works in the cyber security domain. For example, Liu and Chen (Liu & Cheng 2009) state that “attack tools and techniques have become increasingly automated and sophisticated over the past decade, whereas the technical knowledge and skills required to use these tools has decreased dramatically”. The same trend is described by the NATO (Robinson 2016), among others. Liu and Chen (Liu & Cheng 2009) even suggests that “all it takes is the basic ability to follow instructions and push buttons”. An attacker with this low level of skill, knowledge or ambition is often referred to as a “script kiddie”. Simmonds et al. (Simmonds et al. 2004) refer to a script kiddie as “someone who uses already established and part automated techniques in attacking a system”; Hald and Pedersen (Hald & Pedersen 2012) refer to the script kiddie as “one who relies on premade exploit programs and files ("scripts") to conduct his hacking, and refuses to bother to learn how they work”. Most other taxonomies and ontologies that characterize hackers describe script kiddies similarly (Rogers 2006). The idea that script kiddies and other novice cyber criminals represent an increasing threat due to the increased sophistication and automation is widespread and influence decision making on many different levels. For example, ENISA (Lévy-Bencheton et al. 2015) considers the script kiddie as threat agent that can realize some 30 different cyber threats and are, with the exception of physical attacks, relevant to the same type of threats as nation states. Others’ have suggested that anybody could use exploit kits to steal online banking credentials (Choo 2011). The present paper aims to analyze whether unsophisticated cyber attacks that a typical script kiddie is able to perform actually pose a threat to systems today. This is summarized by the research question (RQ) stated below: