The reason for the massive surge in attacks is slightly more complicated. Ultimately, the problem stems from the historical design of networking. Once upon a time, in the dark ages of the 1980s and 1990s, networking was hard. There were many competing network products and options, and interoperability between networks, even those built on the same core technologies, was difficult. The role of the network engineer arose, and in reality it did require quite a bit of engineering education and experience.
Networks were designed using the castle model. The perimeter of the network (i.e. your domain) is the castle wall. Firewalls, malware detectors and intrusion detectors are the guarded gates to your domain. Initially those technologies worked well. However, they all depend on being able to recognize an attack, and recognition comes from previous exposure: a signature of something seen before. That was fine when attacks were limited to specific, repeated methods. But hacking is now big business. Where attacks were once the playground of amateurs, today's attackers are far more sophisticated. Not only are attacks often tailored to their targets, most often they make use of the domain administrators' own credentials.
Domain administrators are the resident superpowers. They have full access to everything including the security systems. Unfortunately, when those domain administrator credentials are hacked, stolen or socially engineered away from their owners, the hacker gains unrestricted access to everything. Security systems can be turned on and off. Rules can be put in place that create unmonitored back doors. Log files can be edited and any ‘footprints’ easily erased.
Historically, the most common way to detect one of these attacks is for a domain administrator to notice that their (or a colleague's) credentials are being used to spawn jobs that they don't recall starting. Once suspicions are aroused, it is often quite simple to trace the attack history retroactively through a number of log files and other forensic methods. However, in far too many cases, the attack isn't discovered until the attacker has made it public.
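The detection the paragraph above leaves to a human (an administrator recognizing activity under their credentials that they did not start) can be automated. The following is an added example, not code from the original page: it runs over a handful of constructed log lines in an assumed `key=value` format (not a real Windows or SIEM schema) and flags privileged-account activity from an unexpected host, outside the account's normal hours, or involving a log-clearing tool. It also checks the collector's per-event sequence numbers, so that events deleted from a log after collection show up as a gap. The baseline table, hostnames, account names, and tool list are all assumptions made for the example.

```python
"""
Flag domain-administrator activity an administrator would not recognise
as their own, over constructed sample logs. Added example; field names,
accounts and hosts are assumptions, not a real log schema.
"""
from datetime import datetime

# Constructed baseline: where each privileged account is normally used from,
# and the hours (start inclusive, end exclusive) in which use is expected.
PRIVILEGED_BASELINE = {
    "CORP\\jsmith-da": {"hosts": {"WS-JSMITH"}, "hours": (8, 18)},
    "CORP\\alee-da": {"hosts": {"WS-ALEE", "JUMP01"}, "hours": (8, 18)},
}

# Binaries whose use under an admin account suggests log tampering (assumed list).
LOG_TAMPER_TOOLS = {"wevtutil.exe", "auditpol.exe"}

# Constructed sample events. 'seq' is a sequence number assigned by the log
# collector, so a missing number means an event vanished after collection.
SAMPLE_LOG = """\
seq=101 ts=2024-03-04T09:12:01 account=CORP\\jsmith-da host=WS-JSMITH kind=logon
seq=102 ts=2024-03-04T09:15:44 account=CORP\\jsmith-da host=WS-JSMITH kind=process image=mmc.exe
seq=103 ts=2024-03-04T10:02:10 account=CORP\\alee-da host=JUMP01 kind=logon
seq=104 ts=2024-03-04T23:41:07 account=CORP\\jsmith-da host=FILESRV02 kind=logon
seq=105 ts=2024-03-04T23:41:30 account=CORP\\jsmith-da host=FILESRV02 kind=process image=schtasks.exe
seq=107 ts=2024-03-05T00:05:12 account=CORP\\jsmith-da host=FILESRV02 kind=process image=wevtutil.exe
seq=108 ts=2024-03-05T08:30:00 account=CORP\\bob host=WS-BOB kind=logon
"""


def parse_event(line):
    """Turn one 'key=value ...' line into a dict with typed seq and ts."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["seq"] = int(fields["seq"])
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def detect(log_text, baseline=PRIVILEGED_BASELINE):
    """Return a list of (seq, category, detail) findings for the log text."""
    findings = []
    last_seq = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)

        # A gap in collector sequence numbers means events were removed
        # after they left the host: exactly what an admin-level attacker
        # editing the local logs cannot hide from a separate collector.
        if last_seq is not None and ev["seq"] != last_seq + 1:
            findings.append((ev["seq"], "log gap",
                             f"expected seq {last_seq + 1}, got {ev['seq']}"))
        last_seq = ev["seq"]

        profile = baseline.get(ev["account"])
        if profile is None:
            continue  # not a privileged account; out of scope here

        if ev["host"] not in profile["hosts"]:
            findings.append((ev["seq"], "unexpected host",
                             f"{ev['account']} used from {ev['host']}"))

        start, end = profile["hours"]
        if not start <= ev["ts"].hour < end:
            findings.append((ev["seq"], "outside hours",
                             f"{ev['account']} active at {ev['ts'].time()}"))

        if ev["kind"] == "process" and ev.get("image") in LOG_TAMPER_TOOLS:
            findings.append((ev["seq"], "log-clearing tool",
                             f"{ev['account']} ran {ev['image']} on {ev['host']}"))
    return findings


if __name__ == "__main__":
    for seq, category, detail in detect(SAMPLE_LOG):
        print(f"seq={seq:<4} {category:<18} {detail}")
```

The design point is in the first check: because an administrator's credentials can edit the logs on the machines they administer, the only records worth alerting on are copies that left those machines before the attacker could touch them, which is why the gap check keys on the collector's sequence number rather than on anything written locally.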