Script Kiddies: An Underestimated Threat and Intelligence Resource

Script Kiddie

In our modern digital landscape threats to our organization’s security posture appear to be everywhere. Many cybersecurity managers must allocate their attention and prioritize their efforts to focus on the most dangerous of these malicious actors. These usually include Nation-States (such as Russia, China, and Iran), sponsored nonstate actors such as sophisticated individuals and Advanced Persistent Threats (APTs), and hacktivist collectives driven by multiple ideologies and causes.

When one considers a lack of security personnel, finite budgets, and the daily effort required to maintain safe and efficient networks, it’s easy to see why “script kiddies” (a.k.a. skids) don’t make the Top 5 list of many manager’s concerns. Within a cybersecurity context, that decision poses a significant risk. From an intelligence standpoint, that decision leads to several missed opportunities.

Script Kiddie – a derogatory term coined by hackers – conjures up images of unsophisticated and opportunistic “wannabees” possessing little technical skill. These amateurs make mistakes which are easy to spot and, in many cases, can be defeated with relative ease. Unlike professional hackers, their attacks of choice tend to reflect their lack of skill: DDoS and website defacement being the most prevalent.

Given this reality, why would any rational cybersecurity professional dedicate time and resources to script kiddies when the world is generating sophisticated threats that are “obviously” more dangerous and warrant serious attention? The answer is straightforward.

Cybersecurity managers who don’t pay attention to this group, especially as we transition into the future, are underestimating the threat they pose and are missing a significant opportunity to cultivate intelligence resources which can then be exploited to serve defensive purposes in the organization. Consider the points listed below.

1. The random nature of script kiddies is nearly impossible to predict.

Professional hackers tend to be methodical, disciplined, and diligent in their work. Although that doesn’t guarantee their success – and by no means makes them “predictable” – there’s a method to their madness. They research their targets, enumerate their networks, plan their strategy, customize their scripts, and implement their exploits in a logical (albeit covert) manner.

Script kiddies tend to be emotional, irrational, and impulsive. They engage in very little planning prior to the exploit and tend to quit if not successful on the first few attempts. They also have the tendency to intentionally “break things” when they get angry or frustrated. A destructive malicious actor with no discipline and nothing to lose can cause a lot of damage on the way out of a network.

2. The motive and intent of script kiddies is nearly impossible to predict.

When a nation-state or sponsored nonstate actor selects a target, they are typically (but not always) motivated by political, economic, or military factors. Their tools, tactics, and procedures (TTPs) will usually reflect and support the motive. They tend to be rational actors, possessing advanced levels of discipline and patience. The prize of a successful exploit is worth the wait.

Skids tend to be motivated by their base instincts including revenge, the need for attention to validate self-worth, causing disruption and chaos “just because” it can be done, and just for personal fun. They tend to be irrational actors with little or no concern regarding the potential consequences for their actions. Losing a friend on Facebook or not achieving the number of expected “likes” on a social media post may be the impetus for a skid’s next exploit.

3. Script kiddies provide anonymization for dangerous criminals.

A professional hacker with sophisticated tradecraft will take all steps necessary to remain anonymous and undetectable. These steps are intrinsically interwoven into the target selection, malicious code, TTPs, and timing of the exploit event. The use of virtual machines, VPNs, and masking techniques are assumed SOPs for professionals in this space.

Script kiddies, by their nature, provide another level of concealment for dangerous malicious actors if they are successful. If not, they serve as the “shiny object” in the magician’s hand everyone is watching while the magician’s other hand conceals the true object of the illusion. By the time the audience removes their gaze from the shiny object and looks at the magician’s other hand, it is empty. GASP! It’s magic!

4. Script kiddies may unwittingly aid dangerous criminals.

In our modern age of “Ransomware as a Service,” skids are flourishing by serving as proxy armies for professional hackers. That arrangement is easy to understand. However, skids are never given the “big picture” by professionals and rarely (if ever) know where they fit into the equation. They may have known they were assisting in the placement of ransomware in a healthcare facility to make a paycheck, but did they know the penalty for the victim’s non-compliance would be a kinetic attack on the facility’s ICU that killed four critically ill patients? Probably not. If they don’t connect the dots, they may continue to be unaware that they were even a party to this criminal action.

How do we leverage our resources to address this underestimated threat and convert this category of malicious actors into valuable intelligence resources and assets? The old-fashioned way.

Early in my law enforcement career (before Google, believe it or not) I worked on a Federal Fugitive Task Force based in Florida which had jurisdictional responsibility for the Caribbean and Latin America. We were targeting “big fish” with UFAPs (Unlawful Flight to Avoid Prosecution warrants). Foreign nationals residing in foreign countries are not the easiest targets to locate. Once located, they are not the easiest to apprehend.

Our success in executing these warrants stemmed from “flipping” the small fish and keeping them under tight control. Instead of locating script kiddies, slapping them on the wrist, and sending them home to contemplate their misbehavior – which doesn’t work; recidivism proves that – place the proverbial axe over their head and turn them for actionable intelligence. It works in the intelligence community (IC), it works in the law enforcement community (LE), and it can work for cybersecurity operations as well.

This holds especially true if the script kiddie has never had any interaction with the criminal justice system. First offenders have not been hardened; they are soft targets that can be manipulated to cooperate for the greater good (and their own good, to be sure). If they don’t cooperate, charge them to the fullest extent that the law allows.

If they do cooperate, keep the threat of criminal action alive in their minds and utilize them as a source of actionable intelligence whenever possible. There is little doubt they will maintain secrecy; bragging to friends that they’re a turned confidential informant for law enforcement has negative repercussions. They won’t do it.

Script kiddies may score low on the priority list for many cybersecurity managers, and for good reason. However, once the technology implications are set aside, their value as intelligence resources for locating “bigger fish” is real, obtainable, and potentially high value by nature.

Cybersecurity managers may choose to overlook the intelligence value provided by script kiddies, but they should not turn their backs on these “amateurs.” They are cyber criminals and have the potential to pose a serious threat to any network.

Michael I. Kaplan is the founder and CEO of Phase2 Advantage, and currently manages the Defensive Security initiatives of the company. He is a military veteran and a national advocate for the military affiliate community. After attending the U.S. Army’s Intelligence Center of Excellence at Fort Huachuca in Arizona in 1983, he attended the Defense Language Institute, Airborne School, several specialized Schools at FT. Bragg in North Carolina, and was assigned to the 11th Special Forces Group (AGR).

Michael was recruited in 1989 to Special Projects Group and served as an instructor and operator on a Federal International Fugitive Task Force (his FBI letters of reference can be viewed on his LinkedIn profile). He was responsible for supervising and training 325 agents who were responsible for more than 3,000 UFAP apprehensions in seven years. Michael left government service in 1994 to pursue a career in High-Threat Executive Protection as an instructor and operator, then founded Phase2 Advantage in 2014. His numerous Instructor firearm certifications are listed on the Phase2 Advantage website and LinkedIn.

Feel free to contact Michael at