Organizations today are facing cybersecurity challenges that are multi-faceted, with a threat landscape that is rapidly evolving. Threats are intelligent, autonomous and increasingly difficult to detect, with new ones emerging and old ones returning with enhanced capabilities.
Malicious actors work hard to keep innovating, and their persistence pays off. Cybercriminals made $209 million in the first quarter of 2016 alone using just one tactic: ransomware. The World Economic Forum estimates that the total economic cost of cybercrime is currently $3 trillion.
To help organizations address this critical issue, Fortinet’s latest Global Threat Landscape Report aims to provide an accurate representation of the cyber threat landscape in Q4 2016. The report comprises billions of threat events and incidents observed in live production environments around the world from October 1 through December 31, 2016. This data offers a unique perspective on the threats that exist, how often they occur, what differs across sectors and regions, and what’s changing over time – an in-depth view of the cyber threat landscape from many perspectives.
Before diving into the details, though, it’s important to place them in the context of infrastructure trends. Exploits, malware and botnets do not occur in a vacuum; instead, they evolve and adapt over time as applications, technologies, configurations, controls and behaviors change.
For example, the report found that SSL-encrypted traffic held steady at about 50 percent of the overall Web traffic traversing an organization’s network. HTTPS usage matters because, while encryption is good for privacy, it also lets threats hide inside communications that defenses cannot see into. SSL traffic often passes through without inspection because of the heavy overhead of decrypting, inspecting and re-encrypting it, which forces IT teams into a difficult choice between performance and protection.
Another finding was a rise in the use of cloud applications. In terms of total applications detected per organization, the number of cloud applications trended up at 63 – roughly a third of all applications detected. This trend has significant implications for security, since IT teams have less visibility into the data residing in cloud applications, how that data is being used and who has access to it.
Now that the stage has been set, let’s look at some of the threat research details for the time period covered in the report.
An Army of Things Powered by the Digital Underground
Internet of Things (IoT) devices are sought-after commodities for cybercriminals around the world. Adversaries are building their own armies of “things,” and the ability to cheaply replicate attacks at incredible speed and scale is a core pillar of the modern cybercrime ecosystem. IoT devices compromised by the Mirai botnet initiated multiple record-setting DDoS attacks. The release of Mirai’s source code increased botnet activity by 25 times within a week, with activity increasing by 125 times by year’s end. In addition, IoT-related exploit activity across several device categories showed that scans for vulnerable home routers and printers topped the list, but DVRs/NVRs briefly eclipsed routers as the thing of choice with a massive jump spanning 6+ orders of magnitude.
Mobile malware became a larger problem than before. Though it accounted for only 1.7 percent of the total malware volume, one in five organizations reporting malware encountered a mobile variant; nearly all of it was on Android. Substantial regional differences were found in mobile malware attacks, with 36 percent coming from African organizations, 23 percent from Asia and 16 percent from North America, compared to only 8 percent in Europe. This data has implications for the trusted devices on corporate networks today.
Ransomware Isn’t Going Anywhere
Ransomware warrants attention regardless of industry, and this high-value attack method will likely continue with the growth of ransomware-as-a-service (RaaS). Ransomware was present in all regions and sectors but particularly widespread in healthcare institutions.
Like mafia clans, two malware families, Nemucod and Agent, went on a crime spree. 81.4 percent of all malware samples captured belonged to just these two families. The Nemucod family is infamously affiliated with ransomware. 36 percent of organizations detected botnet activity related to ransomware. TorrentLocker was the winner and Locky placed third.
Daring Exploits, But Old is New
Adversaries took a “leave no vulnerability behind” policy. Unfortunately, the attention that must go to patching flaws in old devices and software leaves less time and attention for the growing attack surface created by today’s digital devices. A full 86 percent of firms registered attacks attempting to exploit vulnerabilities that were over a decade old. Almost 40 percent of them saw exploits against even older CVEs. An average of 10.7 unique application exploits were tracked per organization. About nine in 10 firms detected critical or high-severity exploits.
Overall, Africa, Middle East and Latin America exhibited a higher number and variety of encounters for each threat category when comparing the average number of unique exploit, malware and botnet families detected by organizations in each world region. These differences appeared most pronounced for botnets.
Taking the Larger View
Just as criminals use old vulnerabilities for their purposes, cybersecurity professionals will find that tried-and-true methods still work to help secure the network: reviewing the organization’s security posture and policies, building and implementing advanced threat detection and response across the network, and patching and hardening to minimize the attack surface. New methods should be grafted in, as well. It is critical to ensure that the data and security elements across all environments and devices are integrated, automated and able to share intelligence across the organization, from IoT to the cloud.
Additional best practices include remembering that the organization’s threat landscape is more similar to that of others than one might think and, at the same time, it is also different in ways one might not have considered. Gaining access to shared threat intelligence, as well as keen insight into which strategies and tactics will be of use and which won’t, will help safeguard the network from the never-ending onslaught of opportunistic and innovative threats.
About the Author
John Maddison has more than 20 years of experience in the telecommunications, IT infrastructure and security industries. Previously, he held positions as general manager of the data center division and senior vice president of core technology at Trend Micro. Before that, John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.