Cisco published their midyear report last week. The information detailed within paints an interesting picture of the changing landscape of digital attacks. Some of the more salient points indicate that adversaries continue to deploy rapidly evolving exploits. This in turn creates a dilemma for organizations attempting to counter them. Often time security gaps are filled based on present intelligence only to become ineffective in a relatively short amount of time. The Cisco 2015 Midyear Security Report does an excellent job in identifying trends in threats, targets, and attackers. The following are excerpts pulled from the report.
Major
Discoveries
Exploits of Adobe Flash
vulnerabilities are increasing. They are regularly integrated into widely used
exploit kits such as Angler and Nuclear. Angler continues to
lead the exploit kit market in terms of overall sophistication and
effectiveness. Operators of crimeware,
like ransomware, are hiring and funding professional development teams to help
them make sure their tactics remain profitable. Criminals are turning
to the anonymous web network Tor and the Invisible Internet Project (I2P) to
relay command-and-control communications while evading detection. Adversaries are once
again using Microsoft Office macros to deliver malware. It’s an old tactic that
fell out of favor, but it’s being taken up again as malicious actors seek new
ways to thwart security protections. Some exploit kit
authors are incorporating text from Jane Austen’s classic novel Sense and
Sensibility into web landing pages that host their exploit kits. Antivirus
and other security solutions are more likely to categorize these pages as
legitimate after “reading” such text. Malware authors are
increasing their use of techniques such as sandbox detection to conceal their
presence on networks. Spam volume is
increasing in the United States, China, and the Russian Federation, but
remained relatively stable in other regions in the first five months of 2015. The security industry
is paying more attention to mitigating vulnerabilities in open-source
solutions. Continuing a trend
covered in the Cisco 2015 Annual Security Report, exploits involving Java have
been on the decline in the first half of 2015.
No Industry Is Immune
to Attack
Cisco has refined and
simplified its methodology for tracking high-risk verticals for web malware
encounters in order to deliver more precise results. We no longer compare the
median encounter rate for all organizations that use Cisco® Cloud Web Security
with the median encounter rate for all companies in a specific sector that are
using the service. We now compare the relative volumes of attack traffic
(“block rates”) with those of “normal” or expected traffic. Figure 19 shows 25 major industries and their
relevant block activity as a proportion of normal network traffic. A ratio of
1.0 means the number of blocks is proportional to the volume of observed
traffic. Anything above 1.0 represents higher-than-expected block rates, and
anything below 1.0 represents lower-than-expected block rates. For example,
block rates for the retail and wholesale industry are in proportion to the
volume of traffic that was observed for that industry. In examining the block
rates of Cisco customers, we determined that the electronics industry has the
most blocked attacks among the 25 industries tracked. Cisco attributes the
electronic industry’s high proportion of block rates to an outbreak of Android
spyware. As seen in Figure 19, most industries hover at the “normal” level (the
1.0 line) for the ratio of attacks to normal network traffic. However, singling
out industries currently above the 1.0 line as being significantly more
vulnerable to attacks may be misleading, especially as this analysis only
covers the first half of 2015. In addition, no industry should consider itself
“safer” than other industries in terms of being a target. Every organization in
every industry should assume that it is vulnerable, that attacks will happen,
and that it should implement defense-in-depth strategies accordingly.
Geographic Overview
Cisco researchers also
examined the countries and regions where malware-based block activity
originates, as seen in Figure 20. The countries were selected for study based
on their volume of Internet traffic. A block ratio of 1.0 indicates that the
number of blocks observed is proportional to network size. Malware acquires a
foothold on vulnerable devices. Countries and regions with block activity that
we consider higher than normal likely have many web servers and hosts with
unpatched vulnerabilities on their networks. A presence in large, commercially
viable networks that handle high Internet volume is another factor for high
block activity. Figure 20 relates to where servers are hosted. This graphic
does not attribute patterns of malicious web activity to the depicted countries
or regions. Hong Kong, which ranks number one on the list, is an example of a
region where a high percentage of vulnerable web servers are observed. A small
number of networks hosted in France participated in an outbreak midway through
the reporting time period, which raised its profile more than expected.
Types of Web Based Attacks
Figures 21 and 22 show
the various types of techniques that adversaries are using to gain access to
organizational networks. Figure 21 illustrates the most commonly seen methods,
including Facebook scams and malicious redirects. Figure 22 shows lower-volume
attack methods observed in the blind sample we examined. Note that “lower
volume” does not mean “less effective.” Lower-volume attack methods, and the
malware associated with them, can represent emerging threats or highly targeted
campaigns. Therefore, when monitoring web malware, it is not enough to simply
focus on the types of threats most commonly seen. The full spectrum of attacks
must be considered.
Cybersecurity
Call to Action
Cisco security experts suggest that change is imminent for the security
industry. A wave of consolidation and integration is needed to develop
innovative, adaptive, and trustworthy security solutions that can reduce time
to detection and prevent attacks. In addition, our geopolitical experts provide
insight into the importance of cybergovernance for supporting innovation and
economic growth in business on the global stage.
References
Cisco. (2015). Cisco
2015 Midyear Security Report. Retrieved from http://www.cisco.com/web/offers/lp/2015-midyear-security-report/index.html
