Evolution characterises developing cyberthreats
11 April 2018
Ransomware has remained a top cybersecurity threat globally, but its application is evolving, according to the latest Verizon Data Breach Investigations Report (DBIR).
Ransomware is becoming more targeted and its usage more refined, said Gabe Bassett, senior information security data scientist, Verizon.
Speaking to TechPro, Bassett said that in comparison to previous years, it is not so much that things are changing drastically.
“What we see is a refinement by the attackers, it is almost like them slowly working to maximise the return on investment or searching for the greatest value proposition that organisations can offer. Kind of like bargain hunters.”
Ransomware remains the most prevalent variety of malicious software, the report found, and was found in 39% of malware-related cases examined this year, up from fourth place in the 2017 DBIR (and 22nd in 2014). Most importantly, Verizon said that based on its dataset, it has started to impact business-critical systems rather than just desktops. This is leading to bigger ransom demands, making the life of a cybercriminal more profitable with less work.
Bassett said that attackers are far more likely to focus on databases for encryption attacks, rather than simply stealing the data.
“And as they slowly refine, they slowly find more advantageous opportunities,” said Bassett. “So they are going from just general ransomware, to realising that there were all of these databases on the Internet which were unencrypted, and that you can just log into them and encrypt them.”
According to the report, malware incidents were 13 times more likely to destroy data and 14 times less likely to export data than last year. This is the refining of technique, said Bassett, away from exfiltration to sell data and towards encryption in place, which is an easier value proposition.
Another refinement of technique is around the targeting of individuals. Human Resource (HR) departments are being targeted for data relating to topics such as taxation.
Bassett said that in the past, when criminals went after personal banking details, the opportunity was somewhat complex. Now, by attacking HR departments and potentially getting the tax details for a person, rebates can be misdirected or claims for refunds made that are far easier to accomplish, with less risk.
“This is an easier proposition for the criminals,” said Bassett.
Part of the strategy for more targeted attacks has meant that the human factor is highlighted as a weakness. The report says that employees are still falling victim to social attacks. Financial pretexting and phishing represent 98% of social incidents and 93% of all breaches investigated, it said, with email continuing to be the main entry point (96% of cases). Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasising the need for ongoing employee cybersecurity education, said the report.
Phishing has become more manageable, as the report established that 78% of people did not fail a phishing test within the year, but 4% do fall victim in any given test. Bassett points out that this is still a significant enough proportion to be of concern.
The most likely origin for a threat is still outside the organisation, the report says, but one breach can have multiple attackers. Nearly three quarters (72%) of attacks were perpetrated by outsiders, with more than a quarter (27%) involving internal actors. Just 2% involved partners and 2% feature multiple partners. Organised crime groups still account for 50% of the attacks analysed, said Verizon.
Distributed Denial of Service (DDoS) attacks have evolved too, and while the headline-grabbing massive attacks are getting larger, the median incidence is getting smaller, and easier to mitigate, said Bassett.
However, he said that as these kinds of attacks have now become commoditised, where anyone can procure an attack on an individual target, they are still somewhat effective if there are no or inadequate protections in place.
As with previous years, the time it takes to discover a breach is still worryingly long. More than two thirds (68%) of breaches took months or longer to discover. This is even more of a concern given that nearly nine out of 10 (87%) of the breaches examined had data compromised within minutes, or less, of the attack taking place.
Bassett highlighted the fact that of the 2,200-odd breaches that were examined, the largest single technique used, for some 399, was stolen credentials, starkly highlighting the need for greater controls.
Two-factor authentication, in particular, is now seen as a necessary step in such instances.
“If you do not have two-factor authentication enabled on internet-facing services, the attackers are ahead of you,” said Bassett.
Another key point, said Bassett, was for organisations to implement better asset management. When an organisation does not have full visibility of all assets, attackers can target those that are less well orchestrated and managed, such as from a patch management point of view, and more easily exploit known vulnerabilities.
Bassett said even where patch management is effective for more than 90% of an estate, this still leaves a significant portion that is not fully managed, potentially opening up a larger attack surface.
“The ultimate thing that we wish people would take away from the DBIR,” said Bassett, “is that people need to go out and do something.”
“We are hopefully showing infosec people where the problem areas are and giving them hints and ideas as to what they can do to protect their people and their systems.
“It is for every infosec pro out there to understand what they can do for their own situation.”
But the message, said Bassett, is that there is always something that can be done; it is not insurmountable.