DAVEY WINDER

Research from security firms is easy to ignore, but they’re in the best position to spot issues. Davey runs through the key takeaways from the latest batch.
It’s easy to dismiss “research” and “threat reports” by security vendors. Look at the Wikipedia definition of MRDA (Mandy Rice-Davies Applies) and you’ll find a reference from this very column back in 2005 (pcpro.link/272mrda) as well as another by our very own Paul Ockenden (“well, she would say that, wouldn’t she?”). I always slap a virtual MRDA sticker on the front of any such report that comes my way, but that doesn’t mean they’re all to be ignored.
Take, for example, the 2016 SonicWall Global Response Intelligence Defense (GRID) Threat Network report, which analyses input from over one million security sensors across nearly 200 countries. This was intriguing for several reasons, not least because it bucks the usual knell-of-doom overtones by detailing how collected unique malware samples went down to 64 million in 2015.
Don’t get too excited, folks: this doesn’t mean malware is dead; it only dropped by 4 million. Still, if such stats could fall across the board by the same 6.25% year on year, I’d be a happy man. And it wasn’t the only good news, either; the total number of attack attempts registered by the GRID network was down from 8.19 billion to 7.87 billion.
The best stat was reserved for the creation of new point-of-sale malware, which hit a high in 2014 but has since dropped by a staggering 93%. Back in 2014, SonicWall saw that creation total rise three-fold from the year before, which perhaps accounts for the large drop – but it’s welcome nonetheless.
Cast your mind back and you’ll recall that 2014 was the year of those mega-breaches of Home Depot, Target, Staples and so on. The resulting brand damage forced the hand of retailers and credit card companies alike, and chip-based POS systems rolled out across the US to replace the magnetic stripe swipers they’d stoically refused to do away with, despite their known insecurities. Static security data on a credit card is far from ideal, so a system that ensures each transaction is issued with a unique verification code has to be a good thing. POS malware isn’t off the cybercrime agenda, but cybercriminals are investing their time and effort in other attack methodologies.
I liked that this research confirmed how Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption continues to be on the up, from 5.3 trillion secure web connections in 2015 to 7.3 trillion in 2016. In fact, the majority of web sessions detected by SonicWall GRID were encrypted: 62% of the total web traffic it saw, to be exact. This is of little surprise, given the drive by Google to penalise non-secure connections in terms of SEO and to block them as potentially dangerous within the browser.
Indeed, I found it difficult to find a non-SSL site to enable Google to pop up the warning, so I could grab the screenshot (left). I ended up applying some sideways thinking and checked the “recent worst” list of sites that had failed the SSL checker tests at SSL Labs (ssllabs.com/ssltest). Initiatives such as HTTPS Everywhere (eff.org/httpseverywhere), a collaboration between the Tor Project and the Electronic Frontier Foundation that rewrites non-encrypted sites to HTTPS, and Let’s Encrypt (letsencrypt.org), which provides free SSL certificates and operates as an open certificate authority, have helped greatly in this.
Not that you should equate an encrypted connection with a secure site: they’re different beasts entirely. Even SSL itself has become an attack vector, courtesy of most folk not being in a position to perform deep packet inspection to detect malware that’s hiding inside the encrypted session. Next-gen firewalls manage this, of course, but few enable the feature since it means there’s usually a huge performance hit. SonicWall reckons that those who don’t inspect SSL/TLS traffic are ignoring more than half the traffic entering their networks.
It isn’t all good news, though, and as you might have guessed, one attack vector that’s on the up in terms of both attack attempts and profit is ransomware. Across 2015, the total number of attacks via ransomware detected by SonicWall was just under 4 million, rising to 638 million last year.
Time to make sure those backups are working, huh? And at least one of your multiple backups – you do have multiple backups, don’t you? – isn’t only off-site but off-network as well. Ransomware has been clever enough, in some variants at least, to quietly sit there running in the background and encrypting stuff for a few weeks before announcing itself and demanding a ransom. Why do this, when it hugely increases the chances of getting caught and earning diddly-squat from the attack? Because it also hugely decreases the chance that the victim will have a clean, non-encrypted backup they can use.
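The dwell-and-encrypt behaviour described above leaves a trace on the file system itself: ciphertext looks nothing like the documents it replaces, so a periodic scan that compares the byte-entropy of files against an earlier baseline can spot a quiet encryptor weeks before the ransom note appears. The Python script below is an added example written for this column, not code from SonicWall or from the column’s author. It baselines a directory, rescans it, and raises an alert when a large share of files has jumped from text-like to ciphertext-like entropy. The directory layout, the thresholds, and the sample documents (six of which are overwritten with random bytes to stand in for ciphertext; no real encryption takes place) are constructed assumptions.

```python
import math
import os
import shutil
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for
    uniformly random bytes. Plain text usually sits around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str, sample_bytes: int = 65536) -> dict:
    """Map each regular file under root (relative path) to the entropy of its
    leading sample_bytes; this is the baseline later scans are compared with."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result[os.path.relpath(path, root)] = shannon_entropy(fh.read(sample_bytes))
    return result


def entropy_jumps(before: dict, after: dict, min_jump: float = 2.0, high: float = 7.0) -> list:
    """Files present in both snapshots whose entropy rose by at least min_jump
    and now sits at a ciphertext-like level. Comparing against the baseline is
    what keeps legitimately compressed files (archives, images) from being
    flagged: they were high-entropy to begin with, so they show no jump."""
    return sorted(
        path for path, entropy in after.items()
        if path in before and entropy - before[path] >= min_jump and entropy >= high
    )


def alert_level(before: dict, after: dict, churn_fraction: float = 0.25) -> tuple:
    """Return (status, flagged_files, fraction): ALERT when the share of baselined
    files that have turned into ciphertext-like content reaches churn_fraction."""
    jumped = entropy_jumps(before, after)
    fraction = len(jumped) / max(len(before), 1)
    return ("ALERT" if fraction >= churn_fraction else "ok", jumped, fraction)


def demo() -> tuple:
    """Constructed scenario (an assumption, not data from the column): eight
    plain-text documents are baselined, then six are overwritten with random
    bytes to stand in for ciphertext. No encryption is performed; os.urandom
    simply produces the high-entropy content a scan would see afterwards."""
    root = tempfile.mkdtemp(prefix="entropy_demo_")
    try:
        body = "".join(f"Quarterly figures and meeting notes, line {j}\n" for j in range(200))
        for i in range(8):
            with open(os.path.join(root, f"doc{i}.txt"), "w") as fh:
                fh.write(body)
        before = snapshot(root)
        for i in range(6):
            with open(os.path.join(root, f"doc{i}.txt"), "wb") as fh:
                fh.write(os.urandom(8192))
        after = snapshot(root)
        return alert_level(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    status, flagged, fraction = demo()
    print(f"{status}: {len(flagged)} files now look like ciphertext ({fraction:.0%} of baseline)")
```

In practice you would persist the baseline from `snapshot` and run the comparison from a scheduled task against the file shares that feed your backups; the churn fraction and the entropy jump are the two knobs to tune, and the baseline comparison is what stops an afternoon of legitimately zipping archives from tripping the alarm.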
The SonicWall report found that, for the most part, phishing campaigns were the delivery mechanism of choice and most used SSL/TLS encryption to evade detection, which isn’t surprising. What is surprising is that growth, however, and it reflects a few things. First, just how easy it is to become a ransomware attacker. All you need is the ability to search and, possibly, a little cash up-front to fund the purchase of a Ransomware Exploit Kit from the Dark Web.
I say “possibly”, since some kits are free (there’s no honour among thieves, don’t you know – they steal, copy and distribute) and others might ask for a percentage (typically 20%) of each successful ransom. Even those selling their (or someone else’s) wares typically charge no more than $100 as a flat-rate fee.
The second factor is Bitcoin, a cryptocurrency that enables attackers to have more confidence that the ransom will leave little by way of a footprint once paid.
Worryingly, firms in the UK were three times as likely to be targeted by ransomware than those in the US, despite the US being hit by the largest number of actual infections. Countries such as China, which restrict the use of Tor and Bitcoin, were the least likely to suffer from the ransomware scourge.
Another report that came my way, albeit in draft form, attempted to turn the usual security research on its head. Many in the security industry believe that ex-hackers should be avoided at all costs, and as such refuse to employ them. Others see a benefit in having the experience of those who have been there and done that. It’s well known that I used to be a hacker myself, and maintain my contacts within that world – even though, beyond a few close friends, there are few who know my real identity.
Anyway, the point is that security intelligence outfit Nuix has put together what it is calling “The Black Report”. The subtitle gives the game away somewhat: “Decoding the Minds of Hackers”.
Nuix hasn’t gone truly dark and spoken to black hats here, instead speaking to legal hackers: penetration testers. These are the folk who get paid to hack into systems and uncover the weaknesses that can and will be exploited by the cybercriminal fraternity. As one of those questioned said, the attacks, tools and methodology are all the same as the bad guys’; the only thing that makes what he does legal is a statement of work from the client employing him.
Nuix spoke to a bunch of pen testers to survey the threat landscape from the perspective of those actively exploiting it. It asked questions about attack methodologies, favoured exploits, and which defensive countermeasures were the most and least effective in stopping them. This is where security reports start to get a little more scary, because the statistics are from those who are actually doing the hacking.
So when we’re told that 81% of them could identify and exfiltrate data within a 12-hour window, we get worried. That’s a big number, even allowing for a little professional bravado. Not surprisingly, 84% used social engineering as part of their attack strategy. This is something that hasn’t changed over the years; exploiting the misplaced trustworthiness of other people to your own ends was something I was doing more than two decades ago. With 69% of attackers never getting caught by security teams, and 50% changing their attack methodology with every target, things don’t look any brighter for the businesses trying to keep data safe.
Equally interestingly, asked about how the pen testers felt when they read of hackers being arrested and convicted, the vast majority thought that “legal” is a myopic view of the situation and there’s more to right and wrong than what the government decided to legislate upon. It seems there’s less separating white and black hats than you might think; indeed, the boundary is pretty thin by the looks of it. If you’re interested in this career path, by the way, the majority of hackers had less than three technical certifications and didn’t think these were a reliable indicator of ability.
When it comes to attack modes, the jury was split almost in half between phishing and direct server attack. There was huge agreement, however, that open-source hacking tools were the best. What about on the flip side, you ask? When the hackers were kept out, what was the most effective defensive method? It was a close call between endpoint security out front and intrusion detection/prevention systems just behind. Firewalls were a distant third, and almost on the horizon was antivirus software.
One in five hackers reckoned they could beat any system, given enough time. To me, this suggests that the “in depth, multi-layered security” defence message that I and others have been hammering home for years is exactly the right approach. Two of the layers that scored very highly among the pen testers were user education and vulnerability scanning, so there are a couple of interesting takeaways for you.
But not as interesting, or important, as some of the follow-up information that was included in this draft copy of The Black Report. The researchers asked the pen testers what their biggest frustration with the job was, and 64% said it was when organisations didn’t fix the things they knew to be broken. I find it sad that so many are experiencing this, especially given that the whole point of having a pen test in the first place is to find those things, and presumably fix them.
Yet “limited remediation” is the phrase that pen testers are using for what happens following submission of their reports. Only 10% were reporting full remediation of all the identified vulnerabilities upon subsequent retesting.
Like myself, these professional hackers spend at least five to ten hours each week researching security news and technologies. The majority also changed attack methodologies from one attack to the next, but not to avoid capture or because the previous methodology had stopped working. Nope, the reason given by more than half of those asked was “to learn new techniques”. Yet there’s little evidence that the teams charged with keeping them out do the same.
I’d be interested to hear from any readers who work within the IT security sector, or are simply tasked with this responsibility where you work: how long do you spend going over research papers and keeping up with current IT security trends?
And finally…
I will finish this report of reports with a handy list. The “Fujitsu Threat Predictions” report (pcpro.link/272fuji) includes a summary of what it considers the ten most important security trends – and risks to enterprises – of this year.
1. Network blind spots
2. Artificial intelligence making for smarter security (and attacks)
3. Banks are in the firing line
4. Attackers will shift their attention to mobile devices
5. We will see how clever smart cities really are
6. Rapid recovery required to protect reputations
7. Business will want their data in the safest hands
8. Global clients will keep a beady eye on supply chains
9. Boards wake up to cybersecurity
10. The biggest problem remains in the basics