My usual disclaimer: You are about to read details from a security vendor report. I find it worth sharing because there are interesting snapshots of the mess enterprises must deal with after an attack. But like all vendor-based research, there's inevitable bias that favors the technology they sell. Keep that in mind as you read on.
A few weeks ago I had coffee with the folks from managed security service provider (MSSP) Solutionary. After an overview of the company, we delved into discussion about an upcoming threat report their researchers were preparing. Yesterday, I got my hands on the finished product, which contains some interesting detail on where attacks are coming from and what the cost is for the victims.
Among the details:
--DDoS and malware infection recovery is costing organizations thousands of dollars per day – In case studies, it is revealed that organizations are spending as much as $6,500 per hour to recover from DDoS attacks and up to 30 days to mitigate and recover from malware attacks, at a cost of just over $3,000 per day. These amounts do not include revenue that may have been lost due to related systems downtime.
--U.S. IP addresses are the largest source of attacks against U.S. organizations – While there has been considerable discussion about foreign-based attacks against U.S. organizations, 83% of all attacks against U.S. organizations originate from U.S. IP address space, and the absolute quantity of these attacks vastly outnumbers attacks seen from any other country. One contributing factor is foreign attackers using compromised machines near attack targets in the U.S. to help evade security controls. This attack localization strategy has also been observed in attacks on targets in other countries.
--Attackers from different countries focus on different industry targets – 90% of all attack activity from China-based IP addresses is directed against the business services, technology, and financial sectors. 85% of all attack activity from Japan-based IP addresses identified by Solutionary was focused against the manufacturing industry. However, attacks targeting the financial sector appear to originate fairly evenly from attackers in many countries across the world.
--Attack techniques vary significantly by country of origin – Among the top four non-U.S. source countries of attacks, the majority of attack traffic from China is indicative of communication with already-compromised targeted devices, while Japanese and Canadian attackers appear to focus more on application exploit attempts. Attacks originating from Germany involve more botnet Command and Control (C&C) activity.
--75% of DDoS attacks targeted Secure Sockets Layer (SSL) protected components of web applications – In addition to traditional network-layer attacks, recent DDoS attacks often focus on application-layer components, most often SSL. Detecting and blocking attacks carried in encrypted protocols that are primarily used for legitimate traffic can be more complex than responding to historical TCP/UDP-based DDoS attacks.
--Malware attacks target the financial and retail verticals – Approximately 80% of attempts to infect organizations with malware are directed at financial (45%) and retail (35%) organizations. These attempts frequently arrive as targeted spam email, which attempts to coerce the recipient to execute an attachment or click on an infected link.
--54% of malware evades anti-virus detection – Solutionary tests all acquired malware samples against as many as 40 different commercial and freeware anti-virus products through VirusTotal and other resources to determine each product’s effectiveness. Only 46% of samples tested were detected by anti-virus. This statistic reflects the need for organizations to maintain multiple malware detection mechanisms, as anti-virus solutions alone are insufficient.
--Java is the most targeted software in exploit kits – Java is now the most prominent software targeted in malware exploit kits, replacing Adobe® PDF exploits. Almost 40% of total exploits in exploit kits now target Java. The cross-platform nature of these two technologies likely explains their positions as leading exploit targets.
Registration is required to obtain the report, but it's worth the time. Have a look and share your thoughts.