Adapting to the New Normal in Cybercrime


The volume and sophistication of attacks targeting organizations are accelerating at an unprecedented rate. Fortinet’s Q4 2017 Threat Landscape Report, just released this week, reports an average of 274 attacks per firm, which is a staggering 82% increase over the previous quarter. One reason for this spike is that, in order to hit the maximum number of targets, malware needs to spread as rapidly as possible before countermeasures such as updated AV signatures can be put in place. So even though many security vendors are working to get updates and signature files out to customers as fast as possible, cybercriminals have upped their game to counter that change.

The number of malware families being tracked also increased by an alarming 25% in Q4, to 3,317, with the number of unique malware variants growing 19%, to 17,671. These numbers show not only a dramatic growth in the volume of attacks that organizations are facing, but also in the evolution of malware itself.

However, this is not just about volume. These attacks are also increasingly sophisticated. Swarms of infected devices are using new, harder-to-combat multi-vector attacks that include a wide variety of malware from different malware families. This allows an attack to run through a library of exploits until it finds one that can crack a targeted device.

Current Threat Trends

This combination of rapid development and increased propagation of new variants is catching far too many organizations unprepared. Here are the most important trends you should be aware of, and some ideas on how you can prepare your organization to stop them:

IoT Attack Intensity

Three of the top twenty attacks identified in Q4 targeted IoT devices. Unlike the first generation of IoT attacks, which focused on exploiting a single vulnerability, new IoT botnets such as Reaper and Hajime target multiple vulnerabilities simultaneously, making them much harder to combat. In addition, Reaper was built using a flexible Lua engine and scripts. Instead of the static, pre-programmed attacks of previous exploits, its code can be easily updated on the fly, so entire botnets that are already in place can run new and more malicious attacks as they become available.

The Rise of Cryptojacking

Cybercriminals are clearly motivated to exploit the digital currency trend as we have documented a significant spike in cryptojacking attacks. Cryptojacking takes many different forms, and a malicious infection can result in everything from browser hang-ups and system crashes, to degraded network performance, to data theft and ransomware.

The biggest trend involves phishing attacks or infecting vulnerable websites with malware designed to steal CPU cycles to perform cryptomining on behalf of the attacker. Initially, such attacks hijacked all available CPU, causing machines to become virtually unusable. However, new, more sophisticated attacks now monitor device CPU and rate limit the amount of processing power they leverage, stealing 50% or less of available CPU power at any given moment in order to evade detection.
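A throttled miner that deliberately stays under a CPU ceiling defeats a simple "flag anything at 100%" rule, but its steadiness is itself a signal. The following detector is an added example (not code from the original post or from Fortinet's products) that runs over constructed per-process CPU telemetry and flags processes whose load sits in a mid-range band with low variance for a sustained period. The band, window and jitter thresholds are assumptions; legitimate steady workloads can also match, so hits are triage candidates rather than verdicts.

```python
"""Added example: flag processes whose CPU use is sustained but kept under a
throttle ceiling, the rate-limited cryptomining pattern described above.
Thresholds and telemetry are assumptions, not values from the report."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry: (timestamp_s, process_name, cpu_percent), one sample
# every 10 s for 10 minutes. "browser_tab_1234" sits flat around 45% the whole
# time; "build_worker" does a legitimate full-CPU burst; "idle_service" idles.
SAMPLES = []
for i in range(60):
    t = i * 10
    SAMPLES.append((t, "browser_tab_1234", 44.0 + (i % 3)))
    SAMPLES.append((t, "build_worker", 95.0 if 20 <= i < 32 else 3.0))
    SAMPLES.append((t, "idle_service", 1.0 + (i % 2)))


def detect_throttled_cpu(samples, window_s=300, floor=30.0, ceiling=60.0, max_jitter=5.0):
    """Return {process: stats} for processes that stayed inside [floor, ceiling]
    with low variance for at least window_s seconds. Throttled miners aim to
    stay under a ceiling (the post cites 50% or less), so the signal is steady
    mid-range load rather than spikes. Steady legitimate workloads also match;
    treat hits as triage candidates."""
    by_proc = defaultdict(list)
    for ts, name, cpu in samples:
        by_proc[name].append((ts, cpu))
    findings = {}
    for name, series in by_proc.items():
        series.sort()
        run = []  # consecutive in-band samples
        for ts, cpu in series:
            if floor <= cpu <= ceiling:
                run.append((ts, cpu))
            else:
                run = []  # an excursion outside the band breaks the run
                continue
            span = run[-1][0] - run[0][0]
            cpus = [c for _, c in run]
            if span >= window_s and pstdev(cpus) <= max_jitter:
                findings[name] = {
                    "sustained_s": span,
                    "mean_cpu": round(mean(cpus), 1),
                    "jitter": round(pstdev(cpus), 2),
                }
    return findings


if __name__ == "__main__":
    for proc, stats in detect_throttled_cpu(SAMPLES).items():
        print(f"{proc}: {stats}")
```

In the constructed data only the browser tab is flagged: the build worker exceeds the ceiling and then drops below the floor, so its run never reaches the window, and the idle service never enters the band at all.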

More Ransomware

Several strains of ransomware topped the list of malware variants. Locky was the most widespread malware variant, with GlobeImposter second. A new strain of Locky emerged, tricking recipients with spam before requesting a ransom. We have also documented that ransomware is leveraging new top-of-mind subjects like cryptocurrency in scams, while the growing availability of Ransomware-as-a-Service on the Darkweb is making it much easier for less technically skilled criminals to target organizations.

Sophisticated Industrial Malware

An uptick in exploits targeted at industrial control systems (ICS) and safety instrumented systems (SIS) suggests that attackers are also targeting OT infrastructure with sophisticated malware. For example, an attack codenamed Triton has the ability to cover its tracks by overwriting its malware payload with garbage data to thwart forensic analysis. Compromising OT platforms is enticing for certain threat actors because successful attacks against critical infrastructure can cause significant damage with far-reaching impact.

Attack Variety

Steganography is an attack that embeds malicious code in images. It’s an attack vector that has not had much visibility over the past several years, but it appears to be making a resurgence. The Sundown exploit kit uses steganography to steal information, and while it has been around for some time, it was reported by more organizations than any other exploit kit. It was found dropping multiple ransomware variants.
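One cheap check a defender can run on images crossing a gateway is whether anything follows the file's end-of-image structure, since appending a payload after the last valid byte is the simplest way to hide data in an image. The scanner below is an added example (not code from the original post, Fortinet, or the Sundown kit) that walks JPEG segments and PNG chunks to find the true end of the image and reports any trailing bytes. The sample files are constructed inline. It does not detect pixel-level (LSB) steganography, and some legitimate tools append metadata, so trailing data is a reason to inspect, not a verdict.

```python
"""Added example: detect data appended after an image's end-of-image structure,
a simple form of image-borne payload delivery. Sample files are constructed."""
import struct
import zlib


def _jpeg_end(data):
    """Offset just past the EOI marker. Segments are walked so that thumbnails
    embedded in APPn headers (which carry their own FF D9) are skipped."""
    off = 2  # past SOI (FF D8)
    while off + 4 <= len(data):
        if data[off] != 0xFF:
            raise ValueError("bad JPEG segment at offset %d" % off)
        marker = data[off + 1]
        if marker == 0xDA:  # SOS: entropy-coded data follows; FF D9 cannot occur inside it
            eoi = data.find(b"\xff\xd9", off)
            if eoi < 0:
                raise ValueError("JPEG without EOI marker")
            return eoi + 2
        (length,) = struct.unpack(">H", data[off + 2:off + 4])
        off += 2 + length
    raise ValueError("JPEG without SOS segment")


def _png_end(data):
    """Offset just past the IEND chunk (length, type, data, CRC)."""
    off = 8  # past the PNG signature
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        off += 8 + length + 4
        if ctype == b"IEND":
            return off
    raise ValueError("PNG without IEND chunk")


def trailing_bytes(data):
    """Return (format, bytes after the image ends)."""
    if data.startswith(b"\xff\xd8"):
        return "jpeg", data[_jpeg_end(data):]
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png", data[_png_end(data):]
    raise ValueError("unrecognized image format")


# --- constructed sample files ---------------------------------------------
def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


PNG_MIN = (b"\x89PNG\r\n\x1a\n"
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))  # 1x1 RGB
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter byte + red pixel
           + _png_chunk(b"IEND", b""))

JPEG_MIN = (b"\xff\xd8"  # SOI
            + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS
            + b"\x12\x34\xff\x00\x56"  # entropy-coded data with a stuffed FF 00
            + b"\xff\xd9")  # EOI

SUSPECT_TRAILER = b"<constructed appended payload>"

if __name__ == "__main__":
    for label, blob in [("clean png", PNG_MIN), ("png+trailer", PNG_MIN + SUSPECT_TRAILER),
                        ("clean jpeg", JPEG_MIN), ("jpeg+trailer", JPEG_MIN + SUSPECT_TRAILER)]:
        fmt, extra = trailing_bytes(blob)
        print(f"{label}: {fmt}, {len(extra)} trailing bytes")
```

The JPEG walker stops segment parsing at the first SOS because byte stuffing (FF 00) and restart markers (FF D0 to FF D7) are the only FF sequences allowed inside entropy-coded data, so the first FF D9 after SOS is the real EOI even for progressive files with several scans.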

Preparing Your Organization

One reason attacks have been more successful is that IT teams are stretched thin trying to deploy and manage their digital transformation efforts. The key takeaway is that evolving network footprints have dramatically expanded the potential attack surface, and legacy threat detection and signature-based antivirus tools, especially those that have been deployed as isolated devices, are simply unable to keep pace with the volume, variety, and velocity of today’s malware. The traditional model of buying new security devices to combat emerging threats is no longer effective. There are just not enough resources to go around to deploy, monitor, and manage even more isolated security tools.

Instead, today’s organizations need to take a more proactive approach that includes:

Managing Vulnerabilities

Organizations need to inventory the devices on their network and prioritize patching based on malware volume. At the same time, they need to implement advanced threat protection capabilities such as sandboxing to detect and respond to unknown threats before they can impact the network.
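"Prioritize patching based on malware volume" becomes concrete once the inventory and a threat feed are joined. The script below is an added example (not code from the original post or from any Fortinet product) that ranks vulnerabilities by observed malware volume multiplied by the number of exposed hosts, then orders hosts by the total score of what they carry. The inventory, vulnerability ids (VULN-A and so on) and detection counts are constructed placeholders, not real CVEs or report figures.

```python
"""Added example: rank vulnerabilities and hosts for patching by combining a
device inventory with observed malware volume per vulnerability. Identifiers
and counts are constructed placeholders, not real CVEs or report figures."""
from collections import defaultdict

# Constructed inventory: host -> vulnerabilities present (placeholder ids).
INVENTORY = {
    "web-01": {"VULN-A", "VULN-B"},
    "web-02": {"VULN-A"},
    "db-01": {"VULN-C"},
    "ws-17": {"VULN-B", "VULN-C", "VULN-D"},
}
# Constructed threat feed: vulnerability -> malware detections seen exploiting it.
MALWARE_VOLUME = {"VULN-A": 1200, "VULN-B": 40, "VULN-C": 310, "VULN-D": 0}


def exposure(inventory):
    """vulnerability -> set of hosts carrying it."""
    exposed = defaultdict(set)
    for host, vulns in inventory.items():
        for v in vulns:
            exposed[v].add(host)
    return exposed


def vuln_score(vuln, exposed, volume):
    # Active exploitation volume times number of exposed hosts: a vulnerability
    # malware is hammering on many of our machines outranks a rare one on a few.
    return volume.get(vuln, 0) * len(exposed.get(vuln, ()))


def prioritize_vulns(inventory, volume):
    """Vulnerabilities in patch order as (id, score, affected hosts)."""
    exposed = exposure(inventory)
    ranked = sorted(exposed, key=lambda v: (-vuln_score(v, exposed, volume), v))
    return [(v, vuln_score(v, exposed, volume), sorted(exposed[v])) for v in ranked]


def prioritize_hosts(inventory, volume):
    """Hosts in patch order: sum of the scores of the vulnerabilities they carry."""
    exposed = exposure(inventory)
    totals = {h: sum(vuln_score(v, exposed, volume) for v in vs)
              for h, vs in inventory.items()}
    return sorted(totals, key=lambda h: (-totals[h], h))


if __name__ == "__main__":
    for v, score, hosts in prioritize_vulns(INVENTORY, MALWARE_VOLUME):
        print(f"{v}: score={score} hosts={hosts}")
    print("host order:", prioritize_hosts(INVENTORY, MALWARE_VOLUME))
```

With these placeholder numbers the widely exploited VULN-A on two web servers ranks first even though VULN-C has a comparable footprint, and the workstation carrying three lower-volume issues still lands behind both web servers.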

Integrating Security Systems

Security devices that can’t share threat intelligence, detect sophisticated attacks, or participate in a coordinated counterattack have limited value in today’s networks. Effective security devices need to be able to interoperate with other security devices as an integrated system. This requires deploying a framework built around devices that use open standards for communication, that can leverage a common operating system, or at the least, can be integrated together through a common management, analysis, and orchestration platform to unify visibility and control.

Implementing Automation

Today’s attacks can’t wait for human intervention. Attacks happen at digital speeds, and response needs to occur in real time. Even more importantly, data needs to be automatically and constantly correlated using advanced behavioral analytics so that systems can anticipate attacks and automatically adapt before an attack happens or a compromise occurs.

Segmenting the Network

Organizations need to identify devices at the access point and automatically direct them into specific network segments to prevent the lateral movement of malware across the network. Combined with active monitoring, networks need to be able to identify a rogue or infected device, isolate it, and then automatically begin remediation.

Training Users

As attacks like cryptojacking that rely on phishing and social engineering gain momentum, organizations need to prioritize cybersecurity awareness, including educating users on how to recognize social engineering attacks.

Fighting Fire with Fire

Digital transformation isn’t just impacting business. Cybercriminals are driving their own digital transformation. Malware, for example, is developing new swarm-like capabilities to better exploit the expanding attack surface of digital enterprises. These attacks leverage multiple vulnerabilities to target and overwhelm devices and access points. Defending against these new multi-vector threats requires an integrated security approach with swarm-like capabilities that can pit “swarm against swarm” in order to effectively counter and repel an attack.

Achieving this requires a security transformation effort that mirrors your digital transformation. A security fabric, for example, allows you to integrate and automate isolated security technologies, enabling traditionally separate solutions to work together as a system. That system can automatically share and correlate event intelligence and automate a response that marshals and orchestrates the combined resources across your entire security infrastructure, from endpoints and the core to the cloud, to detect and repel an attack.