Zero-days, Botnets, and Swarming: What You Need to Know to Protect Your Organization

Nov 28, 2017 | 6 min read


Fortinet’s latest Threat Landscape Report provides details about what most of us in the security industry already know: cybercriminals continue to commit significant resources to breaking into networks. However, a careful analysis of this data – collected from billions of events observed in live production environments around the world – provides critical insight into the techniques and tools cybercriminals rely on to access your network’s data, and provides IT teams and security leaders with a better understanding of the sorts of countermeasures they should be focused on.

Zero-day Threats

As security professionals, we live in a very reactive world. As a result, we typically build IPS signatures only after a vulnerability has been discovered, which leaves us behind right from the start. To help deal with this challenge, Fortinet has a dedicated Zero Day research team that examines third-party products and applications looking for weaknesses and exploitable vulnerabilities. The goal is to discover them before the bad guys do and get security countermeasures in place. This quarter, we have added a new entry to the Threat Landscape Report focused on zero-day discoveries. So far this year, we have discovered and reported over 185 previously undocumented vulnerabilities, 63 of them in Q3 alone. We adhere to responsible disclosure and notify all vendors upon discovering a zero-day vulnerability before announcing it publicly. But we also create zero-day IPS signatures designed to see and block attempts to exploit these vulnerabilities, even if they have not yet been publicly announced.

One interesting trend we noted was a set of new zero-day attacks focused on antivirus software. Attackers usually try to stay away from antivirus software because they want to go undetected, but in this case they were focused on exploiting weaknesses in the software itself to gain control. The instances we found are reminders that although antivirus software is there to protect us from malware, it can also be a target. This serves as a critical reminder that updating and patching antivirus software is just as critical as patching any other network resource, and maybe more so, since antivirus technology tends to run with elevated system privileges.

Botnet Bounceback

Another interesting insight in this quarter’s report concerns botnet recurrence. We discovered that many organizations experienced the same botnet infections multiple times. 75% of organizations infected with a botnet will see a second occurrence, and 70% of those will experience a third. There are a lot of factors that could contribute to this. A company may not thoroughly understand the total scope of a breach. A botnet may go dormant, only to return after business operations are back to normal. Or the organization never found the root cause, or patient zero.

Far too often, the recurrence of an infection is the result of an incomplete security policy. Dealing with a breach can be very stressful and chaotic. The last thing you want to do is try to figure out your next steps in the middle of an attack. You need to assume that a breach will occur, and already have a documented plan in place for how you will detect, analyze, respond, and recover from it. In the case of botnet attacks, ensure you focus on properly identifying the full scope of the breach, combined with forensics analysis to determine how the threat got there in the first place.
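The recurrence pattern described above is something a SOC can measure from its own detection feed. The script below is an added example written for this page, not code from the article or from Fortinet’s report; it runs over a constructed list of sensor events (timestamp, host, botnet family) and treats two detections of the same family on the same host that are separated by more than a configurable quiet period as a re-infection, which is the symptom the text ties to incomplete scoping or a missed patient zero. The event format, the host names and the seven-day quiet period are all assumptions.

```python
"""Botnet re-infection triage over constructed detection events.

Added example, not from the original article or Fortinet's report. Assumes a
hypothetical event feed where each record is (ISO timestamp, host, botnet family)
as emitted by an IPS or AV sensor. A gap longer than CLEAN_GAP_DAYS between two
detections of the same (host, family) pair starts a new infection episode; any
pair with more than one episode is a recurrence worth re-scoping.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CLEAN_GAP_DAYS = 7  # assumption: a week of silence means the first episode was "handled"

# Constructed sample events (ISO timestamp, host, botnet family)
SAMPLE_EVENTS = [
    ("2017-07-02T08:15:00", "ws-014", "botnet-a"),
    ("2017-07-02T09:40:00", "ws-014", "botnet-a"),   # same episode, not a recurrence
    ("2017-07-20T11:05:00", "ws-014", "botnet-a"),   # 18 days later: re-infection #1
    ("2017-08-30T14:22:00", "ws-014", "botnet-a"),   # re-infection #2
    ("2017-07-05T10:00:00", "srv-db1", "botnet-b"),
    ("2017-07-06T10:00:00", "srv-db1", "botnet-b"),  # within the gap, same episode
    ("2017-09-01T00:30:00", "ws-077", "botnet-a"),   # first sighting on another host
]


def parse_events(rows):
    """Parse timestamps and sort chronologically so episode detection is order-safe."""
    return sorted((datetime.fromisoformat(ts), host, fam) for ts, host, fam in rows)


def count_episodes(events, clean_gap_days=CLEAN_GAP_DAYS):
    """Group events per (host, family) into episodes; returns first_seen per episode."""
    clean_gap = timedelta(days=clean_gap_days)
    episodes = defaultdict(list)   # (host, family) -> [first_seen of each episode]
    last_seen = {}
    for ts, host, fam in events:
        key = (host, fam)
        if key not in last_seen or ts - last_seen[key] > clean_gap:
            episodes[key].append(ts)
        last_seen[key] = ts
    return dict(episodes)


def recurrences(events, clean_gap_days=CLEAN_GAP_DAYS):
    """Return {(host, family): number_of_reinfections} for pairs seen in >1 episode."""
    eps = count_episodes(events, clean_gap_days)
    return {k: len(v) - 1 for k, v in eps.items() if len(v) > 1}


def recurrence_rate(events, clean_gap_days=CLEAN_GAP_DAYS):
    """Fraction of infected (host, family) pairs that came back at least once."""
    eps = count_episodes(events, clean_gap_days)
    if not eps:
        return 0.0
    return sum(1 for v in eps.values() if len(v) > 1) / len(eps)


def triage_report(events, clean_gap_days=CLEAN_GAP_DAYS):
    """One line per recurring pair, with the start date of every episode."""
    eps = count_episodes(events, clean_gap_days)
    lines = []
    for (host, fam), n in sorted(recurrences(events, clean_gap_days).items()):
        starts = ", ".join(t.date().isoformat() for t in eps[(host, fam)])
        lines.append(f"{host} {fam}: {n} re-infection(s); episodes began {starts}"
                     " -> re-scope the breach and trace patient zero")
    return lines


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print(f"recurrence rate: {recurrence_rate(ev):.0%}")
    for line in triage_report(ev):
        print(line)
```

The quiet-period threshold is the knob to tune: too short and one noisy episode looks like several re-infections, too long and a genuine return is folded into the first episode. Running the same report with a longer gap is a quick way to see how sensitive your recurrence numbers are to that choice.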

Swarming

This past quarter, three separate exploits targeting the Apache Struts framework made our top 10 list. A fourth was among the major movers for the quarter. This is significant because the Equifax breach was the result of a vulnerable Apache Struts component. This piling on of attacks against a particular vulnerability, especially one that has already been used successfully, is an example of how attackers swarm when they “smell blood in the water.” It is also an indicator of how strongly cybercriminals prefer exploiting proven vulnerabilities to building new attack methods.

Most of the time, the best thing you can do is to simply have a good vulnerability and patch management process in place — aka Good Cyber Hygiene. But we also know that this is often easier said than done. You may not be aware of every device on your network. You also may not be able to patch everything for a variety of reasons. So to start, you need tools to help you inventory everything on your network. You then need to compare them against a prioritized list of known vulnerabilities and start a comprehensive patch, protect, or replace program.

One way to understand which vulnerabilities are being targeted the most is to use reports like this one. It is also important to remember that successful attacks have a higher probability of being used again. Therefore, if you learn about a high-profile breach, check the attack vector and ensure you do not have that exposure. And if you do, make fixing it a priority.
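The inventory-then-prioritize-then-patch-protect-or-replace loop in the two paragraphs above can be expressed as a small ranking routine. The code below is an added example for this page, not code from the article or from Fortinet; it takes a constructed asset inventory and a constructed list of known vulnerabilities, ranks findings so that actively exploited issues (the ones that high-profile breaches tell you are being swarmed) come first, and assigns patch, protect-then-replace, or replace depending on whether the asset can actually be patched. The vulnerability identifiers, version numbers and host names are placeholders, not real CVEs; Apache Struts appears only because the text names it, and the version ceilings attached to it are invented for the example.

```python
"""Patch / protect / replace prioritisation over a constructed inventory.

Added example, not from the article or Fortinet's report. Assumes two hypothetical
inputs: an asset inventory (host, product, version, patchable flag) and a
known-vulnerability list (placeholder id, product, first fixed version, severity,
exploited-in-the-wild flag). Ids such as VULN-EXAMPLE-001 are placeholders, not
real CVE numbers, and the version ceilings are invented.
"""
from dataclasses import dataclass
from typing import NamedTuple


@dataclass(frozen=True)
class Vuln:
    vid: str            # placeholder identifier
    product: str
    fixed_in: tuple     # first version tuple that is NOT affected
    severity: float     # CVSS-like score, 0..10
    exploited: bool     # seen in active attacks (e.g. a high-profile breach vector)


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: tuple
    patchable: bool     # False for appliances / legacy systems that cannot be updated


class Finding(NamedTuple):
    host: str
    vid: str
    severity: float
    exploited: bool
    action: str


# Constructed known-vulnerability list (ids and versions are placeholders)
KNOWN_VULNS = [
    Vuln("VULN-EXAMPLE-001", "apache-struts", (2, 5, 13), 10.0, True),
    Vuln("VULN-EXAMPLE-002", "apache-struts", (2, 3, 34), 8.1, False),
    Vuln("VULN-EXAMPLE-003", "example-av", (11, 2), 7.8, False),
]

# Constructed asset inventory. The "unknown" product stands for a device found on
# the network with no recorded software, which the text warns you may have.
INVENTORY = [
    Asset("web-01", "apache-struts", (2, 5, 10), True),
    Asset("web-02", "apache-struts", (2, 5, 13), True),       # already at fixed version
    Asset("legacy-appliance", "apache-struts", (2, 3, 20), False),
    Asset("ws-014", "example-av", (11, 1), True),
    Asset("printer-7", "unknown", (), False),
]


def affected(asset, vuln):
    """An asset is affected when it runs the product below the first fixed version."""
    return asset.product == vuln.product and asset.version < vuln.fixed_in


def recommend(asset, vuln):
    """Patch if possible; otherwise shield an exploited hole (e.g. IPS signature,
    network isolation) until the asset can be replaced, or just schedule replacement."""
    if asset.patchable:
        return "patch"
    return "protect-then-replace" if vuln.exploited else "replace"


def prioritise(inventory, vulns):
    """Return findings sorted by exploited-in-the-wild first, then severity, then host.
    Assets with unknown software get an inventory task so they are not silently skipped."""
    findings = []
    for asset in inventory:
        if asset.product == "unknown":
            findings.append(Finding(asset.host, "UNKNOWN-ASSET", 0.0, False, "inventory"))
            continue
        for v in vulns:
            if affected(asset, v):
                findings.append(Finding(asset.host, v.vid, v.severity, v.exploited,
                                        recommend(asset, v)))
    return sorted(findings, key=lambda f: (not f.exploited, -f.severity, f.host))


if __name__ == "__main__":
    for f in prioritise(INVENTORY, KNOWN_VULNS):
        flag = "ACTIVELY EXPLOITED" if f.exploited else ""
        print(f"{f.host:18} {f.vid:18} {f.severity:4.1f} {f.action:22} {flag}")
```

Two details matter more than the scoring itself: an asset that is already at the fixed version produces no finding (so the list stays actionable), and an asset whose software is unknown still surfaces as an inventory task rather than disappearing, because you cannot compare what you have not catalogued against any vulnerability list.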

Mid-size Firms at Greatest Risk

One of the most important conclusions from this report is that mid-sized firms are at the greatest risk from cyberattack. Part of the reason is that they are adopting cloud solutions at faster rates than larger enterprises, creating greater exposure and a broader attack surface. At the same time, they don’t have the same level of security resources or technology investments available to them that larger organizations have. As a result, cybercriminals tend to view them as a “sweet spot” that can be more easily exploited than large enterprises.

This assessment is supported by data showing higher rates of botnet infections for mid-size firms compared with either small businesses or large enterprises.

With all the technology solutions available, deciding how best to protect your organization can be overwhelming. If you have not already done so, I suggest that, regardless of the size of your company, the best place to start is to go back to the basics.

  • First, identify all your authorized and unauthorized assets within your environment. You have to know what you’re protecting.
  • Second, limit user privileges. Not everyone needs administrator privileges.
  • Third, limit applications to only those with a business need. Using unnecessary applications, especially cloud-based applications, expands the attack surface and increases the complexity of protecting the environment.
  • Lastly, practice good cyber hygiene and keep your assets updated and patched.

One final point for mid-size businesses: if you fail to do the basics, you will never fully reap the benefits of your technology investments. And given the competitive nature of today’s digital marketplace, that is not something many companies can afford.