The latest Dell Security Annual Threat Report (registration required) pulls no punches. It makes it clear that cyber criminals are taking advantage of shape-shifting techniques to make their exploits harder to track and defeat. They are also making more and more use of encrypted traffic which allows them to spirit away data undetected as companies struggle to check what is leaving the enterprise.
- Exploit kits evolved to stay one step ahead of security systems, with greater speed, heightened stealth and novel shape-shifting abilities.
- Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption continued to surge, leading to under-the-radar hacks affecting at least 900 million users in 2015.
- Malware for the Android ecosystem continued to rise compared to 2014, putting the lion’s share of the smartphone market at risk.
- Malware attacks nearly doubled to 8.19 billion; popular malware families continued to morph from season to season and differed across geographic regions.
Dell Security report kept short but hard-hitting
At just 19 pages in length, the report is a relatively easy read for security teams and the C-suite executives overseeing cyber security inside an organisation. What it highlights from the start is not a failure of security teams but the problems with the complex security landscape and the skills of the adversary.
According to Curtis Hutcheson, general manager, Dell Security: “Many of the breaches in 2015 were successful because cybercriminals found and exploited a weak link in victims’ security programs due to disconnected or outdated point solutions that could not catch these anomalies in their ecosystem.”
It is the constant probing of networks by cybercriminals that enables them to find a hole. In addition, there has been a significant surge in the number of threats being discovered and then productised. These are then made available through the Dark Web as exploit kits that can be purchased, rented or even accessed through an emerging Malware as a Service (MaaS) model, as hackers take advantage of cloud computing to scale their attacks.
The growth in attacks is staggering
To give some idea of the scale of the attacks that companies are subjected to Dell provides some initial numbers for 2015:
- 2.17 trillion IPS attacks were blocked
- 8.19 billion malware attacks were blocked
- 73% increase in unique malware samples compared to 2014 and triple the number from 2014. This equates to 64 million unique malware samples.
These numbers come from data reported back to Dell from the Dell SonicWALL Global Response Intelligence Defense (GRID) Network. This consists of Dell SonicWALL devices on customer sites, in Dell offices, over 1 million sensors and a collection of honeypots, traps and industry collaboration. As such they can be seen as real world numbers rather than some of the aggregated numbers that are often bandied about in the industry.
One of the interesting figures here is the number of unique malware samples. Panda Security recently reported that it had seen 84 million unique samples in 2015. Panda has a much wider consumer base than Dell Security, which may account for the difference. However, it is a very large difference that will cause some concern among security teams. One of the reasons for the difference may be the way that malware samples are identified and named.
This tracking of malware is not simple. The major families of malware constantly morph to attack specific industries and countries, and there appear to be a lot of samples that are simply engineering tests. These appear and disappear quickly, and it is reasonable to assume that many are missed until a post-attack deep analysis is carried out.
Stealth and shape-shifting making it harder to detect attacks
There were four main exploit kits that dominated in 2015: Angler, Nuclear, Magnitude and Rig. While these were the most common, there has been an active focus on the Dark Web on building exploit kits, as these can be rented out. The problem for security companies is tracking the explosion of exploit kits, all of which are capable of taking advantage of zero-day vulnerabilities.
Interestingly Dell names Adobe Flash, Adobe Reader and Microsoft Silverlight as the most common targets for such vulnerabilities. This is due to their popularity both inside corporates and with anyone wanting to distribute video and content such as security reports.
One of the big evolutions in exploits came when Dell SonicWALL reported it had discovered an exploit kit it called Spartan in September 2015. The base code was fully encrypted, making it hard for security products to identify, and when it did create a threat it did so in memory. With devices now regularly shipping with large amounts of memory available to the operating system and applications, this is a case of cybercriminals simply using what they have available to them.
Exploits have also become adept at detecting the presence of security software and then modifying their code. They are also using techniques to obfuscate their landing pages, which makes it increasingly hard for security software to track them. Magnitude, for example, used steganography to hide the attacks inside images or video.
Encryption both a curse and a cure
As companies have moved to SSL/TLS encryption to protect their communications, so too have cybercriminals. They have realised that the volume of encrypted communications traffic is a good place to hide. It takes a lot of processing power to inspect all traffic in real time to ensure nothing is hiding in the encrypted streams. Older networking equipment cannot scale to this, leaving many companies unable to see what is going on in their traffic.
Android still a malware magnet
It’s hard to overstate the impact of malware on the Android market. As the report states: “Stagefright was, in theory, one of the most dangerous vulnerabilities ever discovered for Android.” Surprisingly, despite the number of devices exposed, there have been no reports of widespread infection, due to the speed with which it was patched.
Dell makes it clear that Android malware writers are not only innovative but also successful. Ransomware attacks have evolved to attack the logon PIN rather than just encrypt files, while banking and financial apps are a prime target for malware. The announcement by Intercede and Solacia that they have teamed up to provide a post-factory Trusted Execution Environment (TEE) into which applications can be deployed is one potential solution to some of these attacks.
So what for 2016?
Good news and bad news unfortunately. The good news is that Dell believes the successful exploitation of Adobe Flash vulnerabilities will have a decreased impact as major vendors such as Google move away from it. Sadly that’s about as good as the news gets.
Attacks on Near Field Communication (NFC) payment systems will continue. This is not just about attacking devices and point-of-sale terminals but also about the ease with which attacks can target cards in wallets and purses. There is footage on the Internet this week showing an attacker using a touchless terminal and walking past people taking money off of their cards.
This is not just an attack against card companies; as users begin to use mobile payment apps, and the Dell report singles out Android Pay, it will also be a phone issue. More work needs to be done to introduce multi-factor support to prevent simple walk-by attacks.
Unsurprisingly cars are mentioned as a risk. The exploits we’ve seen are disturbing but are deeper than many are reporting. The growth of APIs that are used to connect systems often with no security or signing mechanism means that we will see an increase in attacks through malicious APIs. These are likely to be deployed in the same way as games across Android. They will go through several iterations that are safe before the bad code is introduced. This way they get around the naturally suspicious among the developer community.
The rise in attacks means that nobody is talking about perfect security anymore and even the best managed security environment can have gaps. Given the rise in attacks that companies are subjected to it should come as no surprise that cybercriminals are finding the gaps. This means that security teams need to review how they test and validate corporate cybersecurity.
The tools that are used must be constantly reviewed and kept up to date. There is nothing wrong with overlap between tools, and end-user devices must be required to use security tools approved by the enterprise or be blocked from accessing the network and data. This is just as true of third-party suppliers and customers who are integrated into sales and manufacturing as it is of internal staff.
There are also a lot of companies that lack good incident response plans. A good plan is more than how to close the door and stop the attack: it has to deal with notification of the authorities and with the reputational fallout. Notification is slowly becoming a legal requirement in many countries, and this means that there has to be coordination between security and legal teams inside enterprises.
What all of this doesn’t mean is that it is time to panic. Attacks will happen and some will be successful; this is something that any risk assessment will make clear. What is more important is making sure that internal teams have done everything that they can reasonably be expected to do, and that money spent on security is targeted rather than just creating a smokescreen of false protection.