Cisco has published its 2017 Midyear Cybersecurity Report (MCR). The report runs to 90 pages. It looks at the shifting landscape of cyber attacks and the impact on organisations from the rise in security breaches. The report uses data gathered by Cisco from its own customers, partners and Security Operations Centres (SOCs). The company says that it is now seeing over 40 billion points of telemetry a day. Overall it paints a picture of cyber security that will concern many a Chief Information Security Officer (CISO).
There is also a blog from David Ulevitch, Senior Vice President and General Manager, Security Business Group, Cisco. In his blog, Ulevitch says: “The unsettling news at this halfway point in the year is that the bad actors are adding new and sophisticated spins to their exploits. Their aim is not just to attack, but to destroy in a way that prevents defenders from restoring systems and data. We’ve coined a name for adversaries’ new goal: destruction of service (DeOS).”
What is a Destruction of Service (DeOS) attack?
Cisco says these attacks are designed to eliminate backups and other safety nets organisations may have established. In reality there has been the potential for these types of attack for several years. What has changed is the way cyber attackers are combining types of attack.
One of the key elements of these attacks is ransomware. Data is encrypted and a ransom demanded. Even if the ransom is paid there is no guarantee that data will be unlocked. Importantly, attackers are no longer targeting single machines. Once inside a network they go after both end user devices and network servers. Whenever and wherever they find data, they encrypt it.
For many enterprises this means that backups and live data are encrypted together. This is because a lot of backups are kept online so that they can be restored more easily. An increasing number of enterprises have also deployed tiered storage solutions. Only when data is deemed “too old” or has not been accessed for a while is it finally backed up and stored offline. All of this data is now open to attack, which makes it hard to restore a system.
Alongside this, cyber criminals are waiting before they trigger an attack. They want their malware to be captured inside any backup the enterprise takes. This allows them to restart the attack as soon as the data is restored. The impact of losing access to data and not being able to restore it is business-threatening to a lot of organisations.
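The two backup failure modes described above (backup copies that have themselves been encrypted, and no copy old enough to predate the attacker's dwell time) can be checked mechanically. The following is an added example, not code from Cisco or the MCR; the backup catalogue layout, the entropy threshold and the 30-day dwell window are assumptions for illustration.

```python
"""Added example: check a backup set for the DeOS failure modes the article
describes. Catalogue layout, thresholds and sample data are assumptions."""
import math
from collections import Counter
from datetime import datetime, timedelta

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Ransomware output sits close to 8.0; documents,
    databases and logs are usually well below 6.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(sample: bytes, threshold: float = 7.5) -> bool:
    """Flag a sampled chunk of a backup as probably encrypted (assumed threshold)."""
    return shannon_entropy(sample) >= threshold

def assess_backup_set(copies, now, min_dwell_days=30):
    """copies: list of (label, taken_at, is_offline, sampled_bytes).
    Returns a list of findings; an empty list means both checks pass:
      1. no copy's sampled data looks encrypted;
      2. at least one clean offline copy is older than the assumed dwell
         window, so a restore does not simply bring the dormant malware back."""
    findings = []
    for label, _taken_at, _offline, sample in copies:
        if looks_encrypted(sample):
            findings.append(f"{label}: sampled data looks encrypted "
                            f"(entropy {shannon_entropy(sample):.2f} bits/byte)")
    old_clean_offline = [c for c in copies
                         if c[2] and not looks_encrypted(c[3])
                         and now - c[1] >= timedelta(days=min_dwell_days)]
    if not old_clean_offline:
        findings.append(f"no clean offline copy at least {min_dwell_days} days old: "
                        "a restore may reintroduce dormant malware")
    return findings

# Constructed catalogue: a nightly online copy whose sample is uniformly
# distributed bytes (what an encrypted volume looks like), a clean weekly
# online copy, and an offline copy that is too recent to be trusted.
ENCRYPTED_SAMPLE = bytes(range(256)) * 16          # entropy exactly 8.0
TEXT_SAMPLE = b"Q2 sales figures by region, final draft. " * 40
NOW = datetime(2017, 7, 31)

def demo_findings():
    copies = [
        ("nightly-online", NOW - timedelta(days=1), False, ENCRYPTED_SAMPLE),
        ("weekly-online", NOW - timedelta(days=7), False, TEXT_SAMPLE),
        ("monthly-offline", NOW - timedelta(days=10), True, TEXT_SAMPLE),
    ]
    return assess_backup_set(copies, NOW)

if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Adding a clean offline copy dated 45 days before NOW to the catalogue clears the second finding, which is the point of the check: recovery depends on an uninfected copy that the attacker's waiting period could not reach.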
DeOS just the tip of the iceberg
DeOS attacks are just the visible manifestation of one type of attack. Before the attacks take place the malware has to infect at least one machine. Exploit kits (EK) such as Angler, Neutrino and Nuclear have been effective at exploiting vulnerabilities and installing malware. While there have been successes in limiting their effectiveness they have persisted for several years.
Cisco says it is seeing a drop-off in the use and effectiveness of EK. It puts this down to better defences such as automatic security updates in operating systems and applications. There have also been successes in disrupting the networks on which the EK rely. However, it is too soon to see them as an old type of attack. The developers of EK have often taken them offline and then brought them back with new features designed to outwit security tools.
As EK attacks have declined, a combination of older and other approaches has taken their place. Hackers are good at social engineering and this has led to an increase in phishing attacks targeting key individuals inside organisations. Business Email Compromise (BEC) attacks continue to claim victims. BEC is successful because it exploits poor processes and management chains inside enterprises.
Spam is also on the rise again, after several years in which the IT industry had been reducing its volume. The current generation of spam still relies on macros and embedded code. However, it is also security aware. It is able to detect many of the latest security software solutions and sandboxing techniques. This enables it to avoid detection while it waits for a user to unwittingly allow it to act.
The Internet of Things a great tool for attackers
The use of the Internet of Things (IoT) by hackers has been well documented. A significant part of the problem is the lack of security in too many Internet connected devices. Enterprise IT departments often have no say in the purchase of many of these devices. Security cameras, fridges, televisions and other goods are often purchased by different departments. Few of them have any security training.
A major concern is the number of Internet connected devices with little to no security. These devices are easily enrolled into large botnets. Botnets are also being combined into super botnets that are then used to launch Distributed Denial of Service (DDoS) attacks. These attacks can not only shut down an enterprise, they can also block off parts of the Internet. It is likely that these attacks will continue to increase in size and effectiveness.
This is driving an increase in tools and techniques to mitigate DDoS attacks. The major service providers are already working together to provide greater resiliency across the Internet. This will only have a limited impact. Organisations need to do more to identify any Internet connected device inside their network. This will allow them to develop their own mitigation strategies and sandbox “at risk” devices into their own networks. This will also help identify attempts to enrol devices into botnets without risking the integrity of core business networks.
Better cyber security forcing a change in attackers’ behaviour
As organisations improve their cyber security habits, attackers are forced to find new attacks. This is more than just raising the bar for attackers. It is about deploying new approaches to security and improving processes.
The MCR identifies improved responses to patching Adobe Flash as reducing the effectiveness of some EK. Over the last three years the time taken to patch Flash vulnerabilities has fallen from 308 days to 62. That is still a significant window of opportunity for attackers, especially as they will have access to a vulnerability long before a vendor begins to develop a patch.
It is not just enterprises that have forced a change in behaviour. Better sharing of threat intelligence data across the security industry has also played a part. It has allowed security providers and law enforcement to take action against the networks that support the attackers. This has stopped some attacks in just days. The recent NotPetya (Nyetya) attack was stopped very quickly when the command and control (C&C) servers and email addresses were shut down.
Cisco’s six messages to IT security teams
In the MCR, Cisco has provided six steps to improve enterprise security. These are:
- Keeping infrastructure and applications up to date, so that attackers can’t exploit publicly known weaknesses.
- Battle complexity through an integrated defense. Limit siloed investments.
- Engage executive leadership early to ensure complete understanding of risks, rewards and budgetary constraints.
- Establish clear metrics. Use them to validate and improve security practices.
- Examine employee security training with role-based training versus one-size-fits-all.
- Balance defense with an active response. Don’t “set and forget” security controls or processes.
What does this mean?
It is always easy to fall into the Fear, Uncertainty and Doubt (FUD) approach when talking about cyber security. Cyber attacks are on the rise, as are data breaches. What is important is what is being done to limit their impact. The number of vulnerabilities and their seriousness is increasing. The most effective ones are those developed for governments by private security companies. These are not reported to vendors, so vendors cannot block them. Inevitably, as seen by the leaks from the US NSA and CIA, these attacks end up in the hands of criminals.
Once that happens, vendors are also alerted and able to begin the process of patching. The time taken to patch vulnerabilities from a vendor perspective has fallen over the last few years. Most will issue a patch within 60 days. Where they cannot and depending on the vulnerability they will attempt to provide a temporary fix.
The challenge for enterprise IT security teams is how to test patches before deploying them. They are aware of and concerned about the risk of a bad patch causing chaos inside their IT estate. Despite this they are patching more quickly than ever before. Vendors are also doing more to help by providing automated patch solutions inside operating systems and as part of regular updates to apps. The mobile software providers are leading the way here with the desktop solutions still lagging some way behind.
Enterprise IT teams are also encrypting more and more data. This makes it of less value to an attacker if stolen. It is also important that an enterprise helps its partners and customers protect their data and systems. By doing so it can be sure that data shared is data protected.