NTT Security, the cyber security division of NTT, has released its Global Threat Intelligence Report 2018 (registration required). There are a number of surprises in this report, including the top targets and attacks varying considerably by region. In addition, inside regions such as EMEA, there were considerable differences in the industries attacked and the tools used.
There are a number of potential reasons for this. It could, for example, be about political considerations such as elections or based around major sporting events. The number of attacks against the Winter Olympics in South Korea will certainly show as a spike in Asia when next year’s report comes out.
With the World Cup being held in Russia soon, there is an expectation of significant cyber activity around that. It too will feature in next year’s report on attacks in EMEA. There are already some signs that this has started, with some phishing campaigns offering information on teams. This mirrors what was seen in the Winter Olympic attacks.
What were the top targets worldwide?
There was a significant shift in the top five most attacked industries in 2017. The top five were:
Finance (26%): This is the first time in several years that finance has been the most attacked industry. One possible reason for this may have been the number of attacks against cryptocurrency exchanges. There were a number of high profile and lucrative attacks in that area. Banks also came under sustained DDoS attacks in several areas with Webstresser and IoTroop two of the botnets that targeted this sector.
Technology (19%): Attacks against technology companies have risen sharply. Historically this industry has faced attacks seeking to gain access to intellectual property. Access to software code bases in particular has enabled hackers to discover new exploits. NTT Security was unable to say exactly what they thought was the driver behind this current set of attacks. IP will certainly be part of it but there are other reasons. There has been an explosion of technology, especially in the IoT space. Attacking those companies allows hackers to install malware at source. This means that products are infected before they ship, which means hackers no longer need to worry about how to infect devices.
Business & Professional Services (10%): This is a very broad and new category.
Manufacturing (9%): As with technology, attacks against manufacturers have always been about IP. However, there has been a significant shift in who is getting attacked. Manufacturing often has a long supply chain. The majority of companies in this space tend to be SMEs and with digital transformation are increasingly integrated into the systems of larger companies. This means that successful attacks against them give hackers a foothold from which to attack larger companies who would otherwise be difficult to breach.
Retail (8%): Attacks against retail are widespread and commonplace. Although it has fallen down the list in terms of attacks in 2017, the rewards for effective attacks can be significant. Hackers are not after product although disrupting supply chains has been a target. The big goal here is theft of customer data. Retailers are still struggling to effectively secure customer data including payment details. The latter was highlighted by Sysnet recently.
What did NTT Security see in the regions?
There is no obvious pattern across the regions. Only finance featured in the top two slots for most of the regions and only technology featured in all five regions. Breaking regions such as EMEA and APAC down shows that attacks against industries also varied widely in the regions.
In EMEA, for example, the most attacked industry was Business & Professional Services (20%). Manufacturing (18%) was in third place. In the UK, however, manufacturing was the most attacked industry with over 40% of attacks focused on it. What is not clear is if these attacks were against those running manufacturing facilities or their supply chain. We have asked NTT Security for more clarity and will update the report when we get those details.
What is important is that the numbers seen by NTT Security are mirrored by other organisations. The EEF recently reported that cyber attacks were becoming a major challenge for UK manufacturers. Another report, this time from the National Cyber Security Centre (NCSC), warned of supply chain attacks against Critical National Infrastructure (CNI). Without the ability to break the NTT Security figures down, it’s hard to know what to protect and what the attackers are looking for.
Attack methods also varied by region
NTT Security has grouped the types of attacks into four main groups. That does not mean that other types of attacks didn’t take place. DDoS caused significant disruption to many businesses last year and continues to do so. The four key groups NTT Security has focused on in this report are spyware/keyloggers, trojan/droppers, virus/worms and ransomware.
The difference between the global attack figures and those for the regions is marked. This is almost certainly down to factors such as the botnets used to launch some attacks and the perceived susceptibility of some regions to certain attacks.
Ransomware is a good example of this variance. There was a significant rise in the number of attacks recorded last year yet globally it accounted for just 7% of attacks. In EMEA, however, it was responsible for 29% of attacks. The NTT Security Threat Intelligence team say that this could be down to the attacks being spotted in EMEA first. This allowed other regions to get defences in place before the attackers pivoted to their region.
What does this mean?
At the beginning of every year security vendors send off their predictions of what the top attacks will be for the next 12 months. Few, if any, vendors tune their predictions based on region. As this report shows, such predictions are more guesswork than science and intended to do little more than garner some press coverage.
There is a lot to be learned from this report. Attackers are sophisticated enough to change, modify and tune their attacks for different regions. They are also good at picking the right targets for different attacks.
The intelligence used by attackers to choose when to launch attacks is more than most organisations possess. For example, how many IT Security teams put out warnings of spam and phishing attacks ahead of major global events? Those that haven’t started to warn of such campaigns ahead of the World Cup are just not doing their job. There is plenty of information about the cyber attacks that took advantage of the Winter Olympics and Commonwealth Games this year. Expect similar campaigns over the next eight weeks.
Another major takeaway is that industries such as manufacturing and supply chain are, and will continue to be, prime targets. They tend to have long chains of small companies who lack skills and abilities to protect themselves. Large businesses need to do more to help educate their channels, both suppliers and customers. This is as much about risk management as it is preventative security.