Qualys Blog

www.qualys.com
Juan C. Perez

CyberSecurity Report: Threat Landscape Gets More Sophisticated

Destruction of service. Get acquainted with this newly-minted term, and with its acronym — DeOS. It’s a particularly disturbing type of cyber attack InfoSec teams may face regularly in the not too distant future.

That’s one of the main findings featured in the Cisco 2017 Midyear Cybersecurity Report, a comprehensive cyber security study the networking giant has been publishing for almost a decade.

Due to several troubling developments, including the expected popularization of DeOS attacks — intended to wreck breached IT systems — and the proliferation of IoT device use in DDoS attacks, this report blares a special alarm.

“We must raise our warning flag even higher,” reads the report, which is based on research and data from Cisco and several of its technology partners, including Qualys. “Our security experts are becoming increasingly concerned about the accelerating pace of change — and yes, sophistication — in the global cyber threat landscape.”

InfoSec Teams Face Two Major New Challenges

While enterprise InfoSec teams continue getting better at detecting, preventing and recovering from cyber attacks, they’re grappling with two thorny trends that could hamper their progress and expose their organizations to newfangled threats.

The first is what Cisco calls security breaches’ “escalating impact,” as cyber criminals are no longer driven solely by a desire to profit financially, but are now increasingly motivated by a drive to demolish victims’ IT systems.   

It is within this context that Cisco forecasts the likely emergence of DeOS attacks, which it describes as “new and devastating.” It also notes the rising and concerning popularity of hijacking vulnerable IoT devices to unleash massive DDoS attacks.

“Botnet activity in the IoT space suggests some operators may be focused on laying the foundation for a wide-reaching, high-impact attack that could potentially disrupt the internet itself,” Cisco warns.

At the second trend’s core are “the pace and scale of technology.” This refers to how organizations’ adoption of new technologies like cloud computing and mobility have made it harder to secure enterprise IT environments.

The boundaries of traditional, homogeneous, on-premises network perimeters have been blurred, extended and erased, and IT environments have become more hybrid, heterogeneous and exposed to the internet.

As a result, many IT organizations have lost comprehensive visibility into their IT assets, leading to the creation of dangerous blind spots. They’re also struggling to quickly and effectively manage vulnerabilities and prioritize remediation in their IT environment.

This has translated into an “ever-expanding attack surface” that malicious hackers have been eager to take advantage of.

“The breadth and depth of recent ransomware attacks alone demonstrate how adept adversaries are at exploiting security gaps and vulnerabilities across devices and networks for maximum impact,” reads the report.

A key for InfoSec teams to avoid falling prey to these two trends: Simplify their fragmented security toolbox, and aim for a “seamless and holistic” approach. Having too many security products from multiple vendors creates complexity and slows down an InfoSec team’s ability to react quickly and effectively.

“When security teams can consolidate the number of vendors used — and adopt an open, integrated, and simplified approach to security — they can reduce their exposure to threats,” reads the report.

In particular, they will be better able to prevent and dodge those aforementioned DeOS attacks, especially those that leverage IoT botnets.

Major Findings and Recommendations

At almost 90 pages, the Cisco report is packed with valuable insights, explanations, tips and best practices for enterprise InfoSec teams. Here we’ll highlight a sampling of the findings in the report’s 3 main areas of focus.

Attacker behavior

  • Exploit kits are down, but you must remain vigilant

Since early 2016, exploit kit activity has declined “dramatically” after two leading kits — Angler and Nuclear — disappeared, and a third one, Neutrino, now only resurfaces occasionally for short periods of time.

However, several others are still very much active, targeting well-known vulnerabilities that remain unpatched in many organizations. Cisco warns that it’s a matter of time before exploit kit creators move aggressively to seize existing, untapped opportunities.

“There is little doubt that we will see a resurgence in the exploit kit market, given that crimeware is an industry worth billions. As soon as a new attack vector emerges that is easy to exploit and can affect users at scale, the popularity of exploit kits will rise again — and so will competition and innovation,” the report states.

Thus, organizations must diligently and swiftly patch vulnerabilities and practice “defense in depth” so that they’re not caught off guard by an exploit kit resurgence.

Data from Qualys shows marked improvement in organizations’ speed at patching Flash vulnerabilities, a longtime favorite attack vector for hackers.

The time needed to patch 80% of known Flash vulnerabilities in an organization dropped on average from 308 days in 2014 to 62 days in 2016, according to data from the 3+ billion vulnerability scans Qualys conducts annually.

  • Ransomware Gets the Headlines, but Pay Attention to Business Email Attacks

Venture a guess as to what’s the most effective way to extract large sums of money from a business. Ransomware, you say? Try again. The correct answer: Business email compromise, or BEC, a scam based on social engineering.

In the typical BEC scenario, fraudsters impersonate a high-ranking official at an organization by spoofing the executive’s email address, and, with a legit-looking message, instruct someone in the finance department to urgently wire money to a supposed partner or vendor. The money, of course, lands in an account managed by the cyber criminals.

Facebook and Google are among the companies that have been victimized by BEC scammers, despite having sophisticated fraud-detection methods and tools. According to figures from the Internet Crime Complaint Center (IC3), BEC netted fraudsters a total of $5.3 billion between October 2013 and December 2016. Almost 22,300 organizations in the U.S. fell prey to BEC during that time period.

Effective protection against BEC lies not so much with InfoSec tools but rather with improved business processes, such as better user education. “For example, training employees to identify out-of-the-ordinary requests for financial transfers, such as an out-of-country transfer at a business that operates domestically. Organizations can also require employees to verify wire transfers with another employee — perhaps by phone — to bypass a spoofed email,” the Cisco report reads.

Vulnerabilities

  • You’re Embracing the Cloud, and So Are the Hackers

The rapid, enthusiastic adoption of cloud computing by organizations of all sizes and in all verticals hasn’t gone unnoticed by cyber criminals.

They know that millions of businesses globally have moved critical applications and computing resources to public cloud platforms, and that those cloud workloads also offer convenient conduits and shortcuts to on-premises systems.

Unsurprisingly, hackers are now aggressively and continuously attempting to breach public cloud infrastructures. Between December 2016 and mid-February 2017, Cisco analyzed thousands of customers’ corporate cloud environments and found evidence of suspicious log-in attempts in more than 17% of the organizations.

Compounding the issue is the explosion in connected cloud apps in recent years, driven by employee installations: The average enterprise today has 1,050 unique apps in its environment.

“These apps touch the corporate infrastructure and can communicate freely with the corporate cloud and software-as-a-service (SaaS) platforms as soon as users grant access through open authorization (OAuth),” Cisco warns in the report.

A recent, high-profile attempt to compromise OAuth happened in early May, when Gmail users were targeted by a phishing campaign.

Cisco recommends that organizations pay much more attention to the number of cloud users they give admin rights to, which the company found is much higher than in on-premises environments.

The problem is that the more users with admin rights, the higher the risk that hackers will compromise one of these “keys to the kingdom” accounts, which give the bad guys broad access and power.

Specifically, Cisco found that a whopping 6% of cloud users have privileged accounts, even though most admin tasks (88%) in most organizations are carried out by only two admin users, on average.

“We also determined that organizations could remove ‘super admin’ privileges from 75% of their admin accounts with little or no business impact,” reads the report.

Overall, organizations must understand that just because they’ve moved a workload to a public cloud environment, they can’t forget about core security and compliance tasks.

Public cloud service providers operate on a “shared security responsibility” model. This means that the cloud provider takes care of the security of the cloud while you define your controls in the cloud to protect your data and infrastructure, by doing vulnerability management, policy compliance, malware detection, web app scanning and other critical security and compliance tasks.

  • Don’t Fly Blind

Many IT departments have lost visibility into their IT environments, for various reasons. For example, the adoption of new technologies like cloud computing and mobility has made IT environments more hybrid.

Meanwhile, trends such as BYOD (bring your own device), Shadow IT and the consumerization of IT have made it much easier and more common for employees to bypass the IT department and use apps and devices of their choosing, even though those are often unsafe.

This loss of clarity creates major risks, because an InfoSec team can’t protect the IT assets that it doesn’t know are on the network.

“Unmanaged network infrastructure and endpoints can be easily compromised by attackers looking to gain a foothold that will enable them to move laterally within an organization and breach specific targets,” the Cisco report reads.

To regain this visibility, organizations need:

* access to real-time, context-driven security intelligence 

* solutions that enable real-time monitoring and leak path detection

* effective segmentation policies

* a full, continuously updated and detailed inventory of IT assets on premises, in clouds and on endpoints

“Such inventories should be conducted regularly and automatically, because enterprise network, endpoint, and cloud infrastructure changes constantly and cannot be monitored effectively by security personnel alone,” reads the report.

Security Challenges and Opportunities for Defenders

  • IoT Security Risks

The Internet of Things (IoT) offers significant benefits for businesses and their customers by giving myriad types of consumer and industrial products that were previously offline the capability to get on a network, be managed and, via sensors, collect and transmit data.

However, it’s clear that security is IoT’s Achilles’ heel, for reasons such as:

* InfoSec teams’ inability to detect, scan and monitor IoT devices due to their proprietary technology

* lack of built-in IT security features on IoT systems

* unknown and unpatched vulnerabilities on IoT products

* difficulty gaining physical access to IoT devices

* confusion over which team is responsible for IoT protection: InfoSec or Physical Security

“Defenders need to start focusing on potential IoT weaknesses because adversaries want to target them to launch ransomware campaigns, steal sensitive information, and move laterally across networks. IoT devices are the type of vulnerable ‘low-hanging fruit’ that threat actors are quick to exploit,” reads the Cisco report.

To avoid breaches caused by IoT security exploits, Cisco recommends organizations adopt a “proactive and dynamic approach” that includes:

* surrounding IoT devices with intrusion-prevention system defenses

* closely monitoring network traffic

* tracking IoT device behavior to flag suspicious activity

* implementing patches promptly

* working with IoT vendors that have a product security baseline and issue security advisories

Conclusion: Good Guys Make Progress, But Hackers Push the Envelope

InfoSec teams have made significant strides, but the challenges ahead are daunting, in particular the risks associated with IoT vulnerabilities and the possibility of DeOS attacks aimed not just at breaching systems but at wiping out organizations’ IT and operational infrastructures.

“That is why it has never been more important for organizations to make cybersecurity a top priority,” the Cisco report states.

This means investing in tools that automate core InfoSec tasks, like asset inventory, vulnerability management, remediation prioritization, endpoint indicators of compromise, configuration assessment, web app scanning, policy compliance and file integrity monitoring.

It’s also key for CISOs and other InfoSec leaders to “claim a seat at the table” along with their organization’s top business executives and board members, in order to improve communication and develop a partnership relationship.

CISOs must realize that “senior management and boards of directors not only view cybersecurity as a high priority for the business, but also are eager to hear more about the issue. In fact, they are likely looking for better and more information,” the report states.

Download the complete report.