Last week, Cisco Systems released the 2018 edition of its Annual Cybersecurity Report (ACR) you can find here. The report, compiled from a survey of 3,600 chief security officers (CSOs) and security operations leaders from across the globe, seeks to highlight emerging threats in the rapidly evolving landscape of cybersecurity. With 53% of all attacks resulting in damages of $500,000 or more (according to this year’s report), it’s obviously important to keep a finger on the pulse of cybercrime as it is a constantly moving target. As I noted in last year’s recap, these annual reports are well-regarded in the industry, even by Cisco Systems’ competitors—they always take a measured, industry-focused look at the state of affairs, and are not openly slanted towards driving Cisco Systems sales. Yes, what they are saying maps nicely to their security portfolio, but if it didn’t, you would have to scratch your head and ask “why not”. Here are my takeaways from this year’s report.
Malware cryptoworms on the rise
One of the big findings from the new report was that malware, particularly ransomware, is becoming increasingly more sophisticated and dangerous. Now attackers are building their malware to be self-propagating and “worm-like,” capable of spreading throughout a network to cause unprecedented damage. According to the report, while previous malware required an actual human actor to initiate (via email, drive-by download, or physical media), all it takes now is an active, unpatched workstation. This being said, the report made clear that the traditional methods of delivering malware through email and spam are still alive and kicking, even as more sophisticated methods emerge.
Many new attackers aren’t even focused on the ransom—their goal is the destruction of systems and data. You might remember the WannaCry incident from last May (which I wrote about here), which exploited a Microsoft Windows security vulnerability to “earn” over $143,000—you better believe that was the work of a ransomware cryptoworm. According to the report, the U.S. government believes that WannaCry actually used the ransom component as a smokescreen of sorts, to mask its real objective of wiping data for destruction, not treasure. 2017 also gave us the Nyetya incident, in which the Nyetya wiper malware snuck in through the software update system of a popular tax software package in Ukraine—reportedly affecting over 2,000 businesses in the country. Supply chain attacks such as Nyetya are increasing in velocity and intensity, according to the report. The 2018 ACR warns that WannaCry and Nyetya are just the beginning and that these sophisticated malware attacks have the terrifying potential to take down the Internet. This is not a threat for IT departments to sleep on.
Another key finding from the report is that cybercriminals, too, are embracing encryption. Encryption, of course, is designed to bolster security—the report found that 50 percent of global web traffic was encrypted as of last October, with that number rising. More and more, however, criminals are turning to the same tool to hide command-and-control (C2) activity. Cisco Systems reports that its researchers detected a 3X increase in encrypted network communication used by inspected malware samples over a 12-month span. Furthermore, Cisco Systems says that its analysis of over 400,000 malicious binaries revealed that around 70% had utilized encryption as of October of last year.
Increase in encrypted, malicious binaries
Additionally, the report found that many cybercriminals are utilizing C2 channels that depend on legitimate Internet services (Google, Dropbox, and GitHub, for example). These “backdoor” C2 tactics are very dangerous because they are difficult to identify amidst all the legitimate Internet traffic. This strategy appeals to bad actors for a number of reasons, according to the report:
- the ease of registering new accounts on these services
- the ease of setting up a web page on the public Internet
- the ability to usurp these legitimate services’ SSL certificates (instead of having to build encryption into their own malware)
- increased difficulty in white-listing (can’t just drop access to Google Drive if that’s the corporate standard)
Examples of Legitimate Services abused by malware for C2
Another finding in the report is that cybercriminals are developing new techniques to outmaneuver defenders’ sandboxing environments. One emerging trend cited in the report was the practice of significantly ramping up the volume of malicious attempts once an effective sandbox evasion technique is found, in order to maximize returns.
Thirty-one percent of organizations have experienced cyber attacks on OT Infrastructure.
Furthermore, Cisco Systems found that many companies underestimate how many endpoints are in their IT environments. The report also found that knowledge of critical vulnerabilities is not in itself enough to motivate many organizations to patch the problem—it often takes a major security breach to light the fire under these organizations (businesses actually had access to a patch that would have prevented WannaCry for two months prior to the attacks). This spells major trouble for the future—organizations must change the way they think about security, and start taking preventative measures seriously.
Arm’s Security Manifesto is a great read about the threat of IoT devices and what needs to be done to thwart it.
Cisco Systems recommendations
The report laid out a number of recommendations for minimizing organizational risk to these emerging cybercrime trends, which aren’t too far from ones we had recommended over the past year. These best practices include:
- the implementation of scalable first-line-of-defense tools
- adherence to corporate policies for patching, network segmentation
- deployment of next-generation endpoint process monitoring tools
- increased analytics
- frequent backup of data
- annual review of security systems
- security response procedures (you will be hacked; know what to do when you are)
- exploring the use of AI and machine learning in network security to give organizations better visibility, allowing them to identify and detect unusual patterns in large volumes of encrypted web traffic
None of these recommendations seems onerous enough to make running a business impossible, and the list appears complete. One thing I would advocate more strongly for is hardware-based, biometric, multi-factor authentication. While identity is only one step of the equation, it is a big one. It seems that a fingerprint, iris, or 3D face scan plus location-based rules could help thwart many of these break-ins. Why does someone in Russia on a Saturday need access to the CRM if we have no one based in Russia? Let’s ask that person for a fingerprint.
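To make that suggestion concrete, here is an added example (my own illustration, not code from Cisco’s report or from any vendor) of a step-up authentication policy: a login from a country where the company has no staff, or outside the working week, is challenged for a hardware-backed biometric factor rather than allowed on a password alone. The staff countries, the factor name, and the three sample logins are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumptions (not from the report): where the company actually has staff,
# and which presented factor counts as the hardware-backed biometric.
STAFF_COUNTRIES = {"US", "GB", "DE"}
BIOMETRIC_FACTOR = "fingerprint"

@dataclass(frozen=True)
class Login:
    user: str
    app: str
    country: str        # ISO 3166 code the login geolocated to
    when: datetime
    factors: frozenset  # factors presented, e.g. {"password", "fingerprint"}

def risk_reasons(login):
    """Every reason this login is unusual for the organisation."""
    reasons = []
    if login.country not in STAFF_COUNTRIES:
        reasons.append("no staff based in " + login.country)
    if login.when.weekday() >= 5:  # Monday=0 ... Saturday=5, Sunday=6
        reasons.append("outside the working week")
    return reasons

def decide(login):
    """Return ("allow", reasons) when nothing is unusual or the biometric
    factor was presented, otherwise ("challenge", reasons) to demand it."""
    reasons = risk_reasons(login)
    if not reasons or BIOMETRIC_FACTOR in login.factors:
        return "allow", reasons
    return "challenge", reasons

# Constructed sample events: a normal weekday CRM login, the post's Saturday
# CRM login from Russia with only a password, and a weekend login that did
# present a fingerprint.
SAMPLE_LOGINS = [
    Login("alice", "crm", "US", datetime(2018, 2, 13, 10, 0), frozenset({"password"})),
    Login("bob", "crm", "RU", datetime(2018, 2, 17, 3, 0), frozenset({"password"})),
    Login("carol", "mail", "DE", datetime(2018, 2, 17, 9, 0),
          frozenset({"password", "fingerprint"})),
]

def triage(logins=SAMPLE_LOGINS):
    """Map each user to the decision for their login; prints the reasons."""
    results = {}
    for login in logins:
        decision, reasons = decide(login)
        results[login.user] = decision
        print(f"{login.user:6} {decision:9} {'; '.join(reasons)}")
    return results
```

Running `triage()` challenges only bob’s Saturday login from Russia; carol’s weekend login passes because she presented the biometric factor.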
As our security technology improves, so does that of those who seek to exploit it. As per usual, Cisco Systems’ ACR delivers a great bird’s-eye view of the current cyber threat landscape, with sage advice on how organizations can best minimize their risk and mitigate damage when breaches occur. Organizations would be well-advised to give this report its due attention—it could very well make the difference between staving off or falling victim to the next big security breach. While there are no guarantees that following any of this advice will make you secure, I can guarantee everything will change next year, as security is a constantly moving target.