Midyear Cybersecurity Report predicts new ‘Destruction of Service’ attacks

The Cisco 2017 Midyear Cybersecurity Report (MCR) has revealed the rapid evolution of threats and the increasing magnitude of attacks, and forecasts potential “destruction of service” (DeOS) attacks.

These DeOS attacks could eliminate organisations’ backups and safety nets, required to restore systems and data after an attack. Also, with the advent of the Internet of Things (IoT), key industries are bringing more operations online, increasing attack surfaces and the potential scale and impact of these threats.

 

Rapid spread

Recent cyber incidents such as WannaCry and Nyetya show the rapid spread and wide impact of attacks that look like traditional ransomware, but are much more destructive. These events foreshadow what Cisco is calling destruction of service attacks, which can be far more damaging, leaving businesses with no way to recover.

The Internet of Things continues to offer new opportunities for cybercriminals, and its security weaknesses, ripe for exploitation, will play a central role in enabling these campaigns with escalating impact. Recent IoT botnet activity already suggests that some attackers may be laying the foundation for a wide-reaching, high-impact cyber-threat event that could potentially disrupt the Internet itself.

Measuring effectiveness of security practices in the face of these attacks is critical. Cisco tracks progress in reducing “time to detection” (TTD), the window of time between a compromise and the detection of a threat. Faster time to detection is critical to constrain attackers’ operational space and minimise damage from intrusions. Since November 2015, Cisco decreased its median time-to-detection (TTD) from just over 39 hours to about 3.5 hours for the period from November 2016 to May 2017. This figure is based on opt-in telemetry gathered from Cisco security products deployed worldwide.

 

Threat landscape: What’s hot and what’s not

Cisco security researchers watched the evolution of malware during the first half of 2017 and identified shifts in how adversaries are tailoring their delivery, obfuscation and evasion techniques. Specifically, Cisco saw they increasingly require victims to activate threats by clicking on links or opening files. They are developing fileless malware that lives in memory and is harder to detect or investigate as it is wiped out when a device restarts. Finally adversaries are relying on anonymised and decentralised infrastructure, such as a Tor proxy service, to obscure command and control activities.

While Cisco has seen a striking decline in exploit kits, other traditional attacks are seeing a resurgence:

  • Spam volumes are significantly increasing, as adversaries turn to other tried-and-true methods, like email, to distribute malware and generate revenue. Cisco threat researchers anticipate that the volume of spam with malicious attachments will continue to rise while the exploit kit landscape remains in flux.
  • Spyware and adware, often dismissed by security professionals as more nuisance than harm, are forms of malware that persist and bring risks to the enterprise. Cisco research sampled 300 companies over a four-month period and found that three prevalent spyware families infected 20 percent of the sample. In a corporate environment, spyware can steal user and company information, weaken the security posture of devices and increase malware infections.
  • Evolutions in ransomware, such as the growth of Ransomware-as-a-Service, make it easier for criminals, regardless of skill set, to carry out these attacks. Ransomware has been grabbing headlines and reportedly brought in more than $1 billion in 2016, but this may be misdirecting some organisations, who face an even greater, underreported threat. Business email compromise (BEC), a social engineering attack in which an email is designed to trick organisations into transferring money to attackers, is becoming highly lucrative. Between October 2013 and December 2016, $5.3 billion was stolen via BEC, according to the Internet Crime Complaint Center.

Unique industries face common challenges

As criminals continue to increase the sophistication and intensity of attacks, businesses across industries are challenged to keep up with even foundational cybersecurity requirements. As Information Technology and Operational Technology converge in the Internet of Things, organisations struggle with visibility and complexity. As part of its Security Capabilities Benchmark Study, Cisco surveyed close to 3,000 security leaders across 13 countries and found that across industries, security teams are increasingly overwhelmed by the volume of attacks. This leads many to become more reactive in their protection efforts.

  • No more than two-thirds of organisations are investigating security alerts. In certain industries (such as healthcare and transportation), this number is closer to 50 percent.
  • Even in the most responsive industries (such as finance and healthcare), businesses are mitigating less than 50 percent of attacks they know are legitimate.
  • Breaches are a wake-up call. Across most industries, breaches drove at least modest security improvements in at least 90 percent of organisations. Some industries (such as transportation) are less responsive, falling just above 80 percent.
  • In the Public Sector – Of threats investigated, 32 percent are identified as legitimate threats, but only 47 percent of those legitimate threats are eventually remediated.

 

Cisco’s advice

To combat today’s increasingly sophisticated attackers, organisations must take a proactive stance in their protection efforts. Cisco Security advises:

  • Keeping infrastructure and applications up to date, so that attackers can’t exploit publicly known weaknesses.
  • Battle complexity through an integrated defense. Limit siloed investments.
  • Engage executive leadership early to ensure complete understanding of risks, rewards and budgetary constraints.
  • Establish clear metrics. Use them to validate and improve security practices.
  • Examine employee security training with role-based training versus one-size-fits-all.
  • Balance defense with an active response. Don’t “set and forget” security controls or processes.

For the 2017 MCR, a diverse group of 10 security technology partners were invited to share data from which to jointly draw threat landscape conclusions. Partners that contributed to the report include Anomali, Flashpoint, Lumeta, Qualys, Radware, Rapid7, RSA, SAINT Corporation, ThreatConnect and TrapX. Cisco’s security technology partner ecosystem is a key component of the company’s vision to bring security that is simple, open and automated to customers.

Related reading