Time to Detect Compromise Improves, While Detection to Containment Worsens: Report

Cost of Malvertising is Minimal; Price of Zero-days is Rising, Researchers Say

Throughout 2016, Trustwave investigated hundreds of data breaches in 21 different countries, and conducted thousands of penetration tests across databases, networks and applications. An analysis of key findings from this activity is presented in the 2017 Trustwave Global Security Report published Tuesday (PDF).

The result is a mixed bag. Overall, security defenses have slightly improved, but attacks continue to evolve. Detection is improving. Trustwave says the median time to detect a compromise has decreased from 80.5 days in 2015 to 49 days in 2016. The difference between self-detected and third-party detections is, however, dramatic: just 16 days for self-detected and 65 days for externally detected.

It should surprise no-one that a company that has invested in security technology able to detect intrusions would detect intrusions faster than a company that relies on external detections. Nevertheless, this demonstrates the effectiveness of those controls in reducing the dwell time and reducing the attackers’ window for exfiltration.

Containment, however, has not improved to any similar degree. The duration from intrusion to containment has dropped from 63 days in 2015 to 62 days in 2016; but the time taken from detection to containment has worsened slightly from 2 days to 2.5 days.

According to Trustwave’s figures, North America geographically, and retail vertically, are the most breached sectors. POS breaches rose sharply — particularly in North America, which has been slow to adopt EMV cards — from 22% of breaches in 2015 to 31% in 2016.

Malvertising remained the number one source of traffic to exploit kit landing pages; and the cost of malvertising is remarkably low. Trustwave ran its own experiment running online ads testing for vulnerable versions of Flash. “Researchers,” notes the report, “estimate an attacker could reach approximately 1,000 computers with exploitable vulnerabilities for about $5 — less than $.01 per vulnerable machine — far less than the $80 to $400 per 1,000 computers attackers pay for access to infected machines, depending on geolocation.”

SecurityWeek asked Lawrence Munro, worldwide VP of SpiderLabs at Trustwave, for his two biggest takeaways from this year’s report. What concerns him most is the continuing instance of common vulnerabilities in the majority of applications. “These are not esoteric vulnerabilities,” he said, “but ones that map closely to the OWASP Top 10.” During 2016, Trustwave’s application scanning services found that 99.7% of applications had at least one vulnerability, while the mean number of vulnerabilities was 11 per application. 

“Trustwave’s on-demand penetration testing service, uncovered almost 30,000 vulnerabilities in web applications in 2016. Analysts classified 79 percent of them as informational or low-risk vulnerabilities, 11 percent as medium-risk, 7 percent as high-risk and 3 percent as critical, the most severe category.”

Among the critical vulnerabilities, 13.8% involved authentication bypass. 5.7% involved Heartbleed leakage, 5.1% involved vertical privilege escalation, 4.8% was unencrypted sensitive data and 4.2% were SQLi vulnerabilities.

It is worth stressing that Trustwave’s vulnerability scanning was undertaken for customers on commercial applications — and the clear implication is that developers are still not building in security during development before release.

Munro’s second takeaway is the cost of vulnerabilities for sale on the underground market. Trustwave’s researchers discovered an alleged zero-day Windows vulnerability being offered for sale at $95,000. Although not following through with an actual purchase, Trustwave researchers on the underground forums believe this was a genuine zero-day being genuinely sold.

“The offer first appeared on a website,” explains the report, “that serves as an underground marketplace for Russian-speaking cybercriminals to buy and sell coding services, access to exploit kits and botnet resources, and other illegitimate products and services. A user going by the name ‘BuggiCorp’ posted a message on May 11 offering to sell a local privilege escalation (LPE) exploit for the Windows kernel for $95,000.”

In part, the sale offer reads (translated): “[the vulnerability] exists in all OS [versions], starting from Windows 2000. [The] exploit is implemented for all OS architectures (x86 and x64), starting from Windows XP, including Windows Server versions, and up to current variants of Windows 10.”

Trustwave concludes that this was a genuine zero-day being offered for sale, partly because the seller insisted on using the forum’s administrator as an escrow party. “The escrow requirement,” notes the report, “suggests the offer was real: If BuggiCorp could not deliver the exploit as promised, it would not get paid.”

What most intrigued Munro, however, was not the sale of zero-days on the dark web; but the price being demanded. “If zero-days can trade at these figures on the dark web,” he asked, “what does that say about the effectiveness of current bug bounty schemes, which rarely pay out anything like this amount?”