The Past and Future Threat Landscape:

Transcription

1 The Past and Future Threat Landscape: A Review of Cisco s 2017 Annual Cybersecurity Report Prepared By: Btech 221 E. Walnut Street, Ste. 138 Pasadena, CA Author: Lance Bird Last Edit Date: February 28, 2017

2 In early 2017, Cisco released their perennial security publication: the Cisco Annual Cybersecurity Report. Inside, industry experts analyzed months of data from across all economic verticals to provide a holistic and heuristic analysis of the threat landscape and future of the increasingly-digitized world. Researchers expect there to be an over-twofold increase in annual global IP traffic from the current 1 billion terabytes per year by 2020 i ; smartphones will exclusively account for 30% of that traffic ii with other mobile and wireless devices accounting for another 36% of all IP traffic. iii This mass proliferation of devices from which an individual or entity can connect to the Internet will serve to expand exponentially the playing field for malicious actors, and it is incumbent upon responsible executives and IT departments to prepare for this inevitability. iv The report was organized simply into sections on attacker behavior, defender behavior, an analysis of the data collected during the Benchmark Study, and a predictive industry brief; for the sake of simplicity, this report will be organized in similar fashion. In examining attacker behavior, three key areas of focus appear in the report: favored means of attack, vulnerable operating systems and programs, and new tactics being deployed. Social engineering remains as the primary means by which malicious actors first gain access to individual machines and larger networks. In the past year, malicious advertising ( malvertising ) schemes have increased in frequency, with ShadowGate potentially affecting millions of users worldwide. These schemes involve a baited ad that, when clicked on, would redirect the user through a series of intermediate servers to a final endpoint; there, the endpoint would take advantage of insecure browsers to download a PUA or exploit kit to the workstation, all without the knowledge of the user. v Similarly, spam containing malicious links or attachments remains a prominent and growing attack vector; thriving botnets saw the global volume of spam increase to nearly two-thirds of total volume in 2016 with nearly 10% of that being categorized as malicious. vi The links or attachments in malicious, spam deliver malicious scripts and exploit kits similar to those delivered through malvertising schemes. While not frequently noted in a world of increasing technological advancement, good employee training with respect to secure web-browsing and habits can be a powerful first line of defense against malicious actors. Historically popular exploit kits such as Nuclear, Neutrino, and Angler saw a retreat from the black market in 2016, potentially opening the door for new actors like RIG, Sundown, Sweet Orange, and Magnitude to enter in vii These exploit kits take advantage of known vulnerabilities that have yet to be closed with software patches. These vulnerabilities remain as one of the single largest sources of risk with attackers still probing Flash, Java, PDF, and Silverlight despite decreased traffic. viii Large vulnerabilities in the Android operating system persist, making it the most targeted operating system in malware attacks; the profluence of infected mobile devices should prove worrisome to any IT staff monitoring a network with little or no bring you own device control or policy set in place. Furthermore, patching browsers can reduce the ability of malicious actors to operate through web-based exploit kits and infection vectors. ix 2016 saw new tactics emerge in the threat landscape as well. The reduction of the mean time to evolve by nearly all forms of malware points to a defensive landscape forcing frequent updating. x While encouraging in that defenders are flagging threats faster, it is apparent that

3 through the combination of new and different file types and new and effective binaries, attackers are still well-capable of crafting a pervasive threat. The rapid cycling of binaries in the Locky and Cerber families of ransomware is especially concerning as Cisco saw slower progress in reducing the mean time-to-detect the aforementioned threats. xi Furthermore, attacks on middleware, frequently vulnerable and not-frequently-patched pieces of software that join platforms or applications, also increased in 2016, marking an expansion of the attack surface for malicious actors. xii For defenders, 2015 and 2016 were landmark years saw an unprecedented number of patches released and an increased adoption of secure development lifecycle procedures by software developers, both of which resulted in fewer vulnerabilities in xiii However, while client-side vulnerabilities decreased, the number of server-side vulnerabilities increased 34% in 2016 from xiv Regular patching remains a key part of any security protocol, and the patching of server vulnerabilities, if not previously a priority for IT teams, is certainly a priority now. xv With an increasing demand for frequency and regularity in patching and other security fields, automation presents a clear path to simplified network security management and the only means of providing true attention to all possible threats for understaffed and underfunded IT departments. xvi This automation, whether in the form of an automated patching solution, an intrusion detection system, or a form of user access monitoring (approximately 0.02% of user activity is expected to be malicious xvii ), removes human error from IT procedures and facilitates the clean, unencumbered operation of your organization s digital infrastructure. Cisco s Benchmark Study involved the yearlong cooperation and input of thousands of security professionals in building apparent trends across IT departments. The responses bring to light some frightening trends. Notably, a majority of IT professionals are becoming more confident in their tools but not in their ability to effectively use them, xviii are feeling less support from chief-level executives in pursuing enterprise-wide security goals, xix and are placing a decreased emphasis on security operationalization. xx The decreased emphasis on operationalization, perhaps, is most frightening; decreased focus on security protocols and procedures and their integration with the network infrastructure can easily lead to blind spots forming in integrated architectures. Regular, frequent review of network architecture and security protocols should be performed. Also noteworthy are some early statistics from the growing cybercrime pandemic: 71% of network outages caused by security breaches lasted at least one hour with over a third of those attacks lasting longer than eight hours; xxi operations and finance (at 36% and 30%, respectively) were the most commonly targeted departments and systems. xxii In an industry-wide look at IT operations across all economic verticals, Cisco found a number of key foci through 2017 and beyond. First, with the SANS Institute estimating that 80% of data breaches originate from third-parties, now is the time to review the security measures and diligence being taken by your vendors. xxiii Ignorance does not excuse responsibility, and barebones compliance does not always match best practices. Next, with mobile data speeds growing at an accelerating rate and expected to match wired speeds by 2020, the operational space and attack opportunities of malicious actors will increase; xxiv paired with an increasing demand by employees for flexible access to work resources, IT will be faced

4 with significant challenges in maintaining enterprise security standards in the next few years. The rate of growth of the mobile landscape will preclude IT from reacting Planning solutions and budgeting for these inevitable problems now will ease the strain on IT and the organization in the future, and having plans already established, agreed upon, approved, and in place will facilitate a seamless and easy adoption of new policies. xxv 2015 and 2016 marked huge years for the IT security industry, and only one thing is certain: the industry will continue to advance, grow, develop, and expand. The upcoming years will see the demise of classic threats and the growth of novel threats as technology advances, but the mission of all security personnel will remain the same; we will be here to protect the data of our clients or users against malicious actors, and it will be incumbent upon us to advance our organizations security measures in response to the rapidly developing threat landscape. This paper certainly provided a number of interesting potentialities to prepare for and contingencies to consider, and by driving the planning process with focused consideration on involvement from the top of the organization down, standardized policies and protocols, and xxvi appropriate tools, IT can effectively deliver policies focused on preventing, detecting, and xxvii mitigating the effects of malicious actors on your network.

5 Lance Bird is a Network Defense Specialist at Btech Services, LLC. With a specific focus on monitoring automated patching systems, smart antivirus systems, and data encryption and protection, Lance is uniquely prepared to implement a range of effective services aimed at reducing risk at both the endpoint and network-wide level.

6 i 2017 Annual Cybersecurity Report, 10. ii 2017 Annual Cybersecurity Report, 67. iii 2017 Annual Cybersecurity Report, 10 & 67. iv 2017 Annual Cybersecurity Report, 8. v 2017 Annual Cybersecurity Report, 14. vi 2017 Annual Cybersecurity Report, 25. vii 2017 Annual Cybersecurity Report, 21. viii 2017 Annual Cybersecurity Report, 15. ix 2017 Annual Cybersecurity Report, 14. x 2017 Annual Cybersecurity Report, 35 & 40. xi 2017 Annual Cybersecurity Report, 37. xii 2017 Annual Cybersecurity Report, 44. xiii 2017 Annual Cybersecurity Report, 42. xiv 2017 Annual Cybersecurity Report, 44. xv 2017 Annual Cybersecurity Report, 45. xvi 2017 Annual Cybersecurity Report, 52. xvii 2017 Annual Cybersecurity Report, 19. xviii 2017 Annual Cybersecurity Report, 49. xix 2017 Annual Cybersecurity Report, 50. xx 2017 Annual Cybersecurity Report, 53. xxi 2017 Annual Cybersecurity Report, 55. xxii 2017 Annual Cybersecurity Report, 56. xxiii 2017 Annual Cybersecurity Report, 64. xxiv 2017 Annual Cybersecurity Report, 68. xxv 2017 Annual Cybersecurity Report, 67. xxvi 2017 Annual Cybersecurity Report, 71. xxvii 2017 Annual Cybersecurity Report, 72.

7 Citations Cisco Systems, Inc Annual Cybersecurity Report. Rep. Cisco Systems, Inc., Jan Web. 15 Feb <