The Websense 2015 report looks at how threat actors are gaining capabilities by adopting cutting-edge tools rather than developing technical expertise. Redirect chains, code recycling and a host of other techniques allow these actors to remain anonymous, making attribution time-consuming, difficult and ultimately unreliable. Widespread use of older standards in place of newer, more secure options continues to leave systems vulnerable and exposed. A brittle infrastructure allows threats to expand into the network framework itself, including the code bases of Bash and OpenSSL and the SSLv3 protocol.
The Websense Security Labs 2015 Threat Report details eight key behavioral and technique based trends, along with actionable information and guidance to assist security professionals in planning their network defense strategy. Top findings include:
1) Cybercrime Just Got Easier: In this age of MaaS (Malware-as-a-Service), even entry-level threat actors can successfully create and launch data-theft attacks, thanks to greater access to exploit kits for rent, MaaS offerings and other opportunities to buy or subcontract portions of a complex multi-stage attack. In addition to easier access to cutting-edge tools, malware authors are blending new techniques with old ones, resulting in highly evasive attacks. Even where the source code and exploit are unique and advanced, much of the other infrastructure used in an attack is recycled and reused by the criminal element.
2) Something New or Déjà Vu?: Threat actors are blending old tactics, such as macros in unwanted email, with new evasion techniques. Old threats are being “recycled” into new threats launched through email and web channels, challenging even the most robust defensive postures. Email, the leading attack vector a decade ago, remains a very potent vehicle for threat delivery despite the now dominant role of the web in cyberattacks.
3) Digital Darwinism: Attackers have restructured their attack methodology to reduce their threat profile by following the traditional Kill Chain less linearly. Such attacks are harder to detect because stages are skipped, repeated or only partially applied. Activity at any one stage of the Kill Chain varied widely: spam probe activity concentrated on the first stages, while other stages saw differing levels of activity, some more and some much less than the year before.
4) Avoid the Attribution Trap: Attribution is particularly difficult given the ease with which attackers can spoof information, circumvent logging and tracking, or otherwise remain anonymous. Analysis of the same circumstantial evidence often leads to widely different conclusions; the valuable time following an attack is better spent on remediation efforts.
5) Elevating the IQ of IT: With an anticipated global shortfall of 2 million skilled security practitioners by 2017, new approaches to using resources and adopting technology are needed. Otherwise, organizations will inevitably be out-maneuvered by their adversaries.
6) Insight on the insider: Insider threats will continue to be among the risk factors for data theft, from both accidental and malicious actions by employees.
7) Brittle infrastructure: In 2014 the threat landscape expanded into the network infrastructure itself, as hidden vulnerabilities were revealed deep within the code bases of Bash and OpenSSL, the SSLv3 protocol, and other components that have been in popular use for decades.
8) IoT – The threat multiplier: The Internet of Things (IoT) will magnify exploitation opportunities as it grows to an estimated 20-50 billion connected devices by 2020. IoT offers previously unimaginable connectivity and applications, yet ease of deployment and the desire to innovate often override security concerns.
The Websense Security Labs 2015 Threat Report data was collected and evaluated using our ThreatSeeker® Intelligence Cloud, receiving up to five billion inputs daily from around the world. Expert interpretation was provided by Websense Security Labs based on interviews and investigations performed by researchers and engineers in Europe, the Middle East, Asia and North America examining attack activity and impact across the full Kill Chain.