Websense released the Websense Security Labs 2015 Threat Report, analyzing evolving attack trends, tactics and defense vulnerabilities.

The report looks at how threat actors are gaining capabilities through the adoption of cutting-edge tools instead of technical expertise. Redirect chains, code recycling and a host of other techniques are allowing these actors to remain anonymous, making attribution time consuming, difficult and ultimately unreliable. Widespread use of older standards in lieu of newer and more secure options continues to leave systems vulnerable and exposed. A brittle infrastructure allows threats to expand into the network framework itself, including the code base of Bash, OpenSSL, and SSLv3.
"Cyber threats in 2014 combined new techniques with the old, resulting in highly evasive attacks that posed a significant risk for data theft," said Charles Renert, vice president of security research for Websense. "In a time when Malware-as-a-Service means more threat actors than ever have the tools and techniques at hand to breach a company's defenses, real-time detection across the Kill Chain is a necessity."
The Websense Security Labs 2015 Threat Report details eight key behavioral and technique-based trends, along with actionable information and guidance to assist security professionals in planning their network defense strategy. Top findings include:
1) Cybercrime Just Got Easier: In this age of MaaS (Malware-as-a-Service), even entry-level threat actors can successfully create and launch data theft attacks due to greater access to exploit kits for rent, MaaS, and other opportunities to buy or subcontract portions of a complex multi-stage attack. In addition to easier access to cutting-edge tools, malware authors are also blending new techniques with the old, resulting in highly evasive techniques. Even while the source code and exploit may be unique and advanced, much of the other infrastructure used in attacks is recycled and reused by the criminal element. For example:
· In 2014, 99.3 percent of malicious files used a Command & Control URL that had previously been used by one or more other malware samples. In addition, 98.2 percent of malware authors used C&Cs found in five other types of malware.
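The infrastructure-reuse figures above are the kind of statistic a defender can compute over their own sample telemetry, and they are the reason C&C blocklists catch samples whose binaries have never been seen. The Python below is an added example, not code from the report or from Websense. It runs over a small constructed data set (placeholder hashes, hostnames under the reserved .example TLD, made-up family names) and computes the share of samples whose C&C URL had already been seen, the C&C endpoints shared by several families, and how many later samples a blocklist built from earlier sightings would have caught.

```python
from collections import defaultdict

# Constructed sample telemetry: (sample_sha256, family, c2_url), in order of
# first sighting. Hashes are placeholders and hostnames are RFC 2606 reserved
# names; none of these are real indicators.
OBSERVATIONS = [
    ("sha256-0001", "dropper-A", "http://c2-one.example/gate.php"),
    ("sha256-0002", "dropper-A", "http://c2-one.example/gate.php"),
    ("sha256-0003", "banker-B", "http://c2-two.example/panel"),
    ("sha256-0004", "banker-B", "http://c2-one.example/gate.php"),
    ("sha256-0005", "rat-C", "http://c2-three.example/cmd"),
    ("sha256-0006", "rat-C", "http://c2-two.example/panel"),
    ("sha256-0007", "loader-D", "http://c2-one.example/gate.php"),
    ("sha256-0008", "loader-D", "http://c2-two.example/panel"),
]


def c2_reuse_rate(observations):
    """Fraction of samples whose C&C URL was already used by an earlier sample."""
    seen = set()
    reused = 0
    for _sample, _family, c2 in observations:
        if c2 in seen:
            reused += 1
        seen.add(c2)
    return reused / len(observations) if observations else 0.0


def shared_c2(observations, min_families=2):
    """C&C URLs used by at least `min_families` distinct malware families,
    mapped to the sorted list of those families."""
    families_by_c2 = defaultdict(set)
    for _sample, family, c2 in observations:
        families_by_c2[c2].add(family)
    return {c2: sorted(fams) for c2, fams in families_by_c2.items()
            if len(fams) >= min_families}


def blocklist_coverage(observations, cutoff):
    """Simulate a C&C blocklist built from the first `cutoff` sightings and
    count how many of the remaining samples it would have caught, returning
    (caught, total_later)."""
    known = {c2 for _s, _f, c2 in observations[:cutoff]}
    later = observations[cutoff:]
    caught = sum(1 for _s, _f, c2 in later if c2 in known)
    return caught, len(later)


if __name__ == "__main__":
    print(f"C&C reuse rate: {c2_reuse_rate(OBSERVATIONS):.1%}")
    for c2, fams in shared_c2(OBSERVATIONS).items():
        print(f"{c2} shared by {', '.join(fams)}")
    caught, total = blocklist_coverage(OBSERVATIONS, cutoff=4)
    print(f"blocklist from first 4 sightings catches {caught}/{total} later samples")
```

The `blocklist_coverage` split is the useful check in practice: it answers whether indicators shared from earlier incidents would have blocked the samples that arrived afterwards, which is exactly the argument the 99.3 percent figure makes.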
2) Something New or Déjà Vu?: Threat actors are blending old tactics, such as macros in unwanted emails, with new evasion techniques. Old threats are being "recycled" into new threats launched through email and web channels, challenging the most robust defensive postures. Email, the leading attack vector a decade ago, remains a very potent vehicle for threat delivery, despite the now dominant role of the web in cyberattacks. For example:
· In 2014, 81 percent of all email scanned by Websense was identified as malicious. This number is up 25 percent against the previous year. Websense also detected 28 percent of malicious email messages before an anti-virus signature became available.
· Websense Security Labs identified more than 3 million macro-embedded email attachments in just the last 30 days of 2014.
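One defensive check that follows directly from the macro figure above is to flag mail attachments that carry a VBA project before they reach a user. The Python below is an added example, not code from Websense or the report. It builds a few constructed attachments in memory (minimal Office Open XML zip containers plus a plain text file) and inspects the container contents rather than the file extension, because a macro-enabled document can simply be renamed to .docx. Legacy binary .doc and .xls files are OLE2 containers, not zips, and need a separate parser (for example the olefile library), which this example deliberately leaves out.

```python
import io
import zipfile

# In Office Open XML, a part with this name (under word/, xl/ or ppt/)
# holds the document's VBA project; its presence means "macro-enabled".
VBA_PART = "vbaproject.bin"


def build_ooxml(parts):
    """Build a minimal OOXML-style zip in memory. Constructed test data only:
    these are not real Office files, just enough structure to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed attachments: filename -> raw bytes as they would sit in a mail queue.
SAMPLE_ATTACHMENTS = {
    "quarterly.docx": build_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    }),
    "invoice.docm": build_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder-vba-stream",
    }),
    # macro-enabled workbook renamed to look like a plain Word document
    "renamed.docx": build_ooxml({
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder-vba-stream",
    }),
    "notes.txt": b"plain text, not a zip container",
}


def has_vba_project(blob):
    """True if `blob` is a zip (OOXML) container holding a VBA project part.
    Matching is case-insensitive and ignores the directory prefix."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(name.lower().endswith(VBA_PART) for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip container at all: legacy OLE2, PDF, text, or corrupt data.
        # Those need their own checks; this function only answers for OOXML.
        return False


def triage_attachments(attachments):
    """Map each attachment name to whether it carries a VBA project."""
    return {name: has_vba_project(blob) for name, blob in attachments.items()}


if __name__ == "__main__":
    for name, flagged in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'MACRO-ENABLED' if flagged else 'no VBA project'}")
```

Because the check reads the container rather than trusting the name, `renamed.docx` is flagged while `quarterly.docx` is not; a gateway policy that quarantines or strips flagged attachments would then act on the content, not on what the sender chose to call the file.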
3) Digital Darwinism - Surviving Evolving Threats: Threat actors have focused on the quality of their attacks rather than quantity. Websense Security Labs observed 3.96 billion security threats in 2014, which was 5.1 percent less than 2013. Yet the numerous breaches of high-profile organizations with huge security investments attest to the effectiveness of last year's threats.

Attackers have restructured their methodology to reduce their threat profile by following the traditional Kill Chain less linearly: stages are skipped, repeated or only partially applied, which makes the attacks harder to detect. Activity at any one stage of the Kill Chain varied widely. Just as spam probe activity focuses on the first stages of the Kill Chain, other stages saw varying levels of activity: some saw more activity, others much less than the year before.

For example, suspicious emails were up 25 percent year-over-year, dropper files fell by 77 percent, call-home activity rose 93 percent and exploit kit usage dropped 98 percent, while malicious redirect activity remained flat.
4) Avoid the Attribution Trap: Attribution is particularly difficult, given the ease with which hackers can spoof information, circumvent logging and tracking, or otherwise remain anonymous. Analysis of the same circumstantial evidence can often lead to widely different conclusions, so the valuable time following an attack is better spent on remediation efforts.
Other topics addressed in the report:
5) Elevating the IQ of IT: With an anticipated global shortfall of 2 million skilled security practitioners by 2017, new approaches for utilizing resources and adopting technology are needed. Otherwise, it is inevitable that organizations will be out-maneuvered by their adversaries.
6) Insight on the insider: Insider threats will continue to be among the risk factors for data theft, from both accidental and malicious actions by employees.
7) Brittle infrastructure: 2014 saw the threat landscape expand into the network infrastructure itself, as hidden vulnerabilities were revealed deep within the code base of Bash, OpenSSL, SSLv3 and others that have been in popular use for decades.
8) IoT – The threat multiplier: The Internet of Things (IoT) will magnify exploitation opportunities as it grows to an estimated range of 20-50 billion connected devices by 2020. IoT offers previously unimaginable connectivity and applications, yet ease of deployment and the desire to innovate often override security concerns.