The Cisco Midyear Cybersecurity Report (MCR) has been released and the findings are certainly eye-opening.
The team at Cisco uncovered a rapid evolution of threats and an increasing magnitude of attacks, and forecasts potential ‘destruction of service’ (DeOS) attacks: a method that could eliminate the backups and safety nets organisations rely on to restore systems and data after an attack, leaving businesses with no way to recover.
What’s more, with the rapid advent of the Internet of Things (IoT), key industries are bringing more operations online and consequently increasing attack surfaces and the potential scale and impact of these threats.
Cisco asserts the IoT is ‘ripe’ for exploitation given its security weaknesses, which means it will play a central role in enabling these campaigns with escalating impact.
According to Cisco, current IoT botnet activity already suggests that some attackers may be laying the foundation for a wide-reaching, high-impact cyber-threat event that could potentially disrupt the Internet itself.
“As recent incidents like WannaCry and Nyetya illustrate, our adversaries are becoming more and more creative in how they architect their attacks,” says Steve Martino, vice president and chief information security officer at Cisco.
“While the majority of organisations took steps to improve security following a breach, businesses across industries are in a constant race against the attackers. Security effectiveness starts with closing the obvious gaps and making security a business priority.”
Cisco says ‘time to detection’ (TTD) is crucial in the face of these attacks as a faster TTD can constrain attackers’ operational space and minimise damage from intrusions.
For instance, over the period from November 2016 to May 2017 Cisco decreased its median TTD from just over 39 hours to about 3.5 hours.
“Complexity continues to hinder many organisations’ security efforts. It’s obvious that the years of investing in point products that can’t integrate is creating huge opportunities for attackers who can easily identify overlooked vulnerabilities or gaps in security efforts,” says Scott Manson, cyber security leader for Middle East and Turkey at Cisco.
“To effectively reduce TTD and limit the impact of an attack, the industry must move to a more integrated, architectural approach that increases visibility and manageability, empowering security teams to close gaps.”
The researchers at Cisco watched the evolution of malware during the first half of 2017 and identified shifts in how adversaries are tailoring their delivery, obfuscation and evasion techniques:
- They’re increasingly requiring victims to activate threats themselves, by clicking on links or opening files
- They are developing fileless malware that lives in memory and is harder to detect or investigate, as it is wiped out when a device restarts
- Finally, they’re relying on anonymised and decentralised infrastructure, such as a Tor proxy service, to obscure command and control activity
Cisco noted a striking decline in exploit kits; however, other traditional attacks are seeing a resurgence:
- The volume of spam with malicious attachments is increasing, which Cisco expects will continue for some time while the exploit kit landscape remains in flux
- Spyware and adware are also on the rise again – of 300 sample companies, Cisco found 20 percent were infected with three prevalent spyware families
- Evolutions in ransomware, such as the growth of Ransomware-as-a-Service, make it easier for criminals, regardless of skill set, to carry out these attacks
There were also some interesting findings when narrowing the threats down to industry.
In the public sector, 32 percent of investigated threats are identified as legitimate threats, but only 47 percent of those are eventually remediated.
In retail, 32 percent said they’d lost revenue due to attacks in the past year, with about a quarter losing customers or business opportunities.
40 percent of manufacturing security professionals said they don’t have a formal security strategy and don’t follow standardised information security policy practices.
Meanwhile, 42 percent of security professionals in utilities and 37 percent in healthcare said targeted attacks are high security risks to their organisations.
In short, Cisco advises organisations to be proactive rather than reactive, taking steps like:
- Keep infrastructure and applications up to date so that attackers can’t exploit publicly known weaknesses
- Battle complexity through an integrated defence and limit siloed investments
- Engage executive leadership early to ensure complete understanding of risks, rewards and budgetary constraints
- Establish clear metrics and use them to validate and improve security practices
- Examine employee security training with role-based training versus one-size-fits-all