We recently released our latest “Threat Landscape Report,” which gathers insights into the cybersecurity landscape around the world. The data spans the cybersecurity kill chain, focusing on three central aspects of the landscape (application exploits, malicious software and botnets) against the backdrop of important enterprise technology and industry sector trends. The research reveals that while high-profile attacks dominate the headlines, the majority of threats organizations face are opportunistic in nature. What’s more, the internet of things continues to present security challenges, both within the connected devices themselves and as a change agent in how data, and threats, are shared.
Hyperconvergence and IoT are accelerating the spread of malware
As networks and users increasingly share information and resources, attacks are spreading rapidly across distributed geographic areas and a wide variety of industries.
Studying malware can help provide views into the preparation and intrusion stages of these attacks.
The prevalence of mobile malware remained steady from Q4 2016 to Q1 2017, with about 20% of organizations detecting it. Only one family of Android malware broke into the top of the charts in Q4 2016, but three did in Q1 2017. The percentage of mobile malware jumped from 1.7% of total volume in Q4 to 8.7% in Q1.
In terms of regional prevalence, mobile malware rose in every region except the Middle East. The rate of growth was statistically significant in all cases rather than simply random variation. Compared to some other regional threat comparisons, Android malware appeared to have stronger geographic tendencies.
Exploit attempts against IoT devices themselves, however, dropped in Q1. Detection volume, shown in the chart below, fell by an order of magnitude for the most-targeted device categories. The drop was most notable in the DVR/NVR category, which sprang to life last quarter and neared 100 million daily detections at one point during the Mirai-fueled DDoS attack against Dyn. The universe of vulnerable internet-connected things certainly wasn’t fixed in a single quarter, so we can’t help but interpret this as a brief calm between storms.
Threats by region and industry? Not really
The internet knows no geographic distances or boundaries, according to our research. Modern tools and pervasive “crime as a service” infrastructure enable attackers to operate on a global scale at light speed. As a result, most threat trends appear more global than regional. This was even the case with ransomware. We learned that ransomware affected 10% of firms over the quarter, and a little over 1% of firms report it on any given day. Furthermore, this holds across all industries and regions to some degree. This is a complex threat that won’t go away with simplistic approaches.
To complicate matters more, cluster analysis by vertical industry shows that the attack surface across most industries was the same, with a few exceptions, such as the education and telco sectors. This means that adversaries can exploit similar attack surfaces across verticals more easily, especially with automated tools. Cybercriminals today don’t even have to tweak their attack methods; they can go after several industries at once. Think about the ease of scale and speed this enables; WannaCry is a perfect example. A huge proportion of exploit activity is fully automated via tools that methodically scan wide swaths of the internet, probing for opportunistic openings.
You can see this in more detail in Figures 2 and 3 and how they compare. Many industries fall within the nexus of the “mega-cluster” in each of those charts. More interesting is the fact that they also share many of the same outliers (e.g., education, telco/carrier, MSSP). Could it be that an organization’s infrastructure usage has a stronger relationship to its threat profile than its industry?
The takeaway here is that cybersecurity strategies need to increasingly adopt trustworthy network segmentation and high degrees of automation to prevent and detect adversaries’ efforts to target the newly exposed flanks of businesses and governments. You have to fight automation with automation, especially as attack vectors across industries are looking similar.
In our report, we looked at threats that span from pre-attack reconnaissance (exploits) to weaponization (malware) to post-compromise command and control (botnets). While targeted attacks often grab the headlines, the bulk of threats faced by most organizations are opportunistic in nature. It is a reminder that defenses should be spread along the kill chain, and we recommend reviewing security postures to assess capabilities at each phase. A few other IoT-focused takeaways that stand out:
- Protecting against mobile malware is particularly challenging because mobile devices are not shielded by the internal network, frequently join public networks, and often are not under corporate ownership or control. Mobile security strategies must acknowledge these conditions and still thwart malware through mobile application controls and malware protections integrated into the network.
- Our findings pertaining to Mirai-style botnet attacks serve as a reminder that monitoring what’s going out of your network is just as important as what’s coming in (likely more so). Protecting all hosts and users from all inbound threats is an impossible task, but severing C2 communications at key chokepoints in your network through a combination of smart tools and good intel is much more achievable.
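To make the egress-monitoring point above concrete, here is an added example (it is not code from the report or from the Threat Landscape Report's authors) that scans a constructed set of outbound connection records for the two behaviors a Mirai-style bot exhibits from inside a network: outbound scanning of the telnet ports Mirai probes (TCP 23 and 2323) and steady beaconing to a single external address, the shape of C2 keep-alive traffic. The log line format, the C2 port 48101, the thresholds, and the block-rule syntax are all assumptions made for this illustration; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Egress-monitoring example: flag internal hosts that behave like Mirai-style bots.

Checks two behaviors over outbound connection records (a firewall or NetFlow
export would supply these in practice; the format here is an assumption):
  1. outbound scanning: one internal host connecting to many distinct external
     addresses on TCP 23 / 2323, the ports Mirai probes for new victims;
  2. beaconing: one internal host contacting the same external address:port at
     a near-constant interval, which is what C2 keep-alive traffic looks like.
All thresholds are assumptions chosen for this example, not report figures.
"""
from collections import defaultdict
from statistics import mean, pstdev

SCAN_PORTS = {23, 2323}          # telnet ports Mirai's scanner targets
SCAN_MIN_DISTINCT_DST = 5        # assumed: distinct destinations before flagging
BEACON_MIN_EVENTS = 4            # assumed: connections needed to judge regularity
BEACON_MAX_JITTER = 0.2          # assumed: max (std dev / mean) of inter-connection gaps

# Constructed sample: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>".
# 10.0.0.7 plays an infected DVR (scanning plus beaconing); 10.0.0.12 is a normal client.
SAMPLE_LOG = """\
1493000000 10.0.0.7 203.0.113.10 23 tcp
1493000001 10.0.0.7 203.0.113.11 23 tcp
1493000002 10.0.0.7 203.0.113.12 2323 tcp
1493000003 10.0.0.7 203.0.113.13 23 tcp
1493000004 10.0.0.7 203.0.113.14 23 tcp
1493000005 10.0.0.7 203.0.113.15 23 tcp
1493000000 10.0.0.7 198.51.100.9 48101 tcp
1493000060 10.0.0.7 198.51.100.9 48101 tcp
1493000120 10.0.0.7 198.51.100.9 48101 tcp
1493000181 10.0.0.7 198.51.100.9 48101 tcp
1493000010 10.0.0.12 192.0.2.20 443 tcp
1493000300 10.0.0.12 192.0.2.21 443 tcp
1493000305 10.0.0.12 192.0.2.20 443 tcp
1493000900 10.0.0.12 192.0.2.22 443 tcp
"""


def parse_line(line):
    """Parse one record; return None for blank or malformed lines instead of crashing."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}
    except ValueError:
        return None


def detect_scanners(records):
    """Return {src: distinct_dst_count} for hosts fanning out to many telnet targets."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] in SCAN_PORTS:
            targets[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= SCAN_MIN_DISTINCT_DST}


def detect_beacons(records):
    """Return {(src, dst, dport): mean_interval_seconds} for regularly repeating flows."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = {}
    for key, stamps in flows.items():
        if len(stamps) < BEACON_MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative jitter in the gaps is the signal; bursty human traffic fails this.
        if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_JITTER:
            hits[key] = round(avg, 1)
    return hits


def block_rules(beacons):
    """Turn beacon hits into egress deny rules (generic syntax, an assumption)."""
    return [f"deny tcp from {src} to {dst} port {dport}" for (src, dst, dport) in sorted(beacons)]


def analyze(log_text):
    """Run both detectors over raw log text and propose chokepoint rules."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    beacons = detect_beacons(records)
    return {"scanners": detect_scanners(records), "beacons": beacons, "rules": block_rules(beacons)}


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(k, v)
```

The scanner check catches an infected device while it is recruiting others, which is often visible before any C2 traffic is understood; the beacon check catches the C2 channel itself, which is the flow worth severing at the egress chokepoint. In production the thresholds need tuning against baseline traffic, and the deny rules would be fed to whatever enforcement point actually sits at the perimeter rather than printed.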
For a deeper analysis and other valuable takeaways from all the data we gleaned, download the “Q1 2017 Threat Landscape Report” here.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.