Advanced persistent threats in the form of tricking users into visiting malicious websites, as well as phishing emails and hacking intrusions, escalated during the first half of 2013, according to a report by FortiGuard
If enterprises don't deploy security patches within a week or two of availability, it's almost asking for someone to take advantage -- and unless you're extremely lucky, they will.
security strategist, FortiGuard Labs
Based on data collected from 121,353 FortiGate devices located around the globe reporting incidents between Dec. 1, 2012 to June 1, 2013, FortiGuard Labs' statistical data indicated that 3.14 billion users were tricked into visiting malicious websites; 142 million unsuccessful hacking attempts were launched; and 4.45 million phishing emails were effectively blocked.
In their report, advanced persistent threats (APTs) were defined as "people being specifically targeted by a group -- whether it's an attack by a state-sponsored group or a hacktivist-motivated group -- trying to steal information from your network," explained Richard Henderson, security strategist for FortiGuard Labs at Fortinet.
During the past six months, "We've seen billions of attempts to get people to visit malicious sites that deliver riskware, adware or targeted malware … you name it," he said. "These types of attacks are definitely getting worse."
Nation states are behind most advanced persistent threats
Not surprisingly, the report primarily calls out nation states such as China, Israel, Russia and the United States as the biggest instigators of advanced persistent threats.
Launching APT attacks typically requires a high level of funding, skills and infrastructure, but some cybercriminal groups are also likely involved.
Critical infrastructure devices are parked on the public Internet
One of the most disturbing findings highlighted in the report is that billions of critical infrastructure devices are connected to the public Internet.
"Industrial control system devices, for example, should always be behind a router or gateway that sets up a secure VPN to allow access to those devices solely through an internal network," Henderson said.
The days of "hiding behind obscurity and hoping no one will find these industrial control system devices are over, since technology is evolving at such a rapid pace. Tools exist now specifically to find these devices. Attacks could have and should have happened by now -- but haven't. I hope companies start parking their infrastructure behind routers and gateways, where it requires more skill to get at them," he said.
Enterprises aren't educating users about signs of APT attacks
On the somewhat surprising side: Enterprises are doing an even worse job than expected in terms of educating users about the types of things they should be suspicious of online and the typical signs of spear-phishing attacks.
"Everyone should treat every single email that comes into their inbox with a degree of skepticism, especially ones with attachments or links to external sites," Henderson said. "If you're not expecting an email from a colleague at work and one arrives with an attachment that could contain malware, such as Excel spreadsheets, Word docs and with PDF files in particular, use caution. Years ago, PDF files were seen as safe, but now PDFs can be exploited with a relatively simple skillset."
Enterprises aren't deploying security patches with any sense of urgency
More on advanced persistent threats
How to combat advanced persistent threats: Strategies to protect your organization
Incident response security plans for advanced persistent threats
Advanced persistent threat detection, prevention are hard, but possible
Another surprise, given how quickly cybercriminals will exploit it, is how many enterprises still don't deploy security patches to their boxes with any sort of urgency.
"I found boxes all over the public Internet, woefully out of date and ripe for exploit, just sitting there not hidden behind any sort of firewall or gateway. With all of the point-and-click tools available to hackers now, it's not at all difficult to find and detect whether a box is vulnerable to certain exploits," he cautioned. "If enterprises don't deploy security patches within a week or two of availability, it's almost asking for someone to take advantage -- and unless you're extremely lucky, they will."
Henderson believes corporate enterprises in general will likely continue to be victimized because companies tend not to make security changes until some pain point has been reached.
"We're starting to see companies spend more on security, and it's a trend we hope continues," he said. "Cybercriminals are making millions upon millions of dollars each year with malware. The risk vs. reward … it's no surprise they're evolving in a way to monetize exploits as quickly as possible to keep the money rolling in."
The bottom line is that APTs aren't going to go away and everyone should increase their awareness of them.