freshidea - Fotolia
According to one security vendor, legacy security techniques won't be enough to ward off the coming wave of layered and increasingly complex cybersecurity threats, but not all experts agree.
In its 2015 Threat Report, San Diego-based security vendor Websense Inc. cites research from its Websense Security Labs unit that observed 3.96 billion security threats in 2014, as 5.1% fewer threats than 2013. However, attacks were more likely to use a blend of techniques in order to be more sophisticated, complex, and evasive than attacks of the past.
Websense noted that in order to make attacks more evasive, threat actors increasingly used the onion router (TOR) network to anonymize the source of communications, more human interaction to eliminate automated analysis methods, sandbox evasion techniques, as well as older attack techniques combined with others to create a layered attack.Websense said that one of the old techniques that saw a resurgence in 2014 was the use of embedded macros as the delivery method for malware. Websense recorded 3 million email attachments that contained embedded macros in the last 30 days of 2014. Websense also found that 81% of all email it scanned in 2014 was deemed malicious, up 25% from 2013; 28% of those malicious emails were found before antivirus signatures were made generally available for their respective payloads.
Websense described an example of a layered attack that targeted fewer than 100 accountants. A socially engineered message convinced targets to open a Microsoft Word document and in turn run its embedded macro, which would then download a malicious program that opened a backdoor into the machine. The next day, the attack continued in order to open more holes in security before exfiltrating sensitive data.
Charles Renert, vice president of Websense Security Labs, pointed to network infrastructure vulnerabilities as another attack vector that has seen more activity. A few of the most highly publicized threats of the year were found in network infrastructure, including Heartbleed (OpenSSL), Shellshock (Bash), and POODLE (SSLv3).
Renert said that vulnerabilities like this have caused IT professionals to lose faith in established infrastructure standards.
"Shellshock affected almost 10% of Web servers at that time; that's a massive population of servers," Renert said. "The idea of patching fast enough, and potentially shifting infrastructure, is difficult for enterprise. There will likely be more systemic issues like these that threats will use to propagate."
A key to all of this for threat actors is to be quiet and evasive, noted Renert, and this is made much easier through the malware-as-a-service (MaaS) ecosystem, which includes a marketplace for threat actors to exchange skills, tools, and stolen data. Renert said the price of exploit kits has remained low (around $800 to $1500 per month) because of increased competition.
"We saw three times as many exploit kits in use than previous years, but the number of actual attacks was lower," said Renert, referring to the report data showing that exploit kit usage dropped 98% year-over-year. "Exploit kits aren't high volume, but more targeted. The quieter you are, the harder it is to identify the attacks. It's not the volume game at play here, but the quality of the path."
Robert Graham, CEO of Atlanta-based Errata Security, wasn't convinced that the trends Websense cites in its report are really new.
"If you look at last year's Threat Report from Websense, it cited the same trends of 'advanced attacks' and 'targeted attacks' being the norm," Graham said. "Attacks have always used multiple attack vectors."
Websense said that attacks were also more likely to be modified by attackers, leading to threats that iterated at an average rate of 3.2 updates per second. However, Renert noted that more than 99% of malware communicates with a previously used command-and-control (C&C) server URL, suggesting that it isn't so easy for attackers to rewrite C&C infrastructure of an attack.
"If you get a PDF, there will be a script that will call a URL for malicious code. You may see 10,000 documents with that code," Renert said. "They all point to different URLs, but when you follow those URLs, the ultimate destination is often the same server."
Graham noted that this is a practice that has been observed for years, but unfortunately, having the knowledge doesn't do much to lead to a solution.
"That's one of the big things that attackers do -- using thousands of randomly generated domains that point to an IP, which will be blocked, then change the IP continuously," Graham said. "There are services that will tell you the domain and IP addresses to block. It's not a bad thing to do, but it's not going to do a lot to improve security."
Graham believes that although attacks are getting somewhat more complex, enterprises would do better by focusing on basic best security practices than trying to find more advanced technologies to handle the threats.
"This idea that there is a magic pill to stop new threats is false," Graham said. "The problem with all of these attacks is that enterprise hasn't been doing basic security, like keeping sufficient logs to trace back and see what happened, or making sure various business processes don't open up holes in firewalls. These are all things that people know but find ways to ignore, and stop doing them."
New defenses needed due to shortage of security pros
In the report, Websense indicated that enterprises need to be more aggressive in adopting new security technologies, because what it called, "traditional protection technologies" aren't able to keep up with the evolving threat landscape, especially because of a shortage in skilled IT professionals.
Websense cited data from Boston-based Burning Glass Technologies, which found that cybersecurity job postings grew 74% from 2007-2013, and that U.S. employers posted 50,000 jobs requesting CISSP skills, while recruiting from a pool of about 98,000 CISSP certification holders worldwide as of March, according to (ISC)2.
Renert said that training and new technologies would have to fill the gap, including contextually-aware tools used to surface actionable information that can guide less-skilled employees, applying real-time security capabilities wherever possible, and sharing threat intelligence in order to mitigate more well-orchestrated attacks.
"When you look at the underlying threat trends, the net effect is that there will always be a few threats that will get through the security controls in place," Renert said. "Antivirus and firewalls can only protect so much, and it is almost inevitable that organizations will have systems that are already infected. The teams need to be stronger, and the tools need to reduce dwell time."
Before taking on advanced attack techniques, be sure you know the basics of cybersecurity threat protection.