BY Richard Summerfield

The cyber security industry evolved significantly in 2018, with aggressive new attackers emerging, according to the FireEye Mandiant ‘M-Trends 2019 Report’.

Encouragingly, however, organisations are getting better at responding to breaches quickly. Over the past eight years, dwell times have decreased significantly – from a median dwell time of 416 days in 2011 to 78 days in 2018.

Thirty-one percent of the breaches investigated by Mandiant last year had dwell times of 30 days or less, up from 28 percent of compromises in 2017. Twelve percent had dwell times greater than 700 days, down from 21 percent in 2017.

The report suggests that the increase in compromises detected in less than 30 days is due to greater use of ransomware and cryptominers over the last 12 months, which are detected faster. FireEye also believes that companies are improving their data visibility through better tooling, which allows for faster response times. In the Americas, the median dwell time fell from 75.5 days in 2017 to 71 days in 2018.

Nation states continue to pose an increasingly dangerous and evolving threat. The report identifies North Korea, Russia, China and Iran, among others, as the most threatening actors which are continually enhancing their capabilities and changing their targets in alignment with their political and economic agendas. The report suggests that significant investments have provided these actors with more sophisticated tactics, tools, and procedures, with some becoming more aggressive, and others better at hiding and staying persistent for longer periods of time.

There are a number of important steps companies must take if they are to resist attacks which are coming in increasingly diverse forms. Attackers are targeting data in the cloud, including cloud providers, telecoms and other service providers; they are re-targeting past victim organisations and are even launching phishing attacks during mergers & acquisitions (M&A) activity.

“By regularly reviewing and updating their incident Response Plans and associated use cases and playbooks, organisations can mitigate the risk of destruction of important evidence, failure to identify major breaches, and extending the duration of breaches,” notes the report. “Organisations should incorporate important concepts such as evidence preservation during remediation activities, context of alerts instead of simple volume metrics, and eradication timing into these documents. This will empower front line analysts to effectively escalate relevant information to decision makers and avoid costly mistakes.”

Report: M-Trends 2019

BY Richard Summerfield

2018 was a challenging year for the cyber security industry as threat actors’ tactics, traits and techniques continued to evolve. As a result, the number of large corporations which fell victim to cyber attack continued to grow last year, according to AppRiver’s ‘2018 Global Security Report’.

AppRiver’s Email Security and Web Protection filters quarantined more than 10 billion global threats including: (i) 8.3 billion messages containing URL-based malware, phishing attacks and text-based attacks; (ii) 300 million emails that included malware in a message attachment; (iii) the majority of malicious attachments with Word files with embedded macros; and (iv) 4.5 billion quarantined messages that originated in the US.

Trojan attacks surpassed the number of ransomware attacks, becoming the most commonly distributed threat type – Trojans were dispersed more than 20 million times. The ‘Trickbot Trojan’ and ‘Emotet’, were particularly prominent threats. Emotet, which functions as a downloader of other banking Trojans, cost state, local, tribal and territorial (SLTT) governments up to $1m per incident to remediate. In order to defeat such attacks, companies must deploy a robust ‘defence-in-depth’ approach, the report notes. Distributed Spam Distraction (DSD) and Business Email Compromise (BEC) attacks also became more prominent in 2018.

“The lines between hacking, cybercrime, and cyberwarfare are increasingly blurred now,” said Troy Gill, AppRiver’s senior cybersecurity analyst. “As a result, protecting small- and mid-sized businesses must be considered an integral part of our larger national cybersecurity posture. To be most effective, our strategy must be comprehensive, addressing vulnerabilities at all levels.”

Looking ahead, the report notes that internal ecosystem attacks will increase and attackers will employ more ‘bleeding-edge’ attack methods. The report notes that more advanced attack techniques will likely trickle down from the nation-state level to threaten more for-profit attacks against the public.

The rapid growth of the number of Internet of Things (IoT) devices will also create challenges, particularly as the lack of security being built into such devices will leave parties exposed.

Report: 2018 Global Security Report

BY Richard Summerfield

While cyber security threats are gaining in exposure and media coverage, many companies remain unprepared for a breach — a fact which is particularly worrying when one considers that cyber attackers are gaining vastly greater scale through new techniques, such as killchain compression and attack automation, according to Alert Logic’s ‘Critical Watch Report: The State of Threat Detection 2018’.

The report, which was completed following the analysis of more than 1 billion security anomalies, 7 million events and over 250,000 verified incidents, found that the traditional killchain has evolved. Today, 88 percent of killchain attacks are gaining efficiency and speed by combining what was formerly identified as the first five phases of such an attack — recon, weaponisation, delivery, exploitation and installation — into a single action. As a result, the new killchain is capable of creating near-instantaneous attacks that bypass many established security practices.

Automation has also emerged as an important and effective tool for cyber criminals who are able to launch random and recursive attacks which force organisations to alter the ways they asses risk. Cryptojacking has also become a major concern for organisations. Eighty-eight percent of recent WebLogic attacks were cryptojacking attempts. Worryingly, as cryptojacking attacks are highly automated and hit small, medium and enterprise-sized organisations indiscriminately and at similar rates, industry and size may no longer be reliable predictors of threat risk.

The report also found that web application attacks remain the most frequent and dominant type, with SQL injection attempts comprising 43 percent of all attacks observed.

“It’s no secret that attackers push the envelope and innovate attacks to abuse weaknesses anywhere they find them—in cloud and hybrid deployments, containerised environments, and on-premises systems,” said Rohit Dhamankar, vice president of Threat Intelligence Products at Alert Logic. “What is troublesome is the use of force-multipliers like automation to scale attacks for increased financial gain. This report demonstrates that attackers are gaining increasing sophistication in their ability to weaponise trusted techniques to exploit common vulnerabilities and misconfigurations for purposes such as cryptomining.”

Report: Critical Watch Report: State of Threat Detection 2018