Each year, Cisco publishes an industry benchmark, the Cisco Annual Cybersecurity Report. The yearly publication analyses advances made by the security industry and by cybercriminals – a never-ending struggle. These reports show how peers in your industry assess security preparedness in their own organisations and point to where defences should be strengthened. The annual reports are comprehensive and often sobering, but they provide invaluable insight into emerging security trends and where to focus defensive effort.
We share below selected insights from the 2016 and 2017 reports, with links to download the original reports for you to find out more.
Cybersecurity breaches pose a significant threat to organisations both large and small. The consequences can be serious for business continuity, financial cost and legal exposure arising from the loss of sensitive data. What is often overlooked is that a breach also carries potentially catastrophic reputational risk, and breaches are surprisingly frequent. The 2017 Cisco report highlights that a shocking 49% of organisations had to manage public scrutiny of a security breach in the previous year.
The 2016 and 2017 annual reports advocate analysis of behaviour of two distinct but obviously related actors:
Savvy attackers rarely stand still. Security analysis needs to assess and respond to “time to evolve” (TTE), the speed at which adversaries change their tactics to keep them fresh and evade detection.
The financial incentives for cybercriminals are considerable. Threat actors use ransomware, for example, to encrypt users’ files, providing the keys for decryption only after users pay a “ransom”—usually in the $300 to $500 range. According to Cisco’s 2016 research, the primary actor responsible for about half of the Angler exploit kit activity in a particular campaign in 2015 was targeting up to 90,000 victims per day, netting the adversaries more than $30 million annually. With the stakes that high, it is not difficult to see why attacker behaviour evolves rapidly to protect those revenues.
Cisco’s 2016 analysis found that the majority of the malware analysed—91.3 percent—uses the Domain Name System (DNS) to carry out campaigns in one of three ways:
Through retrospective investigation into DNS queries, Cisco uncovered “rogue” DNS resolvers in use on customer networks. The customers were not aware that the resolvers were being used by their employees as part of their DNS infrastructure.
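The retrospective check described above, as an added example that is not Cisco's own tooling: port-53 traffic from constructed egress-firewall log lines is compared against an assumed list of sanctioned resolvers and upstream forwarders, and every other DNS destination is reported as a rogue resolver together with the internal clients using it.

```python
# Added example (not Cisco's code): flag port-53 traffic to resolvers that
# are not on the sanctioned list. Log format is a constructed one:
# "timestamp client_ip dst_ip dst_port query_name".
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample egress-firewall log lines.
SAMPLE_LOG = """\
2016-11-01T08:00:01Z 10.1.2.10 10.0.0.53 53 intranet.example.internal
2016-11-01T08:00:02Z 10.1.2.11 10.0.0.53 53 www.example.com
2016-11-01T08:00:03Z 10.1.2.12 203.0.113.7 53 updates.example.net
2016-11-01T08:00:04Z 10.1.2.12 203.0.113.7 53 a9f3c1.example.org
2016-11-01T08:00:05Z 10.0.0.53 198.51.100.2 53 www.example.com
2016-11-01T08:00:06Z 10.1.2.13 203.0.113.7 53 cdn.example.com
2016-11-01T08:00:07Z 10.1.2.14 10.0.0.53 53 mail.example.com
"""

# Sanctioned DNS infrastructure (assumed values): the internal resolver, and
# the upstream forwarders only that resolver may talk to.
INTERNAL_RESOLVERS = {ip_address("10.0.0.53")}
UPSTREAM_FORWARDERS = {ip_address("198.51.100.2")}


def find_rogue_resolvers(log_text):
    """Return {resolver_ip: {"clients": set, "queries": int, "names": set}}
    for every DNS destination that is not part of the sanctioned set."""
    rogue = defaultdict(lambda: {"clients": set(), "queries": 0, "names": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, qname = line.split()
        if dport != "53":
            continue  # only DNS traffic is of interest here
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if dst_ip in INTERNAL_RESOLVERS:
            continue  # client using the sanctioned internal resolver
        if src_ip in INTERNAL_RESOLVERS and dst_ip in UPSTREAM_FORWARDERS:
            continue  # internal resolver forwarding to its approved upstream
        entry = rogue[str(dst_ip)]  # anything else is an unsanctioned resolver
        entry["clients"].add(str(src_ip))
        entry["queries"] += 1
        entry["names"].add(qname)
    return dict(rogue)


if __name__ == "__main__":
    for resolver, info in sorted(find_rogue_resolvers(SAMPLE_LOG).items()):
        print(f"{resolver}: {info['queries']} queries from {sorted(info['clients'])}")
```

Blocking outbound port 53 at the egress firewall for everything except the sanctioned resolver turns this detection into prevention, which is the usual follow-up once the rogue resolvers have been identified.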
Adware, when used for legitimate purposes, is software that downloads or displays advertising through redirections, pop-ups and ad injections, generating revenue for its creators. However, the 2017 report highlights that cybercriminals are increasingly using adware as a tool to help increase their revenue stream. Threat actors are using adware to:
You ignore this risk at your peril. Cisco analysis of 130 organisations across multiple industry verticals over a period from November 2015 to November 2016 revealed that more than 75% of organisations investigated had adware infections.
The 2016 report also highlighted that Flash continues to be a popular attack vector for malware despite the industry increasingly moving away from Flash in favour of HTML5. Although overall Flash volume decreased over the previous year, the report suggested that Flash-related malware was likely to remain a primary exploitation vector for some time. The more recent 2017 report suggests that this remains the case. While Java, Flash and Silverlight are being deprecated across the industry in order to improve security, many organisations still have significant risk exposure. An initial surge of users rapidly installs release updates, but there is still a very long tail of users who are much slower to respond. Threat actors continue to exploit that time lag, and therein lies the vulnerability for many organisations.
The message is clear. Browser plug-ins should be minimised and tightly controlled. Browser versions should be kept current. Browser and operating system patches should be applied rapidly, with compliance enforced to reach 100% adoption and avoid the long tail. None of this is new, but the fact that so many organisations remain vulnerable is concerning.
The 2017 report also highlights that this extends to mobile devices. With the growing mobile workforce, mobile devices are increasingly the attack vector of choice for threat actors: three of the top 20 malware families detected targeted Android.
It is therefore unsurprising that mobile devices are now the number one source of security concern among the security professionals surveyed for the 2017 report.
What is clear in the 2016 and 2017 reports is that the security front line presents an ever-expanding surface for potential attacks. The proliferation of mobile devices creates more endpoints to protect. The Cloud is expanding the security perimeter. And users are, and always will be, a weak link in the security chain. As businesses embrace digitisation—and the Internet of Everything (IoE) begins to take shape—defenders will have even more to worry about. The attack surface will continue to expand, giving adversaries more space to operate.
The lack of integration between security tools can leave gaps in time and space where threat actors can launch attacks. The tendency of security professionals to juggle solutions and platforms from many vendors complicates assembling a seamless defence. The 2017 report highlights that increasingly complex defences may be part of the challenge for security professionals. Many organisations use at least a half-dozen solutions from multiple vendors. Cisco research indicates that in many cases, the security teams in those organisations can investigate only half the security alerts they receive on a given day. With an expanding attack surface and rapidly evolving attacker behaviour, that is clearly not ideal.
Stopping all attacks may not be possible. But you can minimise both the risk and the impact of threats by constraining your adversaries’ operational space and, thus, their ability to compromise assets. One measure you can take is simplifying your collection of security tools into an interconnected and integrated security architecture. Integrated security tools working together in an automated architecture can streamline the process of detecting and mitigating threats. You will then have time to address more complex and persistent issues.