Why the impacts of cybersecurity breaches can be wide-reaching

Each year, Cisco publishes an industry benchmark, the Cisco Annual Cybersecurity Report. The publication analyses advances made by the security industry and by cybercriminals, a never-ending struggle. These reports provide insight into how peers in your industry assess security preparedness in their organisations and offer guidance on where to strengthen defences. The annual reports are comprehensive and often sobering, but give invaluable insight into emerging security trends and where to focus defensive effort.

We share below selected insights from the 2016 and 2017 reports, with links to download the original reports for you to find out more.

  1. The impacts of cybersecurity breaches can be wide-reaching
  2. Understand attacker behaviour to enhance your defender behaviour
  3. For modern cybercriminals, making money is paramount
  4. The DNS blind spot
  5. Adware is impacting the majority of organisations
  6. Browser and browser extensions remain an Achilles heel
  7. Mobile devices are part of the new security frontier
  8. Your organisation’s attack surface is expanding
  9. Implications for business

The Impacts of Cybersecurity breaches can be wide-reaching

The threat of cybersecurity breaches to organisations both large and small is significant: business continuity, financial cost and legal exposure from the loss of sensitive data are all at stake. What is often overlooked is the reputational risk, which can be catastrophic, and breaches that become public are surprisingly frequent. The 2017 Cisco report found that 49% of organisations had to manage public scrutiny of a security breach in the previous year.


Understand attacker behaviour to enhance your defender behaviour

The 2016 and 2017 annual reports advocate analysis of behaviour of two distinct but obviously related actors:

  • Attacker behaviour is constantly evolving
    • Examine how attackers scan vulnerable networks and deliver malware
    • Be aware of how tools such as email, third-party Cloud applications and adware are weaponised
    • Place increasing focus on methods that cybercriminals employ during the installation phase of an attack.

Savvy attackers rarely remain still. Security analysis needs to assess and respond to “time to evolve” (TTE), the speed at which adversaries evolve their tactics to keep them fresh and evade detection.

  • Defender behaviour needs to evolve in step – Defender behaviour needs to evolve at an equal or faster speed, striving to reduce the median time to detection (TTD). The 2017 report highlights emerging weaknesses in middleware libraries that let adversaries reuse the same tooling across many applications, reducing the time and cost needed to compromise users. Cisco’s research on patching trends also highlights the benefit of presenting users with a regular cadence of updates to encourage the adoption of safer versions of common web browsers and productivity solutions.

For modern cybercriminals, making money is paramount

The financial incentives for cybercriminals are enormous. Threat actors use ransomware, for example, to encrypt users’ files, providing the keys for decryption only after users pay a “ransom”, usually in the $300 to $500 range. According to Cisco’s 2016 research, the primary actor responsible for about half of the Angler exploit kit activity in one 2015 campaign was targeting up to 90,000 victims per day, netting the adversaries more than $30 million annually. With stakes that high, it is not difficult to see why attacker behaviour evolves so rapidly.

The DNS blind spot

Cisco’s 2016 analysis found that the majority of the malware it examined (91.3 percent) uses the Domain Name System (DNS) to carry out campaigns in one of three ways:

  • To gain command and control
  • To exfiltrate data, and/or
  • To redirect traffic.

Through retrospective investigation of DNS queries, Cisco uncovered “rogue” DNS resolvers in use on customer networks. The customers were unaware that these resolvers were being used by their employees’ devices, so the queries passing through them sat outside the organisation’s own DNS infrastructure and its monitoring: a blind spot.
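The retrospective DNS review described above can be reproduced against your own query logs. The script below is an added example written for this post, not code from the Cisco reports; it runs over a few constructed records laid out like a simplified Zeek dns.log (timestamp, client, resolver, query name, query type) and flags the three things the report calls out: clients talking to resolvers that are not on the organisation’s approved list, long random-looking labels that suggest data is being tunnelled out through DNS, and one host asking for many unique subdomains of a single domain, a common command-and-control pattern. The approved resolver list, the sample records and the detection thresholds are assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Resolvers the organisation operates. Anything else a client sends queries to
# is treated as a "rogue" resolver for this example (assumed list).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample records, one per line, modelled on a simplified Zeek dns.log:
# timestamp, client IP, resolver IP, query name, query type.
SAMPLE_LOG = """\
1700000001 10.1.2.10 10.0.0.53 www.example.com A
1700000002 10.1.2.10 10.0.0.53 mail.example.com MX
1700000003 10.1.2.11 8.8.8.8 www.example.com A
1700000004 10.1.2.11 8.8.8.8 updates.example.net A
1700000005 10.1.2.12 10.0.0.53 kq7x2mzp9dvwe4hl.c2.badexample.net TXT
1700000006 10.1.2.12 10.0.0.53 z3bv8ntq1cxm6wyk.c2.badexample.net TXT
1700000007 10.1.2.12 10.0.0.53 h9pl4rsd7fgj2vqa.c2.badexample.net TXT
1700000008 10.1.2.12 10.0.0.53 m1xc6tnb0ykw5zre.c2.badexample.net TXT
1700000009 10.1.2.13 192.168.77.1 intranet.example.com A
"""


def parse_log(text):
    """Turn the whitespace-separated log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, resolver, qname, qtype = line.split()
        records.append({"ts": int(ts), "client": client, "resolver": resolver,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def shannon_entropy(s):
    """Bits per character: random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_rogue_resolvers(records, approved=APPROVED_RESOLVERS):
    """Map each resolver not on the approved list to the clients that used it."""
    rogue = defaultdict(set)
    for r in records:
        if r["resolver"] not in approved:
            rogue[r["resolver"]].add(r["client"])
    return dict(rogue)


def find_suspicious_names(records, min_len=16, min_entropy=3.0):
    """Flag queries whose leftmost label is long and random-looking, a typical
    signature of data tunnelled out through DNS (thresholds are assumptions)."""
    hits = []
    for r in records:
        label = r["qname"].split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.append((r["client"], r["qname"]))
    return hits


def find_subdomain_churn(records, threshold=3):
    """Count distinct names each client asks for under each parent domain; many
    unique subdomains of one domain from one host suggests C2 beaconing or exfil.
    The parent is taken as the last two labels, a simplification: production code
    should consult the public-suffix list instead."""
    seen = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")
        parent = ".".join(labels[-2:])
        seen[(r["client"], parent)].add(r["qname"])
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rogue resolvers:", find_rogue_resolvers(recs))
    print("suspicious names:", find_suspicious_names(recs))
    print("subdomain churn:", find_subdomain_churn(recs))
```

On the sample data the script reports two rogue resolvers (a public one and an unexpected internal address), four high-entropy TXT queries from one host, and that same host querying four unique subdomains under badexample.net. Against real logs the first list is the quickest win: compare it with a DHCP-issued resolver list and then enforce it with an egress rule that only permits port 53 traffic from the approved resolvers.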


Adware is impacting the majority of organisations

Adware, when used for legitimate purposes, is software that downloads or displays advertising through redirections, pop-ups and ad injections, generating revenue for its creators. However, the 2017 report highlights that cybercriminals are increasingly using adware as a tool to grow their own revenue stream. Threat actors are using adware to:

  • Inject advertising, which may lead to further infections or exposure to exploit kits
  • Change browser and operating system settings to weaken security
  • Break antivirus or other security products
  • Gain full control of the host, so they can install other malicious software
  • Track users by location, identity, services used, and sites commonly visited
  • Exfiltrate information such as personal data, credentials, and infrastructure information (for example, a company’s internal sales pages)

You ignore this risk at your peril. Cisco analysis of 130 organisations across multiple industry verticals over a period from November 2015 to November 2016 revealed that more than 75% of organisations investigated had adware infections.

Browser and browser extensions remain an Achilles heel

The 2016 report also highlighted that Flash remained a popular attack vector for malware despite the industry increasingly moving away from Flash in favour of HTML5. Although overall Flash volume decreased over the previous year, the report suggested that Flash-related malware was likely to remain a primary exploitation vector for some time, and the 2017 report suggests this is still the case. While Java, Flash and Silverlight are being deprecated across the industry to improve security, many organisations still carry significant exposure. An initial surge of users installs each release promptly, but there is a very long tail of users who are much slower to update. Threat actors continue to exploit that time lag, and therein lies the vulnerability for many organisations.

The message is clear. Browser plug-ins should be minimised and tightly controlled. Browser versions should be kept current. Browser and operating system patches should be applied rapidly, with compliance enforced to ensure 100% adoption to avoid the long tail. This is not new, but the fact that so many organisations remain vulnerable is concerning.
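Finding the long tail and the unsanctioned plug-ins in your own fleet is a reporting exercise over inventory data. The following is an added example written for this post, not code from the Cisco reports or from any endpoint-management product: it takes a constructed inventory of hosts (browser, installed version, plug-ins), an assumed minimum-acceptable version per browser and an assumed plug-in allow-list, and returns the adoption rate, the hosts still below the floor and the hosts running plug-ins that policy does not permit. It also shows the version-comparison trap that quietly undercounts the tail when versions are compared as strings.

```python
# Assumed policy for this example: the oldest acceptable release per browser and
# the plug-ins the organisation still permits. Everything else is flagged.
MINIMUM_VERSION = {"chrome": "58.0.3029", "firefox": "53.0", "ie": "11.0"}
ALLOWED_PLUGINS = {"pdf-viewer"}

# Constructed inventory rows: hostname, browser, installed version, plug-ins.
SAMPLE_INVENTORY = [
    ("ws-001", "chrome", "58.0.3029", ["pdf-viewer"]),
    ("ws-002", "chrome", "58.0.3071", []),
    ("ws-003", "chrome", "9.0.597", ["flash"]),          # ancient, but "9" > "58" as a string
    ("ws-004", "firefox", "53.0.2", ["java"]),
    ("ws-005", "firefox", "45.9.0", ["flash", "silverlight"]),
    ("ws-006", "ie", "11.0", []),
]


def parse_version(text):
    """'58.0.3029' -> (58, 0, 3029). Comparing integer tuples avoids the string
    trap where '9.0' sorts after '58.0'. Non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_current(browser, version, minimums=MINIMUM_VERSION):
    """True if the installed version is at or above the policy floor."""
    floor = minimums.get(browser)
    if floor is None:
        return False  # unknown or unsupported browser: fail closed
    return parse_version(version) >= parse_version(floor)


def long_tail(inventory, minimums=MINIMUM_VERSION):
    """Hosts still below the approved floor, i.e. the tail attackers exploit."""
    return [host for host, browser, version, _ in inventory
            if not is_current(browser, version, minimums)]


def unapproved_plugins(inventory, allowed=ALLOWED_PLUGINS):
    """Map each host to the plug-ins it runs that policy does not permit."""
    result = {}
    for host, _, _, plugins in inventory:
        bad = sorted(p for p in plugins if p not in allowed)
        if bad:
            result[host] = bad
    return result


def adoption_rate(inventory, minimums=MINIMUM_VERSION):
    """Fraction of hosts at or above the floor, rounded to two decimals."""
    if not inventory:
        return 0.0
    current = sum(1 for _, b, v, _ in inventory if is_current(b, v, minimums))
    return round(current / len(inventory), 2)


if __name__ == "__main__":
    print("adoption rate:", adoption_rate(SAMPLE_INVENTORY))
    print("long tail:", long_tail(SAMPLE_INVENTORY))
    print("unapproved plug-ins:", unapproved_plugins(SAMPLE_INVENTORY))
```

Run weekly, the long-tail list is the enforcement target: anything on it after a grace period should be blocked from the network or force-updated rather than nagged, because the report’s point is that the stragglers, not the early adopters, are what attackers rely on.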

Mobile devices are part of the new security frontier

The 2017 report also highlights that this exposure extends to mobile devices. With a growing mobile workforce, mobile devices are increasingly the attack vector of choice for threat actors: three of the top 20 malware detections were on Android.

It is therefore unsurprising that mobile devices are the number one security concern among the security professionals surveyed for the 2017 report.

Your organisation’s attack surface is expanding

What is clear in the 2016 and 2017 reports is that the security front line presents an ever-expanding surface for potential attacks. The proliferation of mobile devices creates more endpoints to protect. The Cloud is expanding the security perimeter. And users are, and always will be, a weak link in the security chain. As businesses embrace digitisation—and the Internet of Everything (IoE) begins to take shape—defenders will have even more to worry about. The attack surface will continue to expand, giving adversaries more space to operate.


Implications for business

Gaps between security tools, in both time and coverage, give threat actors room to launch attacks. The tendency of security professionals to juggle solutions and platforms from many vendors complicates assembling a seamless defence. The 2017 report highlights that increasingly complex defences may themselves be part of the challenge: many organisations use at least a half-dozen solutions from multiple vendors, and Cisco’s research indicates that in many cases the security teams in those organisations can investigate only half of the security alerts they receive on a given day. With an expanding attack surface and rapidly evolving attacker behaviour, that is clearly not ideal.

Stopping all attacks may not be possible. But you can minimise both the risk and the impact of threats by constraining your adversaries’ operational space and, thus, their ability to compromise assets. One measure you can take is simplifying your collection of security tools into an interconnected and integrated security architecture. Integrated security tools working together in an automated architecture can streamline the process of detecting and mitigating threats. You will then have time to address more complex and persistent issues.

For more information, or to discuss the implications of any of the topics raised in this blog, please contact Data#3.
Learn more about the Data#3 and Cisco partnership.


Tags: Cisco, Cybersecurity
