Today, we released the 2016 Security Annual Threat Report leveraging work by the SonicWall Threat Research Team. The annual report always raises questions from our customers and partners trying to understand what this means to them as they continually evolve their security posture. When it comes to a discussion around the big breaches, I always hear statements like “I am not big enough to target” or “I am in a different industry” or “my environment is not as complex.”
However, targeting does not necessarily mean a single company. Most people think of targeted attacks as an isolated incident, similar to a sniper picking out and killing a victim with a single shot. A sophisticated attacker might take a series of well-placed shots to increase the chances of taking down the target. While this is a popular view, it is actually a very rare occurrence in the real cyber-world.
In actuality, most targeted cyberattacks are less like a sniper and more like an epidemic where specially crafted viruses are created to remain dormant and undetected on the majority of people, so that only the desired targets become ill. This parallels the cybersecurity where an attack stays dormant on most hosts and uses them as conduits for spreading until a target environment is detected. As in the attack against point of sale (POS) terminals that propagates throughout the network undetected passing from host to host, looking for a point of entry, until it finds a vulnerable POS terminal/terminals from which it can steal data. At that point, it doesn’t matter if the victim is a large retail chain or a small grocery store.
Security measures are only as strong as their weakest links. As the threat report illustrates, last year’s big attacks succeeded not because the companies did not have extensive security measures in place, but because they had gaps in security. One of the major security gaps that can make a corporation vulnerable is the concept of “trusted network”, “trusted device” or “trusted user.” Ultimately, in the world of modern cybersecurity, there is no such thing as “trusted.” Just because some traffic or access is allowed doesn’t mean it can be trusted. It should still be scanned/analyzed/processed to check for malicious content or behavior.
Unfortunately, organizations often overlook this principle of modern cybersecurity. Too many times, organizations look at security technologies like encryption (e.g., VPN, IPSec, SSL and TLS) and get lulled into the trap of thinking that having secure network protocols means they are safe. In fact, these security protocols are not designed for protecting networks from attack, but simply for ensuring that the traffic content is not modified and not accessible from the outside.
The 2016 SonicWall Security Annual Threat Report points out that more and more attacks are coming over encrypted channels like SSL/TLS in order to make detection harder. Last year, we saw an increase in the use of SSL/TLS and HTTPS connections of over 100 percent. While SSL/TLS keeps legitimate traffic safer from being hacked, it also hides malware and attacks from security systems. In fact, many attacks use encryption to hide themselves from detection. Still, there are ways to benefit from encryption without cloaking potential attacks, such as SSL inspection as well as a program that includes rigorous security audits.
The thing to remember is that most attacks are not individually crafted, instead hackers use well developed tools like exploit kits to achieve their goals. We are tracking the exploit kits and monitor their attempts to try and stay one-step ahead of security systems. As our research team analyzes today’s cyber threats, they focus on the exploit kits used by hackers to evade today’s security tools. We are monitoring the ways cybercriminals use these pre-packaged software systems to infiltrate servers and automatically exploit vulnerabilities. Typically, these kits come pre-loaded to attack certain vulnerabilities, but cybercriminals can also modify them on the fly to exploit the newest weaknesses, often the same day they are discovered. Because of our research, we discovered a new, previously unknown exploit kit that hides itself from anti-forensics capabilities, and we named it Spartan.
Multiple exploit kits give attackers large number of opportunities to not only target the latest zero-day vulnerabilities, but also continue to probe for weaknesses in the security posture and gaps in security solutions. Our research, the SonicWall GRID network and a large footprint of sensors allow us to continuously monitor the trends in exploit kit development so that we can continue to stay one step ahead when it comes to protecting our customers.