To make certain your network security and response plan is up to date, it is important to have a solid understanding of the current threat landscape. The operative word is current, which makes this a tall order: as we all know, attackers change their habits frequently. Even so, it makes sense to be as proactive as possible by looking at the most recent industry data.
In my most recent blog, I used the Cisco 2017 Annual Cybersecurity Report as a basis for a 2017 Security State of the Union topic, discussing its high-level findings around the focus on security, and how organizations are addressing cybersecurity concerns.
In this second of a three-part blog series covering the Cisco report, we'll take a look at current attack behaviors, broken into the phases of an attack the report describes: finding a way in, exploiting a known vulnerability, and establishing persistence, followed by a look at how long it takes to detect a compromise.
The first step in any attack is to look for a means of entry. Attackers look for vulnerable browsers and plug-ins, and for ways to fool users into running applications, binaries, scripts and the like, in order to gain a foothold on a user's computer. Topping Cisco's list were PUAs (potentially unwanted applications) and suspicious binaries, with Trojan droppers and Facebook scam links not far behind.
Browser infections are also a major problem: 75% of the organizations Cisco investigated had adware infections, which shows how heavily attackers rely on ad injectors, browser settings hijackers, utilities and downloaders. Adware is often written off as a nuisance, but an ad injector or settings hijacker is already running code in the user's browser with the user's privileges, and it can be used to deliver further malware.
Once an attacker has an "in" to an endpoint, the next step is to take advantage of a known vulnerability. Flash has long been a popular attack vector, although its use is fading. Since Oracle announced in 2016 that it would deprecate the Java browser plug-in, the industry has also seen a decline in the use of this once-popular entry point. Even so, many organizations are not up to date, so Flash and Java, along with PDF readers and Silverlight, remain a reliable route into many networks for attackers.
The top three exploit kits, Angler, Nuclear and Neutrino, all but disappeared from the threat landscape during 2016, which has allowed smaller players to take a more prominent position. In nearly all cases the newer kits still target Flash, Silverlight and Internet Explorer vulnerabilities. Patching these applications, and removing any plug-in that is not actually needed, is a solid first step in protecting your customers.
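The inventory step that the last two paragraphs (and the adware discussion above) call for, as an added example rather than code from the Cisco report or from this post: it lists the Flash, Java, Silverlight and Adobe Reader/Acrobat installs found in the Windows uninstall registry hives, lists the Internet Explorer Browser Helper Objects that ad injectors and settings hijackers commonly register, and can silently remove the MSI-based plug-ins. It assumes an elevated PowerShell 3 or later session on a Windows endpoint; the product-name pattern and the function names are this example's own.

```powershell
# Added example, not from the Cisco report or the SolarWinds post.
# Assumptions: Windows host, elevated PowerShell 3+. Name patterns are illustrative;
# extend them to match the software list you manage for your customers.

$PluginPattern = '(?i)^(Adobe Flash Player|Java\b|Microsoft Silverlight|Adobe (Reader|Acrobat))'

function Get-RiskyPlugin {
    # Scan both the 64-bit and the 32-bit uninstall hives. MSI-installed products use
    # their ProductCode GUID as the key name, which is what msiexec /x needs later.
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        Get-ChildItem -Path $hive | ForEach-Object {
            $app = Get-ItemProperty -Path $_.PSPath
            if ($app.DisplayName -and $app.DisplayName -match $PluginPattern) {
                $code = if ($_.PSChildName -match '^\{[0-9A-F-]{36}\}$') { $_.PSChildName } else { $null }
                [pscustomobject]@{
                    Name            = $app.DisplayName
                    Version         = $app.DisplayVersion
                    ProductCode     = $code
                    UninstallString = $app.UninstallString
                }
            }
        }
    }
}

function Get-BrowserHelperObject {
    # BHOs are loaded into every Internet Explorer process; resolve each registered
    # CLSID to its friendly name and the DLL that actually gets loaded.
    $bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem -Path $key | ForEach-Object {
            $clsid = $_.PSChildName
            $cls   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
            if (-not (Test-Path $cls)) { $cls = "HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\$clsid" }
            [pscustomobject]@{
                CLSID = $clsid
                Name  = (Get-ItemProperty -Path $cls -ErrorAction SilentlyContinue).'(default)'
                Dll   = (Get-ItemProperty -Path "$cls\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            }
        }
    }
}

function Remove-RiskyPlugin {
    # Silently uninstall the MSI-based plug-ins. Products without a ProductCode
    # (the Flash ActiveX installer, for example) are reported with their vendor
    # uninstall string so a technician can handle them by hand.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($p in Get-RiskyPlugin) {
        if (-not $p.ProductCode) {
            Write-Warning "Not MSI-based, uninstall by hand: $($p.Name) -> $($p.UninstallString)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($p.Name, 'msiexec /x')) {
            $proc = Start-Process -FilePath msiexec.exe -ArgumentList "/x $($p.ProductCode) /qn /norestart" -Wait -PassThru
            # Exit code 0 means removed; 3010 means removed but a reboot is pending.
            "{0}: msiexec exit code {1}" -f $p.Name, $proc.ExitCode
        }
    }
}

Get-RiskyPlugin         | Format-Table -AutoSize
Get-BrowserHelperObject | Format-Table -AutoSize
Remove-RiskyPlugin -WhatIf   # drop -WhatIf to actually uninstall
```

Run it first with -WhatIf to see what would be removed, and treat an unexpected BHO DLL living under a user profile or a Temp folder as something to pull for analysis rather than simply delete.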
User awareness training that helps staff identify and avoid phishing scams can significantly reduce the potential for infection; check out our blog on creating a meaningful user awareness training program.
Once an endpoint is compromised, the next step is to establish persistence on the machine by installing a backdoor. Should the initial infection be removed, the backdoor gives the attacker a way to regain access to the endpoint, reinstall the infection, or both.
The top five malware backdoors in the report involve PUAs, heuristically detected samples (generic detections made on behavior rather than on a signature for a named family), four Trojan variants, and Java. Keep in mind that these backdoors are typically present because a user fell for a phishing scam or installed malicious adware, so the chain can be broken before the backdoor is ever installed.
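A backdoor only survives a reboot or a cleanup if it has been wired into one of Windows' autostart locations, so a persistence check is the natural companion to the paragraphs above. The following is an added example, not code from the Cisco report or from this post: it enumerates Run/RunOnce keys, the Startup folders, non-Microsoft scheduled tasks and services, and flags entries that launch from user-writable paths, use script hosts or LOLBins, or use encoded or hidden PowerShell. It assumes an elevated PowerShell 4 or later session on Windows 8.1/Server 2012 R2 or newer (Get-ScheduledTask and Get-CimInstance are needed); the pattern list and function names are this example's own, and the output is a triage list, not a verdict.

```powershell
# Added example, not from the Cisco report or the SolarWinds post.
# Assumptions: elevated PowerShell 4+ on Windows 8.1 / Server 2012 R2 or later.
# Legitimate updaters (OneDrive, Teams, ...) also live under AppData, so review, don't delete.

# Patterns worth a second look: user-writable directories, script hosts and LOLBins
# droppers lean on, and encoded or hidden PowerShell launches.
$SuspiciousPattern = '(?i)\\(AppData|Temp|Public)\\|\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b|' +
                     'wscript|cscript|mshta|regsvr32|rundll32|' +
                     'powershell.*(-e(c|nc|ncodedcommand)?\s|-w(indowstyle)?\s*hid|-nop|downloadstring|iex)'

function New-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    [pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Command    = $Command
        Suspicious = [bool]($Command -match $SuspiciousPattern)
    }
}

function Get-RunKeyEntry {
    # HKLM keys apply to every user; HKCU covers only the user running the script
    # (other users' hives would have to be read from HKU or loaded explicitly).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }   # provider bookkeeping, not registry values
            New-Finding -Source $key -Name $p.Name -Command ([string]$p.Value)
        }
    }
}

function Get-StartupFolderEntry {
    $folders = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f -Force -File | ForEach-Object {
            New-Finding -Source $f -Name $_.Name -Command $_.FullName
        }
    }
}

function Get-NonMicrosoftTask {
    # Scheduled tasks outside the \Microsoft\ tree that run an executable action.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                New-Finding -Source "Task $($task.TaskPath)" -Name $task.TaskName -Command ("$($a.Execute) $($a.Arguments)".Trim())
            }
        }
    }
}

function Get-ServiceEntry {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        New-Finding -Source "Service ($($_.StartMode))" -Name $_.Name -Command ([string]$_.PathName)
    }
}

$findings = @(Get-RunKeyEntry) + @(Get-StartupFolderEntry) + @(Get-NonMicrosoftTask) + @(Get-ServiceEntry)
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
"{0} autostart entries, {1} flagged for review" -f $findings.Count, @($findings | Where-Object Suspicious).Count
```

Comparing the flagged list against a baseline taken from a known-clean build of the same image is what makes this useful at scale: anything new under AppData or Temp, or any task that did not exist at deployment time, is the first thing to look at.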
Even though it is not a phase in an attack, detection is an essential piece of a robust security strategy. In late 2015 Cisco's median time to detection (TTD, the window between a compromise and its detection, as measured in Cisco's own telemetry) was about 39 hours. The good news is that by late 2016 this figure was down to a little over six hours. The bad news is that six hours is still a substantial window: it gives an attacker time to begin internal discovery and to go after elevated credentials.
The overarching theme of the Cisco report seems to be that there is some shifting of players and methods, but by and large the attacks are very similar to those of previous years. This is good news, in that current solutions, both technical and user-based, can still stop attacks at the infection point. By putting protection against malware and phishing in place, you put your customers in a much better position.
In the third part of this blog series, we’ll explore how well other organizations are defending themselves against attack—and how you can leverage their insights for your customers.
Learn how SolarWinds MSP helps MSPs and IT Service Providers stay more secure here: https://www.solarwindsmsp.com/products