In order to gain intelligence about the threats that may be directed at our organizations, we need to tune into what is happening on the Internet. By reading the latest annual security reports we can learn from what others have experienced and broaden our perspective on the current threat landscape. Security practitioners should be sharing information about threats and attacks just as readily as the attackers share information, exfiltrated data and access to botnets. We can learn from recent security reports, anticipate what we can expect to occur in 2015, and adapt our defensive strategies to protect our enterprises.
IT Security is Like Dental Floss
Parallels can be drawn between IT security and using dental floss. We know that using dental floss can add years to your life expectancy, but it requires discipline and a small time commitment every day. Similarly, IT security requires a relatively small capital investment and a relatively small investment of time to configure granular policies and remain vigilant. Good security results from taking the time to configure prudent policies and then spending the time to establish situational awareness of the environment. The papers are full of news about companies that have not invested enough time in their security programs.
Sharing Security Experiences
We can be sure that the attackers are sharing information between themselves about what attack types are more successful than others. They are sharing information about targets, trading information about application vulnerabilities, trading access to botnets, and coordinating with organized crime organizations as part of their business ecosystem.
Few IT staff members actually share the valuable tidbits of knowledge they have accumulated with the rest of the industry. Think about the powerful amplification effect an individual can have on the industry by sharing what they know with others. Defenders should be sharing information about what attack types they are observing and which defensive capabilities are most effective. However, companies are often unwilling to share information for fear of embarrassment, because of a lack of security knowledge and experience, or because of a lack of time to communicate it. Many IT security organizations run so lean that they don’t have the time to keep up on security topics, to keep tabs on security events, or to share intelligence with other organizations.
Annual Security Reports
One way an organization can gain information about what types of attacks are taking place “in the wild” is to read the annual security reports that are published. Many different companies write periodic security reports about current security trends, current attack types, and best current defensive practices. These reports are written by security equipment and software manufacturers, security service companies, Internet service providers, and other security associations.
In the distant past (2009, 2010, 2011) I have written about the annual security reports that companies publish. We should applaud these organizations that are spending a vast amount of time compiling and publishing these reports on what is happening in terms of Internet security. There were a whole host of “security SNAFUs” (as Ellen Messmer calls them) in 2013 and 2014, and we should all try to learn from these incidents. In the last 6 to 12 months, many organizations have published some very good reports on the state of Internet security.
This article will list and review many of the recently published security reports. By reading these reports and sharing this type of knowledge with our colleagues we can strive for better security practices. We can read these reports to anticipate what attack types may become prevalent in the new year, to get an idea of the threats our organizations are currently facing, and to learn how we should configure our security systems for maximum effectiveness.
Verizon Data Breach Investigations Report (DBIR) 2014
Every springtime since 2008, Verizon has published its Data Breach Investigations Report (DBIR). This is one of the best annual security reports because it anonymously compiles information from 63,000 actual security incidents. This year’s report covered all incidents, even if data records were not leaked, unlike previous years’ reports, which covered only confirmed information breaches. This year’s report identified nine common attack patterns that represent the vast majority of cyber-attacks. The report breaks down these nine attack types and covers which attack types are common in specific industries.
Of all the statistics revealed in the DBIR, the one that continues to amaze us is the duration between a security incident occurring and when the organization actually discovers the compromise. In some cases, it takes organizations over a hundred days to discover that a breach has occurred. Often, an organization discovers the breach only when an outside person or company identifies that information has been leaked.
The 2014 breach report actually covers information gathered during 2013, so by this time in the year this information can be at least 18 months old. In several months we are likely to receive the 2015 DBIR, which will cover data from 2014.
Cisco Systems Annual Security Report (ASR)
Cisco publishes their Annual Security Report (ASR) on the state of Internet security twice a year. There is a midyear security report, which covers threat intelligence from the first half of the year, and an annual security report, which covers what occurred during the whole previous year. The report combines threat intelligence from Talos, Cisco’s threat research team, with an examination of cybersecurity trends.
The Cisco 2014 Annual Security Report covered information from the 2013 year. This report covered how attacks are now targeting manufacturing and agricultural targets, but retail and point-of-sale systems are still financially lucrative targets. Even though spam volumes are down, breaking news spam, spear phishing and “watering hole” attacks are on the rise. Their report revealed that 99% of all mobile malware was directed toward Android OS devices. Java was the leading Indicator of Compromise (IoC) ahead of Flash exploits and PDF issues.
In August 2014, Cisco published their Midyear Security Report 2014, which covered security intelligence from the first half of 2014. This report noted that the Internet of Things (IoT) may represent a growing attack target in the coming years as more IP-enabled embedded devices connect to networks. This report covered Cisco’s “Inside Out” project, where they looked at outgoing DNS queries that were destined for Dynamic DNS (DDNS) systems. Cisco’s recommendation is for organizations to use a system like Infoblox's DNS Firewall to restrict DNS queries destined for malicious systems. This midyear report also confirmed the increase in Java exploits and recommends that organizations update to the more secure Java 8 versions. The report covered the recent NTP packet amplification attacks and showed how attackers can change their tactics rapidly based on the effectiveness of the attacks.
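The “Inside Out” idea of watching your own outbound DNS queries for names under dynamic DNS providers can be run over resolver logs. The following is an added example, not code from the article, Cisco or Infoblox; the log format is a simplified, constructed BIND-style query line and the provider list is an illustrative assumption to be tuned per environment.

```python
# Added example: flag outbound DNS queries whose names fall under dynamic DNS
# provider zones, the pattern the Inside Out project looked for.
import re
from collections import Counter

# Illustrative list of dynamic DNS provider zones (an assumption; tune for your site).
DDNS_ZONES = ("no-ip.com", "no-ip.org", "duckdns.org", "dyndns.org")

# Constructed, simplified BIND-style query log line:
#   "client 10.0.0.5#51322: query: host.duckdns.org IN A + (10.0.0.2)"
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def zone_match(qname, zones=DDNS_ZONES):
    """Return the DDNS zone that qname belongs to, or None.
    Matches on label boundaries, so 'notduckdns.org' is not flagged for 'duckdns.org'."""
    name = qname.rstrip(".").lower()
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            return zone
    return None

def flag_ddns_queries(log_lines):
    """Return (hits, per_client): hits is a list of (client, qname, zone) tuples,
    per_client is a Counter of flagged queries per source address."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line
        zone = zone_match(m.group("qname"))
        if zone:
            hits.append((m.group("client"), m.group("qname"), zone))
    return hits, Counter(h[0] for h in hits)

# Constructed sample resolver log lines for demonstration.
SAMPLE_LOG = [
    "client 10.0.0.5#51322: query: c2-host.duckdns.org IN A + (10.0.0.2)",
    "client 10.0.0.5#51323: query: www.example.com IN A + (10.0.0.2)",
    "client 10.0.0.7#40001: query: update.no-ip.com IN A + (10.0.0.2)",
    "client 10.0.0.9#40002: query: notduckdns.org IN A + (10.0.0.2)",
    "client 10.0.0.5#51324: query: beacon.dyndns.org IN AAAA + (10.0.0.2)",
]

if __name__ == "__main__":
    hits, per_client = flag_ddns_queries(SAMPLE_LOG)
    for client, qname, zone in hits:
        print(f"{client} -> {qname} (DDNS zone: {zone})")
    print("flagged queries per client:", dict(per_client))
```

A host that repeatedly resolves names under these zones is worth a closer look, and the same zone list is what would go into an RPZ-style DNS firewall policy.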
Cisco just today released their 2015 Annual Security Report. This year’s report covered events occurring in 2014. This ASR noted that there is an ever-widening gap between the capabilities of defenders and attackers. This report also noted the decline in Java exploits. The report also found that many organizations are over-confident about their security posture, since many of these same companies are still experiencing breaches. There was also a large percentage of unpatched OpenSSL servers in operation, showing that many organizations are not patching frequently enough.
Microsoft Security Intelligence Report (SIR)
Microsoft publishes their Security Intelligence Report (SIR), which provides information on current threats from the perspective of their host operating systems, popular enterprise and consumer applications, and cloud-based services. Microsoft has been publishing these reports every 6 months since 2006, and they have been the go-to source for information on current security threats. The Microsoft Security Intelligence Report (SIR) Volume 16 covered issues occurring from July 2013 to December 2013. The latest Microsoft Security Intelligence Report, Volume 17, published in November 2014, covers issues from the first half of this year: January through June 2014.
One great initiative that Microsoft has taken on is the Microsoft Active Protections Program (MAPP). MAPP is a forum for software providers to share and access vulnerability information to help them update their software faster in response to new vulnerabilities. MAPP is an example of how sharing security information between companies can benefit the whole industry.
Akamai State of the Internet Report
Akamai has been producing their State of the Internet Report for many years now. Akamai’s extremely large cloud and Content Distribution Network (CDN) gives them access to a large amount of data about Internet threats targeting them and their customers. This year, Akamai acquired Prolexic, a network security company that provides services to help companies avoid damaging DDoS attacks. Akamai is leveraging the Prolexic services to help Akamai’s CDN and cloud customers mitigate the effects of these service-affecting attacks. Prolexic used to publish their own Quarterly Global DDoS Attack Report, but that research has now been folded into the quarterly State of the Internet Report.
Their Q3 2014 State of the Internet Report is available for download now. This report talks a lot about the increase in the bandwidth of DDoS attacks due to increasing Internet access speeds, whereby subscriber devices are used as bots to generate the traffic. The report mentions that reflection attacks using DNS and NTP are starting to wane, but new reflection attacks using different protocols like SSDP and UPnP, and leveraging vulnerable mobile, CPE and IoT devices, may become pervasive. This report also mentioned that the U.S. was the primary source of DDoS attacks.
Arbor Networks Worldwide Infrastructure Security Report (WISR)
Arbor Networks has also been publishing annual security reports since about 2004. Their ninth Worldwide Infrastructure Security Report (WISR) covers data gathered from late 2012 to late 2013. This report is based on data that their DDoS products gather and on survey results from over 220 service providers and large enterprises worldwide. The data also draws on their Active Threat Level Analysis System (ATLAS) global threat intelligence system, which is fed by their Peakflow SP customers. Arbor Networks also publishes threat information from their Arbor Security Engineering & Response Team (ASERT) group based on ATLAS information.
The current WISR indicated that the largest DDoS attacks are now well over 100Gbps, where just a few years ago they were peaking at 40Gbps. The duration of DDoS attacks is also typically less than an hour. This report also confirmed a rise in the number of IPv6-enabled service provider networks and that IPv6 transport was used in some DDoS attacks. However, IPv6 traffic visibility trails IPv4 traffic visibility. This report confirmed the use of DNS and NTP as packet amplification techniques used by attackers. One interesting set of statistics was on the size of OPSEC teams. A few organizations had large OPSEC teams, while the majority of companies have extremely small teams or no team to speak of, and a lack of headcount or resources was listed as the largest OPSEC team challenge. This report also shows that most organizations are using ACLs, firewalls, IPSs and Intelligent DDoS Mitigation Systems (IDMS) to defend against DDoS attacks.
NTT/Solutionary Global Threat Intelligence Report (GTIR)
Solutionary (which is now part of the NTT Group) provides managed security services to their global customers. Because their Solutionary Security Engineering Research Team (SERT) is watching over the security of many organizations, it gives them a unique perspective on the state of Internet security. The NTT Group 2014 Global Threat Intelligence Report (GTIR) came out earlier in 2014 and covers attacks seen in 2013. In case you are curious, you can also look at their SERT Quarterly Threat Intelligence Report from Q3 2013.