
Advanced threats are the new baseline, says Websense

Enterprises must recognise that more cyber criminals are able to launch attacks due to the emergence of the malware-as-a-service business model

Enterprises must recognise that more cyber criminals are capable of launching advanced attacks due to the emergence of the malware-as-a-service business model, according to security firm Websense.

The ranks of cyber threat actors around the globe grew to staggering proportions in the past year, according to the Websense Security Labs 2015 Threat Report.

Researchers have seen a threefold increase in the number of exploit kits available on the increasingly competitive cyber criminal market in the past 12 months, with average prices relatively low at $800 to $1,500 a month.

Researchers have also seen some exploit kits like Nuclear and Angler undergo intense development to use new obfuscation layers and to integrate zero-day code more readily.

“Even cyber criminals with low technical capabilities are now able to access malware code and techniques that would previously have been out of their reach,” said Websense Security Labs principal security analyst Carl Leonard.

“The barriers to entry are significantly reduced, and anyone can have access to the same tools and capabilities as attackers higher up the food chain, which presents a problem for businesses because advanced threats are now the new baseline,” he told Computer Weekly.

In addition to easier access to cutting-edge tools, malware authors are also blending new techniques with old ones, resulting in highly evasive attacks.

For example, while the source code and exploit may be unique and advanced, much of the other infrastructure used in attacks is recycled and reused by the criminal element.

Organisations need protection against entire threat lifecycle

Researchers revealed that in 2014, 99.3% of malicious files used a command and control (C&C) address that had previously been used by one or more other malware samples, and 98.2% of malware authors used C&Cs found in five other types of malware.

“As we were writing the report, we concluded that if malware writers are reusing infrastructure that is known, organisations need to have protection against the entire threat lifecycle from malicious files to the C&C structures,” said Leonard.

“It is only when organisations have a clear picture of everything that is going on with the tools and capabilities that make cyber crime so easy for attackers that they are in a position to secure their enterprise.”

Despite the growing awareness of the kill chain model that analyses cyber attacks in seven key stages to find ways to detect and disrupt each stage, Leonard said organisations still tend to focus on point systems.

“But while these systems can be very good at identifying one particular aspect of a threat, there is a need for broader technologies to operate across the kill chain and raise the bar by putting obstacles at every stage of an attack,” he said.
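The reuse figures above and the kill-chain point that follows can be made concrete with a small correlation exercise. The block below is an added example, not code from the Websense report or from Computer Weekly: it takes a constructed set of malware samples (all hashes, family names and C&C hosts are made up) and shows that a defender holding only day-one indicators catches the repacked day-two samples at the command-and-control stage, because their file hashes are new but their infrastructure is recycled. The stage labels and the mapping of hash matches to the installation stage and C&C matches to the command-and-control stage are this example's own assumptions.

```python
"""Added example (not from the Websense report or Computer Weekly): correlate a
constructed set of malware samples by the C&C host each one contacts, and show at
which kill-chain stage a defender holding only day-one indicators would catch the
day-two samples. All hashes, families and hosts are made up."""
from collections import defaultdict

# Constructed records: (sha256 prefix, family, C&C host, day first seen).
SAMPLES = [
    ("0a11", "FamilyA", "203.0.113.10", 1),
    ("0a12", "FamilyA", "203.0.113.10", 1),
    ("0b21", "FamilyB", "203.0.113.10", 1),
    ("0b22", "FamilyB", "c2.example.net", 1),
    ("0c31", "FamilyC", "c2.example.net", 1),
    ("0d41", "FamilyD", "198.51.100.44", 1),     # only sample on this host
    # Day two: repacked binaries with never-seen hashes on recycled infrastructure.
    ("9a91", "FamilyA", "203.0.113.10", 2),
    ("9b92", "FamilyB", "c2.example.net", 2),
    ("9e93", "FamilyE", "203.0.113.10", 2),
    ("9f94", "FamilyF", "c2.fresh.example", 2),  # new hash and new host: missed
]


def c2_reuse_stats(samples):
    """Return (share of samples whose C&C host is used by another sample,
    share of C&C hosts that serve more than one malware family), analogues of
    the two reuse figures the report quotes for its 2014 corpus."""
    by_host = defaultdict(list)
    for _, family, host, _ in samples:
        by_host[host].append(family)
    shared = sum(1 for _, _, host, _ in samples if len(by_host[host]) > 1)
    multi_family = sum(1 for fams in by_host.values() if len(set(fams)) > 1)
    return shared / len(samples), multi_family / len(by_host)


def indicators_through(samples, day):
    """Hash and C&C indicator sets a defender would hold at the end of `day`."""
    hashes = {sha for sha, _, _, seen in samples if seen <= day}
    hosts = {host for _, _, host, seen in samples if seen <= day}
    return hashes, hosts


def detection_stage(sample, known_hashes, known_hosts):
    """Kill-chain stage at which the sample is caught, or None.
    Assumed mapping: a hash match fires when the file lands (installation);
    a C&C match fires later, when the implant calls home (command-and-control)."""
    sha, _, host, _ = sample
    if sha in known_hashes:
        return "installation"
    if host in known_hosts:
        return "command-and-control"
    return None


def coverage_on_day(samples, day):
    """Map each sample first seen on `day` to the stage that catches it,
    using only indicators collected before that day."""
    known_hashes, known_hosts = indicators_through(samples, day - 1)
    return {s[0]: detection_stage(s, known_hashes, known_hosts)
            for s in samples if s[3] == day}


if __name__ == "__main__":
    shared, multi = c2_reuse_stats(SAMPLES)
    print(f"samples on a shared C&C host: {shared:.0%}; "
          f"hosts serving more than one family: {multi:.0%}")
    for sha, stage in coverage_on_day(SAMPLES, 2).items():
        print(f"{sha}: {'missed' if stage is None else 'caught at ' + stage}")
```

On this constructed corpus a hash-only control catches none of the four day-two samples, while a C&C block list built from day one catches three of them; the fourth, on fresh infrastructure, is exactly the case that needs a control at yet another stage of the chain.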

The ease for all cyber criminals to conduct advanced attacks is one of eight trends highlighted by the threat report that Websense believes pose significant data theft risks for organisations.

The next most important trend for enterprise IT decision makers, said Leonard, is the recognition by mature organisations that effective security requires skilled users with a deep understanding of advanced attacks in addition to processes, policies and technology tools.

Shortfall in skilled security professionals

The report notes that, with an anticipated global shortfall of two million skilled security practitioners by 2017, it is inevitable that organisations will be out-manoeuvred by their adversaries unless they find new approaches to the use of resources and the adoption of technology.


“All organisations should be seeking to raise the security IQ within the business, especially in the light of the limited resources in IT teams and even security operations centres,” said Leonard.

“If the security industry can provide actionable intelligence for those tasked with protecting the information of an organisation without the noise of false alarms, then IT teams can be better utilised and even delegate tasks to less-skilled IT staff.”

Organisations can also bolster their security posture by educating users, said Leonard, because research shows 30% of users will still click on malicious links even after they have been warned, so there is clearly a need to raise security IQ among users.

“Users could also be useful in alerting the organisation to potential attacks at a much earlier stage in the attack before any harm is done if they know what they are looking for and how best to pass that information on to internal investigators,” he said.

The report recommends that IT management should work with human resources departments to proactively address how they can attract and retain talent.

Organisations should also invest in contextually aware tools that prioritise alerts and provide actionable information to guide less-skilled personnel in dealing with the bulk of incidents, and they should build talent internally with co-ordinated programmes of talent management, training and supportive technology.

Being prepared for the internet of things

The third area that enterprise IT decision makers should be focusing on, said Leonard, is the internet of things (IoT) and how the challenges being faced elsewhere in the organisation are going to be extended to other devices and “as yet unimaginable platforms”.

This is an area of IT that is evolving very quickly, he said, but there is an opportunity for businesses to be more prepared for what is coming than they were for the bring-your-own-device (BYOD) phenomenon.


“Many businesses have gone through the growing pains of BYOD, and the challenges of IoT will be similar around protecting the data, the deployment options and dealing with the unknown of how exactly IoT will be applied in the business,” said Leonard.

“But many organisations already have an understanding of how to track their important data, so businesses simply need to apply that understanding to IoT, and so there is hope because businesses should already have an understanding of data and its value that they can build upon.”

However, Leonard said organisations must understand that as IoT device use evolves in the business context, attackers will seek to manipulate those devices for malicious purposes or use them as ways of getting into networks as has happened with BYOD.

The report warns that IoT will magnify exploitation opportunities as it grows to an estimated range of 20-50 billion connected devices by 2020, especially if ease of deployment and the desire to innovate is allowed to override security concerns.

“Organisations need to think about the security of IoT devices from the very start by building on what we have learned in the past about BYOD and about developing software, systems and devices that are secure by design and about the need for the encryption of data,” said Leonard.

The report recommends that organisations evaluate their security posture in light of the IoT, that they consider how data will be recorded, stored and protected, and that they build controls around that early.

According to the report, organisations should also look for devices with the necessary security built-in and let suppliers know their security requirements to drive any necessary changes.

Trends highlighted by the report

Threat actors are blending old tactics, such as macros, in unwanted emails with new evasion techniques. Old threats are being “recycled” into new threats launched through email and web channels, challenging the most robust defensive postures.

The report recommends that defensive postures need to be re-evaluated to ensure coverage across the kill chain, that security systems are configured to watch and analyse tactics both old and new, and that real-time capabilities are applied to every attack stage.
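The "old tactic" named above, macros in email attachments, is one a gateway can still check for directly. The following block is an added example, not code from the Websense report: it inspects an Office attachment for a VBA project, looking for a vbaProject.bin part or the vbaProject content type in an OOXML zip, and falling back to a UTF-16LE string heuristic for legacy OLE2 files (a real gateway should parse the compound-file directory properly; the heuristic is an assumption made for brevity). The gateway verdicts, the `MACRO_FREE_EXTS` rule and the sample documents built by `make_ooxml` are all constructed for this example.

```python
"""Added example (not from the Websense report): flag macro-bearing Office
attachments at a mail gateway. Sample documents are constructed in memory below;
the OLE2 check is a string heuristic, not a full compound-file parse."""
import io
import zipfile

OOXML_MAGIC = b"PK\x03\x04"                       # docx/xlsx/pptx and -m variants are zips
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound files
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # OLE2 stream names are UTF-16LE
MACRO_FREE_EXTS = (".docx", ".xlsx", ".pptx")      # formats that should carry no VBA


def has_vba_macros(data: bytes) -> bool:
    """True if the document carries a VBA project."""
    if data.startswith(OOXML_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return True
                if "[Content_Types].xml" in names:
                    return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
        except zipfile.BadZipFile:
            return False
        return False
    if data.startswith(OLE_MAGIC):
        # Heuristic (assumption): a production gateway should walk the CFB directory.
        return OLE_VBA_MARKER in data
    return False


def classify_attachment(filename: str, data: bytes, sender_domain: str,
                        trusted_domains=frozenset()) -> str:
    """Gateway verdict for one attachment: 'allow', 'sandbox' or 'quarantine'.
    Policy is this example's own: macros from a trusted sender domain still go
    to detonation, and VBA inside a nominally macro-free format is never trusted."""
    if not has_vba_macros(data):
        return "allow"
    if filename.lower().endswith(MACRO_FREE_EXTS):
        return "quarantine"
    if sender_domain.lower() in trusted_domains:
        return "sandbox"
    return "quarantine"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed Word-shaped zip (not a real Word document)."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    if with_macro:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder project bytes
    return buf.getvalue()


# Constructed OLE2-looking blob: correct magic plus a VBA stream name, nothing else.
FAKE_OLE_WITH_VBA = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER + b"\x00" * 32


if __name__ == "__main__":
    for name, blob, sender in [("invoice.docm", make_ooxml(True), "mailer.example"),
                               ("report.docx", make_ooxml(False), "mailer.example"),
                               ("memo.doc", FAKE_OLE_WITH_VBA, "corp.example")]:
        print(name, classify_attachment(name, blob, sender, {"corp.example"}))
```

Checking the zip parts rather than the file extension matters because the renamed or mislabelled attachment is the cheap evasion; the content-type check also catches projects stored under a non-standard part name.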

Threat actors have focused on the quality of their attacks rather than quantity and have developed the ability to vary activity widely at any one stage of the attack.

The report recommends that threat intelligence be shared across defences working in concert over the entire attack lifecycle, that logs and reports be monitored for anomalous activity, that in-line, real-time analysis capabilities be deployed for all systems, and that organisations recognise that sandboxing has severe limitations against stealthier forms of malware, so that other defences spanning the entire attack lifecycle are required.

It is particularly difficult to do attribution, given the ease by which hackers can spoof information, circumvent logging and tracking or otherwise remain anonymous.

The report recommends that organisations use valuable time following an attack to focus on remediation and adapting defences for the next attack.

Insider threats will continue to be among the risk factors for data theft, from both accidental and malicious actions by employees.

The report recommends employee education to reduce susceptibility to social engineering, information sharing to raise awareness, tools to test knowledge of best practices for identifying phishing emails and other suspicious content, as well as monitoring of behaviour to identify the high-risk activity of a disgruntled or otherwise dangerously motivated employee.

The threat landscape is expanding into the network infrastructure itself, as hidden vulnerabilities were revealed deep within the code bases of Bash (Shellshock) and OpenSSL (Heartbleed) and other components that have been in popular use for decades.

The report recommends that organisations conduct regular reviews of mission-critical systems using legacy technologies for potential risk and upgrade opportunities, that they stay connected to the streams of threat intelligence and conversations that can highlight newly discovered potential vulnerabilities, and that they have a process to assess potential risk based on how the vulnerable technology is applied in their particular organisation.
