pixel_dreams - Fotolia

Business needs to prioritise cyber attack detection, says Cisco

Early detection of malicious activity is a top priority to defend against cyber attacks by highly motivated threat actors, says Cisco's latest security report

Businesses urgently need to reduce the time it takes to detect malicious activity on their networks, according to the Cisco 2015 Midyear Security Report.

The report identifies early detection as a top priority to defend against sophisticated cyber attacks by highly motivated threat actors.

New risks associated with Adobe Flash, the evolution of ransomware and the Dridex mutating malware campaign reinforce the need for reduced time to detection, the report said.

Exploits of Adobe Flash vulnerabilities – which are integrated into the Angler and Nuclear exploit kits – are on the rise, the report said, due to the lack of automated or regular patching.

The report said there was a 66% increase in the number of Adobe Flash Player vulnerabilities reported by the Common Vulnerabilities and Exposure (CVE) system in the first half of 2015, compared with the whole of 2014.

The creators of quickly mutating Dridex campaigns have a sophisticated understanding of evading security measures, the report said. As part of their evasion tactics, attackers rapidly change the emails’ content, user agents, attachments or referrers, and launch new campaigns – forcing traditional antivirus systems to detect them anew.

Cisco security researchers found the Angler Exploit Kit represents the types of common threats that will challenge organisations as the digital economy and the internet of things (IoT) create different attack vectors and revenue opportunities for cyber attackers.

Angler is one of the most sophisticated and widely used exploit kits because of its innovative use of Flash, Java, Internet Explorer and Silverlight vulnerabilities, the report said. It excels at evading detection by employing techniques such as domain shadowing, where stolen domain account credentials are used to create subdomains directed at malicious servers, giving the attacker a huge number of web addresses to cycle through and discard after use.

Reducing detection times

With the digitisation of business and the IoT, malware and threats become even more pervasive, the report said, with many organisations taking an average of 100 to 200 days to detect malicious activity.

In contrast, Cisco claims its Advanced Malware Protection (AMP) portfolio – with retrospective analysis of attacks that make it past existing defences – can reduce time to detection to 46 hours.

“Hackers, being unencumbered, have the upper hand in agility, innovation and brazenness. We see this time and again, whether it is nation-state actors, malware, exploit kits or ransomware,” said Jason Brvenik, principal engineer, Security Business Group, Cisco.

“A purely preventive approach has proven ineffective, and we are simply too far down the road to accept a time to detection measured in hundreds of days. 

Read more about threat detection

"The question of what do you do when you are compromised highlights the need for organisations to invest in integrated technologies that work in concert to reduce time to detection and remediation to a matter of hours; and then they should demand their suppliers help them to reduce this metric to minutes,” he said.

Cisco said the report’s findings underscore the need for businesses to deploy integrated security systems rather than point products, work with trustworthy suppliers and enlist security services providers for guidance and assessment.

Further, the report said geopolitical experts have declared that a global cyber governance framework is needed to sustain economic growth.

Cyber risk gathers pace

Cisco security researchers found ransomware remains highly lucrative for hackers, as the criminals continue to release new variants.

Ransomware operations have matured to the point that they are completely automated and carried out through the dark web, the report said. To conceal payment transactions from law enforcement, ransoms are paid in crypto currencies, such as bitcoin.

The innovation race between adversaries and security suppliers is accelerating, the report said, placing users and organisations at increasing risk. Suppliers must be vigilant in developing integrated security systems, the report said, that help organisations be proactive and align the right people, processes and technology.

“Organisations cannot just accept that compromise is inevitable, even if it feels like it today,” said John Stewart, senior vice-president, chief security and trust officer at Cisco.

“The technology industry must up the game and provide reliable and resilient products and services, and the security industry must provide vastly improved, yet meaningfully simplified, capabilities for detecting, preventing and recovering from attacks,” he said.

According to Stewart, Cisco is aiming to take the lead in this direction in response to the fact that business strategy and security strategy are the top two issues for many organisations.

“Trust is tightly linked to security, and transparency is key – so industry-leading technology is only half the battle. We're committed to providing both: Industry-defining security capabilities and trustworthy solutions across all product lines,” he said.

Read more on Hackers and cybercrime prevention