Less than half of information security professionals use shared cyber threat intelligence, a survey has revealed.
Of those who use shared threat intelligence, 59% said it was “very valuable” while 38% said it was “somewhat valuable”.
Respondents were most willing to share data about the behaviour of malware (72%), followed by URL reputations (58%), external IP address reputations (54%), certificate reputations (43%) and file reputations (37%).
Despite the relatively low level of adoption, 91% of the 500 cyber security professionals – polled in a wide variety of industries across North America, Asia Pacific and Europe – said they were interested in industry-specific cyber-threat intelligence; some 54% said they were “very interested”.
Sectors such as financial services and critical infrastructure stand to benefit most from industry-specific threat intelligence, said the report, considering the highly specialised nature of threats McAfee Labs has monitored in these two mission-critical industries.
While 63% of respondents indicated they may be willing to contribute their own data – as long as it could be shared securely and privately – only 24% said they were “very likely” to share, while 39% said they were “somewhat likely” to share.
Of those who have not implemented threat sharing in their enterprises, 54% identified corporate policy as the reason, followed by industry regulations preventing information sharing (24%), a lack of information (24%), and concerns about shared data being linked to them personally or their organisations (21%).
Getting a more accurate picture
The findings suggest a lack of experience or knowledge of the varieties of threat intelligence integration options available to the industry, the report said, as well as a lack of understanding of the legal implications of sharing cyber threat intelligence.
“The reality is that sharing cyber threat intelligence is absolutely necessary to ensure that enterprises across entire industries are able to learn from each other and set up proactive defences to safeguard both their corporations and the industry as a whole,” said Raj Samani, chief technology officer for Europe at Intel Security.
“In many cases, advanced stealthy attacks can lie hidden on a network but, with corporations proactively sharing details of threats and attacks, similar enterprises will also be able to more rapidly detect threats and correct their systems.”
No single organisation can have a complete view of everything but, through collaboration with others, it is possible to get a far more accurate picture of what is going on, Samani told Computer Weekly.
“For years cyber attackers have been sharing information, so it is time for defenders to start doing the same,” he said.
New ways of working
According to Samani, there is a need for more real-time sharing of threat intelligence, especially in industry sectors.
“Although there are several informal networks that have been established, these tend to be intermittent and now there is a recognition that more real-time sharing of information is necessary,” he said, citing the Carbanak gang’s theft of up to $1bn from financial institutions as an example of where real-time threat intelligence sharing could have reduced losses significantly.
The report highlights the need to overcome the barriers of organisational policies, regulatory restrictions, liability risks and a lack of implementation knowledge to realise the benefits of cyber threat intelligence sharing.
“The idea of cyber threat intelligence sharing has been around for a while, but this is still a relatively new area that requires a new way of working,” said Samani.
“Most organisations have to do some work on classifying data and establishing processes and legal frameworks including non-disclosure agreements and guidelines for what can and cannot be shared, what organisations it can be shared with, and under what circumstances.”
By classifying data, he said, organisations would be able to do things like anonymise certain data fields, which could help in getting around industry sector regulations and other concerns about threat intelligence sharing.
Ransomware grows rapidly
Samani said that information sharing is a “two-way street” and requires a degree of trust.
The report also showed that, after slowing slightly mid-year, ransomware regained its rapid growth rate with a 26% quarter-over-quarter increase in the fourth quarter of 2015.
Open-source ransomware code and ransomware-as-a-service continue to make it simpler to launch attacks, the Teslacrypt and CryptoWall 3 campaigns continue to extend their reach, and ransomware campaigns continue to be financially lucrative.
“It is getting easier and easier to carry out ransomware attacks and they are enabling cyber criminals to get their hands on hundreds of millions of dollars in ransom,” said Samani.
An October 2015 analysis of the CryptoWall 3 ransomware hinted at the financial scale of such campaigns, when McAfee Labs researchers linked just one campaign’s operations to $325 million in victim ransom payments.
The fourth quarter of 2015 saw a 72% quarter-over-quarter increase in new mobile malware samples, as malware authors appear to have produced new malware faster.
“Organisations should note that ransomware and mobile malware are clearly the two areas that cyber criminals are focusing on,” said Samani. The UK is one of the most targeted countries because of its organisations’ track record of paying off attackers, he said.
Rootkit malware samples drop
“In the past, all attacks tended to be as surreptitious as possible, but there has been a real spike in confrontational, in-your-face attacks, where cyber criminals are saying ‘pay up, or else’.”
The number of new rootkit malware samples dropped sharply in the quarter, however, continuing a long-term downward trend in this type of attack.
McAfee Labs attributed some of this decline, which began in the third quarter of 2011, to ongoing customer adoption of 64-bit Intel processors coupled with 64-bit Microsoft Windows. These technologies include such features as Kernel Patch Protection and Secure Boot, which together help better protect against threats such as rootkit malware.
Overall, the report showed that after three quarters of decline, the total number of new malware samples resumed its ascent in the fourth quarter of 2015, with 42 million new malicious hashes discovered, a 10% increase on the previous quarter driven mainly by 2.3 million new mobile malware samples.
However, the report shows that the number of new malicious signed binaries has dropped each quarter for the past year, reaching the lowest level in the fourth quarter of 2015 since the second quarter of 2013.
McAfee Labs believes the decline can be attributed in part to older certificates with a significant presence in the dark market either expiring or being revoked as businesses migrate to stronger hashing functions.
Adwind on the rise
Also, technologies such as Microsoft’s SmartScreen represent additional tests of trust, which might make the signing of malicious binaries less beneficial to malware authors.
The report also assesses the Adwind remote access Trojan (RAT), a Java-based backdoor Trojan that targets various platforms supporting Java files.
Adwind is typically propagated through spam campaigns that employ malware-laden email attachments, compromised web pages, and drive-by downloads.
The report shows a rapid increase in the number of .jar file samples identified by McAfee Labs researchers as Adwind, with 7,295 in the last quarter of 2015, a leap of 426% compared with the first quarter of 2015.