monsitj - Fotolia
“The security industry faces critical challenges in our efforts to share threat intelligence between entities, among supplier solutions and even in their portfolios,” said Vincent Weafer, vice-president of McAfee Labs.
“Working together is power. Addressing these challenges will determine the effectiveness of cyber security teams to automate detection and orchestrate responses, and ultimately tip the cyber security balance in favour of defenders,” he said.
The main challenges to cyber threat intelligence sharing are:
1. Volume – a massive signal-to-noise problem continues to plague defenders trying to triage, process, and act on the highest-priority security incidents.
2. Validation – attackers may file false threat reports to mislead or overwhelm threat intelligence systems, and data from legitimate sources can be tampered with if poorly handled.
3. Quality – if security suppliers focus just on gathering and sharing more threat data, there is a risk that much of it will be duplicative, wasting valuable time and effort. Sensors must capture richer data to help identify key structural elements of persistent attacks.
4. Speed – intelligence received too late to prevent an attack is still valuable, but only for the cleanup process. Security sensors and systems must share threat intelligence in near real time to match attack speeds.
5. Correlation – the failure to identify relevant patterns and key data points in threat data makes it impossible to turn data into intelligence and then into knowledge that can inform and direct security operations teams.
Read more about threat intelligence
- Threat intelligence tools are a growing market, and enterprises need to be able to see through the hype to get the best product for them.
- Learn how threat intelligence services benefit enterprise security and how to subscribe to the right threat intelligence service.
- Threat intelligence is quickly becoming an essential ingredient for protecting corporate systems and data.
To move threat intelligence sharing to the next level of efficiency and effectiveness, McAfee Labs suggests focusing on three areas:
1. Triage and prioritisation – simplify event triage and provide a better environment for security practitioners to investigate high-priority threats.
2. Connecting the dots – establish relationships between indicators of compromise so that threat hunters can understand their connections to attack campaigns.
3. Better sharing models – improve ways to share threat intelligence between our own products and with other suppliers.
“Increasingly sophisticated attackers are evading discrete defence systems, and siloed systems let in threats that have been stopped elsewhere because they do not share information,” said Weafer.
“Threat intelligence sharing enables us to learn from each other’s experiences, gaining insight based on multiple attributes that build a more complete picture of the context of cyber events,” he said.
Inside the Mirai botnet
The report examines the inner workings of the Mirai botnet, which was responsible for the highly publicised distributed denial of service (DDoS) attack on Dyn, a major domain name system service provider.
Mirai is notable, the report said, because it detects and infects poorly secured internet of things (IoT) devices, transforming them into bots to attack its targets.
The October public release of the Mirai source code led to a proliferation of derivative bots, although the report said most appear to be driven by script kiddies and are relatively limited in their impact.
However, the report warns that the source code release also led to offerings of “DDoS as a service” based on Mirai, making it simple for unsophisticated attackers to execute DDoS attacks that expoit other poorly secured IoT devices. Mirai botnet-based DDoS attacks are available as a service in the cybercriminal marketplace for $50 to $7,500 a day, McAfee Lab researchers report.
They also estimate that 2.5 million IoT devices were infected by Mirai by the end of the fourth quarter of 2016, with about five IoT device IP addresses added to Mirai botnets each minute at that time.
Read more about Mirai
- DDoS protection provider alleged to be Mirai botnet creator.
- Customers of broadband ISPs Post Office Broadband and Kcom have been hit by a cyber attack perpetrated by the evolving Mirai IoT botnet.
- Organisations with an online presence should prepare for terabit-class Mirai IoT botnet-based DDoS attacks that could knock almost any business offline or disable chunks of the internet.
- The Mirai DDoS attack on DNS firm Dyn at the end of October 2016 highlighted both the vulnerability of the world’s internet infrastructure and the dangers of leaving devices unsecured.
In the fourth quarter of 2016, McAfee Labs’ Global Threat Intelligence network registered notable trends in cyber threat growth and cyber attack incidents across industries:
1. Malware growth – the number of new malware samples slowed 17% in Q4, while the overall count grew 24% in 2016 to 638 million samples.
2. Mobile malware – the number of new mobile malware samples declined 17% in Q4, while total mobile malware grew 99% in 2016.
3. Ransomware growth – the number of new ransomware samples dropped 71% in Q4, mostly due to a drop in generic ransomware detections, as well as a decrease in the activity of the Locky and CryptoWall strains. The number of total ransomware samples grew 88% in 2016.
4. Mac OS malware – although still small compared to Windows threats, the number of new Mac OS malware samples grew 245% in Q4 due to adware bundling. Total Mac OS malware grew 744% in 2016.
5. Spam botnets – spam email messages from the top 10 botnets dropped 24% in Q4 to 181 million emails. They generated 934 million spam messages in 2016 overall.
McAfee counted 197 publicly-disclosed security incidents in Q4 and 974 publicly-disclosed security incidents in 2016. Security incidents are events that compromise the integrity, confidentiality or availability of information assets. Some, but not all, of these incidents are breaches. Breaches are incidents that result in the confirmed disclosure of data.
According to the report, the public sector experienced the greatest number of incidents by far, but McAfee believes this may be the result of stricter requirements for reporting incidents, as well as an increase in attacks related to the US election process, mostly voter database incidents and defacing of election websites.