Websense's 2015 Threat Report

A brief analysis of Websense's 2015 Threat Report
Cybercrime has never been so easy.

Introduction

This post presents the main points addressed in the 2015 Threat Report of Websense Security Labs®. The original file can be found here.

Cybercrime just got easier

MaaS (Malware-as-a-Service) has established itself as a practice: even those without in-depth knowledge of the area can gain access to cutting-edge technology and tools, including samples of malicious source code, attack service providers and exploit kits.

Attacks exhibiting advanced behavior are becoming common, especially in the area of evasion, where the goal is to hide intent or identity.

Avoid the attribution trap

Concern about attributing an attack to its author should be left to the competent authorities; the company should focus on improving its defenses and on incident management tasks such as data recovery.

The main techniques used by cybercriminals in 2014 to maintain anonymity included:

  • Use of TOR (The Onion Router);

  • Use of compromised sites registered by an unrelated third party, thereby implicating the registrant in the attack;

  • Use of hosting providers that defy international law, refusing to cooperate with abuse notifications or legal requests;

  • Complex redirect chains, set up to work only for the target organization and to run only once;

  • Use of dynamic DNS to resolve attacker-registered domains to frequently changing IP addresses, which obscures the real DNS path and leaves defenders with information that is not actionable.

Elevate the IT knowledge

For those interested in joining the cybersecurity field there is good news: according to the (ISC)² Global Information Security Workforce Study 2013, there will be a shortage of 2.2 million qualified IT security professionals by 2017.

Another point to consider is the search for methodologies and tools for user education and awareness. The current generation is more familiar with the technological environment and is better able to understand and spread the habits needed for safer behavior.

Perception of internal threats

Internal threats will remain among the main risk factors for data theft and can be divided into two types: accidental and malicious.

Accidental: an employee is tricked by social engineering into opening malicious e-mails or browsing a compromised site.
Malicious: an employee deliberately extracts or distributes information for monetary gain or career advancement.

Building a fragile infrastructure

In 2014 the threat landscape expanded to the network infrastructure when hidden vulnerabilities were revealed in foundational code such as Bash, OpenSSL and SSLv3, which had been in use for decades.
Shellshock, Heartbleed and POODLE, to name a few, demonstrated the fragile nature of infrastructure standards and demanded rapid risk assessment and the implementation of mitigations to prevent exploitation and data theft by cybercriminals.

Déjà vu?

Recycling social engineering messages is nothing new, but 2014 saw growth in the recycling of other tactics, mixed with new methods and techniques to increase evasion. One aspect of this revival of older tactics was measured at Websense Security Labs, which identified more than 3 million e-mail attachments with macros in the last 30 days of 2014 alone.
A good example of the effectiveness of this approach came in the middle of last year, when a modern, advanced and targeted attack on the financial sector used heavily updated Microsoft Word macros to evade detection.

In 2014, 81% of all e-mails examined by Websense were identified as unwanted, a 25% increase over the previous year. Even more interesting than the volume of malicious e-mail is the fact that Websense detected 28% of malicious e-mail messages before an antivirus signature became available, a window of exposure of 17.5 hours for antivirus users.
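The macro-bearing attachments mentioned above are something a mail gateway can flag before any antivirus signature exists, simply by inspecting the container. The following is an added example (not code from the report or from Websense) of a content-based macro check: Office Open XML files are zip archives that carry a vbaProject.bin part when they contain VBA, and legacy OLE files name their VBA storage in UTF-16LE, so the check looks at the bytes, never at the attacker-chosen file extension. The sample attachments, the OLE byte-search heuristic and the function names are constructed for this example.

```python
import io
import zipfile

# Magic bytes for the two Office container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                         # Office Open XML (.docx/.docm/.xlsm)

# Legacy OLE files store stream names as UTF-16LE; "_VBA_PROJECT" appears in
# Word/Excel files that carry VBA. Searching raw bytes for it is a heuristic
# (assumption: no full OLE directory parsing), good enough for flagging.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def ooxml_has_vba(data):
    """Open the OOXML zip and look for a vbaProject.bin part in any folder."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(name.lower().endswith("vbaproject.bin") for name in names)


def ole_has_vba(data):
    return OLE_VBA_MARKER in data


def has_macros(data):
    """Decide from content only; the extension is attacker-controlled."""
    if data.startswith(ZIP_MAGIC):
        return ooxml_has_vba(data)
    if data.startswith(OLE_MAGIC):
        return ole_has_vba(data)
    return False


def scan_attachments(attachments):
    """attachments: iterable of (filename, bytes). Returns filenames that carry macros."""
    return [name for name, data in attachments if has_macros(data)]


# --- constructed samples: container structure only, no real macro code ---
def build_ooxml(with_vba):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


SAMPLE_ATTACHMENTS = [
    ("invoice.docm", build_ooxml(True)),
    ("report.docx", build_ooxml(False)),
    ("renamed.doc", build_ooxml(True)),   # a .docm renamed to .doc: the extension lies
    ("legacy.doc", OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER + b"\x00" * 64),
    ("notes.txt", b"just text, no container"),
]

if __name__ == "__main__":
    for name in scan_attachments(SAMPLE_ATTACHMENTS):
        print("macro-bearing attachment:", name)
```

The renamed.doc case is the one that matters operationally: a gateway rule keyed on the .docm extension would miss it, while the content check catches it. A flagged attachment is a candidate for quarantine or detonation, not proof of malice, since legitimate macro documents exist.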

Internet of Things

The Internet of Things (IoT) will expand opportunities for exploitation as it grows to an estimated 20 to 50 billion connected devices by 2020.

The IoT offers connectivity and applications that were previously unimaginable, but the ease of implementation and the push for innovation are factors that raise security concerns.

Confidential information may also leave the organization through cameras and microphones, especially those with “voice activation” capability. Cybercriminals can obtain useful information from GPS and other devices that report automatically.

Evolving threats

The attacks seen in 2014 showed a high degree of sophistication and reduced linearity, with greater use of Adobe Flash and Microsoft Silverlight exploits and less reliance on Adobe Reader vulnerabilities.

Evading detection is critical throughout an attack, from the initial breach to the extended period of data theft. Some of the most notable techniques that became increasingly prevalent and refined in 2014 include:

  • Traffic Direction Systems (TDS) have been deployed to deliver threats to specific geographies;

  • TOR (The Onion Router) networks are used to anonymize the sources of communications related to botnets, malicious downloads or data theft;

  • Sandbox evasion techniques: malicious code can check the target system for virtual machine artifacts (including looking for specific hard drive models and searching the Windows registry for keys related to virtual machines). If any are found, no malicious behavior is exhibited;

  • Executables can lie dormant or suspended before starting any malicious behavior;

  • Stealing virtual currencies and “kidnapping” data for ransom have become popular ways of monetizing an attack.
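The two sandbox-related items in the list above (artifact checks and dormancy) leave traces in the sandbox's own API log, which is where a defender can catch them: a sample that probes for VM artifacts, sleeps for a long time and then exits without doing anything should be re-detonated with a longer timeout or on hardened instrumentation rather than marked clean. The following is an added example (not code from the report or from Websense) of that triage logic run over a constructed sandbox trace; the log format, the event names, the five-minute sleep threshold and the probe/payload categories are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sandbox trace, one "<timestamp> <event> <argument>" line per API call.
# The registry keys and disk model are the commonly cited VM artifacts
# (VMware Tools key, VirtualBox ACPI table, VirtualBox disk name).
SAMPLE_TRACE = """\
2014-11-03T10:02:11 RegOpenKey HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
2014-11-03T10:02:11 RegOpenKey HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__
2014-11-03T10:02:12 DeviceQuery PhysicalDrive0 model=VBOX HARDDISK
2014-11-03T10:02:12 Sleep 900000
2014-11-03T10:02:12 ProcessExit 0
"""

# A benign-looking trace for comparison: normal file activity, short sleep.
BENIGN_TRACE = """\
2014-11-03T11:00:00 FileOpen C:\\Users\\alice\\report.docx
2014-11-03T11:00:01 Sleep 100
2014-11-03T11:00:01 FileWrite C:\\Users\\alice\\report.docx
2014-11-03T11:00:02 ProcessExit 0
"""

VM_ARTIFACT = re.compile(r"vmware|vbox|virtualbox|qemu|xen|hyper-?v", re.I)
PROBE_EVENTS = {"RegOpenKey", "DeviceQuery", "FileOpen"}
PAYLOAD_EVENTS = {"NetConnect", "FileWrite", "ProcessCreate"}
LONG_SLEEP_MS = 5 * 60 * 1000   # assumed threshold; tune to the sandbox's run timeout
LINE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_trace(text):
    """Return (timestamp, event, argument) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groups())
    return events


def evasion_indicators(events):
    """Flag VM-artifact probes, long dormancy, and 'probe then quit' behaviour."""
    findings = []
    vm_probes = 0
    total_sleep_ms = 0
    counts = Counter()
    for _, event, arg in events:
        counts[event] += 1
        if event in PROBE_EVENTS and VM_ARTIFACT.search(arg):
            vm_probes += 1
            findings.append(f"vm-artifact probe: {event} {arg}")
        elif event == "Sleep" and arg.isdigit():
            total_sleep_ms += int(arg)
    if total_sleep_ms >= LONG_SLEEP_MS:
        findings.append(f"long dormancy: slept {total_sleep_ms} ms in total")
    payload = sum(counts[e] for e in PAYLOAD_EVENTS)
    if vm_probes and payload == 0 and counts["ProcessExit"]:
        findings.append("exited after VM probes with no payload activity (sandbox-aware)")
    return findings


if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        print(label, evasion_indicators(parse_trace(trace)) or ["no evasion indicators"])
```

The point of the final "probe then quit" rule is that a clean verdict from a short sandbox run is not evidence of a clean sample; an empty behaviour log preceded by VM checks is itself the indicator.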

Conclusion

Vulnerabilities that had been forgotten and even had their antivirus countermeasures removed are being exploited again.

Cybercriminals are increasing in skill and in absolute numbers. This, coupled with the shortage of highly skilled IT security staff, requires major investment by companies in both training and tools.

The most modern exploitation techniques have shown innovation in evading detection and in mixing traditional applications with new concepts, achieving a high degree of impact.

The IoT adds a myriad of new devices and networks that are not necessarily prepared for this threat landscape.

In sum, in the current threat landscape organizations need to combine employee education and awareness (together with the qualification of the IT security team) with advanced technology to mitigate the risks inherent in their operations.