By Tan Yuh Woei
The quote “change is the only constant” can be applied in many situations—nowhere is it more true than in the cybersecurity space. The Internet—everyone’s go-to place for work and play—is becoming a battleground.
Last year saw far-reaching Web vulnerabilities, faster attacks, files held for ransom and far more malicious code than in previous years. Symantec Corp.’s annual assessment of the tactics of Web-based threats on businesses exposes a tactical shift by cyberattackers. They are now infiltrating networks and evading detection by hijacking the infrastructure of major corporations and using it against them.
Small and medium businesses (SMBs) are encouraged to beef up their security as various online threats are seen emerging in the coming year, since cybercriminals are becoming more creative in how they infiltrate and abuse existing technologies.
Some key trends identified in this year’s report elucidate why corporate defenses, especially those of SMBs, need to stay one step ahead:
1. Attackers are streamlining their tactics. Vulnerabilities have always been a big part of the security picture, where operating system and browser-related patches have been critical in keeping systems secure. However, the discovery of vulnerabilities such as Heartbleed, Shellshock and POODLE, and their widespread prevalence across a number of operating systems, brought the topic to the fore.
In 2014 attackers continued to breach networks with highly targeted spear-phishing attacks, which increased 8 percent overall. But attackers became more efficient, deploying 14 percent less e-mail toward 20 percent fewer targets. On top of this, 60 percent of all targeted attacks struck small and medium-sized organizations. This was an uptick in spear-phishing attacks on SMBs, increasing 26 percent and 30 percent, respectively. These organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver e-mail attachments. This puts not only the businesses, but also their business partners, at higher risk.
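The best practice the column mentions, blocking executable and screensaver attachments, is easy to state but is usually implemented by extension alone. The following is an added example (not from the column or from Symantec) of a mail-gateway check that flags `.exe`/`.scr` attachments and also catches executables renamed to a harmless-looking extension by looking at the Windows PE "MZ" header; the sample message and the blocked-extension set are constructed for this illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed policy: block the two attachment types the column names as basic
# best practice. A real deployment would extend this list.
BLOCKED_EXTENSIONS = {".exe", ".scr"}


def classify_attachment(filename, payload):
    """Return a reason string if the attachment should be blocked, else None."""
    name = filename.strip().lower()
    # Only the final suffix decides how Windows opens the file, so
    # "invoice.pdf.scr" is treated as a screensaver and blocked.
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    # Windows executables (EXE and SCR alike) start with the DOS "MZ" magic;
    # checking content catches an executable renamed to e.g. .pdf.
    if payload[:2] == b"MZ":
        return f"executable header (MZ) under extension {ext or '(none)'}"
    return None


def scan_message(raw_message):
    """Parse a raw RFC 5322 message and list (filename, reason) for blocked parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(name, payload)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_message():
    """Constructed sample: one benign PDF, one double-extension .scr,
    one executable disguised as a PDF. The MZ stubs are not real programs."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Q1 invoices"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed stub", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.scr")
    msg.add_attachment(b"MZ\x90\x00 constructed stub", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()
```

Running `scan_message(build_sample_message())` flags the `.scr` attachment by extension and the renamed `report.pdf` by content, while the genuine PDF passes.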
2. Cyberattackers are leapfrogging defenses. While organizations are on the lookout for attackers using stolen employee credentials and identifying signs of suspicious behavior throughout their network, savvy attackers are using increased levels of deception and, in some cases, hijacking companies’ own infrastructure and turning it against them.
In 2014 advanced attackers were observed to:
• Deploy legitimate software onto compromised computers to continue their attacks without risking discovery by antimalware tools.
• Leverage a company’s management tools to move stolen intellectual property around the corporate network.
• Use commonly available crimeware tools to disguise themselves and their true intention if discovered.
• Build custom attack software inside their victim’s network, on the victim’s own servers.
• Use stolen e-mail accounts from one corporate victim to spear-phish their next corporate victim.
• Hide inside software vendors’ updates, in essence “Trojanizing” updates, to trick targeted companies into infecting themselves.
3. Digital extortion is on the rise. Cybercriminals have used ransomware to turn extortion into a profitable enterprise, attacking big and small targets alike.
Ransomware attacks grew 113 percent in 2014, driven by more than a 4,000-percent increase in file-encrypting ransomware or what is known as crypto-ransomware attacks.
On a human level, ransomware is one of the nastiest forms of attack. Instead of pretending to be law enforcement seeking a fine for stolen content, as seen in traditional ransomware, crypto-ransomware holds a victim’s files, photos and other digital media hostage without masking the attacker’s intention. The victims will be offered a key to decrypt their files, but only after paying a ransom that can range from $300 to $500—and even then there is no guarantee their files will be freed.
In 2013 crypto-ransomware accounted for a negligible percentage of all ransomware attacks (0.2 percent, or one in 500 instances). However, in 2014, crypto-ransomware was seen 45 times more frequently. While crypto-ransomware predominately attacks devices running Windows, Symantec has seen an increase in versions developed for other operating systems. Notably, the first piece of crypto-ransomware on mobile devices was observed on Android last year.
And while the advice remains the same—do not pay the criminals—many businesses and individuals simply want or need their files back. So they pay, and thus the scam remains profitable.
So what can businesses do to gain the upper hand?
1. Employ defense-in-depth strategies. Emphasize multiple, overlapping and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls, as well as gateway antivirus, intrusion detection or prevention systems, website vulnerability and malware protection, and Web-security gateway solutions throughout the network.
2. Monitor for network incursion attempts, vulnerabilities and brand abuse. Receive alerts for new vulnerabilities and threats across vendor platforms for proactive remediation. Track brand abuse via domain alerting and fictitious web site reporting.
3. Be aggressive in updating and patching. Update, patch and migrate from outdated and insecure browsers, applications, and browser plug-ins. This also applies to operating systems, not just across computers, but mobile and Internet of Things devices, as well. Keep virus and intrusion prevention definitions at the latest available versions using vendors’ automatic update mechanism. Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Wherever possible, automate patch deployments to maintain protection against vulnerabilities across the organization.
As businesses consider their security preparedness and their future needs, the Internet Security Threat Report (ISTR) indicates areas to keep an eye on. Sophisticated techniques once used for state-level espionage are now becoming a part of routine attacks. Hackers will continue to attack increasingly popular technologies, such as cloud providers and mobile platforms, as well as social networks, with their enormous user base. Web sites will always be a source of potential malware, which will continue to proliferate into new, more creative attacks. To stay ahead of cybercriminals, security cannot be an afterthought, and businesses should ensure their protection strategies are up to date and include a combination of technology and employee education to combat evolving threats.
This edited column, submitted in December 2015 by Tan Yuh Woei, Symantec Corp. senior director for the Association of Southeast Asian Nations region, carries views not necessarily reflecting those of the BusinessMirror.