The Threat Changes – Daily

Cyber-crime is a real and growing threat in today’s always-connected world. Modern day adversaries are highly adaptive, taking advantage of expanding attack surfaces and ever-evolving tactics to keep their windows of opportunity open. As data becomes more and more valuable in today’s digital world, the stakes are also higher and the damage that could be dealt by cyber criminals is much greater, with devastating financial and reputational repercussions.

According to the Cisco 2017 Annual Cybersecurity Report (ACR), over one-third of organizations that experienced a breach in 2016 reported substantial customer, opportunity and revenue loss of more than 20 percent. Forty-nine percent of respondents said their business had faced public scrutiny due to a security breach.

Today’s cyber criminals move with agility as well as speed in order to evade detection. They continually search for new ways to operate, evolving their strategies and experimenting with a wide range of delivery methods. The techniques they commonly use to breach networks around the globe include exploiting lapses in the patching and updating of systems, luring users into socially engineered traps, and embedding malware in seemingly legitimate online content.

Once their methods have been exposed, attackers quickly and quietly change strategy in a bid to keep their tactics fresh and avoid detection. Because advanced modern threats evolve constantly, Cisco’s 2017 ACR also included a TTE (time to evolve) analysis, i.e. “the time it takes adversaries to change the way specific malware is delivered and the length of time between each change in tactics.”

Figure: File Extension and MIME Combinations for the Family of Threats and Indicators That Lead to and Include the Locky Payload (Web and Email Vectors)

As an example, through their TTE research on Locky ransomware, Cisco discovered that adversaries delivered the Locky payload via the web or email using a myriad of file extension and MIME combinations. The combinations included various Microsoft Word-related file content types (msdownload, ms-word) as well as malicious JavaScript, executable and zip files.

To evade file-based detection and ensure the threat remained active and effective, the authors of Locky designed it to frequently use new binaries. The majority of the Locky files observed between November 2015 and October 2016 were less than a day old when first detected. In other words, the rotation of new binaries for this ransomware occurred on a daily basis.
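The two observations above point to a practical defensive check: when binaries rotate daily, a hash lookup always lags, but the way a file is declared on delivery (its extension and its MIME/Content-Type) changes far less often and can be scored on the spot. The script below is an added illustration written for this page, not code from Cisco or the ACR; the log format (`vector|filename|mime`), the expected-type allowlist and the sample records are all constructed assumptions. It flags extension/MIME disagreements, high-risk types arriving by web or email, and double extensions that hide the executing suffix.

```python
"""Score delivered files by how their extension and MIME type agree.

Added example for this page (not from the Cisco report). The report notes
that one payload arrived through many extension/MIME combinations, so a
defender can ask, per attachment or download: do the declared extension
and the content type agree, and is either side a high-risk type?
Log format and field names below are assumptions for this example.
"""
from dataclasses import dataclass
import os

# Expected MIME types per extension: a defender's allowlist, assumed here.
EXPECTED_MIME = {
    ".doc": {"application/msword"},
    ".docx": {"application/vnd.openxmlformats-officedocument.wordprocessingml.document"},
    ".js": {"application/javascript", "text/javascript"},
    ".exe": {"application/x-msdownload", "application/octet-stream"},
    ".zip": {"application/zip", "application/x-zip-compressed"},
    ".pdf": {"application/pdf"},
}

# Types that deserve a closer look even when extension and MIME agree.
HIGH_RISK_MIME = {"application/x-msdownload", "application/javascript",
                  "text/javascript", "application/zip",
                  "application/x-zip-compressed"}
HIGH_RISK_EXT = {".exe", ".js", ".zip", ".scr", ".vbs"}


@dataclass
class Finding:
    vector: str      # "web" or "email" in the constructed log
    filename: str
    mime: str
    reasons: list


def parse_line(line):
    """Constructed log format: vector|filename|mime (one record per line)."""
    vector, filename, mime = line.strip().split("|")
    return vector, filename, mime.lower()


def assess(vector, filename, mime):
    """Return the list of reasons a record is suspicious (empty if none)."""
    ext = os.path.splitext(filename)[1].lower()
    reasons = []
    expected = EXPECTED_MIME.get(ext)
    if expected is None:
        reasons.append("unknown extension")
    elif mime not in expected:
        # e.g. a Word extension delivered with an executable content type
        reasons.append("mime/extension mismatch")
    if mime in HIGH_RISK_MIME or ext in HIGH_RISK_EXT:
        reasons.append("high-risk type")
    # Double extensions such as invoice.pdf.js show a benign-looking suffix
    # while the last one is what actually executes.
    inner = os.path.splitext(os.path.splitext(filename)[0])[1].lower()
    if inner and inner in EXPECTED_MIME and inner != ext:
        reasons.append("double extension")
    return reasons


def scan(lines):
    """Run assess() over log lines and collect the records worth triaging."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        vector, filename, mime = parse_line(line)
        reasons = assess(vector, filename, mime)
        if reasons:
            findings.append(Finding(vector, filename, mime, reasons))
    return findings


# Constructed sample records, not real telemetry.
SAMPLE_LOG = """\
email|quarterly_report.docx|application/vnd.openxmlformats-officedocument.wordprocessingml.document
web|update.doc|application/x-msdownload
email|invoice.pdf.js|application/javascript
web|photos.zip|application/zip
email|brochure.pdf|application/pdf
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.vector:5} {f.filename:22} {f.mime:30} {', '.join(f.reasons)}")
```

Of the five constructed records, three are flagged: the `.doc` served with an executable content type (mismatch plus high-risk), the double-extension JavaScript attachment, and the zip download (high-risk only). The allowlist is deliberately small; in production it would be generated from the file types an organisation actually exchanges, and the score would feed a gateway rule or SIEM correlation rather than a print statement.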

Moreover, each malware family follows its own pattern of evolution. To defend against threats that evolve this rapidly and diversely, enterprises must employ security solutions that can quickly detect, respond to, contain and eliminate malware before it causes significant damage.

Integrating security with intelligence is key. Cisco security products utilise Talos, the industry-leading threat intelligence organization dedicated to providing protection from known and emerging threats before, during, and after cyber security attacks.

It is becoming increasingly important for every successful enterprise to make cybersecurity a business-level priority. Cyber security can no longer be just “an IT challenge”. The consequences are just too great to ignore.
