Criminals on a mission of ambition and disruption, says Symantec
Ransomware attackers are increasing their ransoms; more emails are containing malicious links; and disruption is the word of the day - it’s no wonder CIOs are becoming out of touch with what is happening in their organisations.
According to Symantec’s latest Internet Security Threat Report, 2016 was marked by a year of ambition and disruption.
One in 131 emails contains a malicious link or attachment, which is the highest rate in five years. Symantec says email is becoming a prime delivery method for malware.
Windows PowerShell and Microsoft Office are two of the main methods attackers are using to conduct attacks that leave ‘a lighter footprint’ and can hide in plain sight. 96% of PowerShell files in the wild were malicious, according to Symantec.
Business email compromise (BEC) scams are targeting more than 400 businesses every day - and raking in more than 3 billion dollars.
“There has been a shifting focus from attackers to focus more and more on email as the initial incursion vector. If you look back on 2014 in New Zealand, we saw one in 114 emails as malicious. We’ve seen the numbers of malicious emails doubling in the last few years,” Symantec’s local New Zealand spokesperson and technology strategist Mark Shaw.
Shaw says it shows that the attackers are confident that the email method works for delivering that initial payload.
“New sophistication and innovation are the nature of the threat landscape, but this year Symantec has identified seismic shifts in motivation and focus,” comments Kevin Haley, director, Symantec Security Response.
“Cyber criminals caused unprecedented levels of disruption by focusing their exploits on relatively simple IT tools and cloud services.”
Malware families are on the increase with more than 100 new families released in the wild. 36% of those are ransomware attacks.
Attackers are also becoming greedier through their ransom demands - the average ransom has increased 266% to an average of $1077 from just $294 in 2015. 34% of global ransomware victims will pay the ransom.
The survey also found increasing attacks against the US as part of political subversion and targeted sabotage. It’s not just political election attacks that are gaining momentum - nation states (particularly North Korea) are also going after banks in Bangladesh, Vietnam, Equador and Poland.
Shaw says New Zealand has little to worry about.
“Do we expect that to happen in New Zealand? No, I don’t think so. We don’t have a target on our back as much as the US elections, nor a determined attacker, nation state or attack group behind us,” he says.
CIOs are finding it difficult to keep track of how many cloud apps their organisations use. Most assume the number is up to 40 apps, when in reality there are almost 1000. Symantec believes that this disparity can lead to insufficient security policies and procedures, and that CIOs must get a grip - fast.
Cloud services are also at risk. Symantec cites a case in which cloud databases from a single provider were hijacked and ransom, because users left outdated databases open and without authentication enabled.
Symantec’s advice for businesses:
- Don’t get caught flat-footed: Use advanced threat intelligence solutions to help you find indicators of compromise and respond faster to incidents.
- Prepare for the worst: Incident management ensures your security framework is optimised, measurable and repeatable, and that lessons learned improve your security posture. Consider adding a retainer with a third-party expert to help manage crises.
- Implement a multi-layered defence: Implement a multi-layered defence strategy that addresses attack vectors at the gateway, mail server and endpoint. This also should include two-factor authentication, intrusion detection or protection systems (IPS), website vulnerability malware protection, and web security gateway solutions throughout the network.
- Provide ongoing training about malicious email: Educate employees on the dangers posed by spear-phishing emails and other malicious email attacks, including where to internally report such attempts.
- Monitor your resources – Make sure to monitor your resources and networks for abnormal and suspicious behaviour, and correlate it with threat intelligence from experts.
“One of the biggest things that businesses can be doing is making sure their employees are educated and aware. You can have all the technology in the world but without employees making the right decisions, that can be the difference between a significant outage or loss. Or it could be a good outcome when they’ve reported something and that’s been shut down,” Shaw concludes.