Report: Attacks will happen, so reduce the time to detection
- By Kevin McCaney
- Aug 03, 2015
As hackers get shiftier, more agile and nastier, organizations trying to defend their networks need to realize they’re not going to prevent every intrusion and focus on shortening the amount of time it takes to detect one. Also, don’t trust Jane Austen.
Those are two of the findings in Cisco’s recently released Mid-Year Security Report, which details, among other things, the rise of exploit kits, the return of Flash attacks and the increasingly slippery evasive tactics cyber criminals and other bad actors are using to cover their tracks.
Shortening the time to detection is something that would have benefited the Office of Personnel Management, for instance, since the hacks revealed in June that exposed the information of more than 22 million current, former and prospective Defense Department personnel and contractors went on for months before being discovered.
As far as types of attacks go, one of the trends the report cites is the greater use of the Angler Exploit Kit, which takes what Cisco calls innovative use of Flash, Java, Internet Explorer and Silverlight vulnerabilities, and uses domain shadowing—using stolen domain credentials to redirect traffic through lists of subdomains—to avoid detection.
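Domain shadowing leaves a footprint that defenders can look for in their own DNS resolution logs: a burst of never-before-seen subdomains under an otherwise legitimate registered domain, resolving to addresses the domain has never used. The heuristic below is an added example written for this article, not code from Cisco or the report; the log lines, the baseline of known hostnames and the IP addresses are all constructed, and `registered_domain` uses a last-two-labels simplification where a real implementation would consult the public-suffix list.

```python
from collections import defaultdict

# Constructed sample DNS resolution log: timestamp, queried name, resolved IP.
# Four throwaway subdomains under example-legit.com resolve to addresses that
# domain has never used, which is the domain-shadowing pattern described above.
SAMPLE_DNS_LOG = """\
2015-07-01T10:00:01 www.example-legit.com 203.0.113.10
2015-07-01T10:00:05 mail.example-legit.com 203.0.113.11
2015-07-01T10:02:13 k7d2x1.example-legit.com 198.51.100.7
2015-07-01T10:02:40 q9zp44.example-legit.com 198.51.100.7
2015-07-01T10:03:02 b3mm0r.example-legit.com 198.51.100.9
2015-07-01T10:03:30 zz81aq.example-legit.com 198.51.100.9
2015-07-01T10:04:00 www.example-other.org 192.0.2.5
2015-07-01T10:04:30 blog.example-other.org 192.0.2.5
"""

# Constructed baseline: hostnames this organization had already seen before today.
KNOWN_HOSTS = {
    "www.example-legit.com",
    "mail.example-legit.com",
    "www.example-other.org",
    "blog.example-other.org",
}


def registered_domain(fqdn):
    """Return the registrable domain (simplified to the last two labels;
    a production version would use the public-suffix list)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text):
    """Parse 'timestamp name ip' lines into (timestamp, name, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, ip = line.split()
        records.append((ts, name.lower(), ip))
    return records


def find_shadowed_domains(records, known_hosts, min_new_subdomains=3):
    """Flag registered domains with many never-seen subdomains that resolve
    to IPs outside the set used by that domain's known hostnames."""
    baseline_ips = defaultdict(set)   # IPs used by hostnames we already knew
    new_subdomains = defaultdict(set)
    new_ips = defaultdict(set)
    for _ts, name, ip in records:
        dom = registered_domain(name)
        if name in known_hosts:
            baseline_ips[dom].add(ip)
        else:
            new_subdomains[dom].add(name)
            new_ips[dom].add(ip)
    flagged = {}
    for dom, subs in new_subdomains.items():
        foreign = new_ips[dom] - baseline_ips[dom]
        if len(subs) >= min_new_subdomains and foreign:
            flagged[dom] = {
                "new_subdomains": sorted(subs),
                "foreign_ips": sorted(foreign),
            }
    return flagged


if __name__ == "__main__":
    for dom, info in find_shadowed_domains(parse_dns_log(SAMPLE_DNS_LOG), KNOWN_HOSTS).items():
        print(dom, info)
```

The threshold and the baseline are deliberately simple; in practice the baseline of known hostnames and IPs comes from passive DNS history, and the alert is a lead for analysts to confirm at the registrar, since a legitimate CDN migration can produce a similar burst.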
“Angler has increased its penetration rate twofold,” in the first half of this year, Jason Brvenik, principal engineer for Cisco’s Security Business group, said in an interview. And Angler is effective, he said: Four out of 10 Angler landing pages cause compromises.
And while criminals are making greater use of the Tor anonymous network and the Invisible Internet Project to stay hidden, some exploit kit developers are also trying a new trick, using excerpts from Jane Austen’s “Sense and Sensibility” on their landing pages to try to fool antivirus and other security software into thinking the pages are legitimate.
Some other trends highlighted in the report include the return of Flash as an attack vector, the decline of Java as an exploit target and the reappearance of some old attacks.
In addition to being included in Angler’s sophisticated arsenal, Flash exploits are on the rise overall. There was a 66 percent jump in Adobe Flash Player vulnerabilities in the first six months of the year, the report states, putting it on pace to set a new record for vulnerabilities reported by the Common Vulnerabilities and Exposures database maintained by US-CERT and Mitre Corp.
The biggest culprit in the revival of Flash is that so many organizations either lack automated patching or just don’t get around to it in a timely manner. “Patching,” Brvenik said, “continues to be a pain point.”
For a little bit of good news, exploits involving Java, for years considered the biggest security risk to U.S. computers, were on the decline in the first half of 2015, continuing a trend from last year.
Meanwhile, “we’re seeing some old stuff come back,” Brvenik said, such as macro viruses used to extract information from Word and other Microsoft Office documents. However, some of those old macro viruses are being delivered in a new way, through fast-morphing Dridex attacks that arrive via email and regularly and quickly change the email content, attachments and other features, forcing antivirus to detect them over and over again.
And while old attacks, regardless of how they’re delivered, might not seem to have the level of sophistication that would worry government, they can do damage. The “Operation Buckshot Yankee” attack from 2008, which resulted in the largest breach in U.S. military history and prompted the Pentagon to completely revamp its security strategy, was the work of a fairly unsophisticated worm.
“There’s no shortage of mundane, unsophisticated attacks achieving a level of success,” Brvenik said.
The bottom line is that, although organizations have made some security improvements in recent years, such as mitigating vulnerabilities in open-source solutions, attackers are staying a step ahead, according to Cisco’s report. One answer: accept the fact that some attacks will get through and reduce the time it takes to detect them, thereby limiting damage.
The current industry standard for time to detection is 100 to 200 days, Brvenik said, an amount of time that’s not good enough against today’s fast-moving threats. One answer is retrospective analysis, a technique that, in Cisco’s tests with Angler, reduced that time to detection to 46 hours.
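Retrospective analysis shortens time to detection because a verdict that arrives days after a file was first seen is applied backwards over everything already recorded, instead of waiting for the file to show up again. The script below is an added illustration for this article, not Cisco’s implementation: the sighting records, hostnames and hash values are constructed placeholders, and the 46-hour gap in the sample is chosen to match the figure quoted above, not measured.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sighting:
    seen_at: datetime
    host: str
    sha256: str


# Constructed file-sighting records: when each host first saw a given file.
# The hash strings are placeholders, not real indicators.
SAMPLE_SIGHTINGS = """\
2015-03-02T10:15:00 host-a sha256:aaaa1111
2015-03-03T09:00:00 host-b sha256:aaaa1111
2015-03-03T12:30:00 host-c sha256:bbbb2222
2015-03-06T14:00:00 host-d sha256:aaaa1111
"""

# Constructed: the moment a verdict arrives declaring sha256:aaaa1111 malicious.
VERDICT_AT = datetime(2015, 3, 4, 8, 15, 0)
BAD_HASH = "sha256:aaaa1111"


def parse_sightings(text):
    """Parse 'timestamp host hash' lines into Sighting records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, digest = line.split()
        out.append(Sighting(datetime.fromisoformat(ts), host, digest))
    return out


def retrospective_detect(sightings, bad_hash, verdict_at):
    """Apply a new verdict backwards over recorded history: return every host
    that already saw the file and the time from its first sighting to the verdict."""
    past = sorted(
        (s for s in sightings if s.sha256 == bad_hash and s.seen_at <= verdict_at),
        key=lambda s: s.seen_at,
    )
    if not past:
        return {"hosts": [], "time_to_detection": None}
    return {
        "hosts": sorted({s.host for s in past}),
        "time_to_detection": verdict_at - past[0].seen_at,
    }


def hosts_missed_without_lookback(sightings, bad_hash, verdict_at):
    """Hosts a point-in-time scanner would never flag: they saw the file only
    before the verdict existed and never saw it again afterwards."""
    before = {s.host for s in sightings if s.sha256 == bad_hash and s.seen_at <= verdict_at}
    after = {s.host for s in sightings if s.sha256 == bad_hash and s.seen_at > verdict_at}
    return sorted(before - after)


if __name__ == "__main__":
    sightings = parse_sightings(SAMPLE_SIGHTINGS)
    result = retrospective_detect(sightings, BAD_HASH, VERDICT_AT)
    print("compromised hosts:", result["hosts"])
    print("time to detection:", result["time_to_detection"])
    print("missed without lookback:", hosts_missed_without_lookback(sightings, BAD_HASH, VERDICT_AT))
```

The key design point is that `retrospective_detect` never needs the file to reappear: host-a and host-b are found the moment the verdict lands, whereas a scanner that only evaluates files as they arrive would catch host-d later and miss the first two entirely.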
Among Cisco’s other recommendations are moving toward an integrated defense architecture that has security embedded throughout, rather than relying on point solutions, and making use of services to provide elements of security, something that could help make up for the current shortage in cybersecurity talent.
Brvenik also said that customers, such as those in DOD, should contractually demand that vendors are transparent about the security of their products and all steps in the supply chain.
On a large scale, the report said, the United States and other nations need to develop a global cyber governance framework that can help protect networks and data and support economic growth without compromising privacy.
Kevin McCaney is a former editor of Defense Systems and GCN.