One Decade of Cyber Attack Data: Trustwave Research Findings…

Trustwave Chief Marketing Officer Steve Kelley

While annual cybersecurity spending hits $90 billion and the industry has come a long way in the last 10 years, we are now plagued by increasingly sophisticated malware obfuscation, social engineering tactics and advanced persistent threats (APT). So concludes Trustwave, a Top 100 MSSP, in the 10th edition of its annual Global Security Report.

The latest volume has a unique aspect to it: Trustwave compares and contrasts the cybersecurity landscape looking back 10 years, from its first study in 2008 through 2017. In the process, the managed security provider said it relied on its analysis of billions of logged security and compromise events worldwide, hundreds of hands-on data-breach investigations and internal research.

Here are some of Trustwave's top line observations spanning that time period, culled directly from the study’s authors: Basically we have gone from the macro and less virulent to the micro and far nastier.

  1. In 2008, the biggest threats were opportunistic attempts to steal money, card data, login credentials and other valuable information from as many victims as possible. Trustwave calls it “spray and pray.” Skilled, professional cyber attackers now have the resources, time and patience to perpetrate attacks against specifically chosen targets and breach nearly any network.
  2. In 2008, hackers took a far and wide approach. Now, cyber attackers plan significantly more sophisticated attacks. APTs have less urgency and more strategy behind them.
  3. Spam filters are better now. Ten years ago, 85 percent of all inbound email was spam. That figure has shrunk to 59 percent in 2016 and 39 percent last year. Today, a small number of criminal gangs using botnets to distribute malware control most spam.
  4. Cyber phishing is more tricky now. PDF files are on the rise as phishing lures with hackers tricking consumers into opening false files that steal their information.
  5. Bitcoin has emerged. Attacks seeking payment card information are down as cyber gangs turn to stealing cryptocurrencies.
  6. Vulnerabilities have spiked. A marked increase in vulnerability disclosures began in 2012 with a dramatic spike in 2017, in part owing to a doubling of internet users.
  7. Starting in 2006 with Web Attacker, exploit kits, which enable non-technical attackers to infect computers, flourished between 2013 and 2015. The exploit kit market is dormant now but likely will resurface as a profit source for hackers.

Here are some of the study’s findings:

  • North America breaches: North America leads in data breaches at 43 percent, followed by the Asia Pacific region at 30 percent, EMEA at 23 percent, and Latin America at four percent.
  • Retail breaches: At nearly 17 percent of breach incidents, retail is the industry leader, followed by finance and insurance at 13 percent and hospitality at 12 percent.
  • Bigger targets: Sophisticated attacks are aimed at larger targets. Half of the incidents investigated involved corporate and internal networks, up seven percent from 2016, followed by e-commerce at 30 percent. Incidents impacting point-of-sale systems have decreased noticeably to 20 percent of the total.
  • Human threat: Social engineering and phishing top the list of infection methods, confirmation that employee awareness remains the greatest hurdle for corporate cybersecurity teams. In corporate network environments, phishing and social engineering lead at 55 percent, followed by malicious insiders at 13 percent and remote access at nine percent. CEO fraud, a social engineering scam to trick executives into authorizing fraudulent money transactions, continues to increase.
  • Web applications: Every web application Trustwave tested showed at least one vulnerability, with 11 as the median number detected per application.
  • Web attacks: Many breach incidents showed signs of careful pre-planning by cyber criminals probing for weak packages and tools to exploit. Cross-site scripting was involved in 40 percent of attack attempts, while distributed denial of service was involved in only three percent.
  • Malware persistence: 30 percent of malware examined used obfuscation to avoid detection and bypass first line defenses but 90 percent used persistence techniques to reload after reboot.
  • Service providers: At nearly 10 percent of compromises targeting business, IT service provider attacks, aimed at web-hosting providers, POS integrators and help desk providers, have increased markedly. A successful hit on one provider opens the gates to a raft of new targets.
  • Detection: The median time between intrusion and detection for externally detected compromises was 83 days in 2017, a stark increase from 65 days in 2016. Median time between intrusion and detection for compromises discovered internally, however, dropped to zero days in 2017 from 16 days in 2016, indicating that businesses discovered the majority of breaches the same day they occurred.
  • Payment cards: At 40 percent, payment card information is the top dog for data targeted in a breach, dipping in incidence only slightly from 2016. Burglaries targeting hard cash rose to 11 percent mostly due to fraudulent ATM transaction breaches.
  • Email malware: At its peak, Necurs sends spam from between 200,000 and 400,000 unique IP addresses per day. Several major Necurs botnet campaigns for propagating ransomware, including WannaCry, banking trojans and other damaging payloads kept spam containing malware high at 26 percent, although that figure slid from nearly 35 percent in 2016.
  • Patching: The number of vulnerabilities patched in five of the most common database products was 119, down from 170 in 2016.

“As long as cybercrime remains profitable, we will continue to see threat actors quickly evolving and adapting methods to penetrate networks and steal data,” said Steve Kelley, Trustwave chief marketing officer. Security is as much a “people issue as it is a technology issue,” he said. To combat cyber crime, organizations must learn to “think and operate like an attacker.”

According to researcher IDC, worldwide spending on security-related hardware, software, and services is expected to hit $91.4 billion in 2018, an increase of about 10 percent from 2017. Managed security services will be the largest technology category in 2018 with firms spending nearly $18 billion for outsourced services, IDC said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.