Mapping the cybersecurity threatscape for 2016


If you want to get a real-world handle on how the cybersecurity threatscape is being shaped, and therefore understand both threat evolution patterns and the best methods to mitigate against the resulting attacks, quarterly research reports are probably your best bet.

OK, so anyone who has read the ‘Mitigating Cybercrime Through Meaningful Measurement Methodologies’ paper which I co-authored with Ian Trump from LogicNow, will appreciate that I am no great fan of the reporting by numbers approach to security news.

However, this certainly doesn’t mean that there isn’t real value to be had from the research and analysis that comes out of vendors in the form of quarterly threat reports; value in the shape of mapping the cybersecurity threatscape that is.

As you might imagine, here at IT Security Thing we read a lot of such reports and spend a great deal of time analysing what the numbers actually mean. A lot of the time, truth be told, they don’t mean a whole lot; or at least not a whole lot new that we didn’t already know. When interesting trends do emerge, however, they are worth repeating.

So, without further ado, here’s a brief overview of the evolving threatscape as mapped by analysing myriad security research reports over the last few weeks.


First up is the ‘Security Engineering Research Team (SERT) Quarterly Threat Report for Q4 2015’ from managed security provider Solutionary, which appears to be a pretty broad analysis of the threatscape. IT Security Thing narrowed the focus a bit, and found that the most interesting statistic was a huge drop in reconnaissance activity.

Reconnaissance activity is the sum total of those processes used to identify targets for attack, and according to the Solutionary numbers it dropped by 76 percent from the previous quarter. As it had already dropped in Q3, this actually equates to a fall of 88 percent when compared to reconnaissance activity from Q2.

Now put this finding together with the fact that attack traffic spiked in Q4 2015, with observed malware jumping 236 percent. This could indicate that organisations have already been compromised in order to retain a persistent presence, one with the potential to expand laterally within the targeted environment.

In other words, add the drop in reconnaissance activity to the spike in attack traffic and you are most likely going to get an increase in targeted attacks to follow.

Next up on our list to look at was the ‘2016 Vormetric Data Threat Report’ that revealed some areas of concern over spending and the strategic security direction of many organisations. The report, produced in conjunction with 451 Research, found that 64 percent of organisations continue to equate compliance with security even when the data breach evidence before them suggests otherwise.

What is particularly worrying is that the ‘compliance does not guarantee security’ message isn’t getting through. The number who insisted that ‘compliance is very or extremely effective at preventing data breaches’ actually went up from 58 percent the previous year.

Vormetric also warns that investments in IT security controls are misplaced, in the sense that most focus on the perimeter, which is proving less than efficient in halting breaches or the kind of increasingly sophisticated cyberattacks we are seeing today. Needless to say, investments in compliance being at the top of the list, when it comes to setting IT security budget priorities, is also misplaced.

Interestingly, the UK seems to understand the cybersecurity threatscape a little better in this regard as the report suggests that reputation and brand protection are the biggest security spending drivers here. Compare that to Australia, Germany and the US where compliance requirements rule the budgeting roost.

Next we looked at Blue Coat, which recently acquired Elastica as part of a £500 million investment over recent years in the cloud security sector. The newly acquired Elastica CloudSOC platform provides insight into more than 60 million documents within cloud apps such as Microsoft 365, Salesforce and Google Drive. So it should come as no surprise that Blue Coat was keen to analyse that data in its Q4 2015 Shadow Data Report.

The key takeaway from the threatscape perspective revolves around shadow data. This shouldn’t come as too much of a surprise given the report name. Nor when you consider that employees are continuing to use cloud apps to share corporate data among partners and with customers alike.

What is more surprising is that the shadow data threat appears to be on the rise rather than flat or decreasing, given that awareness of the shadow IT problem is relatively high and organisations have plenty of options to address it.

Blue Coat analysis reveals that 26 percent of documents stored within cloud apps are broadly shared, with any employee having access. What’s more, 10 percent of shared documents contained sensitive data, or data that is subject to compliance regulations, such as source code (48%) and personally identifiable information (33%).

Overall, cloud app usage is increasing, with the number of apps per organisation rising from 774 to 812 compared to the previous quarter, and Microsoft Office 365 the most popular amongst them. As far as the cybersecurity threatscape is concerned, then, the primary threats this reveals organisations are facing from both sanctioned and shadow cloud apps are data exfiltration, data destruction and account takeover.

The ESET ‘Trends for 2016: (In)Security Everywhere’ report, coming out of ESET’s Research Labs, makes threatscape predictions based upon a trend analysis of the previous year’s threat events through a process of constant monitoring.

The ESET report, by its own admission, covers a lot of ground. The introductory section states that “taking into account discussion and examination of what has happened in technology, it is difficult to sum up everything in one phrase,” for example. What caught our attention here at IT Security Thing, however, was the section detailing the evolution of ransomware as this gels with our own analysis of the increasing importance of the threat.

ESET points out the growth in the number of ransomware variants over recent years, targeting various platforms and technologies. It also suggests that this evolutionary process has seen a focal shift from simply encrypting files to locking complete devices. This is evidenced by threats such as Android/Lockerpin.A, which modifies the unlock code of an Android smartphone to prevent the owner from accessing their own device.

Interestingly, the Foursys IT Security Survey also highlights the ransomware risk. Headline figures of note from this one include that, of the 15 percent of respondents who admitted a security breach during the course of 2015, 42 percent were apparently ransomware-driven attacks.

One ransomware attack even made the main BBC television news while we were writing this report. Lincolnshire County Council services were in a state of ongoing disruption following a ransomware attack that included a demand for a £1 million release fee to return access to essential systems and data.


At the time of writing, it is thought that this was a zero-day ransomware attack involving a previously unseen malware variant. This further confirms our gut feeling that ransomware is going to be a major feature of the 2016 cybersecurity threatscape.

Talking of major features, and current attacks, we cannot ignore the HSBC DDoS attack that took the banking giant’s online services down on 29 January 2016.

While obviously not addressing the HSBC attack itself, as it will be some time before we get a factual handle on who was behind that one, the Imperva Q4 2015 DDoS report reveals some interesting facts about the threat sector.

Most of the media will probably hang their headline hook on 39.8 percent of DDoS attacks originating out of China. However, that’s something of a red herring if you ask us as it doesn’t particularly help in either defining the threat or defending against it.

That there was a significant increase in attacks against UK sites, up by 20.7 percent, and that 10 percent of targets were attacked more than 10 times is more useful. These numbers should, at least, grab the attention of UK organisations and get them thinking about defensive strategies.

Specific detail, such as more than 80 percent of attacks lasting less than 30 minutes and being of the ‘short burst/high Mpps’ variety, should help shape that strategy. So should the data showing that network layer attacks were up by 25.3 percent over the previous quarter.

So there you have it, a quick exploration of the emerging cybersecurity threatscape map for 2016 as seen through an analysis of multiple threat reports from the last month. To sum up then, ransomware and DDoS will likely remain the big hitters, fuelled by highly targeted attacks and misjudged security spending.