The potential for “destruction of service” (DeOS) attacks is greatly concerning and organizations would be well-advised to adopt a proactive cyber stance in their protection efforts to combat increasingly sophisticated attackers, warns a new report from Cisco.
“Cyber incidents such as WannaCry and Nyetya show the rapid spread and wide impact of attacks that look like traditional ransomware, but are much more destructive,” the firm cautioned Thursday in releasing the Cisco 2017 Midyear Cybersecurity Report.
“These events foreshadow what Cisco is calling destruction of service attacks, which can be far more damaging, leaving businesses with no way to recover,” the company notes. “These could eliminate organizations’ back-ups and safety nets, required to restore systems and data after an attack,” it explains.
The WannaCry and Nyetya attacks show “adversaries are becoming more and more creative in how they architect their attacks,” Steve Martino, vice president and chief information security officer at Cisco, says in the statement.
“How DeOS attacks will play out and what they will look like depends on the threat actors’ core motivations and the limits of their creativity and capabilities,” the latest report adds.
“While the majority of organizations took steps to improve security following a breach, businesses across industries are in a constant race against the attackers. Security effectiveness starts with closing the obvious gaps and making security a business priority,” Martino comments in the statement.
Examining the latest threat intelligence gathered by Cisco Collective Security Intelligence, the report offers data-driven industry insights and cyber security trends from the first six months of 2017, along with recommendations to improve security posture.
Cisco recommends that organizations take a proactive stance in their protection efforts, by doing the following:
keep infrastructure and applications up to date, so attackers cannot exploit publicly known weaknesses;
battle complexity through an integrated defence and limit siloed investments;
engage executive leadership early to ensure complete understanding of risks, rewards and budgetary constraints;
establish clear metrics and use them to validate and improve security practices;
examine staff security training with role-based training versus one-size-fits-all; and
balance defence with an active response (do not “set and forget” security controls or processes).
Experience in the first half of the year shows that use of malware is evolving, with Cisco security researchers identifying “shifts in how adversaries are tailoring their delivery, obfuscation and evasion techniques. Specifically, Cisco saw they increasingly require victims to activate threats by clicking on links or opening files,” the statement explains.
“They are developing fileless malware that lives in memory and is harder to detect or investigate as it is wiped out when a device restarts.”
Also of concern are developments around the Internet of Things (IoT), which could put certain key industries in harm’s way if steps are not taken to “improve security posture as information technology and operational technology converge,” the statement notes.
With IoT, Cisco reports key industries are bringing more operations online, thereby increasing attack surfaces and the potential scale and impact of these threats.
IoT “continues to offer new opportunities for cyber criminals, and its security weaknesses, ripe for exploitation, will play a central role in enabling these campaigns with escalating impact,” the statement notes.
“Recent IoT botnet activity already suggests that some attackers may be laying the foundation for a wide-reaching, high-impact cyber-threat event that could potentially disrupt the Internet itself,” it continues.
The report also identifies other threats that are on the rise:
spam volumes are significantly increasing, as adversaries turn to other tried-and-true methods, like email, to distribute malware and generate revenue – the expectation is the volume of spam with malicious attachments will continue to rise while the exploit kit landscape remains in flux;
spyware and adware bring risks to corporate environments, including stealing user and company information, weakening the security posture of devices and increasing malware infections;
growth of ransomware-as-a-service makes it easier for criminals, regardless of skill set, to carry out attacks; and
business email compromise (BEC), a social engineering attack, involves an email designed to trick organizations into transferring money to attackers and is becoming highly lucrative.
“Revenue generation is still the top objective of most threat actors,” the report notes. “However, some adversaries now have the ability – and often now, it seems, the inclination – to lock systems and destroy data as part of their attack process.”
“The dramatic increases in cyber attack frequency, complexity and size over the past year suggest that the economics of hacking have turned a corner,” the report notes.
Citing observations from Radware, the report says the modern hacking community is benefiting from the following:
quick and easy access to a range of useful and low-cost resources;
a dramatic increase in the number of high-value, increasingly vulnerable targets putting more and more valuable information online; and
a level of maturity in the shadow economy, and with the Internet, that provides malicious actors with efficiency, security, and anonymity.
“As criminals continue to increase the sophistication and intensity of attacks, businesses across industries are challenged to keep up with even foundational cybersecurity requirements,” the statement notes.
“Malicious actors are taking advantage of that ever-expanding attack surface. The breadth and depth of recent ransomware attacks alone demonstrate how adept adversaries are at exploiting security gaps and vulnerabilities across devices and networks for maximum impact,” the report states.
“It is important for defenders to understand changes in adversaries’ tactics so that they can, in turn, adapt their security practices and educate users,” the report further advises.
Cisco’s Security Capabilities Benchmark Study – which involved surveying almost 3,000 security leaders across 13 countries – found that “across industries, security teams are increasingly overwhelmed by the volume of attacks. This leads many to become more reactive in their protection efforts,” the statement notes.
Even in the most responsive industries (such as finance and healthcare), businesses are mitigating less than 50% of attacks they know are legitimate, the findings show.
Across most industries, breaches drove at least modest security improvements in at least 90% of organizations, the survey found. That said, some industries (such as transportation) are less responsive, at slightly more than 80%.
Other findings include the following:
for the public sector, 32% of the threats investigated were identified as legitimate threats, but only 47% of those legitimate threats are eventually remediated;
for the retail sector, 32% of respondents report they had lost revenue as a result of attacks in the past year with about a quarter losing customers or business opportunities;
for the manufacturing sector, 40% of security professionals there say they do not have a formal security strategy, nor do they follow standardized information security policy practices; and
for the utilities sector, security professionals note that targeted attacks (42%) and advanced persistent threats (40%) were the most critical security risks to their organizations.
“Complexity continues to hinder many organizations’ security efforts,” suggests David Ulevitch, Cisco’s senior vice president and general manager of its Security Business Group.
“To effectively reduce time to detection and limit the impact of an attack, the industry must move to a more integrated, architectural approach that increases visibility and manageability, empowering security teams to close gaps,” Ulevitch advises.