“Our just-released 2016 Cisco Annual Security Report (ASR) presents a challenging cybersecurity landscape: cyber defense teams are fighting to keep up with rapid global digitization while trying to integrate dozens of vendor solutions, speed up detection, and educate their organizations from top to bottom. Meanwhile attackers grow more bold, flexible, and resilient by the day, setting up professional infrastructures that look a lot like what we’d find in legitimate businesses. On the global front, we see fluctuations in cyber Internet governance across regions, which inhibits collaboration and the ability to respond to attacks,” says John Stewart, Senior Vice President, Chief Security and Trust Officer.
The Cisco 2016 Annual Security Report—which presents research, insights, and perspectives from Cisco Security Research—highlights the challenges that defenders face in detecting and blocking attackers who employ a rich and ever-changing arsenal of tools.
In this report, Cisco security researchers highlight the tactics that threat actors use to build a solid infrastructure to make their campaigns stronger and more effective. Adversaries continue to adopt more efficient methods for boosting their profits—and many are paying special attention to harnessing server resources.
“Today, some emboldened cybercriminals are tapping into legitimate online resources. They leach server capacity, steal data, and demand ransoms from online victims whose information they hold hostage.”
Major Developments and Discoveries
The DNS Blind Spot: Attacks Using DNS for Command and Control
Cisco’s analysis of malware validated as “known bad” found that the majority of that malware—91.3 percent—uses the Domain Name Service in one of three ways: to gain command and control, to exfiltrate data, or to redirect traffic. Despite adversaries’ reliance on DNS to further malware campaigns, few companies monitor DNS for security purposes (or monitor DNS at all).
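To show what closing this blind spot looks like in practice, here is an added example (written for this page, not code from the Cisco report) that runs two simple heuristics over constructed resolver log lines: many long, unique subdomains under one domain, which is how data is carried out in queries, and fixed-interval lookups from one client, which is how command-and-control check-ins tend to appear. The log format, thresholds, and `.invalid` domain names are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed resolver log lines (not real data): timestamp, client IP, qtype, qname.
SAMPLE_LOG = """\
2016-01-20T09:00:00 10.1.1.5 A www.example.com
2016-01-20T09:00:01 10.1.1.5 TXT mfrggzdfmztwq2lknnwg23tpobyxe43u.tunnel-test.invalid
2016-01-20T09:00:01 10.1.1.5 TXT nbswy3dpfqqhg2dfnrwca2lon2xgkzlq.tunnel-test.invalid
2016-01-20T09:00:04 10.1.1.5 TXT krugkidrovuwg2zamjzg653oebsw4ylt.tunnel-test.invalid
2016-01-20T09:00:12 10.1.1.5 TXT onswy3dpe5xw64tmmqqgm33vojxq2lon.tunnel-test.invalid
2016-01-20T09:00:13 10.1.1.5 TXT ojswc3tforsxe4tjnzsq2lon2xgkzlq2.tunnel-test.invalid
2016-01-20T09:05:00 10.1.1.7 A beacon.c2-test.invalid
2016-01-20T09:10:00 10.1.1.7 A beacon.c2-test.invalid
2016-01-20T09:15:00 10.1.1.7 A beacon.c2-test.invalid
2016-01-20T09:20:00 10.1.1.7 A beacon.c2-test.invalid
2016-01-20T09:07:13 10.1.1.9 A mail.example.com
"""

def parse_line(line):
    ts, client, qtype, qname = line.split()
    return datetime.fromisoformat(ts), client, qtype, qname.lower().rstrip(".")

def base_domain(qname):
    # Naive: last two labels. A real deployment needs a public-suffix list.
    return ".".join(qname.split(".")[-2:])

def analyze_dns(lines, min_labels=4, min_label_len=20, min_beacons=3, max_jitter=5.0):
    """Return {base_domain: set of findings} for tunneling-style exfiltration and beaconing."""
    labels = defaultdict(set)   # domain -> distinct leftmost labels seen
    times = defaultdict(list)   # (client, domain) -> query timestamps
    for line in lines:
        if not line.strip():
            continue
        ts, client, qtype, qname = parse_line(line)
        dom = base_domain(qname)
        parts = qname.split(".")
        if len(parts) > 2:
            labels[dom].add(parts[0])
        times[(client, dom)].append(ts)
    findings = defaultdict(set)
    for dom, labs in labels.items():
        # Many long, never-repeated subdomains: the query names themselves carry data.
        if len(labs) >= min_labels and statistics.mean(map(len, labs)) >= min_label_len:
            findings[dom].add("tunneling")
    for (client, dom), ts_list in times.items():
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        # Regular polling with almost no jitter from one client: a check-in pattern.
        if len(gaps) >= min_beacons and max(gaps) - min(gaps) <= max_jitter:
            findings[dom].add("beaconing")
    return dict(findings)
```

Thresholds are deliberately conservative; in production you would tune them against the baseline of the specific resolver and whitelist known CDN and telemetry domains that legitimately generate long unique labels.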
Browser Infections: Widespread—and a Major Source of Data Leakage
Malicious browser extensions can be a major source of data leakage for businesses and are a widespread problem. We estimate that more than 85 percent of organizations studied are affected by malicious browser extensions.
Adobe Flash Tops Vulnerabilities List
The Adobe Flash platform has been a popular threat vector for criminals for several years. Flash vulnerabilities still turn up frequently on lists of high-urgency alerts. However, Cisco researchers believe that the protections now built into some commonly used web browsers and operating systems will lessen criminals’ reliance on Flash.
Encryption: A Growing Trend—and a Challenge for Defenders
“Observing the trends of 2015, our researchers suggest that encrypted traffic, particularly HTTPS, has reached a tipping point. While not yet the majority of transactions, it will soon become the dominant form of traffic on the Internet.” Although encryption can help protect consumers, it also can undermine the effectiveness of security products, making it more difficult for the security community to track threats.
“Organizations have become better at encrypting data when it is transmitted between entities, but data at rest is often left unsecured. Many of the most notable breaches in the last few years have taken advantage of unencrypted data stored in the data center and other internal systems. For attackers, this is like following a secured supply truck to an unlocked warehouse.”
Online Criminals Increase Server Activity on WordPress
Online criminals are continually on the lookout for methods to add efficiency and cost savings to their operations—along with new ways to evade detection. Increasingly, cybercriminals are finding this efficiency within websites created using WordPress, the popular website and blog development platform. In WordPress sites, attackers can take control of a steady stream of compromised servers to create an infrastructure that supports ransomware, bank fraud, or phishing attacks.
Aging Infrastructure: A Problem 10 Years in the Making
Aging, outdated IT infrastructure is a vulnerability for organizations. As we move closer to the Internet of Things (IoT)—and the Internet of Everything (IoE)—it becomes more important for businesses to make sure they are relying on a network infrastructure that is secure, thus ensuring the integrity of the data and communications traversing the network.
Recommendations: Responding to the Reality Check
As our Security Benchmark Capabilities Study shows, reality has set in for security professionals. Security professionals’ confidence in their readiness to block attackers is wavering.
Enterprises should continue to raise their awareness of their security preparedness, and security professionals must champion the growth of budgetary outlays to support technology and personnel. In addition, confidence will rise when security practitioners deploy tools that can not only detect threats, but also contain their impact and boost understanding of ways to prevent future attacks.
A Look Forward
Geopolitical Perspective: Uncertainty in the Internet Governance Landscape
In the post–Edward Snowden era, the geopolitical landscape for Internet governance has changed dramatically. There is now pervasive uncertainty surrounding the free flow of information across borders.
End-to-end encryption—how it benefits consumers and organizations, and the challenges it creates for law enforcement in their investigations of criminal and terrorist activity—will also be a topic of much debate between governments and industry in the year ahead.
Some governments are expressing great concern about the rise of a market for unpatched vulnerabilities—so-called weaponized software. Such tools are vital to the security research community as it looks for ways to protect networks around the globe. But in the wrong hands, particularly those of repressive regimes, this technology, intended for good, could be used for financial crime, to steal national and commercial secrets, to suppress political dissent, or to disrupt critical infrastructure.
Time to Detection: The Race to Keep Narrowing the Window
We define “time to detection,” or TTD, as the window of time between the first observation of an unknown file and the detection of a threat.
Since May 2015, Cisco has reduced the median time to detection (TTD) of known threats in our networks to about 17 hours—less than one day. This far outpaces the current industry estimate for TTD, which is 100 to 200 days.
The Six Tenets of Integrated Threat Defense
The report underscores the value of moving to an integrated threat defense architecture as a way to combat threats.
“An integrated threat defense architecture is a detection and response framework that offers more capabilities and supports faster threat responses by collecting more information from deployed infrastructure in an automated, efficient manner. The framework observes the security environment more intelligently. Instead of just alerting security teams to suspicious events and policy violations, it can paint a clear picture of the network and what’s happening on it to help inform better decision-making around security.”
Cisco presents six tenets of integrated threat defense to help organizations, and their security vendors, better understand the intent and potential benefits of such an architecture:
1. A richer network and security architecture is needed to address the growing volume and sophistication of threat actors.
2. Best-in-class technology alone cannot deal with the current—or future—threat landscape; it just adds to the complexity of the networked environment.
3. More encrypted traffic will require an integrated threat defense that can converge on encrypted malicious activity, which renders particular point products ineffective.
4. Open APIs are crucial to an integrated threat defense architecture.
5. An integrated threat defense architecture requires less gear and software to install and manage.
6. The automation and coordination aspects of an integrated threat defense help to reduce time to detection, containment, and remediation.
“It also means working toward a cohesive security landscape, where companies, industries, and governments communicate and collaborate to thwart cyber criminals, taking an integrated approach to threat defense that operates in near real time on our behalf.”
“Here’s my take on what we can all do now,” says John Stewart:
1. Senior leaders across organizations of all types must acknowledge, embrace, and own security as their strategy, not a CISO’s, and not just in IT.
2. Vendors that embed IT in their offerings must produce solutions that customers can trust and are designed with security in mind. We have to slow the vulnerability being introduced.
3. Adding “yet another vendor” cannot continue to be our answer. This just adds to the complexity of the security challenge and leaves companies more vulnerable to attacks. For cost, return on investment, efficacy, and to remain nimble, security efforts must be business led, architecturally delivered, and provably integrated and effective.
4. Increased attention, measurable results, added resilience, and focusing on what we can control are all possible now – so let’s capitalize on the moment before it’s too late.
The 2016 Cisco Annual Security Report analyzes the most compelling trends and issues in cybersecurity from Cisco security experts, providing insight on advancements made by both the security industry and the criminals hoping to breach defenses. Geopolitical trends, perceptions of cybersecurity risk and trustworthiness, and the tenets of an integrated threat defense are also discussed.