Cisco 2018 Annual Cybersecurity Report: Self-spreading malware can sink the entire Internet

In a match, the striker has the initiative. Can the defender still predict the future, though? Cisco believes so when it publishes its security report today.

The Cisco 2018 Annual Cybersecurity Report studies what attackers have done in the last 18 months, and new trends detected in malware, cloud and so on. We security enthusiasts at Cisco’s Gold Partner Conscia Netsafe have a quick summary of the report’s 68 pages for you here:

Malware being developed as never before

Network-based ransomware cryptoworms makes it possible for ransomware attacks to start without human involvement. Self-spreading malware is fatal and could sink the entire Internet, according to Cisco’s experts.

Hackers exploit legitimate cloud services even more

Attackers work hard at circumventing Sandbox protection and extract maximum use from encryption. Even legitimate channels like Google, Dropbox and GitHub are used for its command and control traffic (C2), making it virtually impossible to trace.

Hackers recycle more and more of their infrastructure such as email addresses, autonomous system numbers (ASN) and name servers. They send out several attacks from the same domain.

“Previously, it was virtually only government agencies and security services that use legitimate cloud services to carry out data breaches. Today the framework for this is available to anyone to download at home and use via the Darknet,” says Henrik Bergqvist, Head of Cybersecurity at Cisco AB.

“When it is possible to use services like Gmail and Dropbox to orchestrate an attack, it places entirely different demands on the company to protect itself. Before it was “easy” to detect Internet traffic to a suspicious server and block it. When this is now happening via legitimate cloud services it is far more difficult to identify what is harmful traffic,” says Bergqvist in closing.

Hackers are using the Internet of Things even more

The fast-growing number of unpatched and unmonitored IoT devices is a growing vulnerability. Organisations with a lot of IoT devices are also slow to react to threats, according to Cisco. IoT Botnet is growing and becoming more automated – and is being used for much more advanced DDoS attacks. At the same time companies are having a hard time protecting IoT and cloud environments, often because the division of responsibility is not clear.

What should we do?

Cisco 2018 Security Capabilities Benchmark Study shows how 3,600 respondents in different countries work with security – and that they have big challenges today.

  • Implement first-line-of-defence tools that can be scaled (for example cloud-based)
  • Implement policies and routines for application, systems and patching
  • Segment the network
  • Implement next generation client security (roughly translated from endpoint process monitoring tools)
  • Get good threat intelligence data in good time, and processes for using it.
  • Make deeper and more advanced analyses
  • Review and practice security response procedures
  • Back up data often and test restore procedures
  • Review third party security routines to reduce the risk of attacks through the supply chain
  • Scan micro services, cloud services and application management systems
  • Review security systems and the possibilities of using SSL Analytics and if possible, SSL decryption.

Companies should also consider incorporating security solutions that include machine learning and AI. When malware is hiding its communication in encrypted web traffic, and harmful users on the inside are sending sensitive data through cloud services the security teams needs more effective tools.

“In addition to the above recommendations, I see a big need to train staff on threats, with training courses and with fake deception emails. It is also important to invest in trained IT security personnel, either internally or with the vendor,” comments Mikael Gustafsson, senior network and security consultant at Conscia Netsafe.

“Because IT threats are becoming more advanced, more qualified decisions must be made, everything from risk assessing IT systems to correctly training staff and fine adjustments to security products, etcetera,” Gustafsson says in closing.

Cloud technology is the solution

When attackers use encrypted and legitimate services it becomes harder to find already identified threats. One problem is the enormous and rapidly growing amount of potentially harmful traffic that companies must handle. The amount of malware increased more than tenfold in the last 20 months according to Cisco, which affects how fast malware can be detected (Time to detection, TTD*).

The median time for Cisco to detect malware during this period is 4,6 hours, compared to 39 hours in 2015 and 14 hours in 2015-2016. Cloud-based security solutions have been crucial for Cisco to limit detection time as it permits scaling even though the number of total events and endpoints are increasing. Locally installed security solutions would be hard pressed to offer the same flexibility.

Cisco concludes by saying that designing a security solution that can handle more than ten times the expected malware volume over two years – at the same response times – would be extremely difficult and costly for any organisation.

*Cisco defines ”Time to detection”, TTD as the time from infiltration to when the threat is detected. Through Cisco’s opt-in security telemetry from solutions around the world, it is possible to measure the time from downloading a malicious file until it is identified as threat. Median TTD is the average of the monthly medians during the period, in this case from January 2016 until October 2017.