A review of recent trends in cyber threats - Q4 2017
It is difficult to write a good news story for 2017 because the reality is that all threats are on the rise. The only silver lining is for professional thieves and for those working in IT security to stop them, because "business" has never been better for either. For the rest of us, hopefully some of these statistics will remind you to update your software, maintain strong and unique passwords, be careful what you download, and be careful what you click on. For those in IT, you also need to keep and monitor logs at every layer in the technology stack, be on constant lookout for behaviour changes in systems and people, and add additional layers to your defensive perimeter.
How big is the market for cyber security?
According to Cybersecurity Ventures, global spending on cyber security will exceed US$120 billion in 2017. The massive growth in this sector has fueled a baffling array of consultants, software vendors, cloud vendors, hardware vendors, managed service providers and more, all helping to protect our systems and data. It is an incredibly complex market that is very difficult to quantify. If we take Canada's share of global GDP, about 1.5%, as a proxy for our share of the security market, that puts local spending at roughly CAD $2.26 billion. What is fueling this dramatic investment in security technology that serves no direct revenue stream for buyers? It is the massive growth and globalization of hacking and the direct and indirect costs of a breach.
Ransomware is the new black - but that doesn’t mean that the others are going away
For those who don’t know the analogy, in fashion there is the notion that every year there is a hot new colour to replace the ever-popular black. This applies in security because every year there are new threat trends that dominate the minds of CEOs.
A few years ago it was all about high profile data breaches, last year everybody was talking DDoS, and in 2017 the market has brought ransomware to the dance. Every tradeshow and conference headlines on it, and new vendors are entering the market, including CIRA. We look to the DNS to help protect Canadians from phishing and malware (including ransomware). Despite the current focus on ransomware, the reality is that all types of attacks continue to grow because our IT systems have grown very complex and interconnected. This complexity, combined with the entrepreneurial speed at which organizations must move, creates vulnerabilities, which thieves call "opportunities". There is now a very clear path to nefarious profit enabled by the dark web, globalization, hard-to-trace cryptocurrencies, and proven payment models.
What do we mean by proven payment? At a Fall 2017 conference in Ottawa, Trend Micro presented that you could buy 100 credit card numbers for $19 and a complete identity for $5. These statistics predated the Equifax breach and a potential flood of new identities, meaning that the price for owning you has probably dropped even lower.
On the ransomware side of things, the average ransomware payout is reported to be somewhere between $700 and $1,000 depending on whose report you reference. This low average payout means that hackers aren't just targeting the big enterprises but are hitting local businesses and homeowners. Overall, it is estimated to be a billion dollar global "industry" for thieves! In Canada, while we have seen a few high profile incidents reported in universities and hospitals, we know that the vast majority of successful attacks go unreported because the damage to organizational reputation has traditionally outweighed the cost of just staying quiet. For individuals, we assume that many simply consider any hacking of their personal PC to be solved by a hard drive format and do not contact the authorities.
Interestingly, Canada gets far more than our fair share of malicious activity, likely due to our proximity to, and use of, services based in the USA. Cisco's 2017 mid-year security update included a map showing that Canada was the recipient of far more malware attacks than our network size would suggest, with a ratio of 6.2:1 blocks to network size. By comparison, the USA was only 0.7:1. While this measure is difficult to fully grasp, the critical learning is that we received almost 9X more malware blocks than we would expect based on our smaller size and our similarity to our southern neighbour.
Malware tools resemble commercial software
The malware used by hackers and thieves gets better and forks into different branches with increasing speed. It may surprise many people that ransomware tools can be easily downloaded and resemble commercial-grade software, complete with online help and multilanguage support. This makes sense because thieves want to make it as easy as possible to "buy" your own data back after they have encrypted it. Even if your users have been well trained on phishing tactics, mistakes are always a matter of when. The weak link in the security stack is still humans.
Ransomware is the latest and biggest threat in a family of malware that just keeps growing. Canadians still need to be on the lookout for phishing scams and software hijacking in the tools they download. As more of us become conditioned to do everything in the cloud the threat grows worse, as we are not always aware of where we are doing what. The family of malware includes adware, spyware, ransomware, worms, bots, rootkits, trojans, viruses, and more. Their goal in the past was to make money off your information, but today the goals have changed to using your system to exploit others and even using your system resources to mine cryptocurrency such as bitcoin. Overall, McAfee reports that total malware grew 23% in the four quarters leading up to Q2 2017, with mobile malware growing 61%!
CIRA is protecting over 225,000 users with our malware protection – what have we learned?
Since releasing the D-Zone DNS Firewall we have ramped up quite quickly due to being deployed in a number of large public organizations. This gives us a sufficient user base on which to evaluate malware trends seen in the wild in Canada. In the last 30 days alone we have blocked over 106,000 queries to nefarious sites. At best, each one has the potential to inconvenience users and IT administration; at worst, a successful attack can encrypt and lock down a system. In most cases when the Firewall was put in place, the customer also found instances of some pretty serious malware already on their network calling home to a command and control server.
The following chart provides a look at the top threats we have seen blocked at our customers. By far the largest category is malware already in the system attempting to call home, which means infected devices are already on the network. Notably, a large percentage of our customer base is academic, so they have a higher risk user base and a high proportion of BYOD in their environments. Among the other top threats we see some pretty nasty problems, with many of the top entries being malvertising campaigns like RoughTed. The good news is that a relatively small proportion of ransomware and DNS amplification queries were found.
Threats by type
Anecdotally, we also saw a few surprises. One customer lost access to one of their own operating websites, only to discover that it had been compromised and was being used as part of an online loan scam. Another found that access to an education site was blocked and realized that a seemingly benign place for solving multiplication tables was also inadvertently distributing malware. In other words, hackers don't just rely on fake websites to distribute content but hack into legitimate sites that aren't well protected. It is the reason that organizations need real-time updates to their threat blocking.
New Places to hide - domain names
One of the advantages of the more regulated domain name marketplace of the past was that in order to get a country-code top level domain, like a .CA, .UK, etc., you needed to provide proof of address. It made it more difficult to use a domain for nefarious purposes. Over on the .com side of things you had scarcity on your side. And finally, in both cases there was a cost to acquiring a domain. Today that has changed: with over 1,000 new TLDs and over 23 million domains registered in them, there are more places from which to launch phishing attacks. Moreover, many registries have offered very low cost promotions to help build market share. For example, at one point during its high growth phase, Blue Coat determined that 97% of the sites it observed on one TLD, .xyz, were being used for nefarious purposes. Some organizations go so far as to block entire TLDs due to their reputation.
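The two DNS-layer controls described above, blocking queries that match a threat feed (and reporting them by type, as in the chart of blocked threats) and blocking an entire TLD on reputation, come down to the same suffix-matching logic. The following is an added illustration written for this page, not CIRA's D-Zone code: a small resolver-log filter that applies a threat feed with RPZ-style suffix matching (an entry blocks the name and everything beneath it), adds a TLD block list, tallies the blocks by category, and lists the internal hosts that are repeatedly resolving a command-and-control name, since those are the already-infected devices worth isolating. The feed, the TLD list, the log format and every domain name and IP address are constructed for the example.

```python
"""Minimal DNS-firewall style filter over resolver query logs (added example).

All domain names, feed entries and log lines below are constructed for
illustration; the log format '<timestamp> <client-ip> <qtype> <qname>' is an
assumption, not any vendor's actual format.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed threat feed: domain -> threat category. As with RPZ-style feeds,
# an entry matches the domain itself and every label beneath it.
THREAT_FEED = {
    "c2.example-botnet.test": "malware callback",
    "ads.example-malvertising.test": "malvertising",
    "pay.example-ransom.test": "ransomware",
}

# Constructed policy: whole TLDs an organisation has chosen to block on reputation.
BLOCKED_TLDS = {"badtld"}


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'C2.Example.TEST.' still matches."""
    return name.rstrip(".").lower()


def classify(qname: str):
    """Return the threat category for a query name, or None if it is allowed."""
    labels = normalize(qname).split(".")
    if labels[-1] in BLOCKED_TLDS:
        return "blocked TLD"
    # Walk up the name: a.b.c2.example-botnet.test -> b.c2... -> c2.example-botnet.test
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in THREAT_FEED:
            return THREAT_FEED[suffix]
    return None


@dataclass
class Verdict:
    client: str
    qname: str
    category: str


def parse_line(line: str):
    """Parse one constructed log line into (client, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, _qtype, qname = parts
    return client, qname


def run(log_lines):
    """Classify every query.

    Returns (blocked verdicts, blocks per category, C2 callers per client IP).
    """
    verdicts = []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbled lines rather than crash the pipeline
        client, qname = parsed
        category = classify(qname)
        if category:
            verdicts.append(Verdict(client, qname, category))
    counts = Counter(v.category for v in verdicts)
    # A host repeatedly resolving a C2 name is already infected and calling home.
    callers = Counter(v.client for v in verdicts if v.category == "malware callback")
    return verdicts, counts, callers


SAMPLE_LOG = [  # constructed resolver log lines
    "2017-11-02T10:00:01 10.1.1.20 A intranet.example.test",
    "2017-11-02T10:00:02 10.1.1.20 A C2.Example-Botnet.TEST.",
    "2017-11-02T10:00:07 10.1.1.20 A c2.example-botnet.test",
    "2017-11-02T10:00:09 10.1.1.31 A cdn.ads.example-malvertising.test",
    "2017-11-02T10:00:11 10.1.1.31 A pay.example-ransom.test",
    "2017-11-02T10:00:12 10.1.1.45 TXT free-stuff.badtld",
    "garbled line",
]

if __name__ == "__main__":
    verdicts, counts, callers = run(SAMPLE_LOG)
    for v in verdicts:
        print(f"BLOCK {v.client} {v.qname} [{v.category}]")
    print("blocks by type:", dict(counts))
    print("hosts calling home:", dict(callers))
```

The suffix walk is what makes a feed entry for `c2.example-botnet.test` also catch `cdn.c2.example-botnet.test`, and the case and trailing-dot normalisation is what stops a trivial `C2.EXAMPLE-BOTNET.TEST.` from slipping past; the per-client tally of callback blocks is the list an administrator would hand to the desktop team.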
DDoS continues to be a growing threat that organizations face, and with the growth of security-challenged IoT we don't see this trend abating. Additionally, botnets like Necurs have infected millions of devices and can easily be recruited to launch many types of attacks.
Canada receives 7% of large DDoS attacks over 10 Gbps, giving us the dubious ranking of 5th in the world (Arbor Networks 12th Annual Worldwide Infrastructure Security Report)! Additionally, attack frequency is on the rise, so Canadian organizations need to continually manage and protect bandwidth in all the services related to delivering websites, services, and cloud applications. Of particular note is that service providers are most often targeted, and globally 86% have seen attacks. This makes sense because, when they are taken down, it amplifies the number of customers impacted. Among these types of attacks the DNS is an often targeted service. The DNS translates the human readable address typed into a web browser into the IP addresses that machines understand, so that when you request a web site or service the request gets to the server delivering it.
Top targeted countries for DDoS attacks greater than 10 Gbps by percentage
Excerpt from Arbor Networks 2017 Report
The last year or so saw some of the biggest news items hit the wire in a long while. Some of the big headline attacks were driven off the growth in IoT devices and in compromised servers. In this new era of easy to recruit attack resources and easily available (and open sourced) software, like Mirai, almost anyone can launch an attack. Some big events included a 600+ Gbps attack in September 2016 on a single blogger, shortly followed by a >1 Tbps attack on a large French hosting company, and culminating in "internetmageddon" with the October 2016 attack on Dyn that brought down many of its customers and impacted millions of Canadians' access to content and services.
Headlines were made and CEOs fired this year when Equifax suffered one of the worst breaches in history, but the problem puts all organizations at risk. Scalar's data survey showed that the average cost of a breach is $175K and that 51% of organizations surveyed have suffered a data loss.
79% of companies collect data from individuals.
21% of users trust companies with their data
- BSI Group
Business wants data, consumers don't trust them, and so governments are acting. Over 100 countries have laws to protect data, and these laws have been getting more teeth. For example, after years of planning, the General Data Protection Regulation (GDPR) in Europe goes into effect in 2018. It puts significant requirements on organizations to have full accountability for the data they collect. The good news is that the rules in Canada are already quite similar to those being put in place in Europe, so our government has been ahead of the game. Canadian organizations need to know with whom data is shared and how it is used, and have processes that provide appropriate access to the specific and required data within departments and to suppliers.
There is more good news for Canada, according to the Ponemon Institute. Our sleepy little country ranked lowest among the countries studied for the probability of a significant data breach, based on historical data. Interestingly, this is juxtaposed by a report from Risk Based Security Inc. that determined that Canada had the third largest number of data breaches in the world, with 59 instances, after the USA (1,357) and the UK (104). Taken together, this suggests that individual breaches in Canada have been smaller in scale than in other countries. We speculate that this is likely due to our relatively small number of global head offices.
Loss of key data is a factor in customer churn and has a real financial cost because, according to our research, 44% of Canadians are reluctant to do business with an organization after a data breach.
Small Business Impact
According to the Canadian Chamber of Commerce's Cyber Security in Canada paper, the Canadian economy is dominated by small business and 71% of breaches happen to small businesses, which probably lack the resources for adequate protection. In addition to breaches, a recent report from Malwarebytes shows that 81% of the SMBs they surveyed had experienced a cyber attack of some kind, and that the cost of the attacks was measured less in direct ransomware-type payouts than in significant system downtime.
Lastly, the federal government is in the process of proposing its own improvements to the PIPEDA regulations. Corporations in Canada may be legally obliged to report data breaches to both the authorities and the individuals affected within a short time after a breach is discovered. This is expected to dramatically increase the number of headlines on this issue and help organizations think a little more about their protection, especially since, as the Equifax situation illustrates, senior management jobs are on the line.
Ransomware is making the biggest headlines among all the malware out there in the wild. However, all the other threats continue to grow. Organizations need multiple layers of defence against these threats. These layers serve to protect each other and the core, and they are not just the purview of big business. Even very small businesses need security that is appropriate to the organization's size. For small organizations, a firewall in the cloud AND locally, using different threat data, along with appropriate desktop antivirus software, may be sufficient. For larger organizations, user-based security ideally works in tandem with, or is easy to add to, other forms of security at the application and network layers.
By working with cloud vendors like CIRA and our D-Zone DNS Firewall, organizations can easily add a layer of defence at low cost.