The expanding attack surface
2017 was the year of digital transformation. Traditional network environments were upended by the rapid adoption of things like cloud infrastructure and cloud-based applications and services, the virtualization of data centers, the integration of billions of new, connected IoT devices, and the continued expansion of mobility, BYOD, and related applications.
Because this change has happened so rapidly, many organizations have had to scramble to find ways to extend security to new network ecosystems, devices, and applications. For example, organizations today use an average of about 200 different applications, ranging from productivity tools used internally, to consumer-facing applications that provide quick access to data and enable tap-of-the-screen transactions. These applications span from remote devices to cloud services, and mine deep into the data center for real-time information. The number of high-profile data breaches and the resulting theft of hundreds of millions of data files containing personally identifiable information (PII) is a testament to the risks associated with these changes.
One way organizations are attempting to address this challenge has been to simply encrypt traffic that moves between different network domains. As a result, over the past year encrypted traffic using HTTPS and SSL has grown from less than half of total network traffic to a record high of nearly 60%. While encryption can certainly help protect data in motion as it moves between core, cloud, and endpoint environments, it also represents a real challenge for traditional security solutions.
Inspecting encrypted traffic requires a significant amount of processing overhead, driving security throughput for many security devices to a crawl. Which is why many security vendors neglect to report performance numbers related to inspecting encrypted traffic. So, when speed is essential, many organizations have begun to bypass inspection for their encrypted data, assuming that if it is encrypted it is also protected. Which, of course, is wrong.
If the origin or destination device has been compromised, encryption has very little value. Even worse, encrypted tunnels are also an ideal way to transport malware into or across a network. Which is why organizations need to augment their encryption strategy with solutions designed to open, inspect, and re-encrypt traffic at network speeds.
The increasing volume of traffic needing inspection is further compounding the problem. Daily bandwidth used by organizations, for example, has grown from 6.3GB to 8.9GB, a nearly 71% increase. And according to IDC, the cloud adoption rate increased by 61% last year, making tracking and securing information along its entire data path increasingly difficult.
In addition, nearly 80% of network traffic travels east-west across the network between different devices and even network ecosystems. Unfortunately, in addition to the challenges related to increased data volumes needing inspection, many organizations do not have consistent security deployed between their core network, data centers, virtualized environments or cloud infrastructure. This fragmented security approach leaves gaps in inspection and protocols that are being exploited by today’s cyber criminals.
The increasing sophistication of cyber attacks
Over this past year we have seen the rise of the commoditization of cyber crime, with such things as Ransomware-as-a-Service and Malware-as-a-Service now commonly available on the dark web. We are also seeing advanced services being offered, such as a service known as FUD (fully undetected) that allows criminal developers to upload attack code and malware to an analysis service for a fee, and then receive a report as to whether security tools from different vendors can detect it. This allows them to refine their malware to better circumvent security devices used by a targeted organization.
In 2016, the Mirai shadownet was built using millions of vulnerable IoT devices, and was used to bring down a large chunk of the Internet. Because threats tend to be opportunistic – often generating copycat attacks – 2017 saw dozens of Mirai copycats, some more successful than others.
For example, six months after Mirai we saw the launch of the Hajime botnet. While it was built on the same basic foundation, it was significantly more sophisticated, including a set of built-in cybertools, cross-platform compatibility, and a dynamic password list that could be remotely updated. It also leveraged automation. For example, Hajime could monitor and learn traffic and behavior thresholds to detection, and identify and remove firewall rules used to detect this kind of malware. It could also target ISPs and MSSPs and remove the rules that allowed a CPE device to talk to the service provider. The goal was to cause millions of service provider devices to go dark simultaneously, with no heartbeat to see, control, or manage these devices.
Then, just this past November, we saw a new generation of IoT-based attacks known as Reaper. While it was built using some of Mirai’s original code, analysis showed that it had been armed with exploits covering nine different known vulnerabilities spanning a variety of IoT vendors, including NetGear, Linksys, GoAhead, and Avtech. More concerning, it was built using a Lua engine, which is an embedded programming language that enables remote updating to enhance attack options on the fly. Which clearly makes it another step forward in the evolution of IoT-based attacks. Add artificial intelligence and machine learning and you have a tool that can encounter new obstacles, learn how to resolve them, and then request or self-update its code to counter those challenges.
The evolution of IoT-based attacks is simply an example of the sorts of ongoing development of security exploits we can see and track that not only increases the sophistication of attacks, but also expands the number of attack vectors, and enables attacks to detect and adapt to previously unseen devices, applications, and platforms.
The impact of poor security hygiene
We have also seen basic security hygiene activities, such as patch and replace, being seriously neglected. Nearly every company saw an exploit in 2017 targeting a known vulnerability. In fact, 86% of companies reported experiencing an exploit for a CVE that was over 10 years old! The highest profile attacks of the year, such as WannaCry, targeted known vulnerabilities for which the manufacturers had already issued a patch. Equifax, for example, confirmed that attackers entered its system in mid-May by exploiting a web-application vulnerability that had a patch available since March, resulting in the loss of personally identifiable information of 143 million people.
If that wasn’t concerning enough, follow-up attacks, such as Petya, which followed WannaCry, successfully targeted the exact same patchable vulnerability that had been previously exploited.
As networks transform, it is increasingly difficult for IT teams to keep track of all of the different devices deployed across their expanding and highly elastic environment, especially across different networking ecosystems. So, while we have been tracking the growing sophistication of exploits, we are not seeing similar growth in the ways that cybercriminals attempt to break into networks.
What You Can Do
Start by identifying all critical assets and services across your network and doubling down on your efforts to identify and patch vulnerable systems, or replace older systems that are no longer supported. This probably means implementing some sort of asset tracking and management tool.
You also need to take a hard look at the impact that analyzing high volumes of encrypted data has on the performance of your current security devices. The volume and percentage of encrypted traffic will continue to rise. You need tools that can consume data at scale and not drop to their knees when heavy processing is required.
Network segmentation must also become a critical part of your digital business strategy. As you adopting new apps, IoT devices, encrypted data, and new networked ecosystems like the cloud, you need to ensure they are properly segmented to drive security deep into the network, allowing infected devices and malware to be detected and isolated anywhere they occur, and before they can spread. Segmentation combined with regular data backup is also an effective way to combat ransomware.
Finally, new attacks are being designed to reduce the time between breach and impact. The smarter ones are even learning how to avoid detection. You can no longer afford to hand correlate threat data between devices to detect threats, or respond to attacks at anything less than machine speeds. Instead, you need to be able to fight automation with automation.
This also means you can no longer afford to deploy isolated security devices or platforms. Today’s threat landscape requires expert security systems designed to automatically collect, correlate, share, and respond to threats anywhere across your distributed network ecosystems.
You can read important takeaways in the full Global Threat Landscape Report. Also, view our video (above) summarizing valuable data points from our most recent report.
This byline originally appeared in CSO.