Quarterly Threat Report - eSentire

Q1 2017 Quarterly Threat Report

Threat Report

eSentire Threat Intelligence

Table of Contents
Preface .... 3
Industry Targets .... 4
Threat Trend .... 4
Threat Type Heat Map .... 5
Threat Count by Day of Week .... 6
Threat Breakdown Heat Map .... 6
Methodology .... 7
Appendix 1: Threat Types .... 7
Appendix 2: Confidence Language .... 9

eSentire 2017 Q1 Quarterly Threat Report © 2017 eSentire, Inc. All rights reserved. www.eSentire.com | @eSentire.com | [email protected]

2


Preface

eSentire invented a highly integrated technology stack that enables unparalleled visibility into our midmarket customer networks and agile real-time threat response capabilities. This report provides a quarterly snapshot, analyzing all events investigated by the eSentire Security Operations Center (SOC), while addressing three topics: threat types, threat volume and attack types. Each topic is divided into multiple sections, including visual data analysis, written analysis, practical recommendations and key assumptions.


Industry Targets

Between January 1 and March 31, the eSentire SOC detected nearly 4 million attacks across multiple industries, with Finance, Technology, Legal, Mining, and Retail seeing the most activity. Small financial companies, in particular, make for high-reward, low-risk opportunities for attackers as they can provide large monetary returns with little effort. Robust cybersecurity standards in small companies are seldom cost-effective unless security tasks are outsourced to companies specializing in security.

Figure: Attacks by industry, Q1 2017. Finance 66.38%, Technology 10.31%, Legal 7.80%; Mining and Retail are also shown, but their percentages are not recoverable from the figure.

Threat Trends

This quarter has seen an upward trend in attacks, with the threat landscape increasing dramatically in the third week of February and through March. Scanning and intrusion attempts dominated the data trends. Together, they represent 75 percent of signals for Q1, with Malicious Code trailing at 11 percent. Compared to 2016, scanning events have seen a large increase in 2017, particularly in the month of March, in which detection of scanning events nearly doubled. As exploitation becomes more costly for attackers, analysts are observing a gradual transition to tactics that rely on social engineering. This includes phishing, spam and webpages that manipulate users into installing malware on their computer or divulging confidential information.


Threat Type Heat Map

Information Gathering was the dominant threat type in Q1 when compared to 2016, in which Intrusion Attempts were most prominent. Additionally, Malicious Code incidents increased in March. These changes in threat type volume indicate an increase in Information Gathering as attackers regroup to determine the best methods of attack going forward. Together, Intrusion Attempts and Information Gathering accounted for about three quarters of observed attacks. March, in particular, saw the largest increase, as indicated by month-to-month analysis. March also saw an increase in the use of Malicious Code, while denial-of-service attacks (Availability) saw a slight decline.

Reduce the Threat Surface

Administrators can reduce their threat surface by reducing the number of externally facing endpoints within the organization, such as printers or web pages that are only used internally. Implementing a VPN, which requires a password for users to access the network, can further reduce positive results from scanning campaigns, effectively hiding endpoints from sweeping, untargeted attacks. Programs and devices used in an organization should periodically be checked for patches and updates that can nullify the vulnerabilities that attackers rely on. Disabling PowerShell on Windows machines and using nonstandard ports for protocols (e.g. FTP, SSH, RDP) can also reduce risks for attack. Training for employees that helps them to identify, avoid and report phishing (and other social engineering) attempts will help prepare organizations for the shifting threat landscape in the years to come.

Table 1: Month to month threat difference


Threat Count by Day of Week

Weekdays in Q1 experienced the largest volume of malicious code, particularly Tuesday through Thursday. Information Gathering and Fraud, similarly, saw reduced activity during the weekends, while Availability and Intrusion Attempts have no clear weekday preference.

Analysis of weekday threat activity suggests that some threat activity is comprised of business models that respect the traditional work week, indicating an organization or structured threat actor.

Table 2: Threat count by day of week
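The two aggregations behind Table 2 and the threat breakdown heat map, as an added example that is not eSentire's code: it buckets normalized sensor events by signature and by weekday versus weekend and flags categories whose activity keeps to the work week. The event layout (timestamp, category, signature), the sample rows and the 0.85 cut-off are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of normalized sensor events (not eSentire data).
# Columns: ISO timestamp, threat category, signature name. 6-9 March 2017
# fall on Monday to Thursday; 11-12 March 2017 are the weekend.
SAMPLE_EVENTS = """\
2017-03-06T09:12:00,Intrusion Attempts,Shellshock
2017-03-06T10:40:00,Malicious Code,RDP Bruteforce
2017-03-07T11:05:00,Malicious Code,RDP Bruteforce
2017-03-08T14:30:00,Malicious Code,RDP Bruteforce
2017-03-08T15:02:00,Information Gathering,SSH Bruteforce
2017-03-09T08:45:00,Malicious Code,RDP Bruteforce
2017-03-11T03:20:00,Intrusion Attempts,Shellshock
2017-03-12T02:10:00,Information Gathering,SSH Bruteforce
2017-03-12T04:55:00,Intrusion Attempts,Shellshock
"""

def parse_events(text):
    """Parse one event per line into (datetime, category, signature) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, category, signature = line.split(",")
        events.append((datetime.fromisoformat(ts), category, signature))
    return events

def signature_breakdown(events):
    """Count per signature and its share of all events, as in the Threat
    Breakdown heat map. Returns {signature: (count, percent)}, largest first."""
    counts = Counter(sig for _, _, sig in events)
    total = sum(counts.values())
    return {sig: (n, round(100 * n / total, 2)) for sig, n in counts.most_common()}

def weekday_share(events):
    """Per category, the fraction of events landing Monday to Friday.
    Calendar-blind activity sits near 5/7; a share well above that suggests
    an actor that keeps the work week."""
    by_category = defaultdict(Counter)
    for ts, category, _ in events:
        by_category[category]["weekday" if ts.weekday() < 5 else "weekend"] += 1
    return {cat: round(c["weekday"] / (c["weekday"] + c["weekend"]), 2)
            for cat, c in by_category.items()}

def work_week_actors(events, threshold=0.85):
    """Categories whose weekday share meets the (constructed) cut-off."""
    return sorted(cat for cat, s in weekday_share(events).items() if s >= threshold)
```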

Threat Breakdown Heat Map

A breakdown of the specific kinds of threats witnessed over Q1 demonstrates a large contribution from Shellshock for Intrusion Attempts, SSH Bruteforce tactics for Information Gathering, and RDP Bruteforce for Malicious Code. Other attack methods of note are Cross Site Scripting and PHP Exploits.


Figure: Threat breakdown, Q1 2017 (event count and share of the ten listed signatures)
Shellshock: 156,270 (27.27%)
Restricted Directory Requests: 101,856 (17.77%)
SSH Bruteforce: 65,565 (11.44%)
Cross Site Scripting: 64,866 (11.32%)
Shellcode: 38,703 (6.75%)
Malicious DNS: 35,482 (6.19%)
RDP: 32,725 (5.71%)
PHP Exploit Scanner: 31,618 (5.52%)
Malicious UserAgent: 23,531 (4.11%)
SIP Scanning: 22,531 (3.93%)


Methodology

The eSentire Threat Intelligence team used data gathered from 1500+ proprietary network and host-based detection sensors distributed across multiple industries. Raw data was normalized and aggregated using automated machine-based processing methods. Processed data was reviewed by a visual data analyst applying quantitative analysis methods. Quantitative intelligence analysis results were further processed by a qualitative intelligence analyst, resulting in a written analytical product. The eSentire Cyber Threat Intelligence practice is supported by multi-disciplined and carefully selected personnel with deep knowledge and technical expertise. The team provides timely, high-quality intelligence, specializing in technical threat research; all-source intelligence analysis; and risk mitigations. Are you at risk? Contact us to learn more about how eSentire Managed Detection and Response™ can help protect your business.

Appendix 1: Threat Types

All attacks have been grouped based on a common threat taxonomy and arranged into the following nine categories:
• Abusive Content: Activities that include unsolicited bulk emails, discrediting or discrimination of somebody in cyber space, glorification of violence, or inappropriate sexual content (spam, cyber stalking, racism, pornography and threats against one or more individuals).
• Availability: Activities that include deliberate impairment of the normal authorized functionality of networks, systems or applications by exhausting resources, or spontaneous failures or human errors, without malice or gross neglect being involved (DDoS, DoS, sabotage, non-malicious outage).
• Information Gathering: Any activity that seeks to gather information, in a technical or non-technical way, about a user's computer systems, open ports, protocols, services, or any combination. This activity does not directly result in a compromise but is used to facilitate further exploitation (scans, probes, sniffing, social engineering).


• Intrusion Attempts: Activities that include attempts to compromise a system, application or authentication mechanism by exploiting vulnerabilities or weaknesses in a given system or its components (attacks against known vulnerabilities, password attacks and "zero day" exploitation).
• Intrusions: Activities that include a successful compromise of a system, web application, service, or an account (privileged/unprivileged account compromise, web application or server compromise).
• Malicious Code: Successful installation, or attempts to include or insert, any malicious software in an operating system or application for a harmful purpose (Virus, Worm, Trojan, Spyware, Ransomware).
• Policy Violations: Any activities resulting from violation of an organization's acceptable usage policies by an authorized user, but not related to other categories (non-malware-related TOR traffic, attempts to access restricted web content, use of unauthorized software/applications).
• Reputation Blocks: Denial or detection of attacks based on a high-confidence but one-dimensional "known bad indicator" (confirmed bad IP address, known malicious infrastructure, malicious MD5/SHA256 file hash values).
• Unclassified Attacks: All events which do not fit in one of the given categories, due to lack of attribution or low confidence in the events being malicious.


Appendix 2: Confidence Language

Confidence language expresses the analyst's judgment on the probability, or likelihood, that a certain event will occur under defined circumstances, considering the cumulative quality of information that supports an assessment.
• Certainly: 100% (10/10) chance that a certain event will occur under defined circumstances.
• Highly Probable: 93% ±6% (8/10) chance that a certain event will occur under defined circumstances.
• Probable: 75% (7/10) chance that a certain event will occur under defined circumstances.
• Plausible: 50% (5/10). Chances are even.
• Probably not: 30% ±10% (3/10) chance that a certain event will occur under defined circumstances.
• Almost Certainly not: 7% ±5% (1/10) chance that a certain event will occur under defined circumstances.


eSentire is the largest pure-play Managed Detection and Response (MDR) service provider, keeping organizations safe from constantly evolving cyberattacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC), staffed by elite security analysts, hunts, investigates, and responds in real-time to known and unknown threats before they become business disrupting events. Protecting more than $5 trillion in corporate assets, eSentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory requirements. For more information, visit www.eSentire.com and follow @eSentire.