Here be dragons: Are we taking a mythical view of legitimate threats?

It shouldn’t come as a surprise that cybercrime is big business and is growing at an exponential rate. In 2015, UK insurer Lloyd’s of London estimated the cybercrime market at $400 billion. Today, just two years later, the World Economic Forum puts that same market at $3 trillion, and Cybersecurity Ventures predicts that it will cost the world in excess of $6 trillion annually by 2021.

The “darknet”, the part of the Internet that most people have never seen and which lies beyond normal web browsers, is protected by layers of anonymity and has become a haven for criminal commerce. Its inaccessibility lends it a certain mystique, but that aura of mystery breeds misunderstanding. At the edge of the unknown, understanding tends to be a scarce commodity and is often replaced with fear, uncertainty, and doubt: a trio so intertwined they’re better known simply as “FUD”.

FUD is a predisposition illustrated beautifully in the ‘monster maps’ of old. Real dangers experienced on land and at sea were often represented as fantastical beasts as a warning to fellow travellers, coining the phrase “Here be dragons”. It is an excellent example of how FUD can lead to a mythical view of legitimate threats. Before chalking this tendency up to primitive ignorance, we should ask ourselves whether some of our modern renderings of the cyber threat landscape might also be driven a little more by FUD than by fact.

Mapping threats

Fortinet recently published a report that sought to draw an accurate representation of the cyber threat landscape in Q4 2016, making use of data drawn from millions of security devices located around the world that analyse up to 50 billion threats a day. While the instruments and renderings differ from those of ancient cartographers, the intention is much the same: to help fellow travellers conduct their business safely in an environment that is often harsh and unforgiving.

The importance of this sort of threat intelligence cannot be overstated. While most IT security professionals spend a lot of time with their heads deep in log files and security reports, it is essential to give them the bigger picture and place local threats into a larger context. New and emerging threats are characterised by attributes and actionable IOCs (indicators of compromise) that can help reduce their impact and, in some cases, even stop or prevent them. As is often stated, it is easier for IT to find and prevent sophisticated threats if they know what to look for.

For example, the report found some interesting statistics regarding HTTPS traffic usage, which is an important trend to monitor because it presents challenges to detecting threats that hide in encrypted communications. HTTPS traffic (encrypted with SSL/TLS) accounted for more than half of all web traffic traversing the network. A good proportion of that traffic goes uninspected because of the huge processing overhead required to decrypt, inspect, and re-encrypt it. This puts undue pressure on IT teams by forcing them to choose between protection and performance.

Perhaps unsurprisingly, the report also documented that the number of cloud applications used by organisations trended up over the year, so that nearly a third of all applications running in an organisation are now based in the cloud. The threats that Shadow IT poses to security teams have been known for a while: less visibility into the data residing in cloud applications, how that data is being used, and who has access to it. The problem becomes even worse when that data is accessed off the network.

According to the report, three main areas of the threat landscape are currently being exploited by cybercriminals: application exploits, malware and botnets. For many organisations, these are the exact issues they will be combatting every day.

1. Firstly, the application exploits were collected primarily through network IPS systems. This provides a view into attacker reconnaissance activities used to identify vulnerable systems, and into attempts to exploit those vulnerabilities. Indeed, one of the best ways to stop an attack is to understand how cybercriminals are going about getting into networks.

2. The malware samples were collected from endpoints, perimeter devices or sandboxes. Rather than successful installation on target systems, this data is mostly focused on the delivery or weaponisation stages of an attack.

3. Finally, the botnet activity we report on was collected from a variety of network devices and represents command and control (C2) traffic observed between compromised internal systems and malicious external hosts.

Worryingly, the last quarter of 2016 also continued the trend of increasing volume, prevalence, and intensity of cyber attacks. The quarter sent the security industry reeling from a one-two punch of history’s largest data breach and largest DDoS attack, doubling the volume and impact of the previously worst attacks on record. But while such targeted attacks often grab the headlines, it is worth remembering that most threats are opportunistic in nature, as are the majority of the ensuing financial losses.

There are plenty more data points in the report, but above all it reminds us of the security work that is most effective. Namely:

• Review your security posture and policies
• Minimise the externally visible and accessible attack surface through patching and hardening
• Build and implement advanced threat detection and response throughout the network
• Expand visibility and control across increasingly distributed network environments, including endpoints, IoT, and the cloud

When it comes to understanding your organisation’s threat landscape, it’s worth bearing in mind that it is more similar to that of others than you probably think. It is also different from others in ways you may not have thought about. Understanding which strategies, tactics, and threat intelligence you can borrow from others, and which can safely be set aside, is valuable knowledge. But it won’t happen overnight. You can’t rely on the wind changing if you want to avoid the dragons. It will require patience and expertise to develop, but you have to plot a sensible route to remove the FUD.

Mark Weir, Regional Director UK&I, Fortinet