FireEye report – Aggressive new attackers emerge

BY Richard Summerfield

The cyber security industry evolved significantly in 2018, with aggressive new attackers emerging, according to the FireEye Mandiant ‘M-Trends 2019 Report’.

Encouragingly, however, organisations are getting better at responding to breaches quickly. Over the past eight years, dwell times have decreased significantly – from a median dwell time of 416 days in 2011 to 78 days in 2018.

Thirty-one percent of the breaches investigated by Mandiant last year had dwell times of 30 days or less, up from 28 percent of compromises in 2017. Twelve percent had dwell times greater than 700 days, down from 21 percent in 2017.

The report suggests that the increase in compromises detected in less than 30 days is due to greater use of ransomware and cryptominers over the last 12 months, which are detected faster. FireEye also believes that companies are improving their data visibility through better tooling, which allows for faster response times. In the Americas, the median dwell time fell from 75.5 days in 2017 to 71 days in 2018.

Nation states continue to pose an increasingly dangerous and evolving threat. The report identifies North Korea, Russia, China and Iran, among others, as the most threatening actors which are continually enhancing their capabilities and changing their targets in alignment with their political and economic agendas. The report suggests that significant investments have provided these actors with more sophisticated tactics, tools, and procedures, with some becoming more aggressive, and others better at hiding and staying persistent for longer periods of time.

There are a number of important steps companies must take if they are to resist attacks which are coming in increasingly diverse forms. Attackers are targeting data in the cloud, including cloud providers, telecoms and other service providers; they are re-targeting past victim organisations and are even launching phishing attacks during mergers & acquisitions (M&A) activity.

“By regularly reviewing and updating their incident Response Plans and associated use cases and playbooks, organisations can mitigate the risk of destruction of important evidence, failure to identify major breaches, and extending the duration of breaches,” notes the report. “Organisations should incorporate important concepts such as evidence preservation during remediation activities, context of alerts instead of simple volume metrics, and eradication timing into these documents. This will empower front line analysts to effectively escalate relevant information to decision makers and avoid costly mistakes.”

Report: M-Trends 2019

The evolving cyber threat

BY Richard Summerfield

2018 was a challenging year for the cyber security industry as threat actors’ tactics, traits and techniques continued to evolve. As a result, the number of large corporations which fell victim to cyber attack continued to grow last year, according to AppRiver’s ‘2018 Global Security Report’.

AppRiver’s Email Security and Web Protection filters quarantined more than 10 billion global threats, including: (i) 8.3 billion messages containing URL-based malware, phishing attacks and text-based attacks; (ii) 300 million emails that included malware in a message attachment; (iii) malicious attachments, the majority of which were Word files with embedded macros; and (iv) 4.5 billion quarantined messages that originated in the US.

Trojan attacks surpassed the number of ransomware attacks, becoming the most commonly distributed threat type – Trojans were dispersed more than 20 million times. The ‘Trickbot Trojan’ and ‘Emotet’ were particularly prominent threats. Emotet, which functions as a downloader of other banking Trojans, cost state, local, tribal and territorial (SLTT) governments up to $1m per incident to remediate. In order to defeat such attacks, companies must deploy a robust ‘defence-in-depth’ approach, the report notes. Distributed Spam Distraction (DSD) and Business Email Compromise (BEC) attacks also became more prominent in 2018.

“The lines between hacking, cybercrime, and cyberwarfare are increasingly blurred now,” said Troy Gill, AppRiver’s senior cybersecurity analyst. “As a result, protecting small- and mid-sized businesses must be considered an integral part of our larger national cybersecurity posture. To be most effective, our strategy must be comprehensive, addressing vulnerabilities at all levels.”

Looking ahead, the report notes that internal ecosystem attacks will increase and attackers will employ more ‘bleeding-edge’ attack methods. It adds that more advanced attack techniques will likely trickle down from the nation-state level and be used in more for-profit attacks against the public.

The rapid growth of the number of Internet of Things (IoT) devices will also create challenges, particularly as the lack of security being built into such devices will leave parties exposed.

Report: 2018 Global Security Report

Cyber security M&A climbs as attacks increase

BY Richard Summerfield

Cyber security M&A is on the rise, as a result of the increasing number of successful, high-profile cyber attacks, the continued digitalisation of businesses and the proliferation of new regulations, such as the European Union’s General Data Protection Regulation (GDPR), according to Hampleton Partners’ 2018 Cybersecurity M&A Market Report.

“Hacking is the newest form of warfare against businesses as well as nation states. The average cost of a single data breach is now €3 million, up by six percent in a year, plus the reputational damage which can be catastrophic,” said Henrik Jeberg, a director at Hampleton Partners. “Given the increasing market demand for cybersecurity solutions due to regulation, digitisation, high profile hacks and new technologies requiring security, we are not surprised to see a highly active M&A market for cybersecurity assets at high valuations. I expect cybersecurity to remain a hot topic in M&A, even if we go into a period of more volatile financial markets.”

There have been a number of notable M&A deals in the tech space this year, particularly in H2. The report identifies the identity and access management subsector as one of the most notable areas of activity. The space saw a number of large deals, including acquisitions by Verimatrix and Cisco.

The private equity (PE) industry has also become an active participant in the cyber security market. Indeed, PE investors have become top bidders for a number of large cyber security assets. Thoma Bravo, TPG Capital, Francisco Partners and Vista Equity Partners have all increased their investments in the cyber security space this year.

The importance of cyber security is becoming increasingly evident, particularly as the average cost of a cyber breach continues to rise. In 2017, the average cost of a single data breach rose 6 percent to €3m per breach. Moving forward, it seems likely that the cyber security space will remain a key target for acquirers in the months ahead.

Report: 2018 Cybersecurity M&A Market Report

The evolving threat

BY Richard Summerfield

While cyber security threats are gaining in exposure and media coverage, many companies remain unprepared for a breach — a fact which is particularly worrying when one considers that cyber attackers are gaining vastly greater scale through new techniques, such as killchain compression and attack automation, according to Alert Logic’s ‘Critical Watch Report: The State of Threat Detection 2018’.

The report, which was completed following the analysis of more than 1 billion security anomalies, 7 million events and over 250,000 verified incidents, found that the traditional killchain has evolved. Today, 88 percent of killchain attacks are gaining efficiency and speed by combining what was formerly identified as the first five phases of such an attack — recon, weaponisation, delivery, exploitation and installation — into a single action. As a result, the new killchain is capable of creating near-instantaneous attacks that bypass many established security practices.

Automation has also emerged as an important and effective tool for cyber criminals, who are able to launch random and recursive attacks which force organisations to alter the ways they assess risk. Cryptojacking has also become a major concern for organisations. Eighty-eight percent of recent WebLogic attacks were cryptojacking attempts. Worryingly, as cryptojacking attacks are highly automated and hit small, medium and enterprise-sized organisations indiscriminately and at similar rates, industry and size may no longer be reliable predictors of threat risk.

The report also found that web application attacks remain the most frequent and dominant type, with SQL injection attempts comprising 43 percent of all attacks observed.

“It’s no secret that attackers push the envelope and innovate attacks to abuse weaknesses anywhere they find them—in cloud and hybrid deployments, containerised environments, and on-premises systems,” said Rohit Dhamankar, vice president of Threat Intelligence Products at Alert Logic. “What is troublesome is the use of force-multipliers like automation to scale attacks for increased financial gain. This report demonstrates that attackers are gaining increasing sophistication in their ability to weaponise trusted techniques to exploit common vulnerabilities and misconfigurations for purposes such as cryptomining.”

Report: Critical Watch Report: State of Threat Detection 2018

UK C-suite cyber confidence concerns

BY Richard Summerfield

Despite recent growth in the number of recorded data breaches, senior management at a number of UK companies believe that their cyber security provisions are above average – a sign that some UK firms may be overconfident in their defences, according to the ‘United Kingdom – Views from the C-Suite Survey 2018’ report released by FICO.

Executives at three out of four UK firms believe that their company is better prepared than its competitors. Among UK industries, financial services firms were the most confident of all, with 55 percent of respondents saying their organisation is a top performer, and 41 percent believing that their defences are above average. Forty-two percent of telecommunications providers believe that their firm is a top performer. The least confident executives were in the retail and e-commerce sectors, with 38 percent of respondents saying that their firm is a top performer, and only 19 percent rating it as above average.

This overconfidence among UK executives is particularly jarring as only 36 percent of organisations are carrying out regular cyber security risk assessments.

“These numbers suggest that many firms just don’t understand how they compare to their competitors, and that could lead to a lack of investment,” said Steve Hadaway, FICO’s general manager for Europe, the Middle East and Africa.

The UK is not alone in its overconfidence, however. Firms from all eight jurisdictions surveyed, including the US, believe they are well placed to resist a cyber attack. Canadians were more likely to rate their firm a top performer for cyber security.

Ovum conducted the survey for FICO through telephone interviews with 500 senior executives, mostly from the IT function, in businesses from the UK, the US, Canada, Brazil, Mexico, Germany, India, Finland, Norway, Sweden and South Africa. Respondents represented firms in the financial services, telecommunications, retail and e-commerce and power and utilities sectors.

“IT leaders have greater funding than ever to protect organisations from the continuously evolving threat landscape and meet complex compliance demands,” said Maxine Holt, research director at Ovum. “These same IT leaders are undoubtedly keen to believe that the money being spent provides their organisation with a better security posture than any other – but the rapid pace of investment, often in point solutions, rarely takes an organisation-wide view of security.”

Report: United Kingdom – Views from the C-Suite Survey 2018

©2001-2019 Financier Worldwide Ltd. All rights reserved.