The recent WannaCry attack was interesting for a couple of reasons. First, the speed and scale of the attack was impressive. Over the course of a couple of days, hundreds of thousands of systems were affected and disrupted.
Second, it also unveiled a disturbing trend. The malware exploited a known vulnerability: not only had it been revealed through the highly public release of stolen cyber tools, but Microsoft had also released a patch for it over two months before. This means that the scale of the attack was the direct result of poor security management, not only in terms of failing to patch a highly publicized vulnerability, but also in failing to update existing security tools with the signatures that a variety of security vendors had released to identify and block the attack.
However, another interesting component to this attack was the wide variety of industries that were affected simultaneously, such as telcos, energy providers, and healthcare systems, all located across widely divergent geographic regions, from Spain and Turkey, to Russia, China, the UK, and the US.
The question is, how was this attack able to so quickly spread across these traditionally very different environments? The answer has a lot to do with the increasing hyperconvergence of networks, and growing similarities between the infrastructures of affected organizations.
Historically, threat trends have reflected the environments in which they occur. However, as organizations continue to adopt a variety of new, highly distributed network ecosystems, and access similar data, applications, and resources, we are beginning to document that threats are no longer being confined to a specific place or industry.
Understanding how information technologies, services, configurations, controls, and behaviors change over time is important to monitoring, anticipating, and preventing new exploits, malware, and botnets.
Over the past several years, Fortinet has been actively gathering threat intelligence and correlating infrastructure trends gleaned from a voluntary threat assessment program we conduct across the globe. While the length of the assessment and the demographic mix of participating organizations tends to fluctuate from quarter to quarter, we have managed to develop infrastructure usage trends that show that, increasingly, organizations that are considered to be from very different industries are becoming more similar than one might assume.
FIGURE 1. CLUSTER ANALYSIS OF INFRASTRUCTURE USAGE BY INDUSTRY.
Looking at the data has allowed us to identify and profile the industries that share closely related infrastructure usage profiles. More importantly, it has helped us examine the underlying policies and practices that relate to, and alter, security posture.
Each bubble in Figure 1 represents a separate industry, and the size of the bubble corresponds to the number of organizations within each industry. The profiles are based on normalized values (z-scores) for common infrastructure elements, such as the number and kinds of apps being used, bandwidth usage, the ratio of encrypted to unencrypted data, and the number and variety of websites visited on any given day.
Industries placed close together have very similar infrastructure profiles, while outliers, and clusters of industries distant from each other have very different infrastructure and usage patterns. As can be seen, the majority of industries reside in a loosely packed grouping toward the upper center of the chart, including such traditionally diverse industries as Manufacturing, Healthcare, and Energy.
FIGURE 2. CLUSTER ANALYSIS OF ORGANIZATIONAL THREAT PROFILES. COLOR-CODED BY INDUSTRY.
Another way to analyze this data is to profile organizations and industries based on their shared threat characteristics. The main question we’re trying to answer is, “do organizational threat profiles also cluster according to industry, and if so, which ones are similar?”
In this dataset, we’ve taken the top 30 threats from each of our exploit, malware, and botnet datasets to create a common set of 90 data points that we use to formulate an organization’s threat profile. Our clustering algorithm compares these 90 markers between organizations and calculates a measure of how similar they are to each other. Figure 2 plots these organizations, with each industry assigned a unique color; organizations plotted near each other exhibit similar threat profiles.
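To make the two clustering steps described above concrete, here is a small worked example. It is added for illustration and is not Fortinet's code or the algorithm behind Figures 1 to 3, which the report does not specify. It assumes Euclidean distance on z-scored columns and average-linkage agglomerative clustering as the similarity and grouping method, uses six hypothetical threat markers instead of the report's 90, and runs on seven constructed organizations with made-up detection counts. The purity score at the end is one way to quantify the observation in the text that clusters do not line up with industry labels.

```python
"""Toy threat-profile clustering: z-score the marker columns, measure
similarity between organizations, group them, then check how well the
resulting clusters line up with industry labels. Everything below is
constructed example data, not data from the report."""
import math
from itertools import combinations

# Hypothetical marker names (the report uses 30 each from exploit,
# malware and botnet datasets; six are enough to show the mechanics).
MARKERS = ["exploit.A", "exploit.B", "malware.A", "malware.B", "botnet.A", "botnet.B"]

# Constructed organizations: (industry, detection count per marker).
# Orgs 0, 1, 2 and 6 share one profile despite different industries,
# orgs 3 and 4 share another, and org 5 is an outlier with heavy volume.
ORGS = [
    ("Manufacturing", [120, 5, 40, 3, 60, 2]),
    ("Healthcare",    [115, 8, 38, 4, 55, 3]),
    ("Energy",        [125, 6, 42, 2, 62, 1]),
    ("Manufacturing", [10, 90, 5, 70, 4, 80]),
    ("Healthcare",    [12, 85, 6, 75, 5, 78]),
    ("Education",     [300, 200, 150, 180, 220, 210]),
    ("Energy",        [118, 7, 41, 3, 58, 2]),
]


def zscore_columns(rows):
    """Normalize each column to mean 0 / population std 1 so that markers
    with large raw counts do not dominate the distance. A constant column
    carries no information and is mapped to 0."""
    n = len(rows)
    cols = list(zip(*rows))
    means = [sum(c) / n for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / n) for c, m in zip(cols, means)]
    return [[(v - m) / s if s else 0.0 for v, m, s in zip(row, means, stds)] for row in rows]


def euclid(a, b):
    """Distance between two normalized profiles; smaller means more similar."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def average_linkage(profiles, k):
    """Agglomerative clustering: repeatedly merge the two clusters with the
    smallest mean member-to-member distance until k clusters remain.
    Returns a sorted list of clusters, each a sorted list of row indices."""
    clusters = [[i] for i in range(len(profiles))]
    while len(clusters) > k:
        best = None
        for (ia, ca), (ib, cb) in combinations(enumerate(clusters), 2):
            d = sum(euclid(profiles[i], profiles[j]) for i in ca for j in cb)
            d /= len(ca) * len(cb)
            if best is None or d < best[0]:
                best = (d, ia, ib)
        _, ia, ib = best
        merged = sorted(clusters[ia] + clusters[ib])
        clusters = [c for n, c in enumerate(clusters) if n not in (ia, ib)] + [merged]
    return sorted(clusters)


def cluster_threat_profiles(orgs, k=3):
    """Full pipeline: raw counts -> z-scores -> k clusters of org indices."""
    profiles = zscore_columns([counts for _, counts in orgs])
    return average_linkage(profiles, k)


def industries_per_cluster(orgs, clusters):
    """Which industries ended up together in each cluster."""
    return [sorted({orgs[i][0] for i in c}) for c in clusters]


def industry_purity(orgs, clusters):
    """Share of organizations sitting in a cluster whose most common industry
    is their own. 1.0 would mean threat profiles cluster perfectly by
    industry; lower values mean the clusters cut across industries."""
    total = 0
    for c in clusters:
        counts = {}
        for i in c:
            counts[orgs[i][0]] = counts.get(orgs[i][0], 0) + 1
        total += max(counts.values())
    return total / len(orgs)


if __name__ == "__main__":
    clusters = cluster_threat_profiles(ORGS)
    for c, inds in zip(clusters, industries_per_cluster(ORGS, clusters)):
        print(c, inds)
    print("industry purity:", round(industry_purity(ORGS, clusters), 3))
```

On this constructed input the three clusters are a mixed Manufacturing/Healthcare/Energy group, a second mixed Manufacturing/Healthcare group, and the Education outlier on its own, for a purity of 4/7: the grouping follows the shape of the profile, not the industry label, which is the same pattern the text reports for Figure 2.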
The primary observation is that we do NOT see a series of distinct, unicolor clusters tying distinct industries together. Instead, we see a large, dense mass of organizations across a variety of industries in the upper left quadrant, with another loose grouping forming in the upper right. And we also see that organizations within the same industry are scattered all over the graph. A straightforward interpretation of these results is that organizational threat profiles do not necessarily cluster strongly according to industry, but instead to something else.
FIGURE 3. CLUSTER ANALYSIS OF ORGANIZATIONAL THREAT PROFILES. COLOR-CODED BY INDUSTRY.
Figure 3 is the counterpart of Figure 1, except that it’s based on threat profile instead of infrastructure profile. As before, dots represent industries, size is based on the number of firms in that industry, and nearness of industries equates to the similarity of their threat profiles.
The similarities between Figures 1 and 3 are striking. Many of the same industries fall within the nexus of the “mega-cluster” in each of those charts. It is also interesting to note that these charts share many of the same outliers (e.g., Education, Telcos/Carriers, and MSSPs). While we don’t want to confuse correlation with causation, this analysis raises some interesting questions, such as whether an organization’s infrastructure usage has a stronger relationship to its threat profile than the industry it belongs to does.
Which brings us back to our original observation: organizations adapting to the new digital marketplace seem to be adopting very similar infrastructures, such as cloud infrastructure and services, highly mobile devices and workers, IoT, shadow IT, and distributed and highly elastic network and data resources. They also share similarities in terms of the type of Internet-savvy digital customers they are catering to.
While this data bears further research, it appears that as forward-thinking organizations, regardless of industry, adapt and expand their networks to embrace the new digital economy, they are also becoming increasingly similar. This means they are potentially vulnerable to the same risks and threats. It also means that their similarly overtaxed IT personnel are clearly struggling to keep up with these changes (which seems to have resulted in diminishing security hygiene), and that traditional security tools, which are poorly equipped to provide an integrated and adaptive approach to security, simply cannot span this newly expanded digital footprint well enough to correlate threat intelligence, or to identify and respond to sophisticated threats targeting new and often highly distributed attack vectors.
As organizations continue to adapt to the demands of the emerging digital economy, they must rethink security. Rather than continuing to deploy isolated security devices at rapidly disappearing network perimeters, they need an integrated, architectural approach that enables a holistic security strategy. This approach can see and even anticipate threats across the entire shifting network ecosystem, adapt to network changes and follow critical resources, and automatically respond at machine speeds, regardless of where across their networked ecosystem they occur.
Data in this article is from the recent Fortinet Global Threat Landscape Report.
Information about the Fortinet Security Fabric, a security vision and framework designed to tie together traditionally isolated security devices into a holistic threat defense and response solution, can also be found here.