A constantly evolving threat landscape has demonstrated the need for accurate, up-to-date threat intelligence in order to protect organizations against potential risks. As this information is collected, it is crucial that security teams also understand key trends, allowing them to map information to attack vectors in order to develop strategies that can effectively defend against sophisticated attacks. Mapping out these trends not only ensures that organizations are able to recognize and address current risks, but also that they can prepare for threats they may face in the future.
Trend analysis is crucial to understanding how cybercriminals work and predicting what they will do next. Security teams can plan accordingly not only by closely examining prevalent cyberthreats and their main traits, but also by anticipating future attack strategies through familiarity with the trajectory of attacks and their evolution over time. This is the main intent behind Fortinet’s threat reports.
A recent Fortinet Threat Landscape Report presents findings collected by the FortiGuard Labs team during Q4 of 2018. The data summarized in this report centers on three primary trends – exploits, malware, and botnets. While distinct, these aspects of the threat landscape are complementary in the sense that each played a critical role in the top cyberthreat activity monitored throughout the year, and in the prevalence and evolution of that activity during the last quarter of 2018.
Monitoring exploit trends is a necessary component of network security. These observations help develop an understanding of how cybercriminals identify and compromise vulnerable systems. Overall, researchers detected 15 zero-day exploits and saw unique exploits increase by five points, while exploits impacting individual firms increased by 10 percent. This latest threat report also goes into further detail regarding those exploits that were considered critical and high-severity, highlighting those that were not only detected but also successful in their objectives.
During the week of October 22, for example, several events occurred simultaneously, with four out of six of the top exploits targeting IoT devices. This pattern continued throughout the quarter, despite the fact that IoT exploits overall fell five points from Q3. Ultimately, six out of the top 12 global exploits identified and ranked by FortiGuard Labs targeted IoT devices – with four out of the top 12 related to IP-enabled cameras. While not all exploits detected in Q4 were IoT-related, the number of attacks that targeted these devices demonstrates how persistent these threats continue to be.
Studying malware trends enables security researchers to better understand the objectives and capabilities of their adversaries. In Q4 of 2018, variants per firm increased by less than one percent, while the number of different families detected remained consistent with Q3 at 6,405. Overall, malware detection decreased slightly from the previous quarter, which the FortiGuard Labs team attributes to the holiday season and most people being away from their office computers. In other words, when employees are on vacation, they are less likely to open harmful attachments or download malicious files, the actions that would otherwise open the door for cybercriminals to launch attacks.
Malware detections are in line with exploit detections, in that both can be triggered at any level, even if the attack is not fully carried out or deemed successful. These detections take place at the network, application, and host level on a variety of devices, and this latest threat report details two generic detections that stood out most during this quarter: one for adware and the other for Coinhive, a cryptomining service. Both detections showed regional variations, with a large difference between the highest and lowest values for each. Additional malware detections noted by researchers include the Android/Agent.FJ!tr variant, which established a connection through the use of a fake website, and those associated with the GreyEnergy APT group, whose focus is on stealing data.
While exploit and malware trends can be detected prior to an attack, botnet trends are only visible once systems are already infected. Once this occurs, affected systems communicate with remote malicious hosts, and that communication is flagged as an indication that something has gone wrong. With this in mind, analyzing this data is more useful for identifying weaknesses in existing security defenses and for providing insight into how to avoid a similar attack in the future. As with malware, botnet detection decreased slightly around the holiday season, but this did not mean that researchers saw a quarterly decrease across all, or even most, aspects. In Q4, the number of unique botnets detected increased by two percent, the number of infection days per firm increased by 15 percent, and the average volume per day/firm increased by 7 points.
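The paragraph above describes botnet detection as flagging communication between infected systems and remote malicious hosts, and then reports three aggregate metrics on those detections: unique botnets, infection days per firm, and average volume per day/firm. The following Python is an added example, not code from the report or from Fortinet, showing how such flags are produced and rolled up. The indicator list, botnet family names and flow records are all constructed for illustration (the addresses are RFC 5737 documentation ranges) and are not indicators from the report.

```python
"""Flag outbound flows to known C2 hosts and roll them up into the
botnet metrics the report tracks: unique botnets, infection days per
firm, and average flagged volume per day per firm.

All indicators and log lines are constructed for illustration; none of
them come from the report.
"""
from collections import defaultdict
from datetime import datetime

# Constructed indicator list: C2 host -> botnet family (hypothetical values).
C2_INDICATORS = {
    "192.0.2.10": "botnet-alpha",
    "198.51.100.7": "botnet-beta",
    "203.0.113.42": "botnet-alpha",
}

# Constructed flow records: timestamp, firm, source host, destination, bytes out.
# 192.0.2.200 is a benign destination that is deliberately not in the list.
SAMPLE_FLOWS = """\
2018-10-22T08:14:05 firmA 10.0.0.5 192.0.2.10 5120
2018-10-22T09:02:11 firmA 10.0.0.5 192.0.2.200 800
2018-10-22T21:47:30 firmA 10.0.0.9 198.51.100.7 2048
2018-10-23T03:10:00 firmA 10.0.0.5 192.0.2.10 4096
2018-10-23T11:30:45 firmB 10.1.0.3 203.0.113.42 1024
2018-10-25T17:05:12 firmB 10.1.0.3 203.0.113.42 3072
2018-10-25T17:06:00 firmB 10.1.0.8 192.0.2.200 512
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, firm, src, dst, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "firm": firm,
        "src": src,
        "dst": dst,
        "bytes": int(nbytes),
    }


def flag_c2_flows(lines, indicators=C2_INDICATORS):
    """Return only the flows whose destination is a known C2 host.

    Each returned flow is tagged with the botnet family the indicator
    belongs to; this is the 'communication with a remote malicious host'
    that a botnet detection fires on.
    """
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        family = indicators.get(flow["dst"])
        if family is not None:
            flow["botnet"] = family
            hits.append(flow)
    return hits


def botnet_metrics(hits):
    """Aggregate flagged flows into the three metrics the report uses."""
    families = set()
    days_per_firm = defaultdict(set)   # firm -> set of calendar days with hits
    volume = defaultdict(int)          # (firm, day) -> number of flagged flows
    for hit in hits:
        families.add(hit["botnet"])
        day = hit["ts"].date()
        days_per_firm[hit["firm"]].add(day)
        volume[(hit["firm"], day)] += 1
    infection_days = {firm: len(days) for firm, days in days_per_firm.items()}
    avg_volume = sum(volume.values()) / len(volume) if volume else 0.0
    return {
        "unique_botnets": len(families),
        "infection_days_per_firm": infection_days,
        "avg_volume_per_day_firm": avg_volume,
    }


if __name__ == "__main__":
    flagged = flag_c2_flows(SAMPLE_FLOWS)
    for hit in flagged:
        print(f"{hit['ts']} {hit['firm']} {hit['src']} -> {hit['dst']} [{hit['botnet']}]")
    print(botnet_metrics(flagged))
```

Only the flagged flows feed the metrics, which is why the paragraph notes that botnet data says little about how the infection got in and more about where existing defenses let a compromised host keep talking: a host that appears on several infection days is one that was not contained after the first detection.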
There were several noteworthy botnets that drew the attention of researchers, including Gh0st, which enables an attacker to take full control of an infected system in order to spy on live webcams, download and upload files, and more. Another threat that stood out towards the end of 2018 was TrickBot, an older botnet which recently grew to 3.5 million infected devices after beginning with a volume of just 10. This threat has demonstrated its ability to evolve in order to steal credentials and browser history.
The end of 2018 saw both old and new threats. While there were some decreases from the previous quarter, it is important to note the timing of this research and the impact of the holiday season on cyberattacks. By analyzing threat trends, researchers and IT security teams alike can plan ahead, combining previously collected data from both successful attacks and unfulfilled attempts with real-time activity in order to identify risks more accurately and raise the bar for detection and prevention.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.