Industry Trends

We Have Seen the Enemy, and It Is Us

By Derek Manky | August 23, 2017

The job of the CSO and staff never stops. The security lifecycle requires constant attention through monitoring and analysis, responding to threats, and improving policies and protocols. Activities like patch and replace are Security 101. The trick is to always stay one step ahead of cybercriminals who are relentlessly targeting your infrastructure and resources. 

Sometimes, however, we are our own worst enemies. 

Fight automation with automationFortinet just released its Global Threat Landscape Report for Q2. Much of the data it provides is just what you’d expect. For example, FortiGuard Labs detected 184 billion total exploit attempts in Q2 from 6,300 unique and active exploits. Not only is this is an increase of 30% over Q1, with the growth of IoT and Shadownet resources we expect these numbers to continue to rise dramatically. In addition, 7 in 10 organizations experienced high or critical exploits during the quarter. By any measure, these are alarming numbers. 

Organizations also saw a number of high profile attacks that caught the attention of people around the globe. WannaCry and NotPetya successfully exploited vulnerabilities that had been leaked and patched a couple of months before, affecting millions of organizations around the world. And sophisticated IoT botnets like Hajime and Devil’s Ivy built on the devastating attack of Mirai from the summer of 2016. 

This is the sort of data security professionals have come to expect from threat reports. But Fortinet’s Q2 Threat Landscape Report also shows what these security professionals have also known for far too long – too many organizations are failing to perform even the basics to protect themselves, and they need to take action now. 

Hot and Cold Exploits 

Rather than spending resources on building new zero day attacks, cybercriminals are increasingly focused on simply exploiting known vulnerabilities. WannaCry targeted a Microsoft vulnerability for which a patch had been available for nearly two months. Targeting recently announced vulnerabilities is something we refer to as “hot exploits.” As with zero-day attacks, the idea is to take advantage of the window of opportunity between the announcement of a vulnerability and when an organization applies the patch. 

Ideally, that window should be as narrow as possible. But it’s not. NotPetya not only followed on the heels of WannaCry a month later, but also successfully targeted the exact same vulnerability. Even with the global impact of the first attack ringing in their ears, far too many organizations failed to take action. 

Unfortunately, that’s just a symptom of a much larger problem. During Q2, a full 90% of organizations recorded that they had been the victims of exploits targeted at vulnerabilities that were three or more years old. And worse, 60% of firms experienced successful attacks targeting vulnerabilities for which a patch had been available for ten or more years! 

Think about that for a second. 

Well, like most problems like this, the reasons are complicated. Networks are growing rapidly and span across a variety of highly distributed and extremely elastic ecosystems, including physical, virtual, and cloud environments. In such an extreme landscape, it can be easy to lose track of devices or maintain a systematized patch and replace protocol. Digital business strategies also mean that taking down a server or system to apply a patch can have huge financial ramifications. 

But whatever the reasons, because so many organizations fail to patch or replace devices and systems with known vulnerabilities, cybercriminals simply assume that they are going to be able to get in. So they are shifting resources away from developing new ways to break into networks and are focusing on developing automated and intent-based tools designed to deliver more sophisticated payloads. 

The Challenge of Hyperconnectivity 

In today’s digital economy, speed and efficiency are essential, and access to data is king. Which is why, more and more, everything is connected to everything else. 

This explains why we are seeing so many organizations supporting peer-to-peer (P2P) and proxy applications. However, we also see that organizations that allow P2P applications are reporting seven times as many botnets and malware as those that don’t. Similarly, organizations allowing proxy applications report almost nine times as many botnets and malware as those that don’t allow them. 

Vulnerable systems, like IoT devices, represent a similar challenge. Q2 saw nearly 3 billion botnet detections from about 250 unique botnets. 45% of firms detected at least one active botnet in their environment during the quarter, and about 3% reported being simultaneously infested with 10 or more unique active botnets! 

Exploits are Smarter Than Ever 

With so many organizations figuratively setting out the welcome mat to cybercriminals, attackers now have the luxury to build increasingly complex and sophisticated exploits. 

Once malware has gained entrance, sophisticated, multi-vector intelligence enables malware tools to automatically identify a device or operating system, determine what vulnerabilities exist for that system, and then select the appropriate exploit from its advanced toolkit of options. Then artificial intelligence-like capabilities enable the malware to avoid detection through a variety of sophisticated techniques, such as learning and mimicking traffic patterns and speeds in order to effectively blend into the background. 

For Q2, FortiGuard Labs recorded 62 million malware detections. Out of these, we saw nearly 17,000 malware variants from over 2,500 different malware families. The most common functionality among top malware families is the downloading and uploading of files, followed by dropping other malware onto an infected system. This technique helps slip innocuous files into devices now, in order to deliver malicious payloads later. In addition, 1 in 5 organizations now report malware targeting mobile devices, up from 8% in Q1. 

What You Can Do 

First, get back to the basics. Organizations need to start by identifying all critical assets and services on their network using tools like FortiSIEM combined with actionable threat intelligence services like FortiGuard TIS. Next, restart or double down on your efforts to identify and patch vulnerable systems and replace older systems that are no longer supported. In today’s environments, that may mean implementing some sort of asset tracking and management tool. Then you can build proper mitigation solutions and incident response plans around that. 

Your IT teams will also need to take a hard look at the impact that analyzing high volumes of encrypted traffic will have on the performance of your current security devices and platforms. We not only expect to see the volume and percentage of encrypted traffic to continue to rise, but to also see advanced malware purposefully target the limitations of security devices by exploiting CPU-intensive areas like unstructured data. You are going to need tools that can consume data at scale and not drop to their knees when heavy processing is required. 

Network segmentation must also become a critical part of your digital business strategy. As you consider adopting things like risky apps, IoT devices, and encrypted data, you need to ensure that they are separated as much as possible from the rest of the network. Proper segmentation will drive security deep into the network so infected devices and malware can be detected and isolated anywhere they occur, and before they can spread. Segmentation combined with regular data backup is also an effective way to combat ransomware. 

Finally, attacks are not only coming at us faster, they are also designed to reduce the time between breach and impact. The smarter ones can even learn how to avoid detection. You can no longer afford to hand correlate threat data between devices to detect threats, or respond to attacks at anything less than machine speeds. In the ongoing cyberwar, you need to be able to fight automation with automation. Which means you can no longer afford to deploy isolated devices or platforms. Instead, you need to develop an integrated expert security systems that can automatically collect, correlate, share, and respond to threats in a coordinated fashion, anywhere across your distributed network ecosystems. Security professionals can also ‘join the fight’ by participating in industry forums – like ISAC, ISAO, and other organizations, such as the Cyber Threat Alliance. For fighting cybercrime, we are stronger together. 

You can read more takeaways in the full Global Threat Landscape Report. Also, view our video and infographic summarizing valuable data points from the report. Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.

This byline originally appeared on

For security leaders seeking more information on each of these challenges and what they can do to address them, download a copy of our “A Security Leader’s Definitive Guide to the Threat Landscape” report today.