FortiGuard Labs Threat Research
Cybercrime is big business, and is growing at an exponential rate. British insurer Lloyd’s of London estimated the cybercrime market at $400 Billion in 2015. Today, just two years later, the World Economic Forum estimates that the total economic cost of cybercrime to currently be $3 trillion. And Cybersecurity Ventures is predicting that cybercrime will cost the world in excess of $6 trillion annually by 2021.
One of the forces behind this explosive growth of cybercrime is that illegal business can be safely conducted deep in a part of the Internet that most people have never seen, and have no idea how to access. The “darknet” lies beyond normal web browsers, is protected by layers of anonymity, and has become a haven for criminal commerce.
To get a handle on this explosion of cyberthreats and online criminal activity, we need to start with good information. Today, Fortinet released our quarterly Threat Landscape Report for Q4 of 2016. The data in it was drawn from millions of security devices located around the world that analyze up to 50 billion threats a day. This means that the conclusions and trends detailed in this report are based on over a trillion security events that occurred between Oct 1 and Dec 31, 2016. View our Threat Landscape Report infographic. Watch a video with more details on the research.
The importance of this sort of threat intelligence cannot be overstated. While most IT security professionals spend their days (and far too many nights) poring over log files and security reports, it is essential to place local threat intelligence into a larger context. New and emerging threats are characterized by attributes and actionable IOCs (indicators of compromise) that can help reduce their impact and, in some cases, stop or prevent them altogether. It is always easier to find and prevent sophisticated threats if you know what to look for.
Of course, this becomes increasingly complicated as network infrastructures continue to evolve. Exploits, malware, and botnets do not happen in a vacuum, so considering infrastructure trends and how they relate to and shape the threat landscape is important. Threats evolve and adapt over time as applications, technologies, configurations, controls, and behaviors change.
According to the Q4 report, for example, encrypted traffic using SSL accounted for more than half of all web traffic traversing the network. HTTPS traffic usage is an important trend to monitor because, while it is good for privacy, it presents challenges to detecting threats that are able to hide in encrypted communications. And far too much SSL traffic goes uninspected because of the huge processing overhead required to open, inspect, and re-encrypt traffic, which forces IT teams to choose between protection and performance.
We also documented that the number of cloud applications being used by organizations trended up over the year. The new challenge is that nearly a third of all applications running in an organization are now cloud based. This trend, sometimes called Shadow IT, has significant implications for security since IT teams have less visibility into the data residing in cloud applications, how that data is being used, and who has access to it. The problem becomes even worse when that data is accessed off network.
While the report covers and examines a wide range of threats and data, it focuses on three central areas of the threat landscape currently being exploited by cybercriminals - application exploits, malicious software (malware), and botnets. For most organizations, these are the exact issues you have been wrestling with every single day.
1. The application exploits described in this report were collected primarily through network IPS systems. In addition to exploit information, they also provide a view into attacker reconnaissance activities used to identify vulnerable systems, and attempts to exploit those vulnerabilities. One of the best ways to stop an attack is to understand how cybercriminals are going about getting into your network.
2. The malware samples described in this report were collected from perimeter devices, sandboxes, or endpoints. For the most part, this data is focused on the weaponization or delivery stages of an attack, rather than successful installation in target systems.
3. Finally, the botnet activity we report on was collected from a variety of network devices, and represents command and control (C2) traffic observed between compromised internal systems and malicious external hosts.
In addition, the last quarter of 2016 also continued the trend of increasing the volume, prevalence, and intensity of cyber attacks. For example, the quarter sent the security industry reeling from a 1-2 punch of the largest data breach and largest DDoS attack in history, doubling the volume and impact of the previously worst attacks on record.
However, while such targeted attacks often grab the headlines, this report also reminds us that the bulk of threats faced by most organizations, and therefore the majority of financial losses, are opportunistic in nature.
An important takeaway from this report is the critical reminder that the most effective security work still involves reviewing your security posture and policies, minimizing the externally visible and accessible attack surface through patching and hardening, building and implementing advanced threat detection and response throughout the network, and expanding visibility and control across the distributed network, including endpoints, IoT, and the cloud.
Here are a few highlights from the Q4 report:
In addition, the report explores all manner of Q4 2016 threats from global, regional, sector, and organizational perspectives.
When it comes to understanding your organization’s threat landscape, it’s healthy to remember two things: 1) your threat landscape is more similar to that of others than you probably think, and 2) it is also different from others in ways you may not have thought about. Understanding which strategies, tactics, and threat intelligence you can borrow from others, and which can safely be set aside, is valuable knowledge that requires patience and expertise to develop. This report can help.
As part of our commitment to combating the growing tide of cybercrime, we’ll be publishing the Fortinet Threat Landscape Report on a quarterly basis. As one of the premier threat research and analysis organizations in the world, we have a lot of great data we look forward to sharing. In the meantime, to keep tabs on the threat landscape between quarters, sign up for our weekly FortiGuard intel briefs and bookmark this blog site.