INTELLIGENT CLOUD
Cybercriminals building army of things creating tipping point
Derek Manky, Global Security Strategist at Fortinet, looks at the challenges of securing the cloud.
British insurer Lloyd's of London estimated the cybercrime market at $400 billion in 2015. Today, just two years later, the World Economic Forum estimates that the total economic cost of cybercrime is $3 trillion. And Cybersecurity Ventures is predicting that cybercrime will cost the world in excess of $6 trillion annually by 2021.
One of the forces behind this explosive growth of cybercrime is that illegal business can be safely conducted deep in a part of the Internet that most people have never seen, and have no idea how to access. The 'darknet' lies beyond normal web browsers and is protected by layers of anonymity.
To get a handle on this explosion of cyberthreats and online criminal activity, we need to start with good information. The data in our Threat Landscape Report for Q4 2016 was drawn from millions of security devices located around the world that analyse up to 50 billion threats a day, so the conclusions and trends detailed in the report are based on more than a trillion security events that occurred between 1 October and 31 December 2016.
The importance of this sort of threat intelligence cannot be overstated. While most IT security professionals spend their days (and far too many nights) poring over log files and security reports, it is essential to place local threat intelligence into a larger context. New and emerging threats are characterised by attributes and actionable IOCs (indicators of compromise) that can help reduce their impact and, in some cases, even stop or prevent them.
Of course, this becomes increasingly complicated as network infrastructures continue to evolve. Exploits, malware and botnets do not happen in a vacuum, so considering infrastructure trends and how they relate to and shape the threat landscape is important. Threats evolve and adapt over time as applications, technologies, configurations, controls and behaviours change.
According to the Q4 report, for example, encrypted traffic using SSL accounted for more than half of all web traffic traversing the network. HTTPS traffic usage is an important trend to monitor because, while it is good for privacy, it presents challenges to detecting threats that are able to hide in encrypted communications. And far too much SSL traffic goes uninspected because of the huge processing overhead required to open, inspect and re-encrypt traffic, which forces IT teams to choose between protection and performance.
We also documented that the number of cloud applications being used by organisations trended up over the year. The new challenge is that nearly a third of all applications running in an organisation are now cloud-based. This trend, sometimes called Shadow IT, has significant implications for security, since IT teams have less visibility into the data residing in cloud applications, how that data is being used and who has access to it. The problem becomes even worse when that data is accessed off network.
While the report covers and examines a wide range of threats and data, it focuses on three central trends of the threat landscape currently being exploited by cybercriminals: application exploits, malicious software (malware) and botnets. For most organisations, these are the exact issues they wrestle with every single day.
The application exploits were collected primarily through network intrusion prevention systems (IPS). In addition to exploit information, these systems also provide a view into the reconnaissance activities attackers use to identify vulnerable systems, and into attempts to exploit those vulnerabilities.
The malware samples were collected from perimeter devices, sandboxes or endpoints. For the most part, this data is focused on the weaponisation or delivery stages of an attack.
Finally, botnet activity was collected from a variety of network devices, and represents command and control (C2) traffic observed between compromised internal systems and malicious external hosts.
In addition, the last quarter of 2016 continued the trend of increasing volume, prevalence and intensity of cyberattacks. For example, the quarter sent the security industry reeling from a one-two punch of the largest data breach and the largest DDoS attack in history, doubling the volume and impact of the previously worst attacks on record.
However, while such targeted attacks often grab the headlines, this report also reminds us that the bulk of threats faced by most organisations, and therefore the majority of financial losses, are opportunistic in nature.
An important takeaway from this report is the critical reminder that the most effective security work still involves reviewing your security posture and policies, minimising the externally visible and accessible attack surface through patching and hardening, building and implementing advanced threat detection and response throughout the network, and expanding visibility and control across the distributed network, including endpoints, IoT and the cloud.