‘The Cisco 2014 Midyear Security Report’, examines the ‘weak links’ in organisations that contribute to the increasingly dynamic threat landscape. These weak links which could be outdated software, bad code, abandoned digital properties, or user errors contribute to the adversarys ability to exploit vulnerabilities with methods such as DNS queries, exploit kits, amplification attacks, point-of-sale (POS) system compromise, malvertising, ransomware, infiltration of encryption protocols, social engineering and life event spam.
The report also shows that focus only on high-profile vulnerabilities rather than on high-impact, common and stealthy threats puts these organisations at greater risk. By proliferating attacks against low-profile legacy applications and infrastructure with known weaknesses, malicious actors are able to escape detection as security teams focus instead on boldface vulnerabilities, such as Heartbleed.
Researchers examined 16 large multinational organisations, who, as of 2013, collectively controlled over $4tn ( £2.37tn) in assets with revenues in excess of $300bn ( £178bn). This analysis yielded three compelling security insights tying enterprises to malicious traffic.
1. ‘Man-in-the-Browser’ attacks pose a risk for enterprises
Nearly 94 per cent of customer networks observed in 2014 have been identified as having traffic going to websites that host malware.
2. Botnet hide and seek
Some 70 per cent of networks were identified as issuing DNS queries for Dynamic DNS domains. This shows evidence of networks misused or compromised with botnets using DDNS to alter their IP address to avoid detection/blacklist. Few legitimate outbound connection attempts from enterprises would seek dynamic DNS domains apart from outbound C&C callbacks looking to disguise the location of their botnet.
3. Encrypting stolen data
Nearly 44 percent of customer networks observed in 2014 have been identified as issuing DNS requests for sites and domains with devices that provide encrypted channel services, used by hackers to cover their tracks by exfiltrating data using encrypted channels to avoid detection like VPN, SSH, SFTP, FTP, and FTPS.
However, the number of exploit kits has dropped by 87 per cent since the alleged creator of the widely popular Blackhole exploit kit was arrested last year, according to Cisco security researchers. Several exploit kits observed in the first half of 2014 were trying to move in on territory once dominated by the Blackhole exploit kit, but a clear leader has yet to emerge.
Java continues its dubious distinction as the most exploited programming language. Cisco security researchers found that Java exploits rose to 93 per cent of all indicators of compromise (IOCs) as of May 2014.
There has also been an unusual uptick in malware within vertical markets. For the first half of 2014, the pharmaceutical and chemical industry once again placed in the top three high-risk verticals for web malware encounters. Media and publishing led the industry verticals posting nearly four times the median web malware encounters, and aviation slid into third place with over twice the median web malware encounters globally.