Fortinet’s FortiGuard Labs cybersecurity threat report takes a look at the nature of attacks – how attackers get in, how they manage to persist inside networks, what they want, and who they are. It also provides insight into three key areas of concern that our FortiGuard Labs team has identified, and they bear reviewing here.
2016 Rio Olympics:
Cyberattacks during the Olympic games are not new. We have seen a spike of attacks focused on the Olympics – including targeting vendors and spectators – beginning as far back as the 2004 Summer Olympics in Greece. However, there are three main reasons why the 2016 Rio Olympics deserves special attention:
1. Analysis seems to indicate that cyberthreats and attacks are not (yet) a priority for Brazil. According to the World Economic Forum’s (WEF) ranking of global risks, Brazil only ranks concerns about cyberattacks as #23, and data fraud/theft at #16. This is concerning since countries like the US, Japan, Germany, Netherlands, and a few others rank cyberattacks as their #1 business risk. Given the high profile of the Olympic games, we would expect the risks of cyberattack and data theft to be ranked much higher for Brazil.
2. The volume of malicious and phishing artifacts (i.e. domain names and URLs) in Brazil is on the rise. In June, Brazil’s percentage increase was higher in three of four categories in Fortinet’s report when compared with the global percentage increase. The highest percentage growth was in the malicious URL category at 83% compared to 16% for the rest of the world.
3. As the 2016 Rio Olympics unfold, the history of these increased attacks will undoubtedly continue and FortiGuard Labs is already seeing indicators of repeat techniques such as domain lookalikes for payment fraud and malicious websites or URLs targeting event and government officials.
“Behavior Blending”:
We are seeing signs of increasingly sophisticated methods to help attackers persist inside systems they have breached. It is something we call “behavior blending.”
As the name implies, behavior blending is a technique used by criminals that allows them to blend in with everyone else on a compromised network. Once an attacker succeeds in acquiring valid user credentials, they proceed to assume the identity of the user through monitoring and learning the online behaviors of the authorized credential owner. They then attempt mimic as closely as possible the normal behavior patterns of that user. This allows them to remain unnoticed by the latest generation of automated analysis tools searching for anomalous behaviors.
Of course, this requires considerable research for success. As it’s very difficult to understand and replicate normal behavior patterns right away, we have been able to identify threat actors before they become camouflaged. Traditionally, this sort of obfuscation is difficult even for seasoned penetration experts with authorized access to systems. But new tools are emerging to speed up and enhance this process. Because this evasion technique has a lot of potential for thwarting detection, we expect to see more of it as the technique is refined and new tools are developed to better mimic the behavior of a credentialed target. It also represents a new challenge for defenders and security vendors looking to identify sophisticated attacks based on behavior analysis.
Increased Threats:
Overall, we continue to see an increase in threat activity. This isn’t news, per se, but the implications are worth considering.
First, we are seeing the return of old threats and attack vectors, as well as the continued persistence of classic attacks, such as Conficker and ransomware, through updated variants. Of course, this begs the question: Why, after all the money and research being spent on security, are not only the number of attacks increasing, but many older attacks continuing to persist? Surely, the sophisticated cybercriminal community wouldn’t still be using these if they weren’t successful.
The answer, of course, is complicated. New user devices and applications, new communications methods, the rise of virtualized and cloud-based networking, and things like IoT continue to expand the attack surface. And many organizations continue to adopt and deploy these new technologies before security has rotated to protect them. And far too many organizations are simply skating by on doing the absolute minimum hoping they get overlooked, or because the tradeoff between productivity and security seems too high.
But there is another issue at work here: it’s the industry’s general approach to security that is a critical part of the problem. It’s clear that increased spending on traditional, isolated security devices isn’t working, because networks are still getting broken into pretty consistently. Like the old saying goes, we keep doing the same thing over and over again hoping for a different result. It turns out that the classic arms race approach is a zero sum game.
Companies need something different. Which is why Fortinet, the original innovator of cutting edge ASIC technology designed to increase performance while keeping costs under control, has recently announced the Fortinet Security Fabric.
Of course, a number of vendors have made noise about security platforms and solutions. But until now, none have truly delivered an integrated security architecture designed to unify management, centralize and coordinate threat detection and intelligence, and provide a dynamically coordinated response to threats anywhere across the distributed network, from IoT to the cloud. The Fortinet Security Fabric represents a complete rethinking of how security is to be designed, implemented, and managed, allowing organizations to stop playing catch-up with cybercriminals and finally get out in front of the threat community.
