Opportunistic cybercriminals tweaking old threats for new targets: Forcepoint

Medium-sized businesses face a surging threat from opportunistic cybercriminals who are changing their strategies as large enterprises become more complex to penetrate, a security-strategy director has warned as new figures correlate declines in spam email with a resurgence in time-honoured document-based macro malware.

The warnings come as newly minted security firm Forcepoint releases its Forcepoint 2016 Global Threat Report, which for the first time combines the experience of a global Special Investigations team comprised of security specialists across its former Raytheon Cyber Products, Websense, and Stonesoft constituent organisations.

This year's report, which draws on analysis of security trends across 155 countries, includes the discovery of a new botnet campaign called Jaku that had a mean dwell time – the time between infection and detection – of 93 days and had persisted within the networks of its 19,000 victims, in 134 countries, for up to 348 days without detection.

A significant drop in the volume of email that is classified as spam – from 88.5 percent in 2014 to 68.4 percent last year – suggests that attackers are shifting their approach away from scatterbomb attacks to more focused, carefully-crafted attacks. Nearly 92 percent of spam and malicious email now includes a URL – intended to direct users to malware-laden Web sites – and the inclusion of macros in malicious emails was up 44.7 percent over the previous year, with more than 4 million malicious macros detected.

“We saw a lot of malicious code that wasn't an actual executable attack,” director of security technologies Bob Hansmann told CSO Australia. “This makes sense since in the past few years everyone has been responding to the threat by saying that they need better malware defences, sandboxes, and all this protection against executables.”

“The bad guys are just saying 'OK, we'll go around that'. And all of a sudden, macros are coming back to life. Spam is going down yet new techniques around malicious code are going up – which means you have a greater risk from email now than we have seen in years.”

Many attackers were also sharpening their use of ransomware, which has proven to be remarkably successful – particularly in Australia, with its massive base of vulnerable small and medium businesses. Those businesses were increasingly coming to cybercriminals' attention as larger companies' improved defences drove them to search for softer targets.

“They are realising that the really big companies have invested in defences so they are going to go where the money is easier,” Hansmann said, “and that is the massive middle market. So organisations need to realise that if they pop up in any kind of a Google search as being in a country with a good economy, in an industry that's making money, that a number of factors can make them look like very juicy targets for these criminals.”

Businesses were also often being left exposed through poor integration of security practices during mergers and acquisitions – which, the report's authors warned, represent “one of the greatest cybersecurity risk catalysts across industry sectors.

Blending companies increases the complexity in protecting an organisation's sensitive data.... The creation of a blueprint for secure consolidation and management of critical data is indispensable to the successful integration of formerly independent organisations.” This and other advice, however, is often falling on deaf ears, Hansmann said, noting that “people just aren't paying attention to those common good practices” in areas like password protection, and that more than half of insider threats were due to accidents rather than malicious, Edward Snowden-like compromise.

Lack of investment in insider threat-prevention programs had perpetuated this problem, with less than 40 percent of recently surveyed organisations saying they had dedicated budget to preventing insider threats. This, despite widespread use of remote access and of easily-compromised credentials providing direct access to key corporate servers. “We are getting cavalier about it,” he said.

“A lot of it comes from the proliferation of mobile apps that encourage us to go and click and interact with the world. There are behaviours that we need to teach people in business and in the office; they need to consider things from a different perspective.”
