The average business suffered 12 percent fewer attacks in 2016 than 2015 and cut average time to detect attacks by a third – but security specialists caution against complacency amidst suggestions that the declines may be due more to increasingly targeted attacks than to any overall improvement in cybersecurity defences.
Drawing on data collected by IBM Security Services across a vast number of endpoints, the company’s X-Force Threat Intelligence Index 2017 highlighted the ‘year of the mega breach’ in which over 4 billion records were compromised.
The average client, the figures found, experienced 1019 attacks across 93 security incidents during 2016 – down 12 percent and 48 percent, respectively, from 2015 figures. Yet this reduction, the report warns, likely signals increased reliance on proven attacks that don’t require as many attempts before they work.
Spam, for example, had surged as a key vector for infection and the proportion of spam emails carrying malicious attachments grew dramatically during 2016 – comprising nearly half of all spam emails in December 2016.
The X-Force figures also noted the record 10,197 software vulnerabilities found in 2016 – up from 8956 the previous year – and the dominance of attack techniques including SQL injection (SQLi) of unexpected items and manipulation of data structures. The Shellshock attack alone made up over a third of all attacks targeting healthcare, for example, during 2016.
The effectiveness of today’s hackers was reinforced by the finding that information was collected and analysed in just 9 percent of attacks – which nonetheless compromised billions of data records.
Attackers were becoming so successful over time that the exploitation of unstructured data – email archives, business documents, source code and other intellectual property – had become a bigger issue. And that, IBM Security vice president of threat intelligence Caleb Barlow said in a statement, made the changes in attack pattern a “seminal moment”.
“The value of structured data to cybercriminals is beginning to wane as the supply outstrips the demand,” he said. “Unstructured data is big-game hunting for hackers and we expect to see them monetize it this year in new ways.”
After focusing on healthcare organisations during 2015, attackers returned their efforts to compromising financial services organisations – which ranked fourth in terms of the number of attacks and third in terms of the number of compromised records.
The analysis took this as a sign that ongoing investments in security practices amongst financial services organisations were paying off: for example, the analysis noted the increased use of secure hashing functions to store their passwords – making it less likely that compromised records may be exploited if they are stolen.
Yet the pressure is set to continue, with SQLi and OS command injection (OS CMDi) attacks accounting for nearly half of attacks against financial-services targets as hackers use them to read, modify and destroy sensitive personally identifiable information (PII).
“Hackers value PII because it can be sold at a handsome profit,” the report’s authors noted, “and also can be held hostage, requiring the financial institution to pay a ransom for its return or to prevent its public disclosure.”
The figures corroborate recent research by FireEye, whose M-Trends 2017 report flagged a reduction in average time to detection – which dropped from 146 days in 2015 to 99 days last year – and also observed “significant sophisticated compromises” against APAC financial institutions in 2016.
This included banking network fraud against organisations in countries like Bangladesh and Vietnam that, the report’s authors suggested, “may lack the rigorous security measure of their Western counterparts in securing key systems such as transactions, internal banking documents and mobile banking apps”.
Indeed, the FireEye analysis concluded, attackers have “become more brazen” as they complement online attacks with techniques such as business email compromise and directly calling their targets.
“Last year saw attackers greatly improve their level of sophistication,” the report’s authors noted, “with some financial threat groups leaving very little evidence behind and making it extra challenging for analysts to investigate and remediate.”
“Nowadays, simply protecting critical business assets isn’t good enough – some attackers are looking to disrupt business until a ransom is paid. Organisations must focus on securing what is needed for regular operations to continue.”