A new type of security threat — “destruction of service” (DeOS) attacks, which could eliminate companies’ backups and safety nets — could cause way more damage to businesses than ransomware.
This is according to Cisco’s 2017 Midyear Cybersecurity Report in which the company coined the term DeOS attack. The report says the Internet of Things (IoT) increases attack surfaces and the potential scale and impact of these threats.
DeOS attacks’ “aim is not just to attack, but to destroy in a way that prevents defenders from restoring systems and data,” writes David Ulevitch, SVP and GM of Cisco’s security business, in a blog post.
Security researchers watched the evolution of malware during the first half of 2017. Attackers increasingly require victims to activate threats by clicking on links or opening files, the report says.
Additionally, they are developing fileless malware that lives in memory and is harder to detect or investigate as it is wiped out when a device restarts.
Adversaries are also relying on anonymized and decentralized infrastructure, such as a Tor proxy service, to obscure command and control activities.
The report notes an increase in spam volumes, in which attackers use email to distribute malware and generate revenue. This coincides with a decline in exploit kit activity since mid-2016.
Spyware and adware pose big risks to enterprises, Cisco says. Attackers can use spyware to steal user and company information, weaken the security posture of devices, and increase malware infections.
Researchers sampled 300 companies over a four-month period and found that three prevalent spyware families (Hola, RelevantKnowledge, and DNSChanger/DNS Unlocker) infected 20 percent of them. On a monthly basis, these three infected more than 25 percent of all organizations.
Spam-sending botnets are also thriving, the report says. Earlier this year, one massive botnet called Necurs was sending penny stock “pump-and-dump” spam as a less resource-intensive way (compared to ransomware, for example) to make money.
However, more recently Necurs was sending Jaff, a new type of ransomware, through large-scale spam email campaigns. The emails included a PDF attachment with an embedded Microsoft Word document, which downloaded the ransomware.
While ransomware has been dominating security news stories and reportedly brought in more than $1 billion in 2016, corporations should be more concerned about business email compromise (BEC). This is a social engineering attack in which an email is designed to trick organizations into transferring money to attackers.
Between October 2013 and December 2016, $5.3 billion — or an average of $1.7 billion per year — was stolen via BEC, according to the Internet Crime Complaint Center, a partnership of the Federal Bureau of Investigation, the U.S. Department of Justice, and the National White Collar Crime Center. Almost 22,300 US organizations experienced BEC fraud between October 2013 and December 2016.
The report also focuses on select verticals, including service providers. Seventy-one percent of the service providers surveyed provide managed security services to end customers.
Attacks on service providers may interrupt their core business and hurt the bottom line: 34 percent of the service providers said they’d lost revenue because of attacks in the past year. And 30 percent said they lost customers or business opportunities because of these attacks.
So what can corporations do to combat attacks? Cisco makes a number of recommendations. These include:
- Keep infrastructure and applications up to date, so that attackers can’t exploit publicly known weaknesses.
- Battle complexity through an integrated defense. Limit siloed investments.
- Engage executive leadership early to ensure complete understanding of risks, rewards and budgetary constraints.
- Establish clear metrics. Use them to validate and improve security practices.
- Examine employee security training, with role-based training rather than a one-size-fits-all approach.
- Balance defense with an active response. Don’t “set and forget” security controls or processes.