The Websense 2013 Threat Report culled forensic evidence from 900 million-plus endpoints monitored by the company’s enterprise customers. The analysis was broken down into six areas of concern: web, email, and mobile security, in addition to malware behavior and data theft.
The most significant finding was the dramatic 600% increase in malicious web links worldwide, led by a 720% increase in North America and an uptick of 531% in the EMEA region. This increased volume is likely attributable to a fragmentation of attacks, according to Charles Renert, VP of research and development for Websense Labs, the research arm of the data security provider. He told Infosecurity that attacks are now being distributed on a more diverse geographic basis, “and a widening of this net is of value to the attacker community”.
The result, he added, is the exfiltration of high-volume, low-yield data that helps increase return on investment for attackers as the data are sifted through. It also leads to attackers homing in on targets after this data mining is completed. In his analysis: “Cast a wide net, get initial data, and then go after specific targets”.
Renert breaks a typical targeted attack down into four stages: luring, social engineering, redirection (the compromise step) and, finally, data exfiltration. To combat this attack cycle, the Websense VP asserted that behavioral detection will be the way of the future. “The behavior is more indicative of maliciousness”, and by using real-time behavioral analysis of network activity, “you can detect an attacker’s command and control and encryption (obfuscation) strategies”, he commented during a recent briefing.
By using a behavior-based detection strategy, Renert continued, security professionals can identify the custom encryption hackers use to cover their tracks. Data theft is indicative of a prior malware infection within a device or network, and Renert said that new-generation data loss prevention (DLP) technologies with a foundation in behavioral analysis will better protect against data theft and leakage. The promise of these technologies is simple, he asserted: “If I actually know about something, then I can stop it”.
Most current security models rely on post-incident detection. In these cases, the data has already left the network, and prevention is impossible. The new standard must be “T = 0”, Renert insisted, which means the time to detect a suspicious transaction must be instantaneous to help prevent data loss.
With respect to malware hosting, the report found that the US continues to top the list, followed by Russia, Germany, and China. Renert said China has actually slipped down this list because, in his estimation, attackers there are becoming “more clever about how to kick off attacks and avoid detection”. In addition, the Websense researcher said the US occupies the top malware spot because the country has more web hosting infrastructure, which helps maximize attack yield.
The US also occupied the top spot for ‘victims’ of web-based attacks, with the company’s research indicating 1719 attacks per 1000 customers worldwide. In Renert’s opinion, organizations in the US are attractive targets because of several factors, including volume of web traffic, a propensity for early adoption of mobile devices, a diversity of computing platforms, and the perception that there are more “rich” targets within its borders.
Mobile threat intelligence gathered by the report was mostly ‘par for the course’, reaffirming previously established trends. For example, Websense detected that 82% of malicious mobile apps employed SMS messages as part of their attacks. “We should not expect app stores to be clean pipes”, Renert commented. “Attacks will look different” going forward, he added. The top risk, in his estimation, is not the moment malware infects a device or takes hold within a network. Rather, it’s the subsequent data leakage that is a primary concern for organizations, many of which lack network-level protection to detect these leaks.
To facilitate instant behavioral detection, Renert says organizations must employ an analytic strategy that examines content streams in real time, and in such a way that it does not require a person in front of a screen to initiate a defensive response. In addition, the strategy must correlate detection capabilities to identify common attacks and the strategic requirements these attacks must employ.
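As an added illustration of the real-time, correlated behavioral analysis Renert describes (not code from Websense, the report or this article), the Python below scores each outbound record as it arrives and raises an alert the moment two behavioral signals line up for one host and destination: near-constant check-in timing, and payload entropy high enough to suggest custom encryption or obfuscation. The sample records, hostnames and thresholds are constructed assumptions, and a real product would use far richer features; the point is that no batch step or human trigger sits between observation and alert.

```python
import math
from collections import Counter, defaultdict
# Constructed sample of outbound records (seconds, host, destination, body); not from the report.
# ws-17 checks in every 60 s with opaque bodies, ws-30 polls a text feed, ws-22 browses irregularly.
OPAQUE = bytes((i * 37) % 256 for i in range(512))  # stand-in for a custom-encrypted blob
TEXT = b"GET /feed.xml HTTP/1.1\r\nHost: feed.example.test\r\nUser-Agent: curl/7.29\r\n\r\n"
SAMPLE_FLOWS = [
    (0, "ws-22", "news.example.test", TEXT),
    (30, "ws-30", "feed.example.test", TEXT),
    (60, "ws-17", "upd.example.test", OPAQUE),
    (60, "ws-30", "feed.example.test", TEXT),
    (90, "ws-30", "feed.example.test", TEXT),
    (95, "ws-22", "files.example.test", OPAQUE),  # one-off upload of a compressed archive
    (120, "ws-17", "upd.example.test", OPAQUE),
    (180, "ws-17", "upd.example.test", OPAQUE),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for encrypted or compressed data, 4 to 5 for ASCII text."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class StreamDetector:
    """Scores each outbound record as it arrives, keeping only per-(host, destination) state."""
    ENTROPY_THRESHOLD = 7.0  # assumed cut-off above which a body is treated as opaque
    MIN_OBSERVATIONS = 3     # assumed number of check-ins needed before timing is judged
    JITTER_RATIO = 0.10      # assumed tolerance: gaps within 10% of their mean count as regular
    def __init__(self):
        self.times = defaultdict(list)  # (host, dst) -> timestamps seen
        self.opaque = defaultdict(int)  # (host, dst) -> count of high-entropy bodies
    def observe(self, ts, host, dst, body):
        """Return an alert the moment both signals line up for one host/destination, else None."""
        key = (host, dst)
        self.times[key].append(ts)
        if shannon_entropy(body) >= self.ENTROPY_THRESHOLD:
            self.opaque[key] += 1
        if self.opaque[key] >= self.MIN_OBSERVATIONS and self._regular(self.times[key]):
            return {"at": ts, "host": host, "dst": dst, "reason": "regular check-in, opaque payloads"}
        return None
    def _regular(self, times):
        if len(times) < self.MIN_OBSERVATIONS:
            return False
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        return mean > 0 and all(abs(g - mean) <= self.JITTER_RATIO * mean for g in gaps)

def run(flows=SAMPLE_FLOWS):
    det = StreamDetector()  # alerts are emitted as records arrive, with no batch step
    return [a for a in (det.observe(*f) for f in flows) if a]
```

Neither signal alone fires: the regular text polling from ws-30 and the single opaque upload from ws-22 stay silent, while ws-17 is flagged on its third check-in.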
“Defense will never be 100% effective”, Renert admitted, but he added that “effective defense must make attacks far more difficult to execute”. In cases where attackers are seeking out a specific target, early warning responses deployed by the targeted organization can often lead to attackers delaying their exploits, or even moving on to a different target.
“The trust model is gone”, Renert remarked. “Organizations need to build a mesh framework into their security strategy so that attackers find themselves tripped up at some point within the defensive net.”