Thoughts from Radware’s Global Application and Network Security Report
- Rise of cryptocurrency trade and value boosts attacks;
- Notorious attacks of the year point at the human factor to blame;
- Machine-learning technologies are not fully mature nor broadly adopted;
- Despite a notion of tolerance, in one of four cases customers will take action against a targeted organization;
- IoT devices power more effective DDoS attacks, but nobody takes responsibility to patch the known holes;
- Data Leakage is the number one concern of organizations today.
These are just a handful of insights from Radware’s 2017-2018 Global Application and Network Security Report, providing a comprehensive view of the industry trends and evolutions. 2017 was an eventful year, with global cyber-attack campaigns that grabbed headlines in mainstream media and affected the lives of many, in particular the WannaCry, NotPetya and BadRabbit ransom sprees, as well as Equifax and Forever 21 data leaks. Let’s take a closer look at 2017 trends and 2018 predictions:
Is cyber-security pushed to the limit?
The human mind is exceptional in many situations, but it has its limits. The pace of innovation today seems much faster than our ability to collect and analyze data patterns and optimize decision making. For instance, 51% of applications undergo changes every week (16% growth from 2016). When the average organization uses dozens of applications, it becomes impossible to track and test all these changes, especially under time-to-market pressure.
Rise of cryptocurrency trade and value boosts attacks
The top driver of cyber-attacks is now cyber-crime. Attackers are motivated by financial gain and driven by the prosperity of cryptocurrencies. Meanwhile, attacks are becoming more targeted. A determined enemy will take the time to learn the target by investing in reconnaissance, social engineering and specific tools.
Reports of ransomware attacks – in which hackers use malware to encrypt data, systems, and networks until a ransom is paid – surged in the past year, increasing 40% from 2016. Ransom payments of $300 in May, 2017 (WannaCry) made in bitcoin are now worth eight times that amount. Such ROI draws more participants into the game, driving the exponential growth of the value of cryptocurrencies such as Bitcoin, Ethereum, Monero and others. Companies don’t expect this threat to go away in 2018 either. One in four executives (26%) noted that ransom would be the largest threat to their business in the coming year, tied with data theft as the most common concern.
- Ransom is the motivation behind 50% of the attacks
- Incidence has grown by 40% Year-over-Year
- Ransom is the top concern of security professionals in 2018
- One in eight organizations suffered a DDoS Extortion
IoT threat emerges but no one claims responsibility
In late 2016 we all witnessed how the threat posed by a tremendous number of connected devices took form in a botnet (named Mirai) of 150K such devices that eventually took down DynDNS servers, causing a major internet services outage in the US. The lessons were quite obvious: 1. These devices are insecurely built and 2. There are billions of them out there. However, neither the manufacturers nor the regulators took action to set a standard that yields a safer IoT-integrated environment. In the interim, more and more IoT botnets are joining the game, most of them variations and mutations of previous versions.
The insecure digital experience:
According to Radware’s Global Application and Network Security Report, one in six organizations has suffered a DDoS attack by an IoT botnet. In addition, IoT devices are a major contributor to the fact that, for the first time, the majority of DDoS attacks use application-layer rather than network-layer communication. DDoS attacks, however, are not the sole threat – many organizations face a challenge when they want to integrate IoT devices into their own network. The primary concern they report is that it complicates security management. Information security is only as strong as its weakest link – in this case the IoT devices are the usual suspect.
Notorious attacks of the year point at the human factor to blame
We can’t always blame technology, though. The major attacks of the year taught us that in many cases the weakest link is actually the human factor – whether the reason is not patching vulnerabilities on time, or simply leaving a back door open and data exposed. Indeed, three in five information security professionals do not express a high level of confidence in their fellow employees.
However, if you expected that such compelling events would urge organizations to go ahead and make foundational alterations in either their security or way of thinking, you will be surprised to learn that the majority took little to no action.
While in such examples humans fail to protect one organization from a specific attack, let’s not forget that an attack tool – allegedly leaked from a governmental agency – powered the three major ransom sprees of the year.
When asked about future concerns, the human factor also steps onto the podium:
- Misconfigurations – #1 risk in cloud environments
- Better security – #1 reason to adopt machine-learning based solutions
- The user (commercial or private) is responsible for securely operating IoT devices
- 1 in 3 still have no plan for emergency situations
How severe can these human errors be?
Apparently, nearly 80% do not calculate the cost of a cyber-attack. Those who do arrive at an estimate more than double that of the others ($1.3M vs. $560K). Such costs include revenue loss, production loss, fees, PR and remediation expenses.
Despite a notion of tolerance, in one of four cases customers will take action against a targeted organization
Just as we understand this challenge and can be forgiving, so are business customers in the majority of cases. Generally, only in one of four cases will customers take action against an organization that has suffered a cyber-attack. However, with attacks now being a fact of life, the absolute number of potential grounds for liability is increasing.
Machine-learning technologies are not fully mature nor broadly adopted
Although security professionals sincerely acknowledge the challenge of fully protecting the sensitive information in their organization’s network (68% are not confident in their security posture), only one in five has begun relying on machine-learning / AI based solutions for protection. While for another 28% this is on the radar, there is certainly a gap at this point in time between the required level of control over information security and the ability to execute.
Humans simply are not able to identify attacks by sifting through the massive quantity of data generated by network logs and other sources. The sheer number of indicators of compromise (IOCs) that security products generate overwhelms security teams. Many IOCs are false alarms that waste limited security resources.
Where human intelligence and bandwidth fall short, machines can help. Machine-learning algorithms perform exceptionally well in analyzing log data to identify and classify anomalous behavior or subtle differences indicating attempted compromise.
The DDoS Threat Landscape
Ransomware is not the only extortion method. Cyber criminals today threaten organizations with denial-of-service attacks against their networks and servers unless paid a certain amount of Bitcoin. They usually follow up with a ‘demo’ attack to prove they are serious and capable. This – as well as the growing prevalence of IoT botnets – is just one of the emerging DDoS tactics used against businesses in the last year or two. These tactics are maturing: more attacks now end in a complete outage rather than mere service degradation.
- Bursts: By launching high volumes of traffic in an instant, attackers typically manage to knock firewalls down before a DDoS mitigation workflow kicks in. These bursts come in random volumes, vectors and intervals. The resulting unexpected availability outage causes businesses significant harm.
- Encrypted Attacks: Encrypted SSL floods, SSL renegotiation, HTTPS floods and the use of encrypted traffic against application vulnerabilities are becoming an increasingly favored way for attackers to bypass security controls and take down network or application resources. 28% of businesses reported suffering encrypted DDoS attacks in 2017.
- DNS: Brute force, query floods, recursive floods and cache poisoning are just a handful of the techniques used to prevent DNS servers from operating properly, with an effect that reaches whoever relies on those servers – one organization or many more (as happened to DynDNS).
- Reflection and Amplification Attacks: These aren’t new, but 2017 also brought an increase in reflection amplification DDoS attacks as a major vector against a wide spectrum of services. Two in five businesses indicated that they experienced a reflected amplification attack in 2017. One-third of those reported that they were unable to mitigate these attacks.
- Application layer DDoS overtakes network layer DDoS: This year brought declines in UDP, ICMP, TCP-Other and IPv6 attack vectors—marking a significant drop in network attacks (51% in 2017 vs. 64% in 2016). The incidence of application attacks remained steady at 64% in 2017 compared to 63% the year before.
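The machine-learning section above says machines can sift log data for anomalous behaviour that humans cannot spot by hand, and the bursts item describes short, random-interval traffic spikes that outrun a mitigation workflow. The following is an added example, not code from Radware or its report, of the simplest form of that log analysis: per-second request counts from web-server access logs compared against a robust statistical baseline, with each burst summarized so a responder sees its duration, peak rate, source spread and the endpoint it hit. The log lines are constructed in the script (the 203.0.113.0/24 addresses are the TEST-NET-3 documentation range), and the combined log format, endpoint names and thresholds are assumptions for the demonstration.

```python
"""Burst detection over web-server access logs (added example).

Not part of Radware's report or products. The baseline is median + k * MAD of
per-second request counts rather than mean/std, so the burst being measured
does not inflate the threshold it is measured against. All log lines below are
constructed; 203.0.113.0/24 is the TEST-NET-3 documentation range.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; the referrer/agent fields are ignored here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def constructed_log(seconds=20, burst=(5, 7), base_rps=2, burst_rps=40):
    """Constructed sample: steady background traffic plus a short application-layer
    burst of requests to one (assumed) expensive endpoint from many source addresses."""
    lines = []
    for s in range(seconds):
        in_burst = burst[0] <= s <= burst[1]
        rps = burst_rps if in_burst else base_rps
        for i in range(rps):
            ip = f"203.0.113.{(s * 7 + i) % 250 + 1}"
            path = "/api/search" if in_burst else ("/", "/index.html", "/api/items")[i % 3]
            lines.append(f'{ip} - - [01/Jan/2018:10:00:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512')
    return lines


def per_second_windows(records):
    """Group parsed records into one-second windows, ordered by time."""
    windows = defaultdict(list)
    for rec in records:
        windows[rec["ts"].replace(microsecond=0)].append(rec)
    return dict(sorted(windows.items()))


def burst_threshold(counts, k=5.0, floor=1.0):
    """Median + k * scaled MAD. `floor` keeps a perfectly flat baseline (MAD = 0)
    from turning every one-request blip into an alert."""
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts) * 1.4826
    return med + k * max(mad, floor)


def detect_bursts(lines, k=5.0):
    """Return one summary dict per run of consecutive over-threshold seconds."""
    records = [r for r in map(parse_line, lines) if r]
    windows = per_second_windows(records)
    counts = [len(v) for v in windows.values()]
    threshold = burst_threshold(counts, k)
    bursts, current = [], None
    for ts, recs in windows.items():
        if len(recs) > threshold:
            if current and (ts - current["end"]).total_seconds() == 1:
                current["end"] = ts                      # extend the running burst
                current["records"].extend(recs)
            else:
                current = {"start": ts, "end": ts, "records": list(recs)}
                bursts.append(current)
    for b in bursts:  # replace raw records with what a responder needs at a glance
        recs = b.pop("records")
        b["requests"] = len(recs)
        b["peak_rps"] = max(len(windows[t]) for t in windows if b["start"] <= t <= b["end"])
        b["sources"] = len({r["ip"] for r in recs})
        b["top_path"] = Counter(r["path"] for r in recs).most_common(1)[0][0]
        b["threshold"] = threshold
    return bursts


if __name__ == "__main__":
    for b in detect_bursts(constructed_log()):
        print(f'{b["start"]:%H:%M:%S}-{b["end"]:%H:%M:%S} peak {b["peak_rps"]} rps '
              f'({b["requests"]} requests from {b["sources"]} sources) to {b["top_path"]}; '
              f'threshold {b["threshold"]:.1f} rps')
```

On the constructed sample this reports a single three-second burst to `/api/search` from 54 distinct sources, against a threshold of 7 requests per second. In production the baseline would be learned from the preceding hours rather than from the same window being scored, and the per-second counters would be fed from the log pipeline rather than a file; the robust statistic is the point the example makes, since a mean/std baseline computed over the same data would be dragged upward by the burst itself.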
Data Leakage is the number one concern of organizations today
More than one-quarter of respondents (28%) cited data leakage/information loss, making it the top concern in the latest survey and continuing the trend from 2016. One in three U.S. and E.U. companies point to data theft as their biggest fear. Data leakage ranks consistently high across all industries. It was especially high in government, suggesting that such organizations are increasingly anxious about their public image. Telecommunications and service providers and high tech companies also cited data leakage as a top fear, reflecting their focus on safeguarding their customer bases.
What to do:
Learn, understand, adopt. Follow the trends and analyze the risks – don’t stay behind. We security companies love to brag about the gaps but remember that the available solutions are quite advanced, and when seamlessly integrated into the business processes and the human behavior, they can provide a decent level of protection that will eventually lead hackers to focus on another target. Radware’s report is rich with information and advice on how to prepare for 2018 application and network security challenges.
Read “2017-2018 Global Application & Network Security Report” to learn more.
Ben Zilberman is a product-marketing manager in Radware’s security team. In this role, Ben specializes in application security and threat intelligence, working closely with Radware’s Emergency Response and research teams to raise awareness of high-profile and impending attacks. Ben has diverse experience in network security, including firewalls, threat prevention, web security and DDoS technologies. Prior to joining Radware, Ben served as a trusted advisor at Check Point Software Technologies, where he led partnerships, collaborations and campaigns with system integrators, service providers and cloud providers. Ben holds a BA in Economics and an MBA from Tel Aviv University.