Who’s hacking your organisation? Seems like just about everyone

Posted on : 30-04-2013 | By : jo.rose | In : Cyber Security



Last month we wrote about The Evolution of the Cyber Criminal and highlighted how they had developed from the lone (and often lonely) hacker, into organised and “employed” online assailants.

So where are the key locations orchestrating these attacks? Recently informed commentators have pointed towards China as the key driver behind cyber attacks with the primary goal to steal sensitive information, such as intellectual property. However, during 2012 FireEye, the leading solution provider to protect against Advanced Persistent Threats (APTs), monitored more than 12 million malware communications, thus creating a rich view of the threat landscape.

The key findings were:

  • Malware is truly multinational: callbacks were found to 184 countries, a 42% increase over the previous two years. The distribution of countries has also evolved significantly: the US, Ukraine and Russia topped the list in 2011, whilst in the recent analysis the top countries were the US, South Korea and China. The top 20 countries hosting command and control servers are shown below.

  • Asia and Eastern Europe hotspots: contributing 24% and 22% of the malware callbacks respectively. North America still topped the league, but this was because it hosts more control servers, from both an evasion and a targeting perspective.
  • The majority of APTs originate from tools “Made in China”: by analysing the DNA of the malware families and matching it with callbacks, FireEye found that some 89% originate from Chinese hackers.
  • Technology Organisations targeted most: there is a large concentration of attacks towards technology organisations, mainly due to their high level of intellectual property.
  • In-country callback evolution: in order to evade detection, malware is increasingly contacting control servers within the target nation (indeed, some 66% of servers were located within the United States).
  • Techniques to evade detection: control servers are using more and more advanced mechanisms to mask against capture, increasingly leveraging social networking infrastructure and embedding in common files.

To see an interactive cyber threat map and to download the full report, go to http://www.fireeye.com/cyber-attack-landscape/.

With such a dynamic landscape, APTs becoming more advanced and cyber criminals adopting a truly global approach to their activities, it is difficult for organisations to stay ahead.

Indeed, arguably it is really about staying close enough to limit the impact to your company sensitive information and assets.

Let’s look at some other key facts from the recent Advanced Threat Report for the second half of 2012.

On average, a malware event occurs once every three minutes within an internal company network. Whilst organisations deploy varying layers of protection such as Firewalls, Antivirus and Intrusion Protection Systems, the sophistication of malware has become so pervasive and successful at penetrating these defences, that without a new approach the fight will be lost.

Whilst some industry verticals are attacked cyclically or consistently, such as technology organisations, others such as healthcare tend to experience more volatility, with cyber criminals focusing on specific events.

Spear phishing remains the most common entry method for cyber attacks, with the initiators using common business terms and associated file names to lure unsuspecting users into the attack. These typically fall into three categories: 1) shipping and delivery (the top phrase in malware file names was “UPS”), 2) finance, and 3) general business.

File-wise, ZIP remains by far the preferred delivery mechanism for malware over email, with it being used in some 92% of attacks. Also, attackers are avoiding the more common .exe file types as the infection propagates in favour of system files such as DLLs to avoid detection and be more persistent.

Cyber criminals have also spent a lot of time “innovating” in the way that the malware payload is delivered so as to avoid detection. Examples of this are malware that executes only when the user moves the mouse (duping some detection systems, since it generates no activity until then) and malware that incorporates virtual machine detection to bypass sandboxing.

This is certainly a battle that will rage for many years to come.

If you would like more information on how FireEye can assist in protecting your organisation against cyber threats, please contact jo.rose@broadgateconsultants.com.