That ransomware has truly reared its ugly head is evident from how prominently it features in the Cisco 2016 Midyear Cybersecurity Report. Cisco not only produces a hefty annual security report but also puts out a midyear report each year, a welcome addition in this fast-changing period for the industry.
And time seems to be on the side of the cyberattacker, who has gotten good at finding ways to lurk undetected while doing damage. The 2016 midyear report has a lot to say not only about ransomware but also about the urgency of narrowing the window of opportunity attackers have to infiltrate, and the importance of constraining their operational space once they are inside.
Cisco Security Leaders Size Up the Threat Landscape
Cisco's SVP for the Networking and Security Business, David Goeckeler, and Steve Martino, Chief Information Security Officer, sat down last month to explore the issues in the 2016 Midyear Cybersecurity Report. You can watch a video of that discussion here. In addition to ransomware, hear what they have to say about the following:
- Windows binaries as a top form of web attack
- Encryption as a tool that attackers are adopting to conceal their activity
- A shift from client-side delivery of malware to include server-side delivery
Even though the video is only about eight minutes long, for those who'd prefer to skim quickly rather than listen, here's a transcript of most of the conversation between Goeckeler and Martino:
Goeckeler: One of the things we see right now in the security market is ransomware. It’s just everywhere. It’s going after every vertical. It’s one of the most prolific forms of attacking that’s out there. Attackers are making lots of money. What is the report telling us about ransomware?
Martino: A couple things … Commercial entities are using "X as a service" to get speed and agility, and the attackers have figured that out as well, and are doing the same thing. And we call it “malvertising as a service.” Essentially, attackers are setting up legitimate ad services, and they’re using that to inject malware into ads or redirect people to malicious sites. This is fast becoming the No. 1 way that attackers are delivering ransomware.
The second thing that is really interesting in the report is the shift in some of the different methods they’re using. In the last report, Windows binaries was No. 4 on the list. Today it’s No. 1. And I think the reason they’re using Windows binaries more and more is to be able to get longevity of their delivery into the platform and really have that foothold for a long time.
Goeckeler: In the whole ransomware space, one of the simple things that customers can do is they can just add a layer of security from the cloud that will help them take care of a lot of this ransomware that’s going on out there. That’s one of the practical things that people can take away and go do, and that’s something that you’ve done for Cisco, is that right?
Martino: Yes, we just recently deployed OpenDNS across our entire network, and that’s giving us that layer—whether people are on the network or off the network—to provide them that protection.
Goeckeler: One of the things we’re always thinking about is, how do we constrain the space of the attackers? We try to keep as many out as we can, but it’s inevitable that somebody is going to get through, and then the question is, how do we find them? How do we limit their ability to do damage?
Martino: We’ve used encryption to protect our communications for a long, long time. Well, the attackers are now pivoting and using encryption to deliver malware in their communications securely to hide themselves. The report indicates that we’ve seen a 300 percent increase in the use of HTTPS by malicious actors. That really is giving them a way of concealing their activities from our services and detection mechanisms.
The second thing we’ve seen is a shift from just client-side, or primarily client-side, to server-side delivery of malware. And don’t get me wrong: Client-side attacks and the use of Adobe Flash are still super, super prevalent, but they’re shifting to using the server as a way of getting at richer, more valuable sources to connect to ransomware and extort more money from individuals and organizations.
Goeckeler: And one of the more practical things that people can do is to use their network to constrain that space in which people can operate. So, segment the network, monitor the interior of the network, and figure out, once somebody gets through, how to constrict their ability to do damage, and find them as quickly as possible.
So, we’ve talked a lot about the attackers. Let’s switch to the defenders like yourself. How is it going and what are we finding in the research about how we’re doing on the defending side—the things that we can do better and things that we can do more of?
Martino: What the research found is that we defenders aren’t necessarily doing a good enough job at what we need to be doing. Specifically, the vendors have stepped up, and the time from public disclosure of vulnerabilities to a patch is almost zero. And yet we as defenders are not deploying and implementing those patches as aggressively as we can and constraining where attackers can come at us. A good example of that is Java. Thirty percent of the browsers that the researchers were able to look at were still running Version 6 of Java Runtime when Version 10 is the current version that is available.
We also looked at infrastructure across the network, and were able to look at three million pieces of infrastructure exposed on the public Internet. We have to do a better job of applying these [patches] and keeping our infrastructure up to date. It constrains the attackers greatly.
I think, secondly—you mentioned it—our ability to aggressively develop and deploy network segmentation to limit the horizontal movement of attackers in our networks, and really use the network as a giant sensor … get data from the network so that when bad things happen, we’re able to find it and constrain it much more quickly.
Goeckeler: Okay, Steve, some great information and perspective from someone who does this every day, trying to go up against the most sophisticated adversaries out there. There are open doors and open invitations for the adversaries to come through. We need to do better on all that. We need to block as much as we can, realize that some stuff is going to get through, find it as quickly as possible—using all the techniques it takes to do that. That’s one of the things that the Midyear Cybersecurity Report talks about a lot: this time-to-detection metric we’re trying to measure ourselves against. We put it out there a year and a half ago, and it was at 46 hours. And now we’re down to 13.
And that’s where we need to go as an industry: get that time-to-detection number down, get it off that industry average of a hundred to two hundred days. At least we’ve got it down to a little over a dozen hours. Let’s drive it lower!
Now that you've checked out this overview, take some time to dig into the complete Cisco 2016 Midyear Cybersecurity Report. It's 59 pages of very current cyber food for thought, especially for those of you thinking of career progression within the field. Have you applied for a Cisco Global Cybersecurity Scholarship? Read about the Cisco CCNA Cyber Ops certification it could lead to.
Gary Pfitzer is a content manager at Learning@Cisco, focused on bringing various aspects of today's IT journey to light through business papers, blogging, customer success stories, and other writing.