We talk about Cylance a lot and with good reason. We’re super keen on what they’re doing in the anti-virus space. They just recently released their first ever Threat Report and it’s a fantastic white-paper.
I thought maybe it’d be worthwhile to offer a summary of that report to you, oh exalted reader. However, it’s not a summary of the complete report. To get your hands on that you’ll need to download the document itself. To do that, all you need to do is register for our Cylance Webinar that’s coming up in July. I’ve included a link at the bottom of the page that’ll help walk you through that process. Once registered we’ll email the 2017 Threat Report right over to you.
So, without further ado, here are some key takeaways from Cylance’s 2017 Threat Report:
1. In 2017, Cylance saw a 13.4% increase in attacks. The Food and Hospitality industries were the hardest hit.
On average, Cylance prevented 3,918 unique attacks per enterprise across 160 countries in 2017. Its internal numbers show the food industry as the most heavily targeted vertical (50% of the attacks), followed by hospitality (19%).
But why is that? They’re soft targets.
Businesses in these sectors typically operate on very slim profit margins and, as a result, are frugal with their security spend. Securing their endpoints is necessary, but it isn't high on the list of priorities, especially when it comes at a hefty cost.
Malware producers love them precisely because both industries run on card transactions: the point-of-sale endpoints that process those payments are where the card data is. Honestly, when's the last time you paid cash at a place like McDonald's or Dunkin' Donuts?
2. Don't rely on public lists alone, whether CVE entries or malware-hash repositories.
Many products lean on public reference lists: the Common Vulnerabilities and Exposures (CVE) catalog for known bugs, and public repositories of malware hashes and signatures for known-bad files. Cylance says neither is enough on its own. In 2017, 70% of the attacks Cylance blocked had never been seen before in the wild, so no public list could have contained them.
“There is a general misconception that publicly-available repositories of malware signatures are a complete catalog of in-the-wild malware. This misguided perception is further elevated by thin endpoint controls that rely on looking up hashes or validating binaries against these public sources to determine if a file is a threat. The fact of the matter is that public repositories of signatures are by no means comprehensive, complete, up-to-date, or a reliable record of all the malware that could impact an organization…”
– Cylance Threat Report 2017, Page 6
Why can't you use such a list on its own? Simple: successful bad actors know these lists exist and do whatever they can to stay off them. By shipping single-use or host/campaign-specific binaries, each with a hash nobody has catalogued, they remain hidden and prolong persistence, striking covertly over days, weeks, months or even years before they're found out.
A hash or signature can't be published for a sample nobody has captured yet, and a CVE entry only describes a vulnerability, not the payload that exploits it.
“Bottom line, you can’t rely on a public repository as a source for all that is evil. The most worrisome malware, from the high- level commodity code to the ultra-sophisticated targeted attacks, will never show up there.”
– Cylance Threat Report 2017, Page 6
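To make the "single-use binary" problem concrete, here is a small added simulation (my own illustration, not code from the Cylance report, and using constructed byte strings rather than real malware). A "public repository" blocklist learns the SHA-256 of the first build only after someone captures it; the attacker's next per-victim build differs by a few bytes, so the exact-hash lookup misses it, while a content rule keyed on something the attacker can't cheaply change (here, a constructed C2 beacon format) still fires.

```python
"""Why an exact-hash blocklist misses per-victim ("single-use") malware builds.

Added illustration: the samples, hashes, hostname and rule below are constructed
for this example and are not from the Cylance report or any real malware family.
"""
import hashlib
import re


def build_sample(campaign_tag: bytes) -> bytes:
    """Stand-in for one malware build.

    The campaign tag is the part an attacker regenerates for every host or
    campaign; everything else (loader, C2 beacon format) stays identical.
    """
    header = b"MZ\x90\x00" + b"\x00" * 12            # fake DOS header (constructed)
    loader = b"\x55\x8b\xec\x83\xec\x40"             # fake code bytes (constructed)
    beacon = b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    return header + loader + beacon + b"TAG=" + campaign_tag + b"\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Control 1: exact-hash lookup against a "public repository" blocklist ---
def hash_blocklist_verdict(sample: bytes, blocklist: set) -> bool:
    """True (blocked) only if this exact byte sequence has been seen before."""
    return sha256_hex(sample) in blocklist


# --- Control 2: match on content the attacker cannot cheaply change ---
# The beacon format is dictated by the C2 server, so it survives repacking.
# YARA-style string/regex rules work the same way; this is a minimal stand-in.
CONTENT_RULES = {
    "fake_c2_beacon": re.compile(
        rb"POST /gate\.php HTTP/1\.1\r\nHost: c2\.example\.invalid"
    ),
}


def content_rule_verdict(sample: bytes, rules=CONTENT_RULES) -> list:
    """Names of every content rule that matches the sample (empty if clean)."""
    return [name for name, rx in rules.items() if rx.search(sample)]


def simulate_campaign() -> dict:
    first_seen = build_sample(b"victim-0001")
    # The repository only learns a hash *after* someone captures and submits it.
    public_blocklist = {sha256_hex(first_seen)}

    # The attacker ships a fresh build per victim: a few bytes differ, new hash.
    next_victim = build_sample(b"victim-0002")
    return {
        "hashes_differ": sha256_hex(first_seen) != sha256_hex(next_victim),
        "first_blocked_by_hash": hash_blocklist_verdict(first_seen, public_blocklist),
        "variant_blocked_by_hash": hash_blocklist_verdict(next_victim, public_blocklist),
        "variant_hits_rules": content_rule_verdict(next_victim),
    }


if __name__ == "__main__":
    for key, value in simulate_campaign().items():
        print(f"{key}: {value}")
```

The lesson is not that content rules are a silver bullet (an attacker who changes the beacon format defeats this rule too) but that any control keyed purely on "have we seen this exact file before" is structurally reactive: it can only ever block the second victim of a build, never the first.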
3. Attacks like WannaCry and NotPetya changed the way the industry responds to threats.
To say WannaCry and NotPetya were just blips on the radar would be an understatement. They were international news stories. In my book, anything that can break the talking heads' cycle of discussing presidential tweets and Washington D.C. name-calling must be important, right?
Boy howdy, was it ever. The tech industry has a love-hate relationship with patches and patching. Yes, they might close a vulnerability or two, but they can also wreak havoc on your systems, which is why so many machines were still exposed.
WannaCry and NotPetya both spread using EternalBlue, an SMBv1 exploit developed by the NSA and later leaked (see https://arstechnica.com/information-technology/2017/06/notpetya-developers-obtained-nsa-exploits-weeks-before-their-public-leak/, https://www.wired.com/story/korea-accountable-wannacry-nsa-eternal-blue/, and https://en.wikipedia.org/wiki/EternalBlue for reference). Microsoft had already shipped the fix (MS17-010) before either outbreak; the worms succeeded on Windows machines that hadn't applied it. (For more on the vendor side of that story: https://www.theregister.co.uk/2017/05/16/microsoft_stockpiling_flaws_too/)
“This situation has given rise to the desire by many organizations to look for ways to mitigate attacks leveraging known vulnerability attacks, such as solutions that can detect and block zero-day payloads without a continuous connection to the cloud or requiring continuous detection signature and rule updates.”
– Cylance Threat Report 2017, Page 7
4. Crypto-currency theft is on the rise.
I'm still torn on whether putting money behind a crypto-currency is a legitimate investment strategy, but that hasn't stopped thousands of people from betting the farm on the likes of Bitcoin, Ethereum, and Litecoin (to name a few). That crowd includes a lot of bad actors who've latched on to the movement as well.
Those bad actors prefer digital currency both for collecting ransomware payments and for crypto-jacking, where they mine on victims' hardware.
Cylance points out in its report that 2017 saw 504% growth in crypto-mining malware, and as many as 2,022 trojans specifically designed to steal a victim's crypto-currency wallet, up from 314 in 2016. That is more than six times the previous year's count; the report puts the increase at 548%.
Conclusion: I don’t want to spoil the entire report for you, it’s worth a read. All you have to do to get at it is register for our Cylance Webinar in July and we’ll email the report directly. Simple as that.