“Attack techniques and technology used for global-scale malware deployment continue to mature in terms of scope, resiliency, and effectiveness,” it reports. Furthermore, politically and financially motivated DDoS attacks are increasing, web services software and end-user devices are increasingly targeted, and the attack technology for mobile platforms is rapidly evolving.
In part, this is because there are “systemic threat scenarios that are intrinsically built into the fabric of the global internet.” While the internet is a wonderful tool, it’s very nature makes it insecure. For example, network resources are shared, limited and consumable; meaning they can be used for and are susceptible to DDoS attacks. Software is never completely defect-free; meaning it is exploitable. The huge complexity of interconnected technologies makes it difficult for people to make complex security decisions; meaning that people are susceptible to social engineering, phishing and spear-phishing – often as a pre-cursor to APT-style attacks.
To quantify just these three scenarios, the CTU notes continuing growth in the botnet underground economy, “both in offering DDoS as a service as well as creating DDoS kits usable by threat actors with any skill level.” In particular, the use of DNS amplification or 'reflection' became a more common method of magnifying the amount of bandwidth used in a DDoS attack, leading to “reported bandwidth totals of 30Gbps, 50Gbps, and 65Gbps.” The report also notes the use of DDoS attacks to disguise criminally fraudulent wire transfer activity, “with some attempts in the millions of dollars. Transfers were being made to banks located in Russia, Cyprus, and China.”
CTU documented 7,696 new software vulnerabilities during 2012, an increase of 6% over the previous year. Many of these were relatively trivial and quickly remediated by the vendor concerned. The three most common vulnerabilities are cross-site scripting, SQL injection and buffer overflow flaws. All of these are avoidable through secure coding and improved software development life cycle (SDLC) management.
Social engineering, as part of a more advanced attack, is also increasing. “Social engineering and reconnaissance of targeted organizations is prevalent and advancing, making phishing and spearphishing campaigns more convincing,” notes the CTU. Social engineering is almost impossible to defend other than through user awareness training. Spearphishing in particular is often a precursor to APT attacks.
Defending against such “a full range of threat scenarios requires a persistent, layered approach to security as a system of process.” In other words, companies need to adopt an advanced (layered), persistent (continuing) defense to counter today’s advanced, persistent threats. The report offers a range of advice separated into 3 levels: low complexity (can be implemented by management controls or IT staff); medium complexity (can be implemented by IT staff with support from security professionals); and high complexity (requires a security professional and possible outside consulting services).