Analysis of 3 Billion Attacks Demonstrates the Security Gap Between Attack and Defense
27 March 2014

For the first time, NTT has pooled the resources of its group companies and produced a threat report based on an analysis of 3 billion attacks. What it found is that attackers move faster than defenders, and that there are still many basic processes and procedures that companies are failing to implement.

For example, while Target had some good security prior to its breach in 2013, it "failed to observe some basic security controls, including maintaining appropriate network segmentation, an active patch management process and an event response process." Problems include a failure by business to adapt to the changing threat landscape fast enough, and a failure to implement – or in some cases, make use of – the new security controls that are becoming available.

Two key elements are that business does not respond to security issues fast enough, while criminals adapt their own techniques with great speed. For example, criminals are expert at creating new malware and adapting old malware to defeat anti-virus products. The report suggests that 54% of malware designed to take over a compromised system went undetected by the anti-virus solutions in use, while 71% of data theft malware was similarly undetected. NTT Group does not suggest that anti-virus is no longer necessary, but that this perimeter defense needs to be augmented by internal network defense.

Target had actually done just that and installed FireEye software. This software worked in that it detected the breach, but Target management appears to have ignored the warnings or simply reacted too slowly.

Another area in which defense is laggardly is patch management. 50% of the vulnerabilities detected in scans during 2013 had CVE identifiers assigned between 2004 and 2011. "This," says the report, "indicates a massive gap between the detection and remediation phases of VLM [vulnerability lifecycle management], indicating failure of a basic security control." But while business is slow to protect against old vulnerabilities, the criminals are not slow in exploiting new ones. "Research indicates exploit kit developers are pruning older exploits and favoring newer ones, as 78% of current exploit kits are taking advantage of vulnerabilities less than two years old." The result is a continuing gap between attack and defense.

NTT makes four primary proposals. Firstly, companies should still protect their perimeter, even though that perimeter is continuing to change and shrink. The primary tool here is still up-to-date anti-virus. Although this would seem to be a given, NTT notes that "43% of incident response engagements were the result of malware against a particular end point," and that significant factors "were missing basic controls, such as anti-virus, anti-malware and effective lifecycle management."

Secondly, patch management needs to be improved. While accepting that this is not easy, and that "timely installation of every patch on every system is often impractical," the report stresses that companies must be aware of the issues "and need to ensure they are prioritizing countermeasures against these exploits."
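The two findings above (half of the scan findings carried CVE identifiers from 2004-2011, while exploit kits favour vulnerabilities under two years old) together describe a triage rule: measure how stale your backlog is, and fix what is actually being weaponised before working through the rest by severity. The script below is an added example of that triage over a vulnerability-scan export; it is not from the NTT report or the article. The CSV rows, the CVSS values and the "known to be in exploit kits" set are all constructed for illustration and assert nothing about those CVEs; in practice the set would come from whatever threat-intelligence feed the organisation subscribes to.

```python
"""Triage a vulnerability-scan export by CVE age and exploit-kit activity.

Added example, not the NTT report's or the article's own code.  The scan rows,
CVSS scores and EXPLOITED set below are constructed sample data.
"""
import csv
import io
import re
from collections import Counter

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed sample export: host, CVE, CVSS base score (illustrative values).
SCAN_CSV = """host,cve,cvss
web01,CVE-2008-4250,10.0
web01,CVE-2013-2465,10.0
db02,CVE-2010-0840,7.6
db02,CVE-2012-1723,10.0
app03,CVE-2006-3439,10.0
app03,CVE-2013-0422,10.0
app03,CVE-2011-3544,10.0
mail04,CVE-2013-2551,9.3
"""

# Constructed stand-in for an exploit-kit intelligence feed (hypothetical).
EXPLOITED = {"CVE-2013-2465", "CVE-2012-1723", "CVE-2013-0422"}


def cve_year(cve_id):
    """Return the year embedded in a CVE identifier, e.g. 2013 for CVE-2013-2465."""
    m = CVE_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1))


def parse_scan(text):
    """Parse the CSV export into a list of findings with the CVE year pre-computed."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        cve = row["cve"].strip().upper()
        rows.append({"host": row["host"], "cve": cve,
                     "cvss": float(row["cvss"]), "year": cve_year(cve)})
    return rows


def stale_share(rows, scan_year, fresh_years=2):
    """Fraction of findings whose CVE is at least fresh_years old at scan time.

    This is the same kind of number as the report's "50% of vulnerabilities
    had CVEs from 2004-2011": a measure of remediation backlog, not of risk.
    """
    if not rows:
        return 0.0
    stale = sum(1 for r in rows if scan_year - r["year"] >= fresh_years)
    return stale / len(rows)


def year_histogram(rows):
    """How many findings carry a CVE from each year (for the backlog report)."""
    return Counter(r["year"] for r in rows)


def prioritise(rows, exploited, scan_year, fresh_years=2, severe=7.0):
    """Order findings for remediation.

    Tier 0: CVE is known to be used by exploit kits (fix first, whatever its age).
    Tier 1: CVE is recent (< fresh_years) and severe: what kits are most likely
            to adopt next, per the report's 78% figure.
    Tier 2: everything else, by severity and then by age.
    """
    def key(r):
        age = scan_year - r["year"]
        if r["cve"] in exploited:
            tier = 0
        elif age < fresh_years and r["cvss"] >= severe:
            tier = 1
        else:
            tier = 2
        return (tier, -r["cvss"], age)
    return sorted(rows, key=key)


if __name__ == "__main__":
    findings = parse_scan(SCAN_CSV)
    print(f"findings with a CVE two or more years old: {stale_share(findings, 2013):.0%}")
    for year, n in sorted(year_histogram(findings).items()):
        print(f"  {year}: {n}")
    print("remediation order:")
    for r in prioritise(findings, EXPLOITED, 2013):
        print(f"  {r['host']:7} {r['cve']}  cvss={r['cvss']}")
```

The backlog figure and the remediation order are deliberately separate outputs: the first is what you report upward to show that "timely installation of every patch" is not happening, the second is what the patching team works from. Swapping the constructed EXPLOITED set for a real feed is the only change needed to use it on a genuine export.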

Thirdly, business needs to define and test incident response. "Too many organizations have untested, immature or non-existent incident response programs. This makes them unprepared for the inevitable attack." Appropriate incident response, it says, "is critical to minimize the impact of security breaches."

But none of this will be enough on its own. So, fourthly, business must learn to be as fast in exploiting new defense technologies as criminals are in exploiting new attack vectors. "The speed of exploit weaponization is increasing," says NTT, "and may surpass an organization's ability to respond quickly and effectively (if it has not already). New technologies include capabilities such as application isolation techniques, micro VMs, sandboxing and machine learning. These technologies, which focus on application control and isolation, incident containment and rapid detection via behavioral analytics, are likely to grow in importance. These technologies assume the perimeter will fall and compromise is inevitable, and while some preventive techniques can help, the best defensive approach is to limit exposure and detect (and respond to) incidents quickly."

This article is featured in:
Application Security  •  Business Continuity and Disaster Recovery  •  Internet and Network Security  •  Malware and Hardware Security

