April 6 — The 2018 Trustwave Global Security Report — which compiles findings from billions of logged security and compromise events worldwide, hundreds of hands-on data-breach investigations and internal research — found improvement in areas such as intrusion-to-detection time. However, it also found that sophistication in areas such as malware obfuscation, social engineering tactics and advanced persistent threats is increasing.
Key findings from the report include:
- North America and retail lead in data breaches. While numbers are down from last year, North America still had 43 percent of global data breaches followed by the Asia Pacific region (30 percent); Europe, Middle East and Africa (23 percent); and Latin America (4 percent). Retail makes up 16.7 percent of breaches with finance and insurance following at 13.1 percent and hospitality coming in at 11.9 percent.
- Compromise and environment type matters. Up to 43 percent of incidents investigated involved corporate and internal networks. E-commerce environments made up 30 percent of incidents, and point-of-sale incidents increased by more than a third, rising to 20 percent of total incidents. “This is reflective of increased attack sophistication and targeting of larger service providers and franchise head offices and less on smaller high-volume targets in previous years,” the report states.
- Social engineering tops methods of compromise. Phishing and social engineering was the leading method of compromise in corporate network environments (55 percent). Malicious insiders accounted for 13 percent, while remote access made up 9 percent of such incidents. “CEO fraud,” a social engineering scam encouraging executives to authorize fraudulent money transactions, continues to increase.
- All web applications were found to be vulnerable. One hundred percent of web applications tested displayed at least one vulnerability, with 11 as the median number detected per application. The vast majority (85.9 percent) of web application vulnerabilities involved session management, allowing an attacker to eavesdrop on a user session to commandeer sensitive information.
- Web attacks are becoming more targeted. These types of attacks are becoming more prevalent and sophisticated, and many breach incidents show signs of careful preplanning by cybercriminals probing for weak packages and tools to exploit. Cross-site scripting was involved in 40 percent of attack attempts, followed by SQL Injection at 24 percent, path traversal at 7 percent, local file inclusion at 4 percent and distributed denial of service at 3 percent.
- Malware is using persistence techniques. Although 30 percent of malware examined used obfuscation to avoid detection and bypass first-line defenses, 90 percent used persistence techniques to reload after reboot.
- Service providers are now in the crosshairs. Businesses that provide IT services (such as web-hosting providers, POS integrators and help-desk providers) are increasingly being targeted. A compromise of just one provider opens the gates to a multitude of new targets. To compare, in 2016, service provider compromises did not register in the statistics.
- Large disparities exist between breach detection internally and externally. The median time between intrusion and detection for externally detected compromises was 83 days in 2017, a stark increase from 65 days in 2016. Median time between intrusion and detection for compromises discovered internally, however, dropped to zero days in 2017, down from 16 days in 2016. This shows that businesses discovered the majority of breaches the same day they happened.
- Payment card data remains a top draw. Although a decrease from 2016, payment card data still makes up 40 percent of data types targeted in a breach. The figure is split between magnetic stripe data (22 percent) and card-not-present data (18 percent). Interestingly, incidents targeting hard cash are on the rise, up to 11 percent. This is largely due to fraudulent ATM transaction breaches enabled by compromise of account management systems at financial institutions.
- Necurs keeps malware-laced spam high. Several major Necurs botnet campaigns for propagating ransomware (including WannaCry), banking trojans and other damaging payloads kept spam containing malware high at 26 percent (although this is down from 34.6 percent in 2016). More than 90 percent of spam-borne malware is delivered inside archive files such as .zip, .7z and RAR, typically labeled as invoices or other types of business files.
- Database and network security required much critical patching last year. The number of vulnerabilities patched in five of the most common database products was 119, down from 170 in 2016. Fifty-three percent of computers with SMBv1 enabled were vulnerable to MS17-010 “ETERNALBLUE” exploits used to disseminate the WannaCry and NotPetya ransomware attacks.
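The session-management finding above (a session that can be eavesdropped on and taken over) most often comes down to session cookies issued without the attributes that keep them off unencrypted channels and away from script access. The following audit script is an added example and is not part of the Trustwave report; it parses Set-Cookie headers and reports session-looking cookies that lack Secure, HttpOnly or a restrictive SameSite value. The header samples and the name hints used to recognise a session cookie are constructed assumptions for the demonstration.

```python
"""Audit Set-Cookie headers for session-cookie hardening attributes.

Added example, not from the Trustwave report. A session cookie without the
Secure attribute is sent over plain HTTP and can be captured by anyone who can
observe the traffic, which is the eavesdropping case the report describes;
HttpOnly and SameSite limit script access and cross-site replay respectively.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed assumption: substrings that suggest a cookie carries a session.
SESSION_NAME_HINTS = ("session", "sess", "sid", "auth", "token")


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookies(headers: list[str]) -> list[CookieFinding]:
    """Return one finding per session-looking cookie that lacks a hardening attribute."""
    findings: list[CookieFinding] = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not looks_like_session_cookie(name):
            continue
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        # SameSite=None (or an absent/valueless SameSite) is treated as unset for this audit.
        samesite = attrs.get("samesite")
        if samesite is None or samesite is True or str(samesite).lower() == "none":
            missing.append("SameSite=Lax/Strict")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


# Constructed sample headers: one weak session cookie, one hardened, one non-session.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",
    "app_session=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lang=en; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(f"{finding.name}: missing {', '.join(finding.missing)}")
```

Run against the constructed headers, only JSESSIONID is reported, missing all three attributes; the hardened app_session cookie and the non-session lang cookie produce no finding. Pointing the same function at the headers returned by a real application's login response gives a quick first check before a full session-management review.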
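The Necurs finding above describes the delivery pattern: malware inside an archive attachment whose name suggests an invoice or other business document. A mail gateway can act on that pattern directly by opening the archive and refusing it when a member has an executable or script extension (including double extensions such as name.pdf.js). The screener below is an added example, not code from the report; it inspects only ZIP archives with the standard library (the report's .7z and RAR formats would need third-party parsers, an assumption noted in the code), and the sample archives, the document words and the extension lists are constructed for the demonstration.

```python
"""Screen archive mail attachments for executable payloads.

Added example, not from the Trustwave report. Builds small in-memory ZIP
archives as constructed samples and flags any archive that contains an
executable/script member or a nested archive; a business-document name on the
outer file is recorded separately as the lure signal the report describes.
Assumption: only ZIP is parsed here (zipfile); .7z and RAR need extra libraries.
"""
import io
import zipfile
from dataclasses import dataclass

# Constructed lists; extend to match local policy.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".jse", ".vbs", ".wsf",
                       ".hta", ".bat", ".cmd", ".ps1", ".lnk")
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar")
DOCUMENT_WORDS = ("invoice", "order", "receipt", "statement", "payment")


@dataclass
class AttachmentVerdict:
    filename: str
    suspicious_members: list
    document_lure: bool

    @property
    def block(self) -> bool:
        return bool(self.suspicious_members)


def is_executable_member(member_name: str) -> bool:
    """True for executable/script suffixes; catches double extensions like 'invoice.pdf.exe'."""
    return member_name.lower().endswith(EXECUTABLE_SUFFIXES)


def is_nested_archive(member_name: str) -> bool:
    """Nested archives are flagged because they defeat single-level inspection."""
    return member_name.lower().endswith(ARCHIVE_SUFFIXES)


def screen_zip(filename: str, data: bytes) -> AttachmentVerdict:
    """Inspect member names of a ZIP attachment; unreadable archives are treated as suspicious."""
    lure = any(word in filename.lower() for word in DOCUMENT_WORDS)
    suspicious = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if is_executable_member(info.filename) or is_nested_archive(info.filename):
                    suspicious.append(info.filename)
    except zipfile.BadZipFile:
        # A file that claims to be a ZIP but does not parse is not given the benefit of the doubt.
        suspicious.append("<unreadable archive>")
    return AttachmentVerdict(filename, suspicious, lure)


def build_sample_zip(members: dict) -> bytes:
    """Create a ZIP in memory from {member name: text content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: an invoice-named archive carrying a script, and a clean data export.
LURE_ZIP = build_sample_zip({"Invoice_4471.pdf.js": "// constructed placeholder text"})
CLEAN_ZIP = build_sample_zip({"report.csv": "date,amount\n2017-01-01,1.00\n"})

if __name__ == "__main__":
    for name, data in (("Invoice_4471.zip", LURE_ZIP), ("quarterly.zip", CLEAN_ZIP)):
        verdict = screen_zip(name, data)
        print(name, "BLOCK" if verdict.block else "allow",
              verdict.suspicious_members, "lure-name" if verdict.document_lure else "")
```

On the constructed samples, Invoice_4471.zip is blocked (member Invoice_4471.pdf.js, invoice-style name) while quarterly.zip passes. Member names are readable even in password-protected ZIPs, so the name check still works there; content-based checks (file type by magic bytes, detonation) belong in a later stage.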
“As long as cybercrime remains profitable, we will continue to see threat actors quickly evolving and adapting methods to penetrate networks and steal data,” said Steve Kelley, chief marketing officer at Trustwave. “Security is as much a ‘people’ issue as it is a technology issue. To stay on par with determined adversaries, organizations must have access to security experts who can think and operate like an attacker while making best use of the technologies deployed.”