Look back, move forward
When it comes to the threat landscape, it’s important to take a look in the rearview mirror once in a while.
As with driving, not only do you get a good look at what’s behind you, but you can often spot what’s coming up fast and about to overtake you.
That’s the spirit of this threat report. We’ve picked out five key stories from the last year or so, not just because they were big events, but because we think these threats, or similar ones, could very well appear in the near future.
Take modular threats like Emotet and VPNFilter, for example. These are threats that can deliver an on-demand menu of attacks and threats, depending on which device is infected or the intended goal of the attacker. We saw plenty of such modular threats in recent history, and wouldn’t be surprised if we see more in the future.
Email remains the favorite delivery method of attackers, with threats from cryptomining to Emotet using it to spread. It’s also highly likely that other threats, such as the unauthorized MDM profiles, used it too. This highlights how critical it is to keep a close eye on what is coming in through your mailbox.
Revenue generation continues to be a primary motivation for attackers: malware follows the money. Cryptomining threats, for instance, are laser-focused on this goal. Meanwhile, Emotet has pivoted to a threat distribution network, capitalizing on a variety of options to make money.
Data exfiltration has also had its time in the spotlight. VPNFilter included the ability to exfiltrate data among its many features. Emotet, beyond stealing network credentials to help it spread, was also seen distributing Trickbot, another popular information-stealing banking trojan.
Finally, some threats just want to watch the world burn, as is the case with Olympic Destroyer. We saw a number of threats like this in the last year, but none grabbed the headlines like an attack whose sole purpose appears to have been to disrupt the Winter Olympics.
So while we look back at some of the most impactful threats of 2018, it’s important to be mindful of what made these threats so successful. Many of them may be in the rearview mirror for now, but have you passed them, or are they speeding up to pass you and your security strategy?
Attack types and protection
A layered approach to security is always advised. We’ve included icons at the end of each story to indicate key threat vectors used (or suspected to be used) and tools that can help protect against them in each case. Below we decode the icons and discuss advantages of deploying the various protections as part of an integrated security architecture.
Advanced malware detection and protection technology (such as Cisco Advanced Malware Protection, or AMP) can track unknown files, block known malicious files, and prevent the execution of malware on endpoints and network appliances.
Network Security such as the Cisco Next-Generation Firewall (NGFW) and Next-Generation Intrusion Prevention System (NGIPS) can detect malicious files attempting to enter a network from the Internet or move within a network. Network visibility and security analytics platforms such as Cisco Stealthwatch can detect internal network anomalies that could signify malware activating its payload. Finally, segmentation can prevent the lateral movement of threats within a network and contain the spread of an attack.
Web scanning at a Secure Web Gateway (SWG) or Secure Internet Gateway (SIG), such as Cisco Umbrella, lets you block users from connecting to malicious domains, IPs, and URLs, whether they are on or off the enterprise network. This can prevent people from inadvertently allowing malware onto the network, and can stop malware that does get through from connecting back out to a command and control (C2) server.
Email security technology (such as Cisco Email Security), deployed on premises or in the cloud, blocks malicious emails sent by threat actors as part of their campaigns. This reduces the overall amount of spam, removes malicious spam, and scans all components of an email (such as sender, subject, attachments, and embedded URLs) to find messages that contain a threat. These capabilities are critical since email is still the number one vector used by threat actors to launch attacks.
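To make the "scan all components of an email" idea concrete, here is an added example (not Cisco Email Security code, and not part of the original report) that parses a message the way a gateway would: it pulls out the sender domain, subject, attachments (with SHA-256 hashes) and embedded URL domains, then matches each against indicators. The indicator lists, the sample messages and the attachment bytes are all constructed for this example; the verdict logic (hard indicators block, heuristics quarantine) is an illustrative policy, not a vendor's.

```python
"""Triage one email the way a gateway does: extract sender, subject,
attachments and embedded URLs, then match them against indicators.
Added example with constructed data; not a vendor implementation."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed indicator lists (hypothetical values for this example).
SAMPLE_DROPPER = b"MZ\x90\x00fake-dropper"  # constructed attachment bytes
BLOCKED_SENDER_DOMAINS = {"invoice-notify.example"}
BLOCKED_URL_DOMAINS = {"update-office.example"}
# Pretend this hash came from a threat feed; here it is derived from the sample.
BLOCKED_ATTACHMENT_SHA256 = {hashlib.sha256(SAMPLE_DROPPER).hexdigest()}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".iso"}
LURE_WORDS = {"invoice", "overdue", "urgent", "password"}
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def build_message(sender, subject, body, attachment=None):
    """Build a constructed test message (not a real capture) as raw bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def extract_indicators(raw):
    """Parse raw RFC 5322 bytes and return the components a gateway inspects."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    addrs = from_hdr.addresses if from_hdr is not None else ()
    sender_domain = addrs[0].domain.lower() if addrs else ""
    subject = str(msg["Subject"] or "")
    attachments, url_domains = [], set()
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": part.get_filename() or "",
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() in ("text/plain", "text/html"):
            for m in URL_RE.finditer(part.get_content()):
                url_domains.add(m.group(1).lower())
    return {"sender_domain": sender_domain, "subject": subject,
            "attachments": attachments, "url_domains": url_domains}


def triage(raw):
    """Return the indicators plus a verdict: block, quarantine or deliver."""
    ind = extract_indicators(raw)
    hard, soft = [], []  # hard = known-bad indicator, soft = heuristic
    if ind["sender_domain"] in BLOCKED_SENDER_DOMAINS:
        hard.append(f"sender domain {ind['sender_domain']} is blocklisted")
    for d in sorted(ind["url_domains"] & BLOCKED_URL_DOMAINS):
        hard.append(f"embedded URL points at blocklisted domain {d}")
    for a in ind["attachments"]:
        if a["sha256"] in BLOCKED_ATTACHMENT_SHA256:
            hard.append(f"attachment {a['filename']} matches known-bad hash")
        name = a["filename"]
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            soft.append(f"attachment {name} has executable extension {ext}")
    if any(w in ind["subject"].lower() for w in LURE_WORDS):
        soft.append("subject uses common lure wording")
    ind["verdict"] = "block" if hard else ("quarantine" if soft else "deliver")
    ind["reasons"] = hard + soft
    return ind


if __name__ == "__main__":
    raw = build_message("Billing <accounts@invoice-notify.example>",
                        "Invoice 2291 overdue",
                        "Download the invoice:\n"
                        "http://update-office.example/inv.php?id=2291\n",
                        ("invoice_2291.exe", SAMPLE_DROPPER))
    result = triage(raw)
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Every component is checked independently, so a message whose sender and links look clean is still caught by its attachment, and vice versa; a real gateway would add sandboxing of the attachment and reputation lookups on the URL rather than static lists, but the decomposition is the same.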
Advanced malware detection and protection technology, such as Cisco AMP for Endpoints, can prevent the execution of malware on the endpoint. It can also help isolate, investigate, and remediate infected endpoints for the one percent of attacks that get through even the strongest defenses.