The impact of the COVID-19 outbreak has reinforced the fact that physical-world incidents can be far more damaging than cyber-world attacks. However, the coronavirus has also highlighted two other key points:
- A secure and resilient digital infrastructure is necessary to survive medical and environmental catastrophes.
- The time to address the top threats and risks is before they begin having an impact.
There are many places to find backward-looking statistics on how many attacks were launched in cyberspace. Forward-looking guidance on the areas security managers should focus on is harder to find. In times of economic uncertainty, it is even more critical for security teams to prioritize resources to increase effectiveness and efficiency in dealing with known threats while also minimizing the risk from emerging attacks. For the past 14 years, the SANS “Five Most Dangerous Attacks” expert panel at the annual RSA Conference has filled that gap. This SANS whitepaper begins with a baseline of statistics from three of the most reliable sources of breach and malware data; it then summarizes the expert advice from the SANS instructors on the RSA panel, detailing the emerging threats security teams should look out for in 2020 and beyond, and what to do about them.
2020 Breach and Threat Baseline Data
Vulnerabilities and attacks don’t really pay attention to the calendar: New Year’s Day doesn’t bring a drastic change in threats. So it is important to look back at what has become commonplace in order to predict the likely types and areas of new threats. Many threat reports are published each year, but only a few sources are not tied to specific vendor solutions and use consistent methodologies year over year.
SANS has found that the Identity Theft Resource Center (ITRC) Annual Breach Report, the Microsoft Security Intelligence Report (SIR) and the Center for Internet Security’s Multi-State Information Sharing and Analysis Capability (MS-ISAC) have been consistently useful through the years.
The ITRC has been tracking publicly disclosed breach information in the US since 2005 and uses a consistent methodology that provides enough visibility and repeatability to make meaningful year-to-year comparisons. About half of the breaches counted do not disclose the number of records exposed, so the absolute value of the numbers underestimates the totals, but still gives a good view of trends.
At first glance, the data shows that the total number of sensitive records exposed dropped by 65%. However, a small number of very large breaches skews the data. In 2018, the 383 million-record breach of the Marriott Corporation reservation system alone accounted for more than double the total number of records exposed in 2019. Similarly, one mega breach in 2019, the Capital One breach of 100 million records, represented 99% of all financial records exposed last year. If we remove those two mega breaches from the calculation, the total number of records exposed in 2019 dropped 26% compared with 2018. This continues last year’s trend of smaller organizations being targeted. Overall, many large enterprises have improved their defenses against attacks based on malware installation, making the standard data exfiltration attack more difficult.
Highly Targeted Phishing Campaigns
As noted earlier, many enterprises have improved their capability to prevent or more quickly detect and respond to standard malware insertion attacks. That has driven attackers to focus on the vulnerable human beings in the equation—the users of the PCs or the administrators of servers and cloud-based services. Enterprise phishing awareness and education programs and adoption of stronger email and DNS authentication standards have made it more difficult for phishing attacks to succeed. However, phishing attacks have continued to become more sophisticated and more targeted—and use more “channels,” such as text messaging and voice.
The SIR data shows only minimal year-over-year growth in phishing encounters, but it does show spikes that represent “campaigns”: targeted waves of phishing against related targets such as healthcare organizations, or riding on headline-grabbing events such as the COVID-19 virus. As social media and consumer web meeting systems are increasingly used as a result of social distancing, those attacks will increase. Those sites often expose a lot of information that attackers use to create micro-targeted attacks.
Ransomware: The Bane of State and Local Agencies
By now, almost everyone understands what ransomware is: attacks that encrypt files and/or executables to disrupt business and then demand payment (the ransom) for the decryption key. Many of those attacks used simple phishing and malware techniques, and improvements in anti-phishing and endpoint detection and response have thwarted them. However, many smaller businesses, and in particular state and local government agencies, have been unable to make the same progress. Attackers quickly shifted to target those vulnerable organizations.
Bottom line: Increasing basic security hygiene is key to avoiding or mitigating the majority of commodity attacks. Advances made at this level have caused the overall number of breaches reported in the US to decrease. Minimizing vulnerabilities is also key to avoiding making the breach list. Organizations should test all software for vulnerabilities before deploying it in production environments. Further, they should regularly scan all server, PC and network device configurations for discrepancies against secure standards.
The attacks that cause the most damage to each corporate victim are the highly targeted attacks—and those continue to increase and are often impossible to completely prevent. The key to minimizing damage from advanced targeted attacks is quicker detection of suspicious events, leading to faster and more surgical mitigation actions. The use of endpoint detection and response tools and advanced capabilities such as browser isolation technology can augment basic security hygiene with damage minimization or prevention capabilities. Consuming and analyzing accurate and timely threat intelligence should be a key input to optimizing security processes, updating playbooks and making security resource decisions.