"For Best View, Please Open this Website on Laptop / Desktop Or Mobile"

03 April 2018 / Others

The Symantec Threat Report 2018 - and 4 takeaways for the Infosec Professional

Application Controls Audit


The Symantec Threat Report for 2018 is out. It can be downloaded from Symantec’s site here. If you do not have the time to read the entire 89 page report, here is a brief summary and 3 key takeaways for you as an infosec professional to apply to your organisation. Before you read the report, there are a few things that you must know. This is not a general data breach report. If you want statistics about how much data was lost and who was responsible, this is not the report for you. This report focuses only on the threats that Symantec observed on the Internet in the year 2017. It does a good job with that. If you want a more generic understanding of the state of cyber threats and vulnerabilities in general, you should look at other reports in conjunction with this one. I have divided this into three sections for easy reading.

Trends in Malware

The biggest threat that Symantec sees is the rise of coin miners - a type of malware that uses the affected computer’s resources to mine for cryptocurrency. This saw a 8,500% rise. The reason is quite simple - the high value of cryptocurrency makes it very attractive. Add to that, the fact that the entry barrier is very low. Browser based miners can be setup with relatively low effort - as low as 2 lines of code! Both these factors cause a rise in coin miner malware. Symantec says that the trend will continue as long as cryptocurrency continues to be highly valued. Ransomware appears to have peaked in 2016. In 2017, there were fewer ransomware families. Ransom demands also reduced to less than half of its 2016 value. One of the reasons for this could be increased detection capabilities of anti virus and anti malware software. Symantec saw a 92% increase in blocking of scripts and macro downloaders which are a major source of ransomware attacks. In some cases, there was an increase in the number of financial malware delivered by the known groups as against delivering ransomware. Emotet - a financial trojan which first emerged in 2014 saw a resurface. Mobile malware increased by 54% and the privacy risks of the same also increased with the increased use of ‘grayware’ apps - apps that are not really malicious, but can cause a bit of trouble.

Trends in Malware delivery channels

Symantec not only reports on the top malware, but also the way malware is delivered. Symantec saw a substantial (200%) increase in malware being implanted through software supply chains. CCleaner was the big name in this type of delivery in 2017. It's development environment was compromised and the attackers were able to push a malicious tool! While that is really interesting, the most common method for software delivery was spear phishing. Did you scrimp on your training budgets this year? Then you have your work cut out. Exploitation of Zero days has reduced as compared to 2016. The second most common method of malware delivery was watering hole attacks - trying to exploit websites that the intended victim generally browses. This was an interesting delivery channel that I was not even aware of! The other methods of malware delivery that are prominent in this year's report are:
  • Hijacking - DNS, domains, IP routing or network traffic - these are your classic man-in-the-middle attacks and sometimes cybersquatting as well.
  • Hijacking third party hosting services - There seem to be targeted phishing attacks into developer accounts so that binaries can be changed. This is an interesting insight from the report.

Symantec's predictions for the year 2018

Symantec predicts the following things for the year 2018:
  • Mid Tier cloud service providers might find it difficult to handle the Spectre and Meltdown vulnerabilities. This seems a very straightforward prediction by Symantec. However, I am not sure if these vulnerabilities that easy to exploit that they would lead to large scale breaches.
  • The use of Eternalblue exploits to create self propagating malware might lead to the increase of Internet worms. Symantec predicts that there are chances of a large scale worm attack to the scale of slammer because there are many unpatched systems that are still vulnerable to EternalBlue
  • Increase in IoT attacks. All cybersecurity firms worth their salt seem to be making this prediction. The widespread adoption of IoT means that this this prediction is very likely to come true.
  • Coinminer activities will focus on organisations. A shift from individuals to organisations for coinminers seems logical as organisations have larger infrastructure.
  • Increase in attack on critical infrastructure. There seem to be an uptrend in state sponsored malware as per Symantec. This will lead to increase in attacks on critical infrastructure.

Your key takeaways

There are some clear takeaways for infosec professionals and users.

Browser security

Take it seriously. The increase in coin mining can be attributed partly to the ease of browser based exploits. Work on securing the browsers, avoid the overuse of plugins and train your users about safe browsing habits. For a list of the most secure browsers, you can look here: https://www.techworld.com/security/best-8-secure-browsers-3246550/

Smartphone Security

Businesses tend to take mobile security lightly. “They are personal devices, not owned by the company. Also, our MDM controls access to email that they can view on their phones” is a standard response. This needs to change. Organisations should look at mobile security with a new light. As infosec professionals, you need to check how the smartphones connect to your network. Do you allow them to use the guest Wifi? Do you allow them to connect to the corporate wifi? Identify what kind of data is accessible through the smartphone. You will be surprised at the kind of data that mobile phones have access to. After all, there is an app for everything.

Train your people

This is probably the biggest takeaway. The rise of spear phishing means that today’s attacker is not just restricted to sending Nigerian scam email with bad grammar. The phished people would probably have received really genuine looking mails with information that they would believe is only available with the genuine sender. The only way forward in this is to ensure that you have more and more aware users. Seriously, if there is only one takeaway as infosec professionals, let it be this one. Train your users - especially the smart ones who think they will never get phished.

Spend on IoT and industrial IoT security

This is a no brainer. If you are in the business with IoT and industrial IoT, put some effort into securing them. You do not need experts in IoT to start off with securing them. The basics work almost everywhere. Once you have done the basics, you can look at expert help.