
The state of information security – 2011-2012

While it's still important to classify cyberattacks by their risk levels, it is now more valuable to think of attacks in terms of the motivations behind them.
Written by Adam Powers, Lancope, Contributor
Commentary – Across the board, 2011 has seen a cyber-attack epidemic. According to the Ponemon Institute, in 2011, U.S. companies will spend more than $130 billion combating data breaches. With so many types of attacks to keep track of – APTs, industrialized attacks, insider threats, etc. – it has become difficult to clearly determine which ones should be of most concern to government and enterprise networks.

We once classified various types of attacks and their respective risk levels primarily by the method used – worm, virus, botnet, spam, phishing, and the list goes on. However, due to their ever-increasing sophistication, it is now more valuable to think of attacks in terms of the motivations behind them. So what will we see in 2012?


Today’s threat landscape is resulting in a perfect storm of attacks on corporate and government networks. As automated attacks are moving off the radar, APTs and the insider threat are posing very high risks. Source: Lancope, Inc.

The sections below classify and describe today’s most prominent types of attacks based on the risk they currently pose to your organization, as well as how that risk will evolve in 2012.

Advanced Persistent Threats
2012 Forecast: Trending up
While advanced persistent threats (APTs), also known as targeted attacks, began to surface a few years back, 2011 has certainly brought them to the forefront. This year saw an explosion of APTs launched against high-profile companies and government agencies around the world.

How they work:
APTs are extremely targeted and backed by high levels of motivation. Those launching APTs infiltrate specific corporate and government entities over long periods of time to steal sensitive data or make a political statement.

Risk: Very high
Even organizations with a hardened exterior are at great risk and can suffer tremendous losses in credibility and/or finances, as the targeted attacker will keep going after an organization until they find a hole through which they can gain access.

Examples:
One widely discussed APT discovery this year was Operation Shady RAT. An AntiSec attack was also recently launched against Blue Coat Systems.

Insider Threats
2012 Forecast: Trending up
According to a study by Verizon, 90% of insider breaches in 2009 were the result of deliberate and malicious activity.

How they work:
The insider threat originates from a trusted entity who has been granted access to the internal network. Intentions are malicious, often involving the theft of valuable information to make a profit.

Risk: Very high
Since they occur within the network and are carried out by privileged users, insider attacks are not easily thwarted by traditional security measures that detect attacks from the outside.

Example:
By far the most high-profile insider attack in recent history is the one surrounding WikiLeaks and Bradley Manning.

Industrialized attacks
2012 Forecast: Stable
Though they have been around for several years now, industrialized attacks no longer represent the peak of sophistication in the world of cyber threats. However, due to their profitability, they will not be disappearing anytime soon.

How they work:
Industrialized attacks are orchestrated by well-organized groups of cyber criminals with a sharp focus on ROI and a wide range of targets. Whereas targeted attacks can be compared to carefully calculated sniper fire, industrialized attackers shoot rapidly but inaccurately, much like a machine gun.

Risk: High
Industrialized attackers are intent on gaining access to resources that result in real-world dollars. The good news, however, is that they typically focus on softer targets.

Examples:
Recent examples of industrialized attacks include the SpyEye banking malware, as well as the Kelihos botnet recently taken down by Microsoft.

Employee misuse and abuse
2012 Forecast: Stable
With IT consumerization on the rise, employee misuse and abuse is a problem that is not going away anytime soon.

How they work:
Employees purposely circumvent corporate restrictions on IT practices to make their work lives more convenient, but do not mean to cause harm to the organization.

Risk: High
Because these actions can open the corporate network up to attack, they should be considered a fairly high risk.

Example:
The user’s company does not permit access to Facebook.com, so the user sets up a MiFi connection and accesses the Internet directly, bypassing the corporate proxy server.

Fully automated attacks
2012 Forecast: Trending down
Although they are still in use, “drive-by” automated attacks, or traditional viruses and worms, have definitely been trending down over recent years, and will continue to do so in 2012 and beyond.

How they work:
Automated attacks are designed and “set free” by the attacker with the hopes that the malware will propagate automatically with little to no direct management by the author. The primary goal is notoriety rather than financial gain.

Risk: Low
Because they are easily detected with conventional security technologies, the primary concern with automated, indiscriminate attacks is business downtime and loss of worker productivity.

Example:
One of the most prominent recent examples of an automated attack was detected in September 2011 in a U.S. drone fleet.

The future of security
If 2011 taught us anything, it is that the targeted, highly motivated attacker is real. Today’s threat landscape requires a new level of thinking and preparation when it comes to security. Organizations can no longer just buy various tools to protect against the different mechanisms of launching attacks. Instead, we must think about the various forms of attack in terms of the motivation behind them to determine how best to protect our assets.

Biography
As CTO of Lancope, Adam Powers is a leading innovator in the development of flow-based network behavior anomaly detection solutions. He possesses over a decade of operational and engineering experience in enterprise IP security technologies.