Hacker tactics becoming much more sophisticated, report finds

July 30, 2015
Cisco's 2015 Midyear Security Report reveals current trends in cyber-attack methods

Nearly seven months into 2015, there have already been a number of wide-scale data breaches that have grabbed national headlines. From health insurance giant Anthem to the U.S. Office of Personnel Management, hackers have successfully infiltrated the networks of both public and private entities, stealing vital personal information on millions of Americans. The bad news is that most organizations are still woefully behind the attackers they are trying to keep out.

On Tuesday, Cisco released its 2015 Midyear Security Report, which sheds light on how hackers are becoming much more sophisticated in their attack methods and on the steps that need to be taken to thwart them.

According to Craig Williams, senior technical leader and security outreach manager for Cisco's Talos Security Intelligence and Research Group, the tactics used by today's hackers are increasingly agile and help them not just gain access to a system but stay hidden within it for long periods of time.

“This year, one of the main things we noticed, and this is kind of an ongoing trend since our annual security report last year, is attackers are really innovating at an increasing rate,” said Williams. “That innovation is being driven by, I guess you could call it, the shadow economy and the way that attackers are monetizing these threats.”

Specifically, Williams pointed to the success hackers have had with the Angler exploit kit. Exploit kits are malicious toolkits, sold within the criminal community, that probe a visitor's browser and plugins for known, unpatched vulnerabilities and use them to install malware without any action by the user. In a sense, Williams said, Angler has proven to be the winner of the exploit kit “arms race,” adding more features and capabilities than anything else on the market.

On average, Cisco found that 40 percent of users who encounter an Angler exploit kit landing page on the web have their computers compromised. By comparison, in 2014, other widely used kits that used a mix of exploits had an average success rate of just 20 percent. Given the success of Angler, Williams said that other malicious actors are now trying to copy it with their own offerings.

“It’s just like you might see in a commercial company. If a certain phone manufacturer has a good idea then another manufacturer is going to come up with a similar idea,” he said. “We’re seeing the same thing in the exploit kit arms race. As soon as Angler moved towards domain shadowing, we saw four other exploit kits pick it up within a month.”
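Domain shadowing, the technique Williams mentions, is the abuse of a legitimate domain owner's registrar account to mint large numbers of throwaway subdomains under an established, reputable domain, each pointed at an attacker-controlled server and used only briefly. Because the parent domain is old and clean, reputation-based blocking of the landing page fails. The following is an added example, not code from Cisco, Talos or the report, of one way a defender can hunt for the pattern in resolver logs: look for a registered domain that suddenly sprouts several random-looking subdomains resolving to IP addresses its own apex and www hosts do not use. The log format, the domain names, the IP addresses and the thresholds are all constructed assumptions for the example.

```python
"""Heuristic detector for domain shadowing in DNS resolver logs (added example).

The sample log is constructed: examplecorp.com shows normal hostnames, while
smallbiz.net, a legitimate domain whose registrant account has been abused,
resolves random subdomains to IPs unrelated to its own web server. The
'timestamp client qname rdata' line format is an assumption, not any real
resolver's output.
"""
import math
import re
from collections import defaultdict

# Constructed log lines, not real traffic.
SAMPLE_LOG = """\
2015-07-28T09:00:01Z 10.0.0.12 www.examplecorp.com 203.0.113.10
2015-07-28T09:00:04Z 10.0.0.13 mail.examplecorp.com 203.0.113.11
2015-07-28T09:00:09Z 10.0.0.14 www.examplecorp.com 203.0.113.10
2015-07-28T09:01:15Z 10.0.0.21 www.smallbiz.net 198.51.100.5
2015-07-28T09:01:16Z 10.0.0.21 x7k2qp9v.smallbiz.net 192.0.2.44
2015-07-28T09:02:40Z 10.0.0.22 m3n8zt1w.smallbiz.net 192.0.2.44
2015-07-28T09:03:02Z 10.0.0.23 q0rvl5ha.smallbiz.net 192.0.2.45
2015-07-28T09:03:50Z 10.0.0.24 b9f4wc2j.smallbiz.net 192.0.2.44
2015-07-28T09:04:11Z 10.0.0.25 zp6d8kye.smallbiz.net 192.0.2.45
"""


def parse_log(text):
    """Parse 'timestamp client qname rdata' lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rdata = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "rdata": rdata})
    return records


def registered_domain(qname):
    """Registrable domain, approximated as the last two labels.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def label_entropy(label):
    """Shannon entropy of a DNS label in bits per character."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Letters and digits mixed, at least six characters: typical of generated labels.
_RANDOM_LABEL = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$")


def looks_random(label):
    """True for machine-generated-looking labels (mixed alnum, high entropy)."""
    return bool(_RANDOM_LABEL.match(label)) and label_entropy(label) >= 2.5


def find_shadowed(records, min_suspicious=3):
    """Flag registered domains with several random-looking subdomains that resolve
    to IPs the domain's own apex/www hosts do not use. Returns {domain: [qnames]}."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[registered_domain(r["qname"])].append(r)

    findings = {}
    for domain, recs in by_domain.items():
        # Baseline: where the domain's own apex and www hosts point.
        base_ips = {r["rdata"] for r in recs
                    if r["qname"] in (domain, "www." + domain)}
        suspicious = set()
        for r in recs:
            labels = r["qname"].split(".")
            if len(labels) <= 2:
                continue  # apex itself, nothing to judge
            if looks_random(labels[0]) and r["rdata"] not in base_ips:
                suspicious.add(r["qname"])
        if len(suspicious) >= min_suspicious:
            findings[domain] = sorted(suspicious)
    return findings


if __name__ == "__main__":
    for domain, names in find_shadowed(parse_log(SAMPLE_LOG)).items():
        print(f"possible domain shadowing under {domain}: {len(names)} subdomains")
        for name in names:
            print("  ", name)
```

On the constructed log this flags smallbiz.net and leaves examplecorp.com alone. In production the baseline should come from a longer history than the window being scanned, the registrable-domain split should use the public suffix list, and the thresholds should be tuned against the organisation's own DNS traffic, since content-delivery and cloud hosting legitimately produce random-looking subdomains too.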

Although software vendors such as Adobe and Microsoft release frequent patches for the vulnerabilities exploited by Angler and other kits, Williams said that users simply do not update their systems often enough. That is why even older versions of exploit kits, which target flaws that have long had fixes available, are still making their way into networks, even though their success rate is lower than that of the current kits.

“What really helps mitigate this is when vendors set their patches to automatic, but obviously with some things like Flash and Java that can be problematic, so not everything is automated yet but this is what we are left with when it is not automatic,” said Williams.

Another problem that has become increasingly troublesome for businesses of late is ransomware, which infects a user's machine, encrypts the files on it and holds them hostage until a fee is paid. These fees are deliberately not exorbitant, ranging from $300 to $500 in most cases; criminals have done their research and know that most people will not pay a demand above that.

“I think the biggest threat we’re seeing to customers these days is ransomware,” said Williams. “It’s literally an automated, customer service-type model where the malware will install and the victim can log in and pay themselves. There is no person involved, there’s no middle man, the money flows directly into the attacker’s account using bitcoin, and so what we’re stuck with is the victim directly funding the development of the threat that compromised their system.”

Williams added that users are “stuck between a rock and a hard place,” because they either risk losing their files or help cyber criminals develop better malware. Williams also said that ransomware depends on a reputation system of its own: if victims did not believe they would get their files back, they would not pay.

“What we’ve seen is things like Cryptolocker and Cryptowall have a really high reputation of being trustworthy. They reliably give files back to just about everyone and it has now gotten to the point where we’ve seen pieces of ransomware copy one another to try and steal that reputation to use for their benefit,” he explained.

One of the biggest problems that organizations face in trying to combat these threats is that most of them rely on a patchwork of IT security products, which typically do not communicate well with each other.

“The problem with that is that it forces people to not be as agile as they need to be. If they let their guard down, even briefly, it allows a chance for an adversary to gain a foothold within the network,” said Williams. “At the end of the day, what we really need to see is more integrated threat defense and a way for defenders to change it and have devices communicate with customers so that threats can be responded to in a more agile environment.”

Williams said the current industry norm of 100 to 200 days to detect an intrusion is simply not good enough, and that users need to demand better from the industry.

“The problem that we have is, if users are exposed for up to 200 days, their data is compromised, their user accounts are compromised and it just allows the bad guys to get deeper and deeper into those networks,” he said. “I think, as a whole, we need everyone to demand a time to detect rate of closer to 46 hours. Ideally, we would be able to push that down to an hour and maybe even minutes, but 200 days is just not acceptable.”

Williams said the malware economy continues to grow at an ever-increasing rate, and that ransomware and cryptocurrencies such as bitcoin have let hackers monetize their attacks directly, in ways that were not possible in the past.

“The fact that they can directly take money from their victims has allowed them to go from what was a couple dollar account business model to a couple of hundred dollars per victim so it has really changed the game,” he said. “That economy growing so quickly is going to just keep increasing. They are going to continue to find better and more efficient ways to monetize their networks.”