Computer-based attacks are being leveraged by miscreants to gain a global economic and informational advantage over others. This is the message presented by ScanSafe’s 2009 Annual Global Threat Report, which was released last week. Over the course of 2009, ScanSafe, which was acquired by Cisco in December, 2009, monitored customer web traffic and blocked malicious content through its cloud-based security service. The results of their analysis uncovered some interesting points, the most widely reported being that 80% of exploits in 2009 were based on malicious PDF files. But the subtexts from the report regarding targeted theft and criminal exploitation deserve a deeper look.
What the Data Shows
As Danchev noted, traffic optimization could be a factor. Attackers are looking to exploit victims, and they will use a series of exploits in order achieve this result. An increase in disclosed PDF vulnerabilities and a prevalence of unpatched clients has made them the lowest common denominator for attacks. Attackers have noticed and have chosen PDF as their leading vector for these chained series of attacks.
Having said all of this, I think that the findings presented echo trends that are being seen elsewhere. Based on the analysis that is provided, decision makers can be better prepared to face current threats and deter future trends.
The report highlighted four industries with baselines above average for web-based attacks: Energy & Oil; Pharmaceutical & Chemical; Government; and Banking Finance. These industries showed more than two times the rate of web-based exploits blocked by ScanSafe than other vertical markets, and they all have a compelling common thread. Without exception, injecting backdoors, password stealers, or other trojan horse capabilities could provide an attacker with either direct access to money or valuable intellectual property.
If attackers are in a position to directly siphon money from an organization, as with ACH fraud, a greedy attacker can be satisfied. But targeting industries with a wealth of intellectual property can also be incredibly valuable to an attacker with the right motivation. Better yet, unlike monetary theft, it can be much more difficult to tell whether a file has been copied and uploaded to an attacker, leaving less indication to a victim that a compromise has taken place. Theft of intellectual property can thus be lucrative and pervasive, giving the attackers (or their patrons) consistent access to the work product of their victims.
On the surface, it may appear that this is a black mark against Adobe or against PDF files in general. Surely there is a value to safe implementation of specifications, security responses from vendors, and timely patching; however, it would be unwise to lay all the blame at Adobe’s feet and do nothing else. There are plenty of vulnerabilities that could lead to the installation of trojan malware, and attackers will continue to seek out those that can be weaponized. Organizations must seek out administrative and technical capabilities that will proactively defend themselves from harm.
This will mean more than keeping up on patches, even though that would be a good part of an eventual response to this matter. To me, awareness seems to be the key issue. Malware authors and distributors are using this software for much more nefarious purposes, and their technical capabilities are advancing rapidly. Organizations and their stakeholders need to understand the severity of what is taking place. This report is not showing vulnerabilities that need patched because they exist, it is highlighting reports that are popping up throughout the security community. Targets with electronically available cash or valuable intellectual capital are being struck — with great precision — by determined attackers.
The attackers do not care how they achieve exploitation (through PDFs, or whatever other vector), but only that they get in and get access to their prize. Likewise, defenders must ensure that they are capable to respond to whatever trends emerge in exploitation, that their employees are suitably educated, and that technical defense and detection measures are in place to mitigate emerging threats. Securing the enterprise is now firmly moved from the camp of being a “systems issue” into the realm of being a “business issue”. Failure to ensure data security could mean that organizations are working, researching, and paying salaries just to put profit into competitors hands, at a fraction of their original cost.