It’s time again for our Midyear Cybersecurity Report (MCR), which offers updates on the security research and insights revealed in the recent Annual Cybersecurity Report. The unsettling news at this halfway point in the year is that the bad actors are adding new and sophisticated spins to their exploits. Their aim is not just to attack, but to destroy in a way that prevents defenders from restoring systems and data. We’ve coined a name for adversaries’ new goal: destruction of service (DeOS).

Many of the security trends we explore in the MCR tie to the future emergence of DeOS. For example, attackers are innovating ransomware and DDoS campaigns so that they can seriously disrupt an organization’s networks. By doing so, bad actors also damage the organization’s ability to recover from an attack. In their battle to gain time and space to operate, adversaries remain on the hunt for ways to evade detection, usually by rapidly changing approach when some tactics fail to work. As we explain in the MCR, attackers shift gears by dropping newer tools and going back to old ones – like moving away from exploit kits while shifting to business email compromise (BEC) and social engineering to pull in revenue.

The IoT-DDoS Connection

IoT devices and systems were never designed to protect themselves against cyberattacks, so adversaries are exploiting those myriad of security weaknesses. Naturally, the bad actors have figured out that IoT devices present opportunities to build botnets that can launch DDoS attacks more powerful than we’ve seen in the past by virtue of their prevalence and ease of exploitation. We’ve entered what we’re now calling the “1-TBps DDoS era,” where IoT-driven DDoS attacks can cause wide-reaching attacks with the potential to disrupt the Internet itself.

Malware Evolves

At the same time that they seek out new avenues for launching their campaigns, adversaries are fine-tuning malware, one of the workhorses in their attack toolboxes. Malware is evolving in ways that can help attackers with delivery, obfuscation, and evasion. Some adversaries use malware distribution systems that require users to take positive action to activate the threat. In doing so, they avoid detection, because the malware can’t be identified in a sandbox environment. In addition, some malware authors are developing ransomware-as-a-service (RaaS) platforms that allow adversaries to quickly enter the lucrative ransomware market.

Opportunities for Defenders

Given adversaries’ skill at outwitting defenses, is there good news here? In examining Cisco’s median Time to Detection (TTD), it’s been trending downward from a little more than 39 hours in 2015 to about 3.5 hours for the period from November 2016 to May 2017. This positive trend shows us that defenders are identifying known threats quickly and that attackers are under more pressure than ever to find new tactics to avoid detection. We’re also focusing on ways defenders can address the unique security challenges facing their industries. In a special section of the MCR, we offer more findings from Cisco’s Security Capabilities Benchmark Study, pinpointing how key verticals can reduce complexity in their IT environments and embrace automation.

The key to matching wits with adversaries means understanding every risk in our environment, devoting resources to swiftly responding to threats, and sharing research and ideas across the industry so we’re not in the dark about successful security approaches. Toward that end, we’re grateful that in the MCR, you can read contributions from Cisco partners who’ve generously shared their insights: Anomali, Flashpoint, Lumeta, Qualys, Radware, Rapid7, RSA, SAINT Corporation, ThreatConnect, and TrapX Security.

Learn more by downloading and reading the Cisco 2017 Midyear Cybersecurity Report.


David Ulevitch

No Longer with Cisco