Every security expert knows Wanacry and NotPetya, but what about Bad Rabbit? And when did Panda Banker rise again? 2017 was an eventful cyber year. And it didn’t go unnoticed to the analysts at Fox-IT’s Security Operations Center (SOC). They monitor the data traffic of Fox-IT’s customers 24/7. Which attacks did they see over the past year and what are their expectations for 2018?
The 2017 figures
In the past year, analysts investigated 36,026 incidents, a significant increase compared to 2016 when the SOC analysts investigated 25,406 incidents. The incidents that have been investigated are very diverse. It could be hackers who try to attack a system via a web portal or hackers who start a phishing campaign. We not only see an increase in the number of incidents, but also the average number of incidents per customer increases explosively. Almost 2.5 times as many incidents per customer in 2017 compared to 2016.
This increase can partly be explained by the adapted working method of hackers. Attackers are getting smarter and develop more efficient methods. Attacks are increasingly automated. In addition, this trend fits into the general picture of recent years that Cyber Security is becoming increasingly important. Increasing digitization means more attacks.
|Average number of incidents per client||17,05||40,75|
Not every investigated incident is escalated to the customer. This is because certain incidents do not pose a direct threat. An example of this is an external scan, which is used by hackers to find vulnerabilities. Hackers often do this automatically, so SOC analysts see these scans pass by quite often. Only when a scan has actually found a vulnerability does this constitute a risk, which leads to Fox-IT reporting an incident to the customer. This registration of actual high-risk incidents took place 4.482 times in the past year. Here, too, we see a considerable increase compared to the previous year.
The risk of all those escalated reports varies, as we see many adware activities that are particularly annoying but do not yet pose a risk. However, adware can still be used by hackers to infect a network. Some incidents are much more serious, for example ransomware activities that indicate hacker activity within the network of a customer.
We see an increasing number of attacks that are not directly aimed at an organization but rather at suppliers of software. These so-called ‘Supply chain attacks’ can spread rapidly, for example through a software update.
Another variant that is frequently seen by SOC analysts is the use of ransomware in combination with automatic distribution. So-called ransomware worms. This variant of ransomware can infect other PCs without direct interaction of the hacke
In addition to the well-known ransomware attacks Wanacry and NotPetya, 2017 was also the year of:
- The CCleaner hack. The CCleaner software is used by many to optimize the speed of their computer. In September 2017 a new update of CCleaner came available which was infected with malware. The infected software spread via the update among all users.
- Bad Rabbit. Bad Rabbit pretended to be a Flash Player update via a hacked website. Once inside a network, the malware quickly spread through the reuse of the passwords of the infected users.
- Zeus Panda banking malware. This phishing campaign used fake PostNL e-mails around the 2017 holidays. They focus on customers who made online payments, in order to steal money.
Trends for 2018
- Popularity and value of the crypto market is rising. This means these cryptomarkets also pose a real threat from hackers. Attackers focus both on the crypto exchanges and on the individual wallets.
- Cloud technology is becoming increasingly popular, making it more interesting for hackers. Many organizations are unknowingly vulnerable via their online mail system, where not everyone uses 2 factor authentication. Think about the attacks on Office365 for example.
- The CEO fraud e-mails are still popular; an email addressed to a finance employee, for example, in which the CEO asks to transfer an amount to a specific account. The attacker sends this mail from the CEO (spoofing) but adjusts the account number.
- Attackers use the tools that are already available on a PC or network. This requires organizations to know which tools and behaviors are normal and which are not. For this, the monitoring of networks and endpoints is becoming increasingly important.
- The cyber security awareness is getting higher and higher. There will be more training courses and therefore more cyber security professionals. The market is also increasingly adjusting to the cyber security threats, so we expect more and more organizations to take out cyber security insurance. More awareness will also provide more transparency. The GDPR legislation will certainly contribute to this.
- Machine learning is becoming increasingly relevant. Organizations often receive so many reports that it is impossible to be able to do research themselves anywhere. Machine learning filters all that information to just the relevant reports, so analysts only need to view the real highlights. Automated filtering will play an increasingly important role.
About the SOC of Fox-IT
The Security Operations Center of Fox-IT is ‘home’ to a team of highly skilled cyber experts. This team monitors client networks around the clock. Customers have one or more physical sensors in their network, which ‘go off’ when suspicious traffic is detected. The sensors work with intelligent rules, which are written by security experts and researchers at Fox-IT. The moment a sensor finds suspicious traffic, our cyber experts start an investigation. They’ll research the incident and will inform the client if necessary.