Trustwave Report: Threat Containment Getting Better

Given the publicity that routinely attaches to every breach disclosure these days, it’s easy to be pessimistic about the overall state of cybersecurity. But a 2018 breach report from Trustwave, a provider of managed security services, finds that in 2018 significant progress was made in both detecting malware and containing the damage it can inflict.

According to the report, the median time it took to detect a threat and contain it fell to 27 days in 2018, down from 67 days in 2017. The median time between intrusion and detection for threats discovered by entities other than the internal cybersecurity team fell to 55 days, down from 83 days in 2017.

The share of spam messages containing malware diminished significantly in 2018, to 6%, from 26% in 2017. The report finds that 60% of breach investigations can be attributed to social engineering, with such attacks involved in 46% of incidents affecting corporate and internal IT environments. An analysis of phishing scams targeting those with authority to transfer company funds, known as business email compromise (BEC), reveals that 84% of BEC messages used free webmail services for distribution, while 12% used spoofed company domains. Only 4% employed misspelled or lookalike domain names to deceive recipients.
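As an added illustration (not code from the report or this article), the following classifier buckets a sender address into the three BEC delivery categories the report counts: free webmail, a spoofed company domain, and a lookalike domain. The free-webmail list, the homoglyph table, the `example.com` organisation domain and the `auth_passed` flag standing in for the mail gateway's SPF/DKIM/DMARC verdict are all constructed assumptions.

```python
from collections import Counter
import unicodedata

# Constructed list of free webmail providers; extend it for your own environment.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
# Character swaps commonly used to build lookalike domains (partial, constructed).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def fold_domain(domain: str) -> str:
    """Lower-case, Unicode-normalise and undo common homoglyph swaps."""
    d = unicodedata.normalize("NFKC", domain.strip().rstrip(".")).lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; cheap at domain-name lengths."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_addr: str, org_domain: str, auth_passed: bool) -> str:
    """Bucket a From: address into the delivery categories the report counts."""
    # auth_passed stands in for the gateway's SPF/DKIM/DMARC verdict (assumed
    # input): the organisation's own domain failing authentication is a spoof.
    domain = from_addr.rsplit("@", 1)[-1].lower().rstrip(".")
    org = org_domain.lower()
    if domain == org:
        return "internal" if auth_passed else "spoofed company domain"
    if domain in FREE_WEBMAIL:
        return "free webmail"
    folded = fold_domain(domain)
    if folded == org or edit_distance(folded, org) <= 2:
        return "lookalike domain"
    return "other external domain"

def summarize(messages, org_domain="example.com") -> Counter:
    """Count categories over (from_addr, auth_passed) pairs, e.g. a day's mail log."""
    return Counter(classify_sender(addr, org_domain, ok) for addr, ok in messages)

# Constructed sample senders, not data from the report.
SAMPLE = [("ceo.urgent@gmail.com", True), ("ceo@example.com", False),
          ("ceo@examp1e.com", True), ("ceo@exarnple.com", True),
          ("ceo@example.com", True), ("partner@supplier.net", True)]
```

Running `summarize(SAMPLE)` over a real gateway log gives the same three-way split the report describes, which is a quick way to see which category dominates in your own mail flow.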

The report also notes the largest single category of malware encountered was downloaders at 13%, followed by remote access trojans (RATs) at 10% and web shells at 8%.

For the second year in a row, the report also finds 100% of web applications tested had at least one vulnerability, with the median number of vulnerabilities rising to 15, from 11 in 2017. Of the more than 45,000 vulnerabilities discovered by Trustwave penetration testers, 80% were classified as low risk, with the remaining 20% deemed medium to critical. The most common critical weakness involved omission of Microsoft Security Update MS17-010, which fixes the ETERNALBLUE vulnerability in the Server Message Block (SMB) protocol used for local network communication.

There was also a significant increase in cryptojacking malware in 2018, which was almost non-existent in 2017. Used to covertly place JavaScript coin miners on websites or to infect routers, cryptojacking malware was found on 97% of the 2,585 websites observed that were known to be compromised, with the now-defunct Coinhive miner being the most prevalent form.

The report finds the number of vulnerabilities patched in five of the most common database products was 148 in 2018, up from 119 in 2017. Denial-of-service (DoS) vulnerabilities accounted for the most vulnerabilities discovered, at 64%. Potentially more serious vulnerabilities used to gain unauthorized access and manipulate sensitive data accounted for only 8.7% and 8.1% of patching incidents, respectively.

Overall, the Trustwave report finds 57% of all incidents investigated involved corporate and internal networks, an increase of 7% year over year. E-commerce environments accounted for 27% of incidents investigated.

Karl Sigler, threat intelligence manager for Trustwave, said it is apparent technologies such as endpoint detection and response (EDR) and behavioral analytics, coupled with better cybersecurity processes, are starting to have an impact in terms of both detecting threats and altering the tactics employed by cybercriminals.

Spamming attacks, for example, are more targeted and regionally focused. Sextortion email campaigns, designed to dupe victims into paying large ransoms by playing on fears that compromising videos of the recipient exist, were nearly non-existent in 2017, yet rose toward the end of 2018 to account for 10% of all spam analyzed.

The Asia-Pacific region, meanwhile, overtook North America in 2018 in terms of the number of data compromises investigated, accounting for 35% of instances versus 30%, respectively. Europe, Middle East and Africa (EMEA) came in third at 27%, followed by Latin America and the Caribbean (LAC) at 8%.

In terms of vertical industries being targeted, the Trustwave report finds that retail once again topped the list with the largest share of incidents (18%), followed by the financial services sector (11%). However, payment card data was involved in more than a third (36%) of all data breaches investigated. Card Not Present (CNP) data accounted for 25% of all incidents in 2018, while magnetic stripe data was involved in only 11% of incidents, down from 22% in 2017. That shift suggests the transition to chip-enabled payment cards at point-of-sale (POS) systems is having a positive impact, noted Sigler. Memory scrapers and dumpers used to steal payment card numbers from POS systems saw a sharp decline, from 16% in 2017 to just 8%, the report finds.

There’s obviously still a lot of room for cybersecurity improvement. It still takes organizations one to two months to contain a breach once it is discovered. But at this rate of improvement, it would appear that at the very least the tide in the cybersecurity war may finally be starting to turn.

Michael Vizard


Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
