The global networking vendor has just released its Cisco 2014 Annual Security Report, and in an exclusive interview, Gundert dives into the key findings to offer insight into the top cyberthreats and why the global IT security skills shortage is crippling organizations' defenses.
Among the key findings of the report:
- Attackers are leveraging powerful exploits to gain new access to web servers and sites.
- They are using trusted apps to exploit perimeter security gaps to create "watering hole" attacks that target trusted sites and deliver malware.
- Network intrusions are going undetected - and creating damage - for far too long.
"I really believe that the Web is a primary, target-rich area for threat actors," says Gundert, threat technical leader within Cisco's Security Intelligence Operations. "They are actively compromising web servers and websites. What they are doing is creating new code on the fly, and it was very difficult for researchers to figure out what is going on."
During 2013, Cisco noted a significant evolution in two strains of malware known as CDorked and DarkLeech.
"The way that they stage and spread attacks is very different," Gundert says. "These attacks compromised 20,000 different websites across the globe."
The evolution of DarkLeech illustrates how the compromise of hosting servers can be a springboard for a larger attack campaign, Gundert says. The legitimate websites infected with DarkLeech use Apache HTTP server software and were infiltrated with a Secure Shell daemon [SSHD] backdoor that allowed attackers to remotely upload and configure malicious Apache modules. Attackers were able to dynamically inject HTML elements in real-time on hosted websites, which delivered exploit code and other malicious content via a Blackhole exploit kit, Gundert says.
In April 2013, Linux/CDorked, another backdoor malware, was found to have infected hundreds of servers running Apache HTTP server software. Like DarkLeech, CDorked also uses conditional criteria to dynamically inject iframes, HTML elements, on websites hosted on the compromised server.
"Any visitor browsing an affected website then has malicious content delivered from another malicious website, where a crimeware toolkit attempts to further compromise the user's PC," the Cisco report notes.
It's a Resource Issue
Understanding the security challenges is one thing; fighting them is quite another. Organizations today simply do not have enough skilled IT security personnel to keep pace with the increasing sophistication of these attacks and the actors who wage them, Gundert says.
"There are a lot of academic institutions that recognize the shortfall and the need," he says. "The issue is that ultimately time is required when you come out of school to pick up the requisite experience and skills that you really need to be successful in this type of work. ... So companies need to continue to invest in people, both in training and in resources."
And from a technical perspective, organizations must shift their security resources from pure intrusion prevention to detecting and containing breaches before significant damage is done.
Cisco's primary recommendation: Organizations need to develop a new threat-centric security model that monitors all attack vectors and enables response to threats before, during and after an attack.
"At this point, it's good to assume that you have a compromise in your network - that you have an attacker in your network," he says. "The best way to do that is to identify the data that you have on your network and segment it."
During this interview about the Cisco 2014 Annual Security Report, Gundert discusses:
- Why the categorization of threat actors and attacks must constantly change and remain fluid;
- How criminals are using drive-by download attacks in a more sophisticated manner;
- Why distributed-denial-of-service attacks have become a powerful weapon for criminals and nation-states.
Over the past decade, Gundert has become an internationally recognized information security and risk management leader. At Cisco, Gundert works with the analysis and outreach teams to identify and analyze threats; share cybersecurity information to industry, government and the public; and help continually improve Cisco security technology. Gundert also is a thought leader in the practical application of big data analytics in threat intelligence programs and is focused on developing solutions to help Cisco manage, query and analyze real-time threat data more quickly and efficiently. Before joining Cisco, Gundert was a special agent for the U.S. Secret Service in Los Angeles, where he developed new methodologies for analyzing threat intelligence and producing actionable leads. Additionally, he helped gather criminal intelligence by covertly engaging hackers and fraudsters in the underground economy.