Although China and Russia are often cited as the top countries targeting U.S. organizations, the reality is the majority of attacks are sourced locally from the U.S., says security strategist Don Gray.
"Even though they may be directed by other attackers, the resources being used are localized," says Gray, Solutionary's chief security strategist, in an interview with Information Security Media Group [transcript below].
Gray's remarks stem from Solutionary's recently released 2013 Global Threat Intelligence Report, which highlights the top threats organizations face. Among those top threats are sophisticated malware, the bring-your-own-device trend, and web application security.
The other major highlight from the report: the scale and scope of distributed-denial-of-service attacks are increasing beyond banking.
"Organizations that are currently dealing with those threats, we expect that trend to continue," he says. "And organizations that may not have considered themselves a possible target of those types of attacks in the past should perhaps rethink that."
In an interview about Solutionary's new 2013 Global Threat Intelligence Report, Gray discusses:
- Top threats to global organizations, and differences by region;
- What these threats cost organizations;
- How security leaders can obtain the resources they need to help mitigate these threats.
A veteran of technology applications development since 1991, Gray brings "in-the-trenches" information security experience to his role as Solutionary's chief security strategist. In his role, Gray leads the company's security engineering research team and is directly involved with researching new threats and overall information security trends. He is co-chair of the Cloud Security Alliance's Top Threat Working Group, leading the development of the CSA's Top Threats Report.
2013 Global Threat Intelligence Report
TOM FIELD: I'd like to know what the main headlines are of this new report and how your report is unique from everybody else's top threats report, because, as you know, 'tis the season.
GRAY: The headlines from the report really are that we're focusing on four major threat areas that we've seen from our customer base. These are actual threats that we've seen from our customers. It's not based on a survey; it's not based on a quiz or anything like that. The biggest thing that we've seen is that the pace of DDoS-type threats is increasing and that organizations that may not have considered themselves a possible target of those types of attacks in the past should perhaps rethink that. There's a confluence of consumer activism, social media, and hacktivist tool-kits and organizations that can conspire to bring those kinds of attacks to organizations that may not have experienced them in the past.
The other big thing from the report was that one of the things that we point out is that although China, Russia, other organizations or other parts of the world get a lot of attention, the reality is for organizations in the United States, the bulk of the attacks are sourced locally from the United States. Even though they may be directed by other attackers, the resources being used are localized. We find that in many countries the attackers are trying to localize their resources to make it harder to detect. We talked about that.
At the end, the way our report is different than other reports is we talk about the threats we actually see in our customer base, and then we walk through for each of those threats a tactical and strategic timeline that organizations can use to understand where they are in their security program in relation to those threats and what actions they can take to further protect themselves.
Top Threats to Global Organizations
FIELD: You mentioned DDoS. What do you see as the top threats to global organizations based on this report?
GRAY: The four areas that we focus on are malware. We're seeing increasingly sophisticated malware and we're seeing malware that's aware of attempts to detect it using some sandbox-type tools and can hide its true nature when it's in those environments. We expect that trend to continue.
As I mentioned [with] the DDoS trend, we expect that to increase for organizations that may not have experienced it in the past, and organizations that are currently dealing with those threats we expect that trend to continue.
Bring-your-own-device is something that has come up with our customer base as a new threat vector, and one of the things we focus on in the report is not as much what people would think of from a smishing/SMS-message attack standpoint, or from a malware on the smart phone aspect, but the fact that bring-your-own-device in and of itself, even for things as mundane as laptops, opens up a new threat vector to organizations. It opens up a new way that they can be compromised, and it totally obliterates any sense of a perimeter that they may have had in the past.
Organizations that have been getting by with a hard outer shell and a soft, gooey center because they've been able to limit the egress points into the network and the threat vectors in the network, we anticipate they're going to be exposed. Those weaknesses are going to be exposed more and more because of that.
The final area we focus on is web application security. The interesting thing about the DDoS attacks that we're seeing is that, in the past, DDoS has been traditionally more of a network packet shaping and malformation kind of exercise, and we're seeing a different kind of DDoS now. We're seeing a DDoS that's targeting the critical applications of the organization and, often times, the DDoS against the application is a smokescreen or used as part of a masking of a specific targeted attack to that application.
Differences by Region
FIELD: What differences, if any, do you see by region in this global study?
GRAY: That's one of the things that was sort of interesting that came out of the report. When we look at the attacks by source, from where they're truly originating from, we see some variations. We see some sort of specialization amongst organizations and nations at sources of attacks. We also see that certain groups prefer certain kinds of attacks. Certain groups are involved in DDoS. Certain groups are more involved in malware distribution and proliferation. And then we also see, interestingly enough, an affinity from different nations to actually attack different things.
When we look at our overall client base, finance is very high as a threat barrier; it's kind of obvious. But the next is technology and business services in healthcare. And that's from an overall standpoint. When we start to break it down by country and we start to look at where attacks are coming from for some of our larger companies, we see China, for instance, which focused heavily on business services and not as much on finance. Japan, for instance, is focused on manufacturing. There's this affinity that happens between the countries that's interesting to me and I think relevant for organizations that have infrastructure in those countries to understand where they may be at higher risk than they would anticipate if they were here in the U.S.
Costs to Organizations
FIELD: What have you learned about what these threats are costing organizations?
GRAY: That's one of the things that we talk about in the report. We have a case study for each of the threats and we attempt to quantify some of the costs that we've seen out of those case studies. The one thing I would say to stress to listeners is that there are some concrete steps that organizations can take to reduce the overall cost of responding to these incidents in a very broad way; for instance, things like making sure that they have a current up-to-date incident response plan that's comprehensive; making sure that they have an established relationship with a partner organization to help them with incident response; making sure that they've talked to the third parties and they've figured out ahead of time how they're going to communicate in the event of an incident and who they're going to talk to. Finally, test their incident response plan.
Organizations that take those actions and do those steps are going to spend less money on incident response. Incident response is a very expensive activity. It has a high collateral cost depending on the nature of the attack. If it's DDoS against an e-commerce site in a retail organization, for instance, the collateral cost can be much higher than the actual mitigation cost. Anything that organizations can do to reduce that time and increase the effectiveness of responding to an incident is money well spent.
FIELD: You and I in the past have talked about actionable threat intelligence. What are some of the ways that organizations can use this actionable intelligence to mitigate some of these threats?
GRAY: This is a favorite subject of mine because people use that word, actionable intelligence, and in our opinion the intelligence, no matter how good, is only actionable if it can be integrated into the detective and preventative systems that are part of an organization's security program. That's one of the things we also talk about in the report, how to get the most out of threat intelligence and how to realize that actionable intelligence, making sure that you have the platforms, tools and systems, but also the expertise to use to configure those systems to be able to take indicators you may be getting from threat intelligence and integrate those into your monitoring program.
Tips to Counter Threats
FIELD: What advice do you offer organizations to help them counter these threats? What are the tips you're giving them?
GRAY: For each of the four threat areas, we're really focused on activities that organizations can take all the way from a tactical standpoint, which is low-cost, easy to implement, and maybe making use of tools that they already have at their disposal. I continue to see organizations that have an infrastructure that gives them the capability to have a better security posture and if they would take advantage of some of the configurations and capabilities, all the way up to much more strategic, longer time frame, bigger investments, longer to implement kind of fixes that may be related to restructuring the organization or the network or the IT infrastructure or maybe integrating an additional security detective or preventive capability into the organization.
We're really focused for each one of these on identifying those steps that an organization can go through to get a higher level of security protection. At the same time, throughout the report, we highlight these areas, these "gotchas" or "look out" kind of areas that, based on our experience, organizations sometimes fall into a certain trap or they overlook something as they're going through the process of addressing these threats.
Getting the Resources
FIELD: One of the things I found unique about your report is you talk about how organizations can get the resources that they need. What advice are you giving to security leaders so they can get the resources necessary to take action against these threats?
GRAY: That's another area where it depends on the organization, the maturity of the security organization, within the overall organization. But we're really focused. We have thousands of customers. We've talked to many CISOs. We've talked to a lot of CISOs, and I sort of understand the ones that are what I call "high-performing" CISOs and the kinds of things that they do. We have some specific recommendations that say, "This is how those guys behave. These are the actions they take. These are the things they do." We think that if organizations would adopt some of those strategies, they'd be more effective as well. [These are] things like basing your security program off of a third-party framework to bring credibility to the program so that it's not just you as the CISO saying that the organization should be doing it, but you're able to point to a critical third-party and say, "It's not just me; they say it. We should be doing it."
The other thing is really understanding more from a business perspective what's important to the organization and how to identify not only the explicit cost that an organization is going to incur within their security program, but looking for what I like to call "debt" that the organization is accumulating. By not taking some sort of action or not performing an activity, there's a debt that's accumulating, and if there's an incident that debt will come due. The organization will experience higher cost and larger impact because they did not choose to do that.
I think having the CISOs talk to executive senior management from more of a business standpoint, and understanding really well what the goal of their business is and any initiatives that the business is undertaking, being able to have that conversation with them is more of an investment conversation or a financial conversation than they may have had in the past. That's where we see CISOs that are appreciated by their fellow senior executives and understood, more importantly, by their fellow senior executives. They're not trying to hit them with a bunch of technical jargon or overwhelm them. They're focusing on the business at hand and how to optimize and reduce the risk for the business.