This blog post was written by Vincent Weafer.
In the McAfee Labs Threats Report: December 2016 published today, we write about three seemingly disparate topics. However, on closer inspection, they have a common thread. All discuss deception in one way or another, whether ways in which ransomware authors have enhanced their code to sidestep sandboxes, how Trojans infect legitimate code to appear benign, or the challenges SOCs face as they try to detect potential attacks from malware that uses increasingly sophisticated evasion techniques.
In the ransomware story, we summarize “the year in ransomware,” a year in which that form of threat saw a huge jump in the number of attacks and captured most of the cyberattack headlines. To fuel its growth, ransomware authors made many technical advances this year:
- Anti-sandboxing: Detecting and evading security sandboxes used to test suspicious code.
- Exploit kits: A cat-and-mouse game of increasing exploit kit sophistication to stay ahead of defenses.
- Disk encryption: Partial disk encryption that overwrites the master boot record and full disk encryption that encrypts a complete partition.
- Website encryption: Encryption of websites used by legitimate applications, making the apps useless until the site is decrypted.
- Ransomware-as-a-service: Attackers pay service providers for the use of infrastructure and ransomware.
The good news is that the white hats are fighting back, with some success. Defenses are getting better, law enforcement and security vendors are collaborating to take down ransomware networks, and a jointly founded initiative, No More Ransom!, was formed to provide prevention advice, investigation assistance, and decryption tools. More than one dozen law enforcement agencies and multiple security technology vendors are now part of the No More Ransom! collaboration, with more to come in the very near future!
The Trojan story explains how this type of malware infects legitimate code and hides out, hoping to go unnoticed as long as possible to maximize payouts. We show how attackers create long-lasting, fully undetectable malware by modifying source code or executables, inserting patches on the fly through man-in-the-middle attacks, or tricking application authors to include malicious libraries.
Attackers who specialize in Trojans enjoy an impression of legitimacy, as their malware hides behind recognized brands or apps. The “Trojanized” legitimate apps often provide cover during security scans and forensic analysis. And the Trojans enjoy free persistence, courtesy of app users who depend on the apps for day-to-day activities.
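One defensive counterpart to the executable-modification and malicious-library cases above is a file-integrity check: record the hash of every file in a known-good install and re-verify it later, so a patched binary, an added library, or a removed file shows up even when the file names and sizes still look legitimate. The following is an added example written for this post, not code from the report or from McAfee; the directory layout, file names and contents are constructed for the demonstration, and `build_manifest`, `verify_manifest` and `demo` are hypothetical helper names.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree against a trusted manifest.

    Returns sorted lists of files whose content changed, files that disappeared,
    and files that were added since the manifest was taken.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: snapshot a clean install, simulate three kinds of tampering, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        # Constructed sample files standing in for a shipped application.
        (root / "bin" / "app.exe").write_bytes(b"MZ original application code")
        (root / "lib" / "helper.dll").write_bytes(b"MZ original helper library")
        (root / "README.txt").write_text("clean install\n")

        trusted = build_manifest(root)  # taken from the known-good release

        # 1. Patch bytes inside an existing executable (same name, same size).
        (root / "bin" / "app.exe").write_bytes(b"MZ original application cod3")
        # 2. Drop an extra library next to the application.
        (root / "lib" / "evil.dll").write_bytes(b"MZ not part of the release")
        # 3. Remove a file that shipped with the release.
        (root / "README.txt").unlink()

        return verify_manifest(root, trusted)


if __name__ == "__main__":
    print(demo())
```

The manifest must itself be stored or signed out of reach of the software it protects (for example, published by the vendor alongside the release); a manifest that sits unprotected next to the binaries can be rewritten by the same process that patches them.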
To learn more about defending against Trojanized legitimate software, read our Solution Brief How to Protect Against Trojans.
Our third story is about security operations centers, or SOCs. McAfee commissioned a primary research study to gain a deeper understanding of the ways in which enterprises use security operations centers, how they have changed over time, and what they will look like in the future.
Among other things, we learned of:
- Alert overload: SOC managers are unable to sufficiently investigate 25% of their security alerts.
- Triage trouble: 93% of SOC managers are overwhelmed by alerts and unable to triage all potential threats.
- Incidents on the rise: 67% of SOC managers report an increase in security incidents.
- Proactive vs. reactive: 26% of SOCs operate in a reactive mode with ad-hoc approaches to security operations, threat hunting, and incident response.
- Highest priority for SOC growth and investment: SOC owners want to improve their ability to respond to confirmed attacks, which includes the ability to coordinate, remediate, eradicate, learn, and prevent recurrences.
To learn how to optimize security operations centers, read our white paper Sustainable Security Operations.
Finally, we highlight significant threat activity and statistics for Q3.
- Malware: McAfee Labs measured 245 new threats every minute, or more than four every second. New malware dropped 21% in Q3, but total malware has grown 29% in the past year.
- Ransomware: Total ransomware grew by 18% in Q3 and 80% since the beginning of the year.
- Mobile malware: There were two million new mobile malware threats in Q3, the highest ever recorded. Total mobile malware has grown 138% in the past year.
- Mac OS malware: New Mac OS malware skyrocketed by 637% in Q3, but the increase was due primarily to a single adware family, Bundlore.
- Macro malware: New Microsoft Office macro malware continued the increase first seen in Q2. Total macro malware has grown 115% since the beginning of 2016.
For more information on these key topics, or more threat landscape statistics for Q3 2016, click here.