HP Bromium has just published its extensive THREAT INSIGHTS REPORT Q4-2020, which documents that Q4 2020 saw a 239 percent increase in malicious spam distributing Dridex malware, a substantial rise in malicious executable email attachments, and across the board increases in other major threats. Experts offer perspective.
This report notes that 29 percent of discovered threats were previously unknown. Defense is always playing catch-up – it’s mostly driven by discovering today what was happening yesterday and implementing those controls. Controls take time to implement so attackers can use that window of known techniques to continue to successfully breach enterprises, which is why they are the majority of threats in the wild. Meanwhile, they are continually innovating with new techniques (the 29% noted in the report).

Email is such a major threat vector because it reflects the economic utility of attack vectors. There is a marginal cost difference between sending one email and sending one million emails. Then, it’s a game of statistics: of those one million emails, I only need one person to click and I’m in as an attacker. To make it even harder to spot, they can reuse breached credentials from suppliers and relationships to look even more legitimate. With email, an attacker is going to get in, it’s just a question of when.

The report also notes it takes 8.8 days for AV engines to identify threats. That’s because AV is constrained to looking at what’s happening on a host computer and it can’t annoy the user too much trying to do legitimate work. It’s a generally static defense that is just a part of an attacker’s test matrix before they deploy their malware.

Also, threat actors gain the same benefit of cloud computing that the enterprise does – it provides scalable and easy-to-move resources for attackers. Furthermore, the leaking of so much sophisticated attack code has made it even easier for less technically sophisticated attackers.
A Zero Trust Architecture can address the threat vectors that threat actors are exploiting, because it asserts that every interaction between the network, the endpoint, and the user is a potential avenue for compromise. Being able to micro-segment endpoints from networks and have direct control of the network traffic allows security teams to stop lateral movement infections when the endpoint is outside of the corporate perimeter.
There is no question that credential-led attacks are on the rise. One of the primary reasons for this is the rapid proliferation of APIs, many of which are not well protected against scripting attacks. Buying valid credentials on the dark web and using them within a script to generate API requests which look genuine is very effective against many enterprises. In the end, bad actors are precious about the use of their time and will always find the easier path to their desired outcome, so if malware detection is more effective than synthetic API traffic detection, it’s the APIs which will be the number 1 target.

As a general concept in security, taking a zero-trust approach allows the organization to move away from playing whack-a-mole with the bad guys. Traditional security approaches are often based on knowledge about previous attacks and, while it is certainly true that attack vectors do get plenty of reuse, new attacks will always sail through those traditional defenses. Mitigating the risk of new exploits means utilizing the principles of positive security where each platform element remains untrusted until independently and individually authenticated. Only then can we finally put away our whack-a-mole mallets.
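The scripted use of valid credentials against APIs described above defeats per-account failure counting, because every login succeeds. As an added illustration (not code from the report or the quoted experts), the detector below works on a constructed, simplified API access log and flags a client that authenticates as many distinct accounts at machine-regular intervals; the log format, thresholds and IP addresses are assumptions.

```python
"""Flag scripted API logins: many distinct valid accounts from one client,
spaced at near-constant intervals. Added example; log format is constructed."""
from collections import defaultdict
from statistics import pstdev

# Constructed sample lines: "<unix_ts> <client_ip> <account> <http_status>"
SAMPLE_LOG = """\
1000 10.0.0.5 alice 200
1030 10.0.0.5 alice 200
1001 203.0.113.9 u1 200
1002 203.0.113.9 u2 200
1003 203.0.113.9 u3 401
1004 203.0.113.9 u4 200
1005 203.0.113.9 u5 200
1006 203.0.113.9 u6 200
1700 198.51.100.7 bob 200
1745 198.51.100.7 carol 200
"""


def parse(log):
    """Turn the constructed log text into (ts, ip, account, status) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, account, status = line.split()
        events.append((int(ts), ip, account, int(status)))
    return events


def flag_sources(events, min_accounts=3, max_jitter=2.0):
    """Return {ip: reason} for clients that log in successfully as several
    distinct accounts with near-constant request spacing. Successful (200)
    logins are the signal: stolen-but-valid credentials never trip a
    failure-count rule, so we look at breadth and regularity instead."""
    by_ip = defaultdict(list)
    for ts, ip, account, status in sorted(events):
        by_ip[ip].append((ts, account, status))
    flagged = {}
    for ip, rows in by_ip.items():
        ok_accounts = {a for _, a, s in rows if s == 200}
        if len(ok_accounts) < min_accounts:
            continue
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        jitter = pstdev(gaps) if len(gaps) > 1 else 0.0  # humans are not this regular
        if jitter <= max_jitter:
            flagged[ip] = f"{len(ok_accounts)} valid accounts, gap stdev {jitter:.2f}s"
    return flagged


if __name__ == "__main__":
    print(flag_sources(parse(SAMPLE_LOG)))
```

On the sample, only 203.0.113.9 is flagged: five distinct accounts accepted one second apart, while the two legitimate clients reuse one or two accounts at irregular times.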