Massive spamming botnets such as Necurs are behind this recent spike in junk and malicious email, Cisco found, according to its 2017 Annual Cybersecurity Report published this week. Why the revival in spam campaign volume? Spam is becoming more of a commercial business enterprise, which in part is driving its explosion, says Cisco vice president and CISO Steve Martino. “There are organizations building tools and technologies that let other people use and build spam campaigns without knowledge of how to build a spam campaign. As a service model, it’s proliferating and allowing more people with less technical skills to participate and leverage the technical skills of somebody who has” those skills, Martino says.
Cisco found that the DNS-based blackhole list, the Composite Blocking List, shows spam volume reaching the record highs last seen in 2010. The Necurs botnet, which has been used to spread Locky ransomware as well as the Dridex banking Trojan, is the main driver of the spam spike: around June of last year, Necurs added over 200,000 IP addresses in under two hours after a brief respite in the wake of a cybercrime crackdown on the Lurk Trojan in Russia.
“New antispam technologies, and high-profile takedowns of spam-related botnets, have helped to keep spam levels low in recent years,” Cisco said in its report. That is, until Necurs started to change the game with more malicious activity.
Another relatively old-school cybercrime method had a big year in 2016: adware. Some 75% of organizations have been infected via adware, according to Cisco. “Sadly, this is not a big surprise. We have seen a proliferation and move to malvertising” on legitimate websites, says Franc Artes, architect for Cisco’s Security Business Group. There are plenty of malvertising development kits available to would-be criminals that, like spam kits, make it easy for a non-technical bad guy to spread malicious adware.
Malicious adware is used for so-called click fraud to make money off of online ads, and is also used as an initial vector for other attacks. Across 130 organizations in various industries, Cisco found 80 different adware variants that performed everything from ad injection to downloading malware. Three-fourths of those organizations had been hit by an adware infection.
Driving malvertising attacks are so-called “bad bots” that pose as real humans. “The environment is changing and bots are getting more and more sophisticated as more tools are out there to detect them,” says Edward Roberts, director of product marketing at Distil Networks. “Across the board, there are silent victims across industries.”
Even so, malvertising and spam are nothing new. “We’re seeing a return, I think, to the classics. What was old is new again, using techniques we’ve forgotten about because they were low-profile and are [now] becoming high-profile,” Cisco’s Martino says.
“Where the attackers can maximize profits, they collaborate with each other, buying and selling services like we sell cloud services. This is giving them opportunities to move faster and to leverage various experts to attack organizations,” Cisco’s Martino says.
Meanwhile, 44% of security alerts are ignored, according to Cisco’s findings. The study found that security pros say they can only investigate 56% of the security alerts they receive each day. About half of those they investigate are real issues (not false alarms), and some 46% of legitimate alarms investigated get fixed. Nearly 45% of security operations managers say they receive some 5,000 security alerts per day.
Cisco’s Artes says there are several reasons why SOC managers can’t keep up with security alerts. For 35% of those in the study, budgets are the biggest obstacle, he says. “Some 55% of respondents have anywhere from six to 50 different security vendors,” which can complicate proper correlation of alerts, he notes.
“In every breach that I’ve seen or looked at or know about, there’s been more than one alert. More than one piece of data – had someone seen it or if the system had been able to react, it would’ve deterred that particular attack,” Martino says.
Time to detection is a big issue for organizations today, notes Julien Bellanger, CEO and Co-Founder of Prevoty. “The time to detection is critical. The more relevant the intelligence that’s coming from security tools at the network, the endpoint and the application, the faster that detection can happen,” he says. “A lot of information is generated, but too little is correlated to other events to make sense and be actionable.”
Then there’s the business fallout of missing that needle in the haystack. According to the Cisco report, nearly half of organizations say they lost “substantial” business opportunities after a breach: one in five lost customers and 30% lost revenue.