Research: Fortinet Threat Landscape Report Released for Q1 2017

2016 saw continued cybercrime growth, including hackers breaking into government agencies, ransomware hijacking healthcare networks, high profile data theft, and massive global malware epidemics. Just one quarter into 2017, and things haven’t slowed down at all.

The WannaCry ransomware outbreak, which was a direct result of the Shadow Brokers leak, had the world in tears for several days. Daily FortiGuard IPS hits peaked at 22 million globally for the DoublePulsar tool that WannaCry used as its primary attack vector. The secondary exploit leveraged in the attack, CVE-2017-0144, spiked to over 7 million attempts blocked by Fortinet on May 13, before trailing off as security firms tightened their defenses and organizations updated their software.

But this wasn’t the only issue. WannaCry aside, nearly 10% of organizations recorded ransomware activity during Q1. In fact, on any given day, an average of 1.2% of organizations worldwide were dealing with ransomware botnets running somewhere in their environment. In addition, 80% reported high or critical-severity exploits against their infrastructure. Even more concerning is that the vast majority of these cyberattacks successfully targeted vulnerabilities that were five years old, with some that predate the year 2000.

This discouraging trend reveals several really important security issues organizations are facing in today’s digital society.

1. Basic security practices have declined. Even simple network hygiene, such as maintaining and updating policies, patching systems, upgrading older devices that are no longer supported, and hardening devices are just simply not being done. Some of this may be due to the continuing growth of the cybersecurity skills gap. But some is directly related to the next point, which is complexity.
2. Networks are becoming increasingly complex and distributed. The rush to adopt private and public cloud solutions, the growth of IoT, the variety and volume of smart devices connecting to the network, and out-of-band threat vectors like shadow IT shadow IT has stretched security professionals past their limits. For example, the median number of cloud applications used per organization in Q1 was 62 (33 SaaS + 29 IaaS), with IaaS apps hitting a new high point. As the number of potential attack vectors continues to grow, visibility and control over today’s distributed and highly elastic infrastructure have diminished.
3. The volume of encrypted traffic is making it worse. This last quarter, the median ratio of HTTPS to HTTP traffic hit a high mark in Q1 2017 of nearly 55%. While helpful for maintaining privacy, this trend presents challenges to threat monitoring and detection. Organizations—especially those with higher HTTPS ratios—cannot afford to turn a blind eye toward threats that might be lurking within encrypted communications.
4. Hyperconvergence is accelerating the spread of malware. As networks and users increasingly share information and resources, we are seeing attacks like WannaCry spread rapidly across widely distributed geographic areas, and across a wide variety of industries. Analysis shows that exploit distribution is pretty consistent across geographical regions. What’s highly prevalent for one region appears to be, for the most part, highly prevalent for them all. The same is true for the most virulent malware strains affecting organizations last quarter, though there are still some interesting variations for less common threats.

There are a couple of important takeaways from this report.

First, while the more high profile attacks have dominated the headlines, the reality is that the majority of threats faced by most organizations are opportunistic in nature. Criminals tend to target low hanging fruit, so it is critical that you minimize your visible and accessible attack surface.

Second, you need to up your game regarding network hygiene. Identify, patch, update, and replace vulnerable devices and systems on your network. Far too often, routine and complexity combine to allow overlooked systems that fall out of the patch cycle persist in your network. If you can’t secure it, get rid of it. If you can’t get rid of it, segment it and protect it.

Finally, your security strategy needs to meet the demands of your current network.  You need to build advanced malware defenses into (what’s left of) the perimeter, across the network, and into endpoints, whether user-based or IoT, that can detect both known and unknown threats. Defenses should be spread along the entire kill chain, from IoT to the cloud. We recommend reviewing your current security posture to assess capabilities at each phase.