Analyzing Attack Vector Trends by Industry, Country, and More
By Chris on July 23, 2015
Cyber security professionals are flooded with issues requiring their attention. Identifying the most significant risks can be challenging, which makes choosing where to allocate resources even more difficult. This applies to both short term tactical decisions (e.g., Which vulnerabilities do I prioritize this week?) and longer term strategic decisions (e.g., Where do I invest in technology?) for the organization.
Recorded Future provides real-time situational awareness of trending information security topics to support those critical choices. This is done by analyzing millions of documents from the Web daily. The unstructured text from security blogs, threat researchers, mainstream media, and much more is mined and given structure to quantify collective knowledge for the threat intelligence community.
For example, we recently launched the Recorded Future Cyber Daily. This daily email provides at-a-glance summaries of information security topics published during the past 24 hours to supplement our visualization and alerting toolkit, at no cost to security professionals looking to enhance their security with threat intelligence.
We’ve also developed a variety of customized, cyber trend offerings for our customers. In each case, we worked hand in hand with threat intelligence analysts to identify information sets in support of their missions.
Below, you’ll find examples of such offerings using aggregated information from Recorded Future to identify trends in cyber activity reported on the open Web.
Weekly Trends in Exploited Vulnerabilities
Takeaway: Burst of Adobe Flash exploits developed by Hacking Team.
The trove of information released following a breach at Italian security company Hacking Team continues to reveal zero-days developed by the organization. Several now very public exploits were ascribed to vulnerabilities in quick common products and technologies.
From the thousands of references to cyber vulnerabilities on the Web every day, Recorded Future isolates mentions of vulnerabilities being exploited. This allows us to surface vulnerabilities that are viewed by the community as highly sensitive based on known exploitation or available proof of concept code.
Recorded Future’s Cyber Weekly email, a spinoff of the above referenced Cyber Daily, detailed exploitation of CVE-2015-5122, CVE-2015-5123, and CVE-2015-5119, all linked to Adobe Flash and Hacking Team.
Above: This is a sample of the Recorded Future Cyber Weekly. This table summarizes the number of references to particular vulnerabilities being exploited.
We’ll use CVE-2015-5123 as an example and follow through to “Analyze” the reported exploit events found in Recorded Future. In doing so, we identify references and links to proof of concept (PoC) code that can be aggregated by security teams and researched further.
Click image for larger view
Cutting Through the Noise
Interestingly, amongst all of the attention to the above mentioned Hacking Team exploits, a handful of other notable vulnerabilities were at the same time being discussed. The fifth entry in the table refers to a privilege escalation vulnerability in several VMWare products for which a researcher at Nettitude published a proof-of-concept video demonstrating exploitation.
If an organization is already well prepared with defensive measures for Adobe Flash but could be exposed through its users of VMWare, it is important to not miss information CVE-2015-3650 due to the security community’s higher volume interest in and hype about the Hacking Team exploits.
The Recorded Future Cyber Weekly summary of exploited vulnerabilities and details related to those vulnerabilities can be useful to a security organization as a factor in their patch management process.
Cyber Attack Corporate Target Trends by Country
Takeaway: Hacking Team data breach drives short term spike in references to cyber attack events against Italian organizations. Reported attacks against Indian and Polish companies return to typical levels after recent incidents against Bharat Sanchar Nigam Limited and LOT Airlines.
From the thousands of references to cyber attacks seen every day by Recorded Future, the reported targets are tagged and catalogued. This allows analysts to isolate the specific target element and through the attributes of those targets (location, industry, market cap, etc) better understand trends in adversarial activity and potential risks.
A recent example of this type of summary comes from the week of July 6-13, which is topped by the surge in reporting on attacks against Italian companies, specifically Hacking Team. We also see a notable increases in reported attacks or data breaches affecting companies headquartered in the United States – Walmart, CVS, and Costco – and Banorte in Mexico.
The above table (delivered weekly via email with accompanying raw data) summarizes the number of documents reporting cyber attacks targeting companies headquartered in various countries. This project specifically supports a customer’s weekly strategy session to determine analyst research focus but could be put to use in longer term threat intelligence reports.
You can also hop directly into a visualization specific to the location targets of interest, making it easy to review any incidents about a country. Below is a set of results for the United States corporate targets detailed in the table above.
Click image for larger view
It is easy to consider other interesting ways to organize cyber attack data geographically: region, GDP, language, etc. Separately, this trend research could be extended to include government entities or broadened in scope to quarterly or annually.
Emerging Cyber Attack Vectors
Takeaway: Spear phishing, VBA malware, and man-in-the-middle attacks on the rise early in 2015.
Recorded Future also identifies attack methods being reported as part of incidents. This allows us to isolate attack vectors (e.g., DDoS, Phishing, XSS, etc.) reportedly used by threat actors.
An experiment we ran, born out of conversations at RSA Conference 2015, sought to measure “emerging” methods of attack. As of early May 2015, coverage of several attack vectors was notably higher compared to 2014. Specifically, we find increased reporting of spear phishing (targeted attacks), VBA malware (old versions of MS Office), and man-in-the-middle attacks (e.g., Lenovo, Android, and iOS).
Technically, we were looking for attack methods reportedly used more frequently than the previous year. Practically, we are working to provide CISOs strategically useful information on attack vectors they might want to prioritize as they tweak their defensive toolkit.
Identifying this sort of pattern, only possible to derive with a sufficient historical archive like Recorded Future provides, can support prioritization of defensive measures and evaluation of exposure to increasingly prevalent tactics.
Have a research project that would be valuable to your threat intelligence team?
The above examples show how Recorded Future can provide valuable situational awareness of information security trends that are tactically useful in a security operations center (SOC) or strategically valuable in the board room.
We’re already working on more with customers – say, trends in methods used against specific industries – but we hope these examples provided a sense of the research, analysis, and regular reporting our data can support. We can package this information in a variety of forms to best suit your organization’s needs.
Want to subscribe to one of the regular reports described above? Interested in discussing a related project? To learn more about how we can support your threat intelligence program, please get started by requesting a demo.