We analyzed over 250,000 security events in 2018, this is what we found
In the first 10 months of 2018, SecureLink Cyber Defense Centers have digested just south of a quarter of a million security events. These events were triggered from various security solutions and logs, and then processed and digested by our detection and response platforms.
Malware, network and application anomalies, and account anomalies, represent 96% of the incidents. With regards to malware, we’re seeing the tides rising and falling with the seasons. Ransomware attacks are especially prone to decline in holiday seasons. We’re observing an interesting 5 time increase of RATs and backdoors over the last months.
Social engineering attacks are in the early stages of the kill chain in many known attack types, but they’re not always easy to detect. Let’s look at an example. A phisher sends an email with a malicious link to a victim. If the malicious e-mail isn’t detected, and the “click” on the link goes undetected, it will usually be detected as a malware execution attempt, and become a malware incident. As our brains are hard-wired to fall for there tricks, especially if they’re targeted, we’re not expecting social engineering to decline. Interestingly we saw more social engineering over summer than during business seasons. This seems to break the trend, although some of our analysts believe it might correlate with a “more relaxed management” during holidays.
The impact of attacks is shifting. In 2018, low impact incidents declined and were replaced with medium and high impact incidents. In other words, average attacks seem to put more pressure on organisations. On the other hand, critical events (although it’s never been a tremendous number) have sharply declined. So there’s a silver lining.
As you would expect, more incidents happen in larger companies.The impact of incidents needs to take organisation size in to account: in a large enterprise multiple incidents per day is business as usual, while in a small company, it would be disastrous. When we took organisation size into account, we saw, in 2018, that larger companies have a fairly consistent number of incidents: between 1.3 and 1.5 per 100 heads.
For organisations under a 1000, we saw a very steep increase: the number of incidents per 100 persons is 5 times higher. We suspect the impact for an individual incident might be higher too, so that’s a double impact whammy for smaller organisations.
Advanced Persistent Threats (many sponsored by nation states) are becoming more prevalent, likely due to geo political tensions. The three most seen motivations are:
- (Industrial) espionage
- Large scale financial theft
- Destruction, “rolling muscles”
Just a few years ago, many organisations believed themselves to be uninteresting or irrelevant for these kinds of threats. Nowadays we see the large scale theft is targeting certain verticals, like finance and the bitcoin community. Espionage increasingly happens via stepping stones in smaller, less mature companies in supply chains. These destructive attacks, even if some are targeting certain verticals like critical infrastructure, yield collateral damage.
We would argue that the chances of these attack types happening to you are indeed smaller, but impact is much higher.
As cyber tech is progressing, solutions are at an all time high quality level. With AI handling more events than ever, they make increasingly better predictions. The industry is converging on capable personnel to be in the driver’s seat. Handling detection and response processes means transforming prediction into decision. This is where the industry is headed, and human capital remains a big part of the equation.
Read the full report, learn more, get the backgrounds, and find a reference list here: lp.securelink.net/asr