For more than a decade, Cisco’s security reports have been a definitive source of intelligence for security professionals interested in the state of the global industry. These comprehensive reports provided detailed accounts of the threat landscape and their organizational implications.
Attack types and protection
A layered approach to security is always advised. We’ve included icons at the end of each story to indicate the key threat vectors used (or suspected to be used) and the tools that can help protect against them in each case. Below we decode the icons and discuss the advantages of deploying the various protections as part of an integrated security architecture.
Advanced malware detection and protection technology (such as Cisco Advanced Malware Protection, or AMP) can track unknown files, block known malicious files, and prevent the execution of malware on endpoints and network appliances.
Network security technology such as the Cisco Next-Generation Firewall (NGFW) and Next-Generation Intrusion Prevention System (NGIPS) can detect malicious files attempting to enter a network from the Internet or move within a network. Network visibility and security analytics platforms such as Cisco Stealthwatch can detect internal network anomalies that could signify malware activating its payload. Finally, segmentation can prevent the lateral movement of threats within a network and contain the spread of an attack.
Web scanning at a Secure Web Gateway (SWG) or Secure Internet Gateway (SIG), such as Cisco Umbrella, lets you block users from connecting to malicious domains, IPs, and URLs, whether users are on or off the enterprise network. This can prevent people from inadvertently allowing malware to access the network, and can stop malware that makes it through from connecting back out to a command and control (C2) server.
Email security technology (such as Cisco Email Security), deployed on premises or in the cloud, blocks malicious emails sent by threat actors as part of their campaigns. This reduces the overall amount of spam, removes malicious spam, and scans all components of an email (such as sender, subject, attachments, and embedded URLs) to find messages that contain a threat. These capabilities are critical since email is still the number one vector used by threat actors to launch attacks.
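To make the component-by-component scanning described above concrete, here is an added example (not Cisco’s code, and not how Cisco Email Security or Umbrella work internally) that parses a MIME message with Python’s standard `email` library and checks each component the text lists: the sender, the subject, attachment names, and embedded URLs. The URL check against a domain blocklist is the same kind of lookup a web gateway performs. The blocklist entries, the risky attachment extensions, the lure keywords, and both sample messages are constructed for the example and are not real indicators.

```python
"""Constructed example: triage one email by scanning sender, subject,
attachments and embedded URLs, in the style of a mail gateway."""
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

# Constructed stand-ins for a threat-intelligence feed; not real domains.
BLOCKED_DOMAINS = {"invoice-update.example", "secure-login.example"}
# Attachment types that commonly carry macros or executables (assumption).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm"}
# Constructed subject words that suggest a social-engineering lure.
LURE_WORDS = {"urgent", "invoice", "password", "verify"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(msg: EmailMessage) -> List[str]:
    """Collect every http(s) URL found in the text parts of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or "utf-8"
            urls.extend(URL_RE.findall(payload.decode(charset, "replace")))
    return urls


def attachment_names(msg: EmailMessage) -> List[str]:
    """Return the filenames of all parts marked as attachments."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_content_disposition() == "attachment"]


def scan_email(raw: str) -> Dict[str, object]:
    """Inspect each component of the message and return a verdict.

    Hard findings (blocklisted domains, risky attachments, a display name
    that impersonates another domain) lead to 'block'; a lure-like subject
    on its own only leads to 'quarantine'.
    """
    msg = message_from_string(raw, policy=policy.default)
    hard, soft = [], []

    # Sender: real address domain, plus a display name that pretends to be
    # an address at some other domain (a common spoofing pattern).
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    if sender_domain in BLOCKED_DOMAINS:
        hard.append(f"sender domain on blocklist: {sender_domain}")
    if "@" in display_name and display_name.rpartition("@")[2].lower() != sender_domain:
        hard.append(f"display name impersonates another domain: {display_name}")

    # Subject: lure keywords are a weak signal, so they only raise a soft finding.
    subject = str(msg.get("Subject", ""))
    words = set(re.findall(r"[a-z]+", subject.lower()))
    if words & LURE_WORDS:
        soft.append(f"subject contains lure words: {sorted(words & LURE_WORDS)}")

    # Attachments: judge by extension (a real gateway would also detonate
    # or statically analyse the file).
    for name in attachment_names(msg):
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            hard.append(f"risky attachment type: {name}")

    # Embedded URLs: the same domain lookup a web gateway would perform.
    for url in extract_urls(msg):
        host = (urlparse(url).hostname or "").lower()
        if host in BLOCKED_DOMAINS:
            hard.append(f"URL points at blocklisted domain: {url}")

    verdict = "block" if hard else ("quarantine" if soft else "deliver")
    return {"sender": address, "subject": subject,
            "findings": hard + soft, "verdict": verdict}


# Constructed sample messages (not captured mail).
PHISH_EMAIL = """\
From: "accounts@payroll.example" <noreply@secure-login.example>
To: user@corp.example
Subject: Urgent: invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Please review http://invoice-update.example/doc/123 today.

--B1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--B1--
"""

CLEAN_EMAIL = """\
From: Alice <alice@corp.example>
To: bob@corp.example
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon: https://intranet.corp.example/menu
"""

if __name__ == "__main__":
    for raw in (PHISH_EMAIL, CLEAN_EMAIL):
        result = scan_email(raw)
        print(result["verdict"], result["findings"])
```

The split between hard and soft findings is the design choice worth noting: a subject line alone is too weak to justify dropping mail, whereas a blocklisted sender or a macro-enabled attachment is actionable on its own, which mirrors why the text stresses scanning all components together rather than any single one.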
Advanced malware detection and protection technology, such as Cisco AMP for Endpoints, can prevent the execution of malware on the endpoint. It can also help isolate, investigate, and remediate infected endpoints for the one percent of attacks that get through even the strongest defenses.
Emotet’s pivot: From banking to distribution
Quite often in the threat landscape, the stories that grab the headlines are the ones that do something new or novel: a vulnerability is discovered that impacts a large quantity of devices, or an attack against a major organization comes to light.
However, some of the most prevalent threats aren’t the ones that steal the limelight. They may rely on tried and tested methods, rather than the latest and greatest techniques. And this plays into the hands of attackers. Something that can fly under the radar has the potential to grow, where a more attention-grabbing counterpart may not.
Emotet is a perfect example of this. While the headlines have been filled with discussions of threats like WannaCry and NotPetya, Emotet has sat in the background for years. This tactic has served it well as it has grown to become one of today’s most successful threat families.
Emotet’s success lies in the way it has evolved. From “humble” beginnings as a banking trojan, the threat actors quickly pivoted into making the threat a modular platform capable of carrying out a variety of different attacks. Fast forward to today, and other threat families once seen as competitors now use it to spread their wares. And as the threat landscape shifts once again, Emotet appears to be rising to the top of everyone’s radar.
Honor among thieves
What really sets Emotet apart from many threats in today’s threat landscape is not just its reach and modularity, but that the actors behind the threat appear to be shopping it around as a distribution channel for other attack groups.
For instance, we’ve observed situations where Emotet infects a computer only to drop Trickbot onto the system as the payload. In this seemingly contradictory case, Emotet, which has a well-known reputation as a banking trojan, is actually dropping another banking trojan instead of utilizing its own information-stealing modules. Even more interesting is that Trickbot, after being dropped by Emotet, sometimes drops the Ryuk ransomware.
As strange as this may seem, it appears that cooperation between groups could simply come down to the fact that working together leads to the largest paychecks. If Emotet can’t utilize a device to spread further, Trickbot can steal the banking records. If no banking records are found, Ryuk can encrypt the device and demand a ransom. Of course, how long this unholy alliance lasts is anybody’s guess.
Emotet is unlikely to fade away and may very well dominate the threat landscape for the foreseeable future. And if the past is any predictor of the future, Emotet will eventually subside, only to be replaced by another dominant player in the threat landscape.
IoT Machinations: The case of VPNFilter
There have been a number of notable internet-of-things (IoT) related threats in the last decade. There was the Mirai botnet, which infected IP cameras and routers to carry out DDoS attacks. And who can forget baby monitor hacks, where parents walk into the nursery to hear hackers talking to their children after breaking into the device?
Like it or not, from smart assistants to internet-connected hospital devices, IoT has entered our homes and businesses. Unfortunately, in many cases, proper security practices have been overlooked in the process. As a result, we’ve seen such devices targeted by malicious actors.
Download Cybersecurity Threat Report
Would you like to know more about what the latest study reveals about CISO successes, shortcomings, and future challenges? Download the Cybersecurity Threat Report on defending against today’s critical threats, or contact us for free advice.