New Research Reveals Top Tactics Behind Today’s Cyber Attacks

For over 15 years, IBM X-Force has been tracking trends and emerging threats. Today we released the 2013 Mid-Year Trend and Risk Report, which highlights some of our key findings.

While vulnerability statistics, attack trends, and data breaches are all covered in detail, one of the more interesting points of discussion is a look at the psychology and social engineering around how these attacks are implemented. We explore how attackers have learned to capitalize and take advantage of the human factor in trust relationships.

Attackers are Optimizing Tactics

Attackers are optimizing their operations around several key initiatives, including taking the path of least resistance to reach the largest number of potential targets with the minimal amount of exploit effort.

For example, attackers are optimizing:

  • The exploitation of trust via social media.
  • Coordinated operations that leak user data and exploit weak entry points into global brands, such as foreign local-language or franchise sites.
  • Mobile malware targeting Android devices as that market expands.
  • Takeover of central, strategic targets to reach and exploit a broader base of end users.
  • Diversion and distraction techniques that throw security administrators off track while targets are breached under cover.

Download: IBM X-Force 2013 Mid-Year Trend and Risk Report

Consider the following…

As technology began its meteoric rise alongside humanity, the maturity and understanding of how we react to each other face-to-face was left behind. Suddenly we were getting schooled on how to send proper emails. Companies began programs to teach users how to respond through technology so that conversations did not leave a harsh, two-dimensional trail of requests. Users had to begin learning new phrases like spam, phishing and spear-phishing. In one quick decade, the way we create and transact business with each other changed drastically.

How is this relevant to today’s ever-changing technology?

Rise in Exploitation of Trusted Relationships

In this quickening pace of technology, it is imperative for security professionals to understand how attackers are taking advantage of trust in relationships to breach an organization, target groups of users, and create methods of diversion.

Attackers today are operating more like marketing organizations in professional enterprises, leveraging metrics such as return on investment (ROI) and search engine optimization (SEO) to gain higher click-through rates with maximum reach, and ultimately to optimize their capital gain.

Shattered or diminished trust relationships also continue to affect business practice. Some examples:

  • Enterprises that trust that the correct security procedures and policies are implemented on their networks, but are shown otherwise by continuing high breach activity.
  • Users who trust that a company is protecting their personal data.
  • Enterprises that “want to trust” the growing wave of infrastructure that is social media and mobile, as it expands the fluidity of our lives.
  • Network and security admins who trust that “old attack methods and historic vulnerabilities” are not as important as other, more current issues.
  • Software developers and technical, security-savvy people who visit a trusted site without thinking that they have to protect themselves from drive-by downloads.

Each of these areas of diminished trust is enabling attackers to quickly employ operational sophistication in ways that advance their intentions and efforts.

Methods of Operational Sophistication

In the previous IBM X-Force 2012 Trend and Risk Report, we discussed the idea of operational sophistication versus technical sophistication. Throughout the first half of 2013, we observed a continuation of this trend in both the type of breaches that have occurred and the motivations behind them.

Security incidents and data breach activity continue into the year, crossing many geographies and industries. In the first half of 2013, security incidents have already surpassed the total number reported in 2011 and are on track to surpass 2012.

2013 H1 Security Incidents

A sampling of global security incidents by attack type and industry from the first half of 2013
2013 H1 Geography of Security Incidents

A sampling of global security incidents by geography from the first half of 2013

Many of the breaches reported in the last year were a result of poorly applied security fundamentals and policies, and could have been mitigated by putting some basic security hygiene into practice. Attackers seem to be capitalizing on this “lack of security basics” by using a model of operational sophistication that allows them to increase their return on exploit. The fact that even basic security hygiene is not upheld in organizations leads us to believe that, for a variety of reasons, companies are struggling with a commitment to apply basic security fundamentals.

Poisoning the Waterhole

An interesting area where a trust relationship has taken a turn is the attack technique called a “waterhole.”

Focusing on a central, strategic target, such as a special-interest website heavily frequented by a select group of potential victims, is an effective and optimized means of exploitation for attackers. These central targets may not always have strong security solutions and policies deployed, and even if they do, the cost of figuring out how to get through them is worth the opportunity to compromise the user base.

These “watering hole” attacks are a great example of how operational sophistication is being used to reach targets that were not previously susceptible. By compromising the central site and using it to serve malware, attackers are able to reach more technically savvy victims who may not be fooled by phishing attempts, but would not suspect that sites they trust could be malicious.

Distraction and Diversion Techniques

Another very popular technique given new life in the last two years is the distributed denial-of-service (DDoS) attack.

While disruptive and damaging on their own, DDoS attacks can also be used as a distraction, allowing attackers to breach other systems in the enterprise while IT staff are forced to make difficult risk-based decisions, possibly without visibility of the full scope of what is occurring. Attackers have demonstrated enhanced technical sophistication in the area of DDoS, using methods that increase the bandwidth at their disposal as a new and powerful way to halt business by interrupting online services, as well as new techniques for evading DDoS mitigation.

The banking industry has been heavily attacked, causing downtime and business interruptions for online banking customers. An interesting emerging trend in DDoS targets has been unfolding since June, in which many DNS providers have reported service interruptions and downtime. Open DNS resolvers, which serve a legitimate purpose, can also allow attackers to amplify DDoS attacks to create a huge burst of traffic directed at a single target. Several prominent DNS providers were knocked offline, impacting their own business and customers while serving as unwilling accomplices in large-scale DDoS attacks. Attacks on DNS providers are another example of compromising central, strategic targets to reach a larger group of potential victims.
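As an added defender-side illustration (constructed here, not taken from the report), the fragment below contrasts a BIND 9 resolver configuration that answers recursive queries from anyone, which is what makes a resolver “open” and usable as an amplifier, with one that restricts recursion to the networks it actually serves and rate-limits responses. The address ranges are documentation placeholders, and the two `options` blocks are alternatives rather than one file.

```conf
// Constructed BIND 9 named.conf fragments (example added here, not from the report).
// The two "options" blocks are alternatives; a real named.conf contains only one.

// WEAK: any source on the Internet may send recursive queries, so the server
// will answer large responses toward whatever (spoofed) address asks for them.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };
};

// HARDENED: recursion only for the networks this resolver is meant to serve.
// The prefixes are RFC 5737 documentation ranges used as placeholders.
acl "served-nets" {
    localhost;
    192.0.2.0/24;
    198.51.100.0/24;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { served-nets; };
    allow-recursion { served-nets; };
    // Response Rate Limiting (BIND 9.10 and later): cap identical answers per
    // client prefix so a spoofed victim receives a trickle instead of a flood.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
```

After the change, a query for a name the server is not authoritative for, sent from outside `served-nets`, should be refused rather than answered; that refusal is the check that the resolver is no longer open.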

Disenfranchised Far from Home

Additional operational sophistication was seen in attacks on major global corporations through breaches of franchises or local-language sites in countries outside the corporate headquarters. These satellite sites are not always secured to the same standard as the home office. By going after a weaker point of entry into larger enterprises, attackers were able to reach and tarnish well-known brands. This can result in a reputation hit as well as legal implications for leaking sensitive customer data. These types of leaks affected the food, consumer electronics, automotive, and entertainment industries in particular.

Social Media – A Tool for Business, Reconnaissance and Attacks

Social media has quickly become the new playground and a top target for attacks, and we see mobile devices expanding those targets in different ways.

Criminals are selling accounts on social networking sites, some belonging to actual people whose credentials were compromised, others fabricated and designed to be credible through realistic profiles and a web of connections. At a minimum, these accounts are used to inflate page ‘likes’ or falsify reviews; more insidious uses include hiding one’s identity to conduct criminal activities: the online equivalent of a fake ID, but with testimonial friends adding to the deception.

IBM X-Force expects to see these newer applications of social engineering become more sophisticated as attackers create complex internetworks of identities while refining the art of deceiving victims. Users must adopt a mindset of “guilty until proven innocent” when it comes to social media, and companies should engender suspicion to protect users and assets.

Technology advancements and controls are available, and best practices continue to be refined and taught, but ultimately the trust a user believes they have may circumvent anything security practitioners put in place.

Recent Advances in Android Malware

In the past few years, there has been explosive growth in Android devices, and malware authors are turning their attention to that area of growth.

As the number of users who own and operate Android devices rapidly expands, so too have malware authors increased their efforts to take advantage of this larger market. Older mobile devices are even more vulnerable, as only 6% of Android devices are running the latest version of the platform, which has the security enhancements needed to combat these threats.

For the rest of 2013, X-Force expects to see the number of Android malware apps continuing to rise. We also anticipate that the degree of sophistication for this malware will eventually rival those found in desktop malware. There could be more improvements to combat malware in future versions of Android, but we believe that OS fragmentation (older versions that are being used as much as newer ones) will remain a problem.

Android Malware and Security Settings

Android Chuli malware (left) and Android 4.2 OS security enhancements (right)

Zero-day Attacks in 2013 H1

Another example of how attackers are increasing their return on exploit is in the way they are targeting cross platform services to reach a maximum number of potential targets.

It is worth noting that almost 80% of the zero-day vulnerabilities covered by IBM X-Force in the first half of 2013 affected Microsoft Windows and Apple Mac OS X. Nearly half also affected some Linux distributions. This cross-platform reach emphasizes the operational sophistication that has been utilized for widespread exploitation.

Exploit Effort vs. Potential Reward

As cyber-attacks intensify, monitoring the numerous vulnerability disclosures every day becomes daunting. Within IBM X-Force, we track publicly issued vulnerabilities through a triage process to identify which ones are most likely to be used by an attack, and then determine which ones require deeper research.

By performing this review, we recognize that all vulnerabilities are characterized by two factors: the “potential reward” of the exploit that entices the attacker, and the “exploit effort to achieve” that deters the attacker from further development. The exploit-probability matrix is devised by charting “exploit reward” and “exploit effort to achieve” along its axes. By assigning vulnerabilities to the appropriate quadrant, it becomes clear which are favored by attackers.

As illustrated in the exploit-probability matrix, easy exploitation with high potential reward (also known as target impact) is still the sweet spot for the most prevalent attacks.

2013 H1 Exploit Matrix

X-Force Trends by the Numbers

In the first half of 2013, we entered just over 4,100 new publicly reported security vulnerabilities. If this trend continues throughout the rest of the year, the projected total would approach 8,200 vulnerabilities, virtually the same number we saw in 2012.

2013 Vulnerability disclosures by year

Web application vulnerabilities, which have been on the rise in recent years, are down slightly in 2013. More than half of all web application vulnerabilities are cross-site scripting.

2013 H1 Web application vulnerabilities by attack technique

The most prevalent consequence of vulnerability exploitation for the first half of 2013 was “gain access,” at 28 percent of all vulnerabilities reported. In most cases, gaining access to a system or application gives the attacker complete control over the affected system, which allows them to steal data, manipulate the system, or launch other attacks from that system.

2013 H1 Consequences of exploitation

Among the countries where malware is distributed, we see that the United States dominates the scene by hosting more than 42 percent of all malicious links. The geography with the second-highest concentration of malicious links is Germany, with nearly 10 percent.

June 2013 Top malware hosting countries

The top three campaign themes observed enticing users to click on bad links and attachments in emails are Internet payment companies, social networks, and internal scanners or fax devices. Together these three focus areas account for more than 55 percent of all scam and phishing incidents.

Scam phishing targets by area

As discussed throughout the report, while attackers continue to optimize their operational sophistication, a return to security basics is still one of the most effective strategies to mitigate both long-established and evolving techniques.

Read the latest research and analysis from IBM X-Force

Leslie Horacek

IBM X-Force Offering Manager for Security Content and Research

Leslie Horacek is the X-Force Offering Manager for Security Content and Research and has worked in IT security since 1999. She has held various roles as a QA engineer, product manager and strategist, creating a diverse and complementary skill set that plays a pivotal role across the IBM Security portfolio.