Cisco report sheds light on advanced persistent threat trend

10 Aug 2011

Data breaches during the first half of this year were “seemingly nonstop”, with advanced persistent threats playing a key role in many of the breaches, according to the latest security report from Cisco.

The latest Global Threat Report from the networking company found that the rate of unique instances of malware more than doubled during the second quarter of 2011. In March, the number was 105,536; by June there were 287,298 unique instances, Cisco found.

Based on the number of events triggered by intrusion prevention systems, the company said denial of service (DoS) attempts increased during the same period.

The report went into more detail about advanced persistent threats, a type of malware fast becoming part of cyber-security language but one which, for all the publicity around it, Cisco said is not well understood.

“The key lies in its ability to remain surreptitious: It must enable the attacker to remotely manipulate a system while remaining virtually invisible to standard defences,” the report said, adding that detecting APTs is not easy. Given the way they operate, there is no “silver bullet” for identifying them in a network.

“If we could identify APTs by a software signature, we wouldn’t need to call them ‘advanced persistent threats’,” said Gavin Reid, manager of the Computer Security Incident Response Team (CSIRT) at Cisco. “If anyone attempts to sell your organisation a hardware or software solution for APTs, they either don’t understand APTs, don’t really understand how computers work, or are lying – or possibly all three.”

Scepticism surrounds APTs

Mostly because of the difficulty in detecting APTs, the report acknowledges that some were sceptical about their very existence. It said this changed following Google’s disclosure in January 2010 that it had experienced an APT on its own network and reported “at least 20 other large companies” had been similarly targeted.

“Today, the challenge isn’t in proving that APTs exist – the challenge is to separate the APT from other malware and forensically identify it in a timely manner,” the report said. Acknowledging there was no easy answer, Reid advised treating them like any other tough security problem. “The solutions may be complex, but the methodology is simple: Identify what your available options are, and then execute.”

In other findings, global spam volumes remained fairly steady throughout the first half of 2011, with a slight decrease observed in the second quarter. Phishing levels as a percentage of all unsolicited email increased, and were 4pc of the total spam volume during May.

Summing up the threat landscape, Cisco said: “The first half of 2011 witnessed a seemingly nonstop array of data breaches directed at companies, and sometimes individuals, across many sectors.”

The report also remarked on the shift away from attacks carried out purely for theft to incidents of hacktivism. “In many of the breach incidents, customer data was stolen and publicly published. In some of those cases, the attackers claimed the motive was to shed light on security issues. But in other cases of stolen and published customer data, attackers claimed to be doing it for the ‘lulz’,” it said.

Gordon Smith was a contributor to Silicon Republic