Cybercrime gets easier, attribution gets harder

Threat actors are gaining capabilities by adopting cutting-edge tools rather than by building technical expertise, according to Websense. Redirect chains, code recycling and a host of other techniques let these actors remain anonymous, which makes attribution time-consuming, difficult and ultimately unreliable.
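Even when the final hop of a redirect chain cannot be attributed to anyone, the chain itself can be reconstructed from your own proxy logs and used as a detection signal. The following Python is an added example, not code from the Websense report: it parses a handful of constructed proxy log lines (the four-field format of client, requested URL, HTTP status and Location header is an assumption), stitches each client's redirects into chains, and flags chains that hop too often or cross too many distinct domains.

```python
"""Reconstruct HTTP redirect chains from proxy log lines and flag long ones.

Added example, not from the Websense report. The log format is constructed
for illustration: one whitespace-separated line per request with the fields
client, requested URL, HTTP status, Location header ("-" when absent).
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: one client walks a four-site chain to an exploit-kit
# landing page; another just gets an http -> https redirect on an intranet host.
SAMPLE_LOG = """\
10.0.0.5 http://news-portal.example/article 302 http://ad-track.example/r?id=7
10.0.0.5 http://ad-track.example/r?id=7 302 http://cdn-mirror.example/js/lib.js
10.0.0.5 http://cdn-mirror.example/js/lib.js 301 http://landing-xyz.example/ek/
10.0.0.5 http://landing-xyz.example/ek/ 200 -
10.0.0.9 http://intranet.example/login 302 https://intranet.example/login
10.0.0.9 https://intranet.example/login 200 -
"""


def parse_log(text):
    """Turn log lines into dicts; '-' means the response carried no Location."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, status, location = line.split()
        records.append({"client": client, "url": url, "status": int(status),
                        "location": None if location == "-" else location})
    return records


def build_chains(records):
    """Follow each client's redirects: requested URL -> Location -> next request.

    Simplification: one record per (client, URL); a repeated request to the
    same URL by the same client overwrites the earlier one.
    """
    by_client = defaultdict(dict)
    for r in records:
        by_client[r["client"]][r["url"]] = r
    chains = []
    for client, reqs in by_client.items():
        targets = {r["location"] for r in reqs.values() if r["location"]}
        # Chain heads are URLs the client requested without being redirected there.
        heads = [u for u in reqs if u not in targets]
        for head in heads:
            chain, seen, cur = [], set(), head
            while cur in reqs and cur not in seen:   # 'seen' guards redirect loops
                seen.add(cur)
                chain.append(cur)
                cur = reqs[cur]["location"]
                if cur is None:
                    break
            if len(chain) > 1:
                chains.append((client, chain))
    return chains


def suspicious_chains(chains, max_hops=2, max_domains=2):
    """Flag chains with more hops or more distinct hostnames than policy allows."""
    flagged = []
    for client, chain in chains:
        hops = len(chain) - 1
        domains = {urlparse(u).hostname for u in chain}
        if hops > max_hops or len(domains) > max_domains:
            flagged.append((client, chain[0], chain[-1], hops, sorted(domains)))
    return flagged


if __name__ == "__main__":
    for client, first, last, hops, domains in suspicious_chains(
            build_chains(parse_log(SAMPLE_LOG))):
        print(f"{client}: {hops} hops {first} -> {last} via {domains}")
```

The thresholds are deliberately conservative defaults; in a real deployment they are tuned against the organisation's own baseline, since legitimate ad networks and CDNs also produce short multi-domain chains.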

Widespread use of older standards in lieu of newer, more secure options continues to leave systems vulnerable and exposed. This brittle foundation lets threats reach into the network framework itself: in 2014 that included flaws in the Bash and OpenSSL code bases and in the SSLv3 protocol.
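The SSLv3 case is the easiest of the three to audit, because it is a configuration choice rather than a code defect: a server that still lists SSLv3 in its protocol set offers it to every client. The following Python is an added example, not code from the Websense report: it scans a constructed nginx-style snippet for `ssl_protocols` directives that still offer legacy versions and rewrites them to a TLS 1.2/1.3-only line (the allowed set is a policy assumption, as is the nginx directive syntax being the only one parsed).

```python
"""Flag and fix legacy TLS protocol settings in web-server config text.

Added example, not from the Websense report. The nginx-style snippet is
constructed for illustration; only the ssl_protocols directive is parsed.
"""
import re

# Policy assumption: SSLv2/SSLv3 are broken and TLS 1.0/1.1 are deprecated,
# so only TLS 1.2 and 1.3 may be offered.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALLOWED = ["TLSv1.2", "TLSv1.3"]

# Constructed weak configuration: SSLv3 and early TLS are still on the menu.
WEAK_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

# Capture the leading indentation and the space-separated protocol list.
DIRECTIVE = re.compile(r"^(\s*)ssl_protocols\s+([^;]+);", re.MULTILINE)


def find_legacy_protocols(config):
    """Return (directive, legacy versions) for every directive still offering one."""
    findings = []
    for m in DIRECTIVE.finditer(config):
        offered = m.group(2).split()
        bad = [p for p in offered if p in LEGACY]
        if bad:
            findings.append((m.group(0).strip(), bad))
    return findings


def harden(config):
    """Rewrite every ssl_protocols directive to the allowed versions only."""
    def repl(m):
        return f"{m.group(1)}ssl_protocols {' '.join(ALLOWED)};"
    return DIRECTIVE.sub(repl, config)


if __name__ == "__main__":
    for directive, bad in find_legacy_protocols(WEAK_CONFIG):
        print(f"legacy protocols {bad} in: {directive}")
    print(harden(WEAK_CONFIG))
```

Removing the protocol line is only half the job: the hardened configuration must be reloaded and the listener re-tested from outside, since a stale process keeps serving the old settings.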

“Cyber threats in 2014 combined new techniques with the old, resulting in highly evasive attacks that posed a significant risk for data theft,” said Charles Renert, vice president of security research for Websense. “In a time when Malware-as-a-Service means more threat actors than ever have the tools and techniques at hand to breach a company’s defenses, real-time detection across the Kill Chain is a necessity.”

Cybercrime just got easier

In this age of Malware-as-a-Service (MaaS), even entry-level threat actors can successfully create and launch data-theft attacks, thanks to easier access to exploit kits for rent, malware subscriptions, and other opportunities to buy or subcontract portions of a complex, multi-stage attack.

In addition to easier access to cutting-edge tools, malware authors are blending new techniques with old ones, producing highly evasive attacks. Even where the source code and exploit are unique and advanced, much of the remaining attack infrastructure is recycled and reused across the criminal ecosystem.

Digital Darwinism: Surviving evolving threats

Threat actors have focused on the quality of their attacks rather than quantity. Websense Security Labs observed 3.96 billion security threats in 2014, 5.1 percent fewer than in 2013. Yet the numerous breaches of high-profile organizations with large security investments attest to the effectiveness of last year's threats.

Attackers have restructured their methodology to reduce their threat profile, becoming less linear in how they follow the traditional Kill Chain. Such attacks are harder to detect because stages are skipped, repeated or only partially applied. As a result, activity at individual stages varied widely: just as spam probe activity concentrates on the first stages of the Kill Chain, some later stages saw more activity than in the previous year and others much less.

Avoid the attribution trap

Attribution is particularly difficult given the ease with which attackers can spoof information, circumvent logging and tracking, or otherwise remain anonymous. Analysis of the same circumstantial evidence often leads to widely different conclusions, so the valuable time following an attack is better spent on remediation.