Trustwave released the 2017 Trustwave Global Security Report which reveals the top cybercrime, data breach and security threat trends from 2016. The report demonstrates both good and bad news in the world of cybersecurity as intrusion detection and breach containment times were relatively better, but other threats like malvertisements became cheaper and malicious spam saw increases.
Intrusion detection gets better, especially when breaches are self-detected: The median number of days from an intrusion to detection of a compromise decreased to 49 days in 2016 from 80.5 days in 2015, with values ranging from zero days to almost 2,000 days (more than five years). For internally detected incident the median was 16 days, while 65 was the median number of days for externally detected incidents.
Once detected, victims contain breaches relatively quickly: The median number of days from detection to containment was 2.5 in 2016 with values ranging from −360 days, meaning the intrusion ended 360 days before detection, to 289 days. In cases where containment occurred after detection, the median duration was 13 days from detection to containment.
Intrusion containment remains stagnant: The median number of days from an intrusion to containment of a compromise stayed relatively the same at 62 days in 2016 compared to 63 days in 2015.
North America and retail lead in data breaches: Similar to previous years, 49% of data breaches investigated by Trustwave were in North America, while 21% were in Asia-Pacific, 20% in Europe, Middle East and Africa, and 10% in Latin America. The largest single share of incidents involved the retail industry, at 22%, followed closely by the food and beverage industry, at nearly 20%.
POS breaches increase: Environments most breached in 2016 again consisted of corporate and internal networks, at 43%. Incidents affecting POS systems increased to 31% in 2016, from 22% in 2015, while incidents affecting e-commerce environments fell to 26% from 38%. Incidents involving POS environments were most common in North America, which has been slower than much of the world to adopt the EMV payment card standard.
Payment card data most at risk: More than half of the incidents investigated targeted payment card data: Card track (also called magnetic stripe) data, at 33% of incidents, primarily came from POS environments. Card-not-present (CNP) data, at 30%, mostly came from e-commerce transactions. Financial credentials, including account names and passwords for banks and other financial institutions, accounted for 18% of incidents, followed by other targets.
Attackers seek stiff prices for their zero-day vulnerabilities: In 2016, Trustwave discovered an alleged undisclosed Windows zero-day vulnerability and accompanying exploit code on sale for an initial price of $95,000.
Exploit market disruption: The most common exploit kits in the world — Angler, Magnitude and Nuclear — disappeared or went private in 2016, leading to a shakeup of the exploit kit market.
Malvertisements get dirt cheap: In 2016, the estimated cost for cybercriminals to infect 1,000 vulnerable computers with malvertisements was only $5 — less than $.01 per vulnerable machine. Malicious advertising remains the number one source of traffic to exploit kit landing pages.
Malware tries to hide itself: 83% of malware samples Trustwave examined in 2016 used obfuscation, while 36% used encryption.
Malware-laden spam creeps up: In 2016, 35% of spam messages contained malware, up from 3% in 2015. Meanwhile, 60% of all inbound email was spam, up from 54% in 2015.
Database flaws increase: Database vendors patched 170 vulnerabilities in the most common database products in 2016, up from 139 vulnerabilities in 2015.
Applications are almost always vulnerable: 99.7% of web applications Trustwave application scanning services tested in 2016 included at least one vulnerability, with the mean number of vulnerabilities detected being 11 per application.
“Cybersecurity in 2016 had both highlights and lowlights. As our data breach investigations and threat intelligence show attackers continue to evolve their tactics and focus on extreme paydays as cybercrime becomes more like genuine businesses. Meanwhile security skills and talent remain scarce. As an industry, we must continue to focus on key areas like threat detection and response, security scanning and testing and cloud security services that provide meaningful layers of protection from constantly evolving threats,” said Trustwave CEO and President Robert J. McCullen.