Cybersecurity is in a state of constant change. The attack surfaces on which cybercriminals capitalize are as versatile as the overall development of information technology. Insight into both attackers and this attack surface is essential. Only by knowing what a threat looks like can we defend ourselves and our customers from ever-changing digital risks.
The necessity of insight brings with it a challenge. The causes of a data breach can occur at any layer and corner of an infrastructure. Solutions to IT problems are rarely “one size fits all” — and that rule holds for cybersecurity in particular.
On the other hand, patterns can be identified. While the causes of two data breaches are seldom identical, attackers and their methods have enough in common to categorize risk areas.
In this article, we will be focusing on the latter. An overview of the most common attack types and causes is not only valuable, but also challenging to create.
The information needed to lay out security trends has only been centralized on a large scale for a few years. The individual reasons for this add up to an important context for understanding the state of global cybersecurity and cybercrime in 2021.
Therefore, we start off by exploring said reasons — and run into the dilemma called security oversight.
First steps
In the report ‘Cyberthreats: a 20-year retrospective’, security vendor Sophos looks back at the trends that have marked the security landscape since the breakthrough of the Internet.
The organization states that 2005 marks the beginning of the large-scale commercialization of cybercrime. Virus propagation in the years before 2005, it argues, revolved instead around small-scale gain, curiosity, disruption and notoriety.
In part, Sophos’ assertion is confirmed by the creation of ILOVEYOU, a worm widely known as the world’s first massive, global malware threat.
ILOVEYOU was not created to rob large companies. Onel de Guzman, a 24-year-old student at the time, developed the worm to steal passwords from accounts that provided access to the Internet, thus allowing him to use the Internet for free.
Initially, De Guzman took precautions to limit the functionality of ILOVEYOU to his home town. After local distribution proved particularly successful, De Guzman withdrew said precautions. Not out of anger, aggression or envy; as he declared in an interview with Wired on September 12, 2020, curiosity was the culprit that led to billions of dollars in global damage in the same year the worm was developed.
De Guzman wanted to see what ILOVEYOU was capable of. It is plausible that the curiosity which sparked his debacle played an increasingly smaller role in the motivations of malware developers in the years following ILOVEYOU. Questions about the potential of malware were answered by the undeniable destruction of Code Red, Nimda, SQL Slammer, Blaster and dozens of other worms that followed in ILOVEYOU’s footsteps between 2000 and 2004.
Between 2005 and 2013, the world was forcefully introduced to giant botnets used for mass referral to fraudulent websites and for DDoS attacks on anti-spam websites. The purposes and processes of malware broadened. Curiosity gave way to financial motives. Banking trojans, which focus on the theft of personal data, saw the light of day. The concept of malvertising — where a frequently visited website is infiltrated and modified to redirect visitors to malware sites — was born.
More market, more data
Cybercrime took on the colour of money. Attack types broadened — and cybersecurity broadened accordingly. Whereas the global cybersecurity market was worth only 3 billion euros in 2004, U.S. organizations collectively spent more than 35 billion euros ($40.8 billion) on cybersecurity in 2019. Furthermore, Gartner recently predicted that global spending on risk management and security will reach $150.4 billion by the end of 2021.
The emergence of giant security vendors is a consequence of the above. In the days of the ILOVEYOU worm, few dared to dream of security firms with thousand-strong departments. Nowadays, enormous vendors like Trend Micro, Palo Alto Networks, Check Point Software, Fortinet and Zscaler are a reality.
These vendors take care of the digital defence of millions of organizations worldwide. Information about attackers and attacks is of particular relevance to them, so that information is centralized, used to develop defences, and reported on in terms of the attack types and vulnerabilities encountered.
Cybercrime grew, security vendors grew, and more importantly: detailed reporting on attack types and vulnerabilities became increasingly available. The latter is of the utmost importance for this article, as it allows us to arrive at the beginning of an answer to the question of the state of cybersecurity in 2021.
Malware types according to vendors
Some vendors use the networks of customers as nodes to register global attacks. Reporting is done in part through threat maps. These maps paint a picture of the threat landscape at a level of detail unprecedented in the ’00s and ’10s. Geographic data is somewhat limited, as the locations of attackers are usually hidden via VPNs. On the other hand, information on the forms and operation of malware is accurate.
For example, Check Point’s ThreatCloud threat map claims to be able to categorize attacks on 150,000 global network nodes based on malware type. The most recent findings came to light in a report which states that 150,000 traced networks were attacked by the following malware forms between January 2020 and December 2020:
- Botnet (28 percent)
- Cryptominers (21 percent)
- Infostealer (16 percent)
- Mobile (15 percent)
- Banking (14 percent)
- Ransomware (5 percent)
Available data on the distribution of the entry points these attacks targeted — also known as attack vectors or attack surfaces — is limited to two categories: web and email.
- 83 percent of global attacks on Check Point tracked networks occurred via email in 2020.
- A meager 17 percent via “web,” which includes third-party apps.
Impressive but limited
With 150,000 network nodes, Check Point’s threat map is considered one of the larger data sources security experts use to report on attack types and vulnerabilities. Yet both Check Point’s threat map and that of any other vendor have a major flaw: the primary data source is limited to the networks of customers with whom the vendor does business. As a result, the findings can hardly be called representative.
Probing every network in the world would theoretically bridge the gap, but is highly illegal. Hence, a holistic, definitive overview of the world’s major attack types and vulnerabilities remains just out of reach. The good news is that multiple roads lead to Rome.
Growing market, growing voice
As well as a growing centralization of threat intelligence among security vendors, cybersecurity’s market growth expresses itself through a growing representation of executives with a technical background, such as CISOs.
This growing group is surveyed annually by VMware Carbon Black to outline an alternative picture of the cybersecurity landscape. Unlike the aforementioned vendor service-based reports, the insights of VMware Carbon Black’s ‘Global Security Insights Report’ are not derived from anonymized cloud data, but from the voices of thousands of CIOs, CTOs and CISOs.
In the most recent survey, VMware Carbon Black asked 3,542 CIOs, CTOs and CISOs from 14 different countries and diverse industries about their experience with cybercrime and security. Their insights reveal that eight in 10 organizations were affected by a data breach between 2019 and 2020. Attack types were ranked in order of frequency:
- Cloud-based attacks accounted for 10 percent of the attacks suffered. Such attacks have the theft of data stored in the cloud in common.
- Ransomware attacks accounted for 9 percent. VMware Carbon Black highlights a notable doubling from the previous June 2020 report, when the share of ransomware attacks was only 4.5 percent.
- 9 percent of the occurrences revolved around attacks on a third-party app. In the Netherlands, this attack type peaked at number one with 15 percent.
The question about the causes that led to the success of the above attack types was answered as follows:
- Vulnerabilities in third-party applications appear to be the most common cause of international data loss (14.4 percent). In the Netherlands, 36 percent of all data breaches were due to these vulnerabilities.
- Non-payment of a ransomware ransom follows in position two (14.3 percent).
- Outdated security technology and vulnerabilities in processes share position three (14 percent).
- Vulnerabilities in operating systems were mentioned the least often (8 percent).
Learning from the differences
The overall growth of cybercrime is one of the few points on which the reports from Check Point, VMware Carbon Black and others agree. The malware types named vary drastically, as do the causes.
At a glance, that information does not help you much. In reality, the diversity of perceived attack and breach types is perhaps the most telling aspect of today’s landscape.
Both the spread and the demise of the ILOVEYOU worm, an early global virus threat we cited at the beginning of this article, were caused by Windows 2000 endpoint security. That world is long gone. While it would be wonderful to be able to point to one developer as the responsible party for countering every existing and future cyber threat, the infrastructures on which businesses are built consist of increasingly diverse applications and processes, each with increasingly diverse origins.
Information technology is diversifying – and cybercrime is diversifying along with it. There is no such thing as a ‘primary’ attack type or vulnerability. Every data breach has a price; every cause can consist of multiple attack types and vulnerabilities, and every cyber risk is worthy of attention.
How do we move forward?
A key question. On April 5, 2021, Gartner summarized a series of security trends with promising, comprehensive solutions. Some of the most interesting topics can be found below.
- The so-called ‘cybersecurity mesh’, a concept introduced by Gartner, stands out. Like “zero trust,” the idea behind the cybersecurity mesh revolves around a strategy rather than a technology. Cybersecurity has traditionally been accomplished by barricading entire infrastructures off from the outside world. Cybersecurity mesh encompasses an approach in which the individuals and devices on a network are individually barricaded off.
- In addition, Gartner suggests that a stronger representation of (ex-)cybersecurity professionals on the boards of organizations can make a difference.
- Gartner also identifies the potential of a strategy for centralizing security tools purchased from vendors. Gartner’s 2020 CISO Effectiveness Survey shows that 78 percent of CISOs have tools from 16 or more vendors in their portfolio. Attention to the centralization of this portfolio can eliminate risks.
- Finally, there is Breach Attack Simulation, or BAS: a promising, emerging market with solutions for testing security measures and the overall resilience of an organization. It is similar to penetration testing, but with an emphasis on cost-effective automation and long-term training.