Today’s threats are so rampant and complex that preventing them appears no longer enough. In fact, experts say they are inevitable. Compounded by the cybersecurity skill gap, they present a slew of risks to an organization’s bottom line, operations, and reputation. To address these, enterprises are increasingly shifting their approach by complementing defensive measures with proactive detection and incident response strategies. This means that while organizations may not avert all breaches or cyberattacks, they can be better equipped to prepare for, mitigate, manage, and be resilient against these potentially damaging events.
But what has been bringing about this shift? What factors have been driving organizations to incorporate detection, response, and remediation to their cybersecurity defenses? We look at some of the defining moments in the threat landscape that helped steer organizations toward implementing more proactive incident response strategies.
The Cascade virus (also known as Herbstlaub in Germany) appears. It is so named because once it’s activated, the string of letters on the screen cascades down to the bottom of the screen. Cascade is coded to avoid infecting IBM computers but a coding mistake ironically lets it spread across nearly all computers of an office in Belgium. The emergence of Cascade prompts the development and public release of antivirus (AV) software.
The Lehigh virus (or command.com virus) affects the system file required for booting a computer running a disk operating system (DOS). Named after the university where it was discovered, it is one of the first data-wiping viruses. In response, the university’s computer center sends an alert to students and faculty members. The author of the virus also notifies other universities about its impact.
The Morris worm wreaks havoc with its denial-of-service (DoS) and propagation mechanisms, reportedly crashing 10 percent of computers on the internet. It is one of the first to significantly affect the then nascent backbone of the internet. The incident sheds light on the need for coordinated responses to emergencies in cyberspace, prompting experts to establish what will be known as computer emergency response teams (CERTs). The Morris worm also lays the groundwork for many of the threats that organizations will contend with in the coming years and decades.
The AIDS Trojan (aka Aids Info Disk or PC Cyborg trojan) surfaces, becoming arguably the first piece of ransomware. Its creator distributes 20,000 floppy-disk copies of the trojan to attendees of the World Health Organization’s AIDS conference. It works by counting the number of times the computer is booted; once it reaches 90, it will hide directories and encrypt filenames on the C drive. After analyzing the trojan’s code, experts develop a decryption tool named AIDSOUT, which is made available for free.
Polymorphic viruses emerge in the form of Chameleon (aka 1260 or V2P1), created by its author by building on the earlier Vienna and Cascade viruses’ capabilities. Chameleon’s code changes with every infection. This renders contemporaneous AV solutions ineffective, since they rely on matching simple patterns (that is, pieces of known virus code). In response, experts create special algorithms to detect and block polymorphic viruses — these algorithms will remain vital components in AV solutions.
The Michelangelo virus creates cybersecurity panic, since it’s expected to cause significant damage. In reality, it doesn’t. Nonetheless, Michelangelo is a turning point. It is one of the early viruses to use a time bomb, with the payload triggering at a predetermined time or date. This technique will become a staple for evading traditional sandboxes. At the same time, several methods will be created to defuse these time bombs, such as using virtual machines and analyzing logs.
The drive-overwriting CIH virus (aka Chernobyl or Spacefiller) is reportedly written, though it won’t be until April 26, 1999, that its payload triggers. CIH is believed to spread through pirated software, although it also, perhaps inadvertently, makes its way to commercially shipped software. The impact: 250,000 affected computers and US$250 million in damage in South Korea alone. The author of CIH apologetically releases an antivirus against it. The CERT Coordination Center (CERT/CC) issues an advisory, including best practices on recovering systems.
The infamous Melissa macro virus is released, eventually causing over US$80 million in damage worldwide. Melissa places a heavy burden on email servers, incessantly emailing itself to unwitting recipients. High-profile enterprises and government agencies temporarily shut down their email gateways to mitigate the network traffic congestion. Incident response experts provide recommendations, including the use of email filters against Melissa.
The ILOVEYOU (aka Love Bug or Love Letter) worm demonstrates the adverse impact of social engineering, enticing victims with a seemingly heartwarming missive. ILOVEYOU hides and overwrites files, then emails itself to the victim’s contact list in Microsoft Outlook. It kicks off a tsunami of emails that crashes email servers, affecting 55 million computers and causing over US$1 billion in damage. The impact of ILOVEYOU prompts government agencies to improve their coordination capabilities and enterprises to harden their security defenses.
The year marks the rise of vulnerability-exploiting worms, including Code Red I and II, Klez, Nimda, Sadmind, and Sircam. They exploit security flaws in Solaris and Microsoft Internet Information Services (IIS) servers. Code Red, in particular, becomes a wake-up call to businesses worldwide, costing US$2.6 billion in productivity loss and server cleanup. These worms underscore to businesses the importance of patching and securing the network, particularly against threats that exploit unsecured network shares.
Beast, originally a remote access tool, is developed. It is among the first pieces of malware to incorporate techniques that will become mainstays in many later backdoors, such as built-in functionalities that can bypass firewalls and terminate AV software. These evasion methods are countered with mechanisms such as network traffic inspection and protocol analyzers.
Backdoors and worms become more endemic as more security flaws are reported. DoS attacks become large-scale — so much so that one worm, SQL Slammer, hits more than 75,000 computers in just 10 minutes. The Blaster worm makes headlines when it disrupts some of the government services in the U.S. state of Maryland. SoBig.F becomes the fastest spreading virus yet. These instances spur system and network administrators to have better foresight with regard to how they respond to network-based malware.
Mydoom (aka Shimg or Novarg) reteaches a lesson on network security. Delivered via emails and file-sharing applications, it becomes the fastest spreading virus ever. Mydoom’s extent is far-reaching: One in every 49 emails is Mydoom-laced, it slows down search engines, and it forces at least one company to relocate to a new domain. At its peak, Mydoom accounts for 20 to 30 percent of all internet traffic. Tools for system administrators are created to specifically block Mydoom. Incident responders counter with network traffic filters and firewalls to block Mydoom’s backdoor component.
Mobile malware starts gaining traction against Symbian devices. Most are offshoots of the proof-of-concept Cabir that was released the year before. Commwarrior becomes the first mobile phone virus that spreads through Multimedia Messaging Service (MMS). It won’t be until 2010, arguably the advent of smartphones, that hackers will begin cashing in on their malware.
Storm Worm emerges, combining the tactics of a worm, a trojan, and a botnet. At its peak, it accounts for 8 percent of all malware infections, becoming one of the most prolific threats of 2007 and 2008. Storm Worm sets off a wave of research on mitigating peer-to-peer botnets. The infamous ZeuS/ZBOT trojan is also uncovered at this time, stealing data from a number of organizations in various industries.
The Koobface worm appears, affecting the Windows, Mac OS X, and Linux platforms and even social media sites. Like ZeuS/ZBOT, Koobface constitutes a paradigm shift: Cybercriminals will keep pace with technology and exploit and abuse its security gaps. Koobface is also a reflection of the real-life significance of actionable threat intelligence that law enforcement and enterprises can use to stamp out cybercrime.
Conficker (aka Downad) worms its way into as many as 9 million vulnerable computers, spawning several variants and picking up new tricks in the process. Security experts, law enforcement agencies, the Internet Corporation for Assigned Names and Numbers (ICANN), and domain registrars around the world combine efforts to thwart Conficker’s developers from using thousands of domains algorithmically generated daily to communicate with the worm’s command-and-control (C&C) hosts. Conficker, however, will continue to be a perennial problem for enterprises.
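The Conficker entry above describes defenders racing to block thousands of algorithmically generated rendezvous domains per day. The example below is added here and is not part of the original article, nor does it reproduce Conficker's actual generation algorithm; it shows the defender's side, a simple heuristic that scores DNS query logs for domain names that look machine-generated (long, few vowels, high character entropy, resolving to NXDOMAIN) and flags clients that query several such names. The log format, the sample lines, the thresholds, and the naive "second-to-last label" rule for the registered domain are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not real traffic). Assumed format per line:
# "<timestamp> <client_ip> <queried_name> <response_code>"
SAMPLE_LOG = """\
2009-03-31T10:00:01 10.0.0.5 www.example.com NOERROR
2009-03-31T10:00:02 10.0.0.5 mail.example.com NOERROR
2009-03-31T10:00:02 10.0.0.5 wwww.example.com NXDOMAIN
2009-03-31T10:00:03 10.0.0.7 qkzxavlmwtrp.net NXDOMAIN
2009-03-31T10:00:03 10.0.0.7 jhdtqnxvgrpw.org NXDOMAIN
2009-03-31T10:00:04 10.0.0.7 wxcvlprmtkoz.info NXDOMAIN
2009-03-31T10:00:05 10.0.0.7 zptrvbnkqxmw.biz NXDOMAIN
2009-03-31T10:00:06 10.0.0.8 hkqzlmvtrpwn.com NXDOMAIN
2009-03-31T10:00:07 10.0.0.9 update.vendor-example.com NOERROR
"""


def registered_label(qname):
    """Return the label directly left of the TLD (naive: ignores multi-part
    public suffixes such as co.uk; an assumption made for this example)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Character entropy in bits; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s):
    """Share of alphabetic characters that are vowels; pronounceable names
    sit well above 0.25, many generated labels fall below it."""
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in "aeiou" for c in letters) / len(letters)


def domain_indicators(label, rcode):
    """Return the list of weak indicators a single query exhibits.
    No single indicator is decisive; the caller requires several."""
    indicators = []
    if len(label) >= 10:
        indicators.append("long")
    if vowel_ratio(label) < 0.25:
        indicators.append("few_vowels")
    if shannon_entropy(label) >= 3.0:
        indicators.append("high_entropy")
    if rcode == "NXDOMAIN":
        indicators.append("nxdomain")
    return indicators


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, client, qname, rcode = line.split()
    return {"ts": ts, "client": client, "qname": qname, "rcode": rcode}


def analyze(log_text, min_indicators=3, min_hits_per_client=3):
    """Return (suspicious_qnames, flagged_clients). A client is flagged only
    after several suspicious lookups, so one odd typo does not raise an alert."""
    suspicious = []
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = registered_label(rec["qname"])
        if len(domain_indicators(label, rec["rcode"])) >= min_indicators:
            suspicious.append(rec["qname"])
            per_client[rec["client"]].append(rec["qname"])
    flagged = sorted(c for c, names in per_client.items()
                     if len(names) >= min_hits_per_client)
    return suspicious, flagged


if __name__ == "__main__":
    names, clients = analyze(SAMPLE_LOG)
    print("suspicious lookups:", names)
    print("clients to investigate:", clients)
```

Requiring at least three indicators keeps a long but legitimate name like `vendor-example` (long, high entropy, but vowel-rich and resolvable) out of the alert list, while the per-client threshold separates a host burning through many failed random-looking lookups from one that mistyped a single hostname.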
Stuxnet comes into view. It is the first worm to target supervisory control and data acquisition (SCADA) systems, prompting discussions on securing industrial infrastructure. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) conducts on-site assessments and forensics at Stuxnet-infected facilities. Several patches are issued to fix the security flaws Stuxnet exploits.
Data breaches become more prominent, including security incidents involving RSA and Sony. Cybercriminal activities burgeon with the monetization of stolen information. Politically charged campaigns are also observed. SpyEye, a banking trojan, swipes US$3.2 million in the first half of the year. There are 3.5 threats detected per second, or 12,600 per hour.
Targeted attacks and data breaches become more common. The Middle East-targeting Flame data stealer and wiper comes to light, taking cues from Stuxnet’s modus operandi. Disttrack (aka Shamoon) affects the workstations of an oil firm. By this time, the number of pieces of malware affecting Android devices has reached 350,000. While exploit kits have been around since as early as 2006, they start gaining momentum in the form of Blackhole 2.0. Ransomware becomes a buzzword, apparently succeeding the extortion tactics of FAKEAV malware and Reveton/Police Trojans.
A rash of spam emails starts delivering the CryptoLocker ransomware, one of the first to scramble the infected system’s files and take them hostage. CryptoLocker’s operators reportedly earn millions. This apparently lucrative business model will drive ransomware’s maturity. Exploit kit and ransomware developers start banding together. The emergence of CryptoLocker and its ilk highlights the significance of defense in depth for organizations, particularly their system administrators.
Sony Pictures suffers a major cybersecurity incident that leaks the personally identifiable data of its staff and wipes parts of its online infrastructure. Point-of-sale (PoS) malware also flourishes, having victimized Target with a data breach that will cost the company as much as US$18.5 million. The Sony hack and Target breach propel discussions on incorporating preventive and remediation strategies that enterprises can adopt to better prepare against cyberattacks, if not avoid the same pitfalls.
Data breaches become more potent, affecting the healthcare industry the most with the exposure of more than 90 million patient records. A bevy of zero-day vulnerabilities are dumped and then weaponized in cyberespionage campaigns. The cybercriminal underground develops into a hotbed of illicit activity. Internet-of-things (IoT) devices and smart technologies succumb to hacks. By the end of the year, Angler has dominated the exploit kit scene, delivering a plethora of threats to unwitting victims.
The number of ransomware families in 2016 increases drastically year on year. Ransomware takes on many forms and business models and has various capabilities. By this time, business email compromise (BEC) schemes have caused over US$3 billion in global losses. More zero-day vulnerabilities are uncovered and disclosed. The Mirai IoT botnet disables several high-profile websites, and its impact elevates conversations on IoT security. Yahoo discloses a record-breaking data breach from 2013 that exposed 3 billion user accounts.
Cryptocurrency mining becomes the most prevalent network event in devices connected to home routers. Email remains a common infection vector for malware and other threats, with BEC scams reaching US$5 billion in global losses. The growth of ransomware reaches a plateau, but the scope of damage from WannaCry, Petya, and Bad Rabbit is unprecedented. Potent exploits and hacking tools are still used. Mobile ransomware and banking trojans continue to thrive.
As the threat landscape’s history shows, response to cybersecurity incidents has tended to be reactive. This approach is hardly effective, especially in light of the realization that systems have become so complex and malware has become so prevalent that it seems almost impossible to keep pace with the need to thwart threats. Consequently, the scale, scope, and diversity of recent, current, and emergent threats warrant nothing less than a proactive incident response strategy.
The shift in motivations — from juvenile mischief and innocuous fame to cybercrime and cyberespionage — is also driving organizations to constantly adapt to the ever-growing myriad of threats that risk their bottom line, operations, and reputation.
And with the upcoming implementation of the EU General Data Protection Regulation (GDPR), the stakes are becoming higher for organizations, especially against threats that may not be visible to traditional security solutions. This is particularly true for those that don’t have the resources, skills, or time to actively monitor their online perimeters. Complementing defense in depth with a proactive incident response strategy arms enterprises with actionable intelligence and insights that can help them actively hunt for, detect, analyze, and respond to threats and malicious activities.