Setting the Stage: Landscape Shifts Dictate Future Threat Response Strategies

A broader and deeper threat landscape greeted 2016, a playing field shaped by the technologies and attack models introduced the year before. 2015 laid the groundwork for what we can now consider the new status quo in cybersecurity. Will current security strategies hold up against this paradigm, or will organizations need to change course?

Dissecting Data Breaches

Data breaches do not end with the scandal. If 2015's incidents are any guide, we can expect more potent follow-on attacks built on compromised data. Users affected by the Ashley Madison breach, for example, not only had to endure embarrassment; they also faced rounds of online extortion after their personal data was publicly leaked. The Milan-based IT company Hacking Team also had a rough year: its leaked data, which included a trove of vulnerabilities and exploits, was used in cyberattack campaigns in Japan and Korea.

[Read: Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan… on July 1]

Biggest breaches of 2015 (record counts and some organization names were not captured on this page)

Organization                   | Industry         | Record type                            | Records lost
Premera Blue Cross             | Healthcare       | Personal information, financial data   | (not captured)
(not captured)                 | Government       | Personal information                   | (not captured)
(not captured)                 | Healthcare       | Personal information                   | (not captured)
Hacking Team                   | IT               | Trade secrets                          | Undetermined
UCLA Health System             | Healthcare       | Personal information, medical records  | (not captured)
Excellus BlueCross BlueShield  | Healthcare       | Personal information, financial data   | (not captured)
(not captured)                 | Business Service | Personal information                   | (not captured)
Ashley Madison                 | Commercial       | Personal information                   | (not captured)

The previous year's top reported incidents were consistent with our analysis of data breaches: healthcare remained the most affected industry, with the Anthem and Premera Blue Cross breaches the most notable incidents. Combined, they exposed over 90 million patient records, including Social Security numbers, clinical data, and some financial details.

At the federal level, the U.S. Office of Personnel Management (OPM) breach, one of the largest government-related breaches in US history, exposed the personal information of around 21.5 million people, including current and former federal employees.

[Read: Follow the Data: Dissecting Data Breaches and Debunking the Myths]

Perpetrators who compromise sensitive data are a diverse group: insiders, individual criminals, and organized and state-sponsored groups. Stolen data is commonly used for financial fraud, identity and intellectual property theft, espionage, revenge, blackmail, and extortion.

The eventual penalty of having sensitive data stolen is high and some victims (identity theft and fraud victims, for instance) are left suffering for years through no fault of their own. - Numaan Huq, Senior Threat Researcher

Pawn Storm Zero-Days and Other Vulnerabilities

The Hacking Team breach led to the discovery of several zero-day vulnerabilities in Adobe Flash, Windows, and Java. The same platforms were also targeted with other zero-days by Pawn Storm, a long-running cyberespionage campaign we have been monitoring since 2014.

Pawn Storm is known to pair zero-day exploits with credential phishing in its attacks. The targets of this ongoing campaign include high-profile personalities in the United States and Ukraine, and even political figures in Russia.

[Read: Operation Pawn Storm: Fast Facts and the Latest Developments]


Although not zero-days, other notable vulnerabilities discovered during the year exposed weaknesses in mobile platforms. The Android MediaServer vulnerabilities, for instance, allowed attackers to render devices silent or trap them in an endless reboot loop.

[Read: MediaServer Takes Another Hit with Latest Android Vulnerability]

Attackers leverage vulnerabilities and weaknesses in all platforms. They just need a way to get in. Enterprises must be very watchful of vulnerabilities in the core software and plug-ins that they use. A focused and continuous vulnerability assessment program must be complemented by a configuration assessment program. - Pawan Kinger, Director, Deep Security Labs

Deep Web and Underground Explorations

The regional cybercrime trends of 2015 paint a picture of a thriving global underground economy, which should concern not only the security industry but also international law enforcement. The Russian and Chinese markets remain the global leaders in crimeware development. Forays into the Chinese underground reveal technical advances in credit card skimming and in services for querying stolen data.

[Read: Prototype Nation: Innovations in the Chinese Cybercriminal Underground]


Newer marketplaces, such as those in Brazil and Japan, are slowly building communities of would-be cybercriminals. Because penalties for cybercrime in Brazil are relatively lenient, underground players there operate brazenly through public channels and social media. Japan is the opposite: strong law enforcement action against organized criminal groups may drive young, tech-savvy recruits to move their operations underground.

[Read: Think, Learn, Act — Training for Aspiring Cyber Criminals in the Brazilian Underground]

Should both marketplaces move deeper into darknets, it will be crucial for law enforcement to partner with security researchers to keep tabs on illegal activity that threatens the safety and well-being of citizens.

Anonymity in the Deep Web will continue to raise issues and to draw the interest of both law enforcement and Internet users who want to circumvent government surveillance and intervention. Right now there is a race between "extreme libertarians" and law enforcement agencies, with the former looking for new ways to become even more anonymous and untraceable.

As such, security defenders like Trend Micro need to continue keeping tabs on the Deep Web as its role in the Internet and the real world grows. - Vincenzo Ciancaglini, Senior Threat Researcher

Smart Technology Nightmares

The debate over the safety of IoT (Internet of Things) devices may have been settled in 2015, as hacks on smart technology came to the fore. Our homegrown GasPot research, honeypots that emulated automated gas tank monitoring systems, drew actual attacks: 20 in six months. If attackers from across the globe could tamper with these devices, what else could they do to fully automated systems?

[READ: The GasPot Experiment: Hackers Target Gas Tanks]

We also studied Škoda Auto's SmartGate system and found that it is possible to tamper with a smart car's data from within wireless range. Other researchers demonstrated successful attacks, such as the Jeep Cherokee hack that showed it was possible to kill a vehicle's engine in the middle of a highway. These incidents put pressure on device manufacturers to weigh user safety and security as they make their products connectivity-ready.

[READ: Is Your Car Broadcasting Too Much Information?]

Given their susceptibility to attack, IoT devices inside the enterprise ecosystem can become liabilities. Android already suffers from fragmentation problems of its own; IoT devices run on an even wider variety of platforms, which makes device and system updates, as well as data protection, more complex than ever.

[READ: 2016 Trend Micro Security Predictions: The Fine Line]

The Internet of Things can be a venue for innovation and new possibilities, but it can also be used to break basic notions of privacy and confidentiality. Companies should endeavor to keep the interests of users in mind, otherwise, I can foresee government regulations being used to protect consumers. This may have consequences that we cannot predict. - Raimund Genes, Chief Technology Officer

The 2015 Threat Landscape

The Trend Micro Smart Protection Network™ blocked over 52 billion threats in 2015, a 25% decrease from 2014. The decrease is consistent with the downward trend in system infections since 2012, which we attribute to attackers becoming more selective about their targets and to shifts in the technologies they use.

[Figure: Total number of threats blocked in 2015]

Despite takedown efforts at the start of the fourth quarter of 2015, the online banking malware DRIDEX still emerged as the top malware we detected by year's end. This is partly because bulletproof hosting providers kept its C&C infrastructure online. It is crucial not only to block these servers but also to identify and take them down.

Angler dominated the exploit kit scene throughout 2015. The reason is Angler's design, which makes it easy to integrate the kit into cybercriminal operations and campaigns such as Pawn Storm.

Rounding out the prominent malware threats of the year is ransomware. Over twelve months it evolved not only in functionality but also in its modus operandi and its choice of targets.
