Once the threat is in position, it installs a back door on a target’s system, providing adversaries with persistent access.
Web Attack Methods: “Long Tail” Snapshot Reveals Threats That Users Can Easily Avoid
The so-called long tail of the web attack methods spectrum (Figure 20) includes a collection of lower-volume malware types that are employed at a later stage in the attack chain: installation. In this phase, the threat that has been delivered—a banking Trojan, a virus, a downloader, or some other exploit—installs a back door in the target system, providing adversaries with persistent access and the opportunity to exfiltrate data, launch ransomware attacks, and engage in other mischief.
The threats listed in Figure 20 are samples of malware signatures found outside the top 50 most commonly observed malware types. The long tail of web attack methods is, essentially, a snapshot of threats that are quietly at work on a machine or system after a successful attack. Many of these infections were first spawned by an encounter with malicious adware or exposure to a well-crafted phishing scam. These are situations that users can often easily avoid or quickly remediate.
Vertical Risk of Malware Encounters: Attackers See Value Across the Board
In the Cisco 2016 Midyear Cybersecurity Report, a key message about the risk of malware was that “no vertical is safe.” Judging from our researchers’ periodic examination of attack traffic (“block rates”) and “normal” or expected traffic by industry, this message held true in the latter half of the year.
In looking at verticals and their block rates over time (Figure 21), we see that, at some point over the course of several months, every industry has been subject to attack traffic and at varying levels. It’s clear that as attacks rise and fall, they affect different verticals at different times, but none are spared.
Regional Overview of Web Block Activity
Adversaries frequently shift their base of operation, searching for weak infrastructure from which they can launch their campaigns. By examining overall Internet traffic volume and block activity, Cisco threat researchers can offer insight on where malware is originating.
As Figure 22 shows, traffic from the United States edged up slightly from the block rates seen in the Cisco 2016 Midyear Cybersecurity Report. The United States houses the far greater share of blocks, but this should be considered a function of the country’s far greater share of online traffic. In addition, the United States is one of the world’s largest targets of malware attacks.
The takeaway for security professionals: Much like the vertical web block activity, the regional web block activity shows that malware traffic is a global problem.
Time to Detection: An Essential Metric for Measuring Defenders’ Progress
Cisco is continually refining our approach to measuring TTD so that we can ensure we are tracking and reporting the most accurate estimate of our median TTD. Recent adjustments to our approach have increased our visibility into files that were categorized as “unknown” when first seen and then later identified as “known bad” after continuous analysis and global observation. With a more holistic view of data, we are better able to pinpoint when a threat first emerged and exactly how long it took for security teams to determine that it was a threat.
This new insight helped us to determine that our median TTD was 39 hours in November 2015. (See Figure 23.) By January 2016, we had reduced the median TTD to 6.9 hours. After collecting and analyzing data for October 2016, our threat researchers determined that Cisco products had achieved a median TTD of 14 hours for the period from November 2015 to October 2016. (Note: The median TTD figure for 2016 is the average of the medians for the period observed.)
The median TTD fluctuated throughout 2016 but trended downward overall. Increases in the median TTD indicate times when adversaries launched a wave of new threats. The subsequent decreases reflect periods where defenders gained the upper hand and could identify known threats quickly.
Figure 23 also shows that the median TTD was about 15 hours by the end of April 2016, which is greater than the 13-hour figure we reported in the Cisco 2016 Midyear Cybersecurity Report.¹⁴ That 15-hour figure is based on data collected from November 2015 through April 2016. It was not derived using our modified approach to analyzing more detailed retrospective information about files. Using the new midyear TTD figure, we can report that TTD declined to about 9 hours for the period from May through October 2016.
Reviewing retrospective data is important not only for determining a more accurate measure of our median TTD, but also for studying how threats evolve over time. Numerous threats in the landscape are particularly evasive and can take a long time to identify even though they are known to the security community.
Adversaries will evolve certain malware families to avoid detection and increase their time to operate. This tactic hinders defenders’ progress in gaining, and then maintaining, an edge in detecting many types of known threats. (For more on this topic, see “Time to Evolve: For Some Threats, Change Is Constant,” page 34). However, the fact that cybercriminals are evolving their threats frequently and rapidly indicates that they are facing intense and constant pressure to find ways to keep their threats operating and profitable.
Cisco defines “time to detection,” or TTD, as the window of time between a compromise and the detection of a threat. We determine this time window using opt-in security telemetry gathered from Cisco security products deployed around the globe. Using our global visibility and a continuous analytics model, we are able to measure from the moment malicious code runs on an endpoint to the time it is determined to be a threat for all malicious code that was unclassified at the time of encounter.
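The TTD definition above, worked through on constructed telemetry as an added example (not Cisco's code or data): only files that were unclassified when first seen contribute, a file's TTD runs from first execution to conviction, the monthly figure is the median, and the period figure is the average of the monthly medians, as the report notes. Record fields, hash labels and timestamps are all assumed sample values.

```python
from datetime import datetime
from statistics import median

# Constructed sample telemetry (not Cisco data). One record per file hash:
# when it first ran on an endpoint, its disposition at that moment, and when
# retrospective analysis convicted it as malicious (None = not yet).
TELEMETRY = [
    {"hash": "sample-01", "first_seen": "2015-11-02T08:00", "at_encounter": "unknown", "convicted": "2015-11-03T14:00"},
    {"hash": "sample-02", "first_seen": "2015-11-10T00:00", "at_encounter": "unknown", "convicted": "2015-11-12T00:00"},
    {"hash": "sample-03", "first_seen": "2015-11-20T06:00", "at_encounter": "unknown", "convicted": "2015-11-20T18:00"},
    # Already known bad when first seen: that is a block, not a detection
    # delay, so it carries no TTD.
    {"hash": "sample-04", "first_seen": "2015-11-21T09:00", "at_encounter": "malicious", "convicted": "2015-11-21T09:00"},
    {"hash": "sample-05", "first_seen": "2015-12-01T00:00", "at_encounter": "unknown", "convicted": "2015-12-01T06:00"},
    {"hash": "sample-06", "first_seen": "2015-12-15T12:00", "at_encounter": "unknown", "convicted": "2015-12-15T22:00"},
    # Still unclassified: no conviction yet, so no TTD can be measured.
    {"hash": "sample-07", "first_seen": "2015-12-20T00:00", "at_encounter": "unknown", "convicted": None},
]

def ttd_hours(rec):
    """Hours from first execution on an endpoint to conviction for one file."""
    t0 = datetime.fromisoformat(rec["first_seen"])
    t1 = datetime.fromisoformat(rec["convicted"])
    return (t1 - t0).total_seconds() / 3600

def monthly_median_ttd(records):
    """Median TTD per month (YYYY-MM of first sighting), over files that were
    unclassified at encounter and have since been convicted."""
    by_month = {}
    for rec in records:
        if rec["at_encounter"] != "unknown" or rec["convicted"] is None:
            continue
        by_month.setdefault(rec["first_seen"][:7], []).append(ttd_hours(rec))
    return {m: median(v) for m, v in sorted(by_month.items())}

def period_ttd(monthly):
    """The report's figure for a period is the average of the monthly medians,
    not the median over every file in the period."""
    return sum(monthly.values()) / len(monthly)

if __name__ == "__main__":
    monthly = monthly_median_ttd(TELEMETRY)
    for month, hours in monthly.items():
        print(f"{month}: median TTD {hours:.1f} h")
    print(f"period: {period_ttd(monthly):.1f} h (average of monthly medians)")
```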
Time to Evolve: For Some Threats, Change Is Constant
Cybercriminals use various obfuscation techniques to keep their malware strong and profitable. Two common methods they employ are evolving their payload delivery types and quickly generating new files (defeating hash-only detection methods). Our researchers closely examined how adversaries have used these two strategies to help six well-known malware families—Locky, Cerber, Nemucod, Adwind RAT, Kryptik, and Dridex—evade detection and continue compromising users and systems.
Through our analysis, we sought to measure the “time to evolve” (TTE): the time it takes adversaries to change the way specific malware is delivered and the length of time between each change in tactics. We analyzed web attack data from different Cisco sources—specifically, web proxy data, cloud and endpoint advanced malware products, and composite antimalware engines.
Our researchers looked for changes in file extensions delivering the malware and the file content (or MIME) type as defined by a user’s system. We determined that each malware family has a unique pattern of evolution. For each family, we examined the patterns in both web and email delivery methods. We also tracked the ages of unique hashes associated with each malware family to determine how quickly adversaries are creating new files (and thus, new hashes).
Through our research, we learned that:
- Ransomware families appear to have a similar rotation of new binaries. However, Locky uses more file extension and MIME combinations to deliver its payload.
- Some malware families employ only a handful of file delivery methods. Others use 10 or more. Adversaries tend to use effective binaries over long periods. In other cases, files pop up and then drop off quickly, indicating that the malware authors are under pressure to switch tactics.
- The Adwind RAT and Kryptik malware families have a higher median TTD. (For more on TTD, see page 33.) We also see a greater mix of file ages for these families. This suggests that adversaries reuse effective binaries that they know are difficult to detect.
- Looking at the file ages for the Dridex malware family, it appears that the shadow economy may be abandoning use of this once-popular banking Trojan. In late 2016, detection volume for Dridex declined, as did the development of new binaries to deliver this malware. This trend suggests that the malware’s authors no longer see value in evolving this threat—or that they have found a new way to package the malware that has made it harder to detect.
TTE and TTD
The six malware families we analyzed in our TTE study are listed in Figure 24. The chart depicts the median TTD for the top 20 malware families (by detection count) that our researchers observed from November 2015 to November 2016. Our average median TTD for that period was about 14 hours. (For details on how we calculate TTD, see page 33.)
Many of the malware families that Cisco products are detecting within the median TTD are industrialized threats that spread quickly and are therefore more prevalent. Cerber and Locky, which are both types of ransomware, are examples.
Old and pervasive threats that adversaries don’t bother to evolve much, or at all, are also typically detected below the median TTD. Examples include malware families like Bayrob (botnet malware), Mydoom (a computer worm that affects Microsoft Windows), and Dridex (the banking Trojan).
In the following sections, we present research highlights on TTE and TTD for the Locky, Nemucod, Adwind RAT, and Kryptik malware families. Detailed findings for Cerber and Dridex are included in the Appendix on page 78.
TTE Analysis: Locky
Through our TTE research, we learned that Locky and Cerber employ a limited number of file extension and MIME combinations to deliver malware through the web or by email. (See Figure 25.) We observed several combinations that included file content types related to Microsoft Word (msdownload, ms-word). However, the associated file extensions (.exe and .cgi) did not point back to a Word file. We also identified content types that pointed to malicious .zip files.
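The TTE method described earlier (tracking distinct extension/MIME combinations and the age of each hash at block time) and the Locky finding just above (a Word content type carrying an .exe or .cgi), as an added example on constructed block records; this is not Cisco's code or data. The family name, hash labels, timestamps and the table of which extensions a MIME type legitimately carries are assumptions for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed block records (not Cisco data): family, extension of the
# delivered file, MIME type the client recorded, hash label, when that hash
# was first seen anywhere, and when this particular block happened.
BLOCKS = [
    ("Locky", ".zip", "application/zip",    "h1", "2016-07-01T00:00", "2016-07-01T10:00"),
    ("Locky", ".exe", "application/msword", "h2", "2016-07-02T00:00", "2016-07-02T05:00"),
    ("Locky", ".cgi", "application/msword", "h3", "2016-07-03T00:00", "2016-07-05T12:00"),
    ("Locky", ".js",  "text/javascript",    "h4", "2016-06-01T00:00", "2016-07-10T00:00"),
    ("Locky", ".zip", "application/zip",    "h1", "2016-07-01T00:00", "2016-07-11T00:00"),
    ("Locky", ".zip", "application/zip",    "h5", "2016-07-12T00:00", "2016-07-13T12:00"),
]

# Extensions a MIME type is expected to carry (assumed table for this
# example). A combination outside it is a mismatch worth a closer look.
EXPECTED_EXT = {
    "application/zip": {".zip"},
    "application/msword": {".doc", ".dot"},
    "text/javascript": {".js"},
}

def delivery_combos(blocks, family):
    """Distinct (extension, MIME) pairs seen delivering one family, with counts."""
    return Counter((ext, mime) for fam, ext, mime, *_ in blocks if fam == family)

def mismatched_combos(combos):
    """Pairs whose extension does not belong to the recorded MIME type."""
    return {c for c in combos if c[0] not in EXPECTED_EXT.get(c[1], set())}

def hash_age_buckets(blocks, family):
    """Age of each blocked hash at block time, bucketed as the report does:
    under a day, 1 to 2 days, or older."""
    buckets = Counter()
    for fam, _ext, _mime, _h, first_seen, blocked in blocks:
        if fam != family:
            continue
        delta = datetime.fromisoformat(blocked) - datetime.fromisoformat(first_seen)
        age_days = delta.total_seconds() / 86400
        buckets["<1d" if age_days < 1 else "1-2d" if age_days <= 2 else ">2d"] += 1
    return buckets

if __name__ == "__main__":
    combos = delivery_combos(BLOCKS, "Locky")
    print("combinations:", dict(combos))
    print("mismatched:", mismatched_combos(combos))
    print("hash ages:", dict(hash_age_buckets(BLOCKS, "Locky")))
```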
Both Locky and Cerber also appear to use new binaries frequently as an attempt to evade file-based detection. File ages for the Locky malware family are shown in Figure 26. The top half of the chart depicts the ages of files that were observed during a specific month. The bottom portion of the chart shows monthly changes in the volume of Locky-related hashes, both new and previously observed files.
In Figure 26, also note the decline in volume in June as well as the distribution of file ages. The Necurs botnet, which was known to deliver Locky, was taken down in June. This likely sidelined the malware authors’ efforts to keep the malware fresh during that month. However, it’s clear that they recovered quickly. By July, the malware had returned to its more standard mix of file ages with the majority (74 percent) being less than a day old when first detected.
The rapid cycling of binaries for this ransomware is not surprising. Instances of Locky and Cerber are often detected either on the same day they are introduced or within 1 to 2 days after, making it imperative for adversaries to evolve these threats continually if they want them to remain active and effective. (Figure 24, discussed earlier, shows that Cisco products detected both Locky and Cerber ransomware within the median TTD in 2016.)
Figure 27 shows the median TTD for Locky ransomware, which declined dramatically from about 116 hours in November 2015 to just under 5 hours in October 2016.
TTE Analysis: Nemucod
In 2016, Nemucod was the most frequently detected malware among the top 20 families shown in Figure 24. Adversaries use this downloader malware to distribute ransomware and other threats, such as backdoor Trojans that facilitate click fraud. Some variants of Nemucod also serve as engines for delivering the Nemucod malware payload.
One reason Nemucod malware was so prevalent in 2016, according to our threat researchers, is that its authors frequently evolved this threat. Cisco identified more than 15 file extension and MIME combinations associated with the Nemucod family that were used to deliver malware through the web. Many more combinations were used to deliver the threat to users through email (Figure 28).
Several file extension and MIME combinations (web and email) were designed to point users to malicious .zip files or archives. Adversaries also reused many combinations during the months we observed.
As Figure 29 shows, many Nemucod hashes are less than 2 days old when they are detected. In September and October 2016, almost every binary related to the Nemucod family that was blocked was less than a day old.
TTE Analysis: Adwind RAT
Cisco threat researchers found that Adwind RAT (remote access Trojan) malware is delivered through file extension and MIME combinations that include .zip or .jar files. This is true whether the malware is being delivered through the email or web attack vector. (See Figure 31.)
Adwind RAT used a wide range of hash ages throughout most of the period observed in 2016, except during September and October, when most files seen were 1 to 2 days old (Figure 32).
We also found that the median TTD for Adwind RAT is consistently higher than the median TTD for other malware families we analyzed (Figure 33). The malware’s authors have apparently developed hard-to-detect delivery mechanisms that keep Adwind RAT successful. Therefore, they don’t need to rotate through new hashes as frequently or as rapidly as the actors behind other malware families do. The Adwind Trojan is also known by other names, such as JSocket and AlienSpy.
TTE Analysis: Kryptik
Kryptik, like Adwind RAT malware, had a median TTD that was consistently higher (about 20 hours) than other malware families Cisco analyzed for the TTE study from November 2015 through October 2016 (Figure 36). However, by October, Cisco products had reduced the median TTD window for Kryptik malware to less than 9 hours (Figure 36).
The Kryptik malware family also used a wider range of hash ages than the other malware families we analyzed, particularly during the first half of 2016. The ability of Kryptik’s authors to rely on older hashes for so long indicates that defenders had trouble detecting this malware type.
During the period that we observed, Kryptik’s authors employed a wide range of payload delivery methods through the web attack vector. The authors used JavaScript files and archive files such as .zip files in file extension and MIME combinations for both web and email. (See Figure 34.) Some of the combinations date back to 2011.
In our analysis of the six malware families, we find that adversaries must shift tactics frequently to take advantage of the small window of time during which their threats can operate successfully. These adjustments indicate that defenders are getting better at detecting known malware quickly, even after a threat has evolved. Attackers are under pressure to find new ways to avoid detection and keep their campaigns profitable.
In this complex landscape of rapid evolution, where all malware families behave differently, human expertise and point solutions are not enough to identify and respond quickly to threats. An integrated security architecture that provides real-time insight into threats, along with automated detection and defense, is essential for improving TTD and ensuring swift remediation when infections occur.