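2020 Latest Attacks and Threats Report: Digital Infrastructure Building and Risk Early Warning Under the Impact of the Pandemic - SANS (English edition) (19 pages).pdf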

SANS Institute Information Security Reading Room

SANS Top New Attacks and Threat Report

John Pescatore

Copyright SANS Institute 2020. Author Retains Full Rights. This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

A SANS Whitepaper
Written by John Pescatore
April 2020
Sponsored by: Anomali, Cisco Systems, Cyberinc, DomainTools, InfoBlox, Mandiant Security Validation, RSA, Unisys

Introduction

The impact of the COVID-19 outbreak has reinforced the fact that physical-world incidents can be far more damaging than cyber world attacks. However, the coronavirus has also highlighted two other key points:

- A secure and resilient digital infrastructure is necessary to survive medical and environmental catastrophes.
- The time to address the top threats and risks is before they begin having an impact.

There are many places to find backward-looking statistics of how many attacks were launched in cyberspace. Forward-looking guidance areas that security managers should focus on are harder to find. In times of economic uncertainty, it is even more critical for security teams to prioritize resources to increase effectiveness and efficiency in dealing with known threats while also minimizing the risk from emerging attacks.

For the past 14 years, the SANS “Five Most Dangerous Attacks” expert panel at the annual RSA Conference [1] has filled that gap. This SANS whitepaper begins with a baseline of statistics from three of the most reliable sources of breach and malware data; then it summarizes the expert advice from the SANS instructors on the RSA panel, detailing the emerging threats security teams should look out for in 2020 and beyond and what to do about them.

2020 Breach and Threat Baseline Data

Vulnerabilities and attacks don't really pay attention to the calendar: New Year's Day doesn't bring a drastic change in threats. So, it is important to look back to understand what has become commonplace in order to predict what will be the likely types and areas of new threats.

Many threat reports are published each year, but there are only a few sources that aren't tied to specific vendor solutions and that use consistent methodologies year over year. SANS has found the Identity Theft Resource Center (ITRC) Annual Breach Report, [2] the Microsoft Security Intelligence Report (SIR) [3] and the Center for Internet Security's Multi-State Information Sharing and Analysis Capability (MS-ISAC) [4] have been consistently useful through the years.

The ITRC has been tracking publicly disclosed breach information in the US since 2005 and uses a consistent methodology that provides enough visibility and repeatability to make meaningful year-to-year comparisons. About half of the breaches counted do not disclose the number of records exposed, so the absolute value of the numbers underestimates the totals, but still gives a good view of trends.

As noted in Table 1, the total number of breaches in 2019 increased 17% over 2018 after declining 23% the previous year. [5] At first glance, the data shows that the total number of sensitive records exposed dropped by 65%. However, a small number of very large breaches skews the data. In 2018, the 383 million record breach of the Marriott Corporation reservation system alone is responsible for more than double the total number of records exposed in 2019. Similarly, there was one mega breach in 2019, the Capital One breach of 100 million records, which represented 99% of all financial records exposed last year. If we remove those two mega breaches from the calculation, the total number of records exposed in 2019 dropped 26% compared with 2018. This is a continuance of last year's trend of smaller organizations being targeted. Overall, many large enterprises have improved their defenses against attacks based on malware installation, making the standard data exfiltration attack more difficult.

Table 1. ITRC Comparison of Breaches in 2018 and 2019 [6]
Data Breaches and Records Exposed per Industry per Year

| Industry | 2019 Number of Breaches | 2019 Sensitive Records Exposed | 2019 Non-Sensitive Records Exposed | 2018 Number of Breaches | 2018 Sensitive Records Exposed | 2018 Non-Sensitive Records Exposed |
|---|---|---|---|---|---|---|
| Business | 644 | 18,824,975 | 705,106,352 | 575 | 438,952,056 | 1,570,602,391 |
| Medical/Healthcare | 525 | 39,378,157 | 1,852 | 369 | 10,632,600 | 2,800 |
| Government/Military | 83 | 3,606,114 | 22,747 | 100 | 18,447,924 | 60,085,000 |
| Banking/Credit/Financial | 108 | 100,621,770 | 20,000 | 135 | 1,778,658 | Unknown |
| Education | 113 | 2,252,439 | 23,103 | 78 | 1,414,624 | 39,690 |
| Totals | 1,473 | 164,683,455 | 705,174,054 | 1,257 | 471,225,862 | 1,630,729,881 |

The ITRC data shows that healthcare organizations experienced a big jump in both the number of breaches and the size of the breaches. This is a glaring statistic, given the importance of medical services to deal with the COVID-19 pandemic. Early 2020 reports show an increase in attacks against medical services and related sites.

The ITRC Breach Report supports the calculation of a very useful metric each year: the average number of records exposed per breach. Because the variable costs to the business scale with the number of records exposed, this metric provides a good estimation of the average cost per incident. The average number of records per breach seems to have declined a whopping 70%, from 374,881 in 2018 to 111,801 in 2019. However, removing the two mega breaches from the data lowers this to only a 37% decrease in the average breach size. For breaches in the 50,000-500,000 record range, a rule of thumb estimate of $100 per record in hard costs (not including soft costs such as stock price fluctuation or reputation damage) has proven to be accurate. [7] This indicates that the average cost of a breach in 2019 was about $4.4 million versus $7 million in 2018.

Because the ITRC report focuses on breaches, DoS and “denial of access” attacks such as ransomware and other compromises that don't involve data exfiltration are not represented.

The Microsoft SIR continually collects information from hundreds of millions of Windows devices that are running AutoUpdate and popular built-in tools such as Microsoft's Malicious Software Removal Tool, Safety Scanner, Windows Defender and other sources. The Microsoft SIR is nearly 100%-focused on attacks against Windows PCs and servers, and the majority of successful user-focused attacks are aimed at Windows users. In addition, Windows comprises a large share of the server OS market. The SIR generally comes out twice per year, but as of this writing, Microsoft is providing only an online data analysis site rather than formal reports.

Mirroring the trend across 2018, the latest data from the SIR showed declines in simple malware attacks. However, two key areas showed continued increases: phishing encounters and ransomware attacks.

Highly Targeted Phishing Campaigns

As noted earlier, many enterprises have improved their capability to prevent or more quickly detect and respond to standard malware insertion attacks. That has driven attackers to focus on the vulnerable human beings in the equation: the users of the PCs or the administrators of servers and cloud-based services. Enterprise phishing awareness and education programs and adoption of stronger email and DNS authentication standards have made it more difficult for phishing attacks to succeed. However, phishing attacks have continued to become more sophisticated and more targeted, and use more “channels,” such as text messaging and voice.

The SIR data only shows a minimal year over year growth in phishing encounters (see Figure 1), but you see spikes that represent “campaigns”: targeted waves of phishing against related targets like healthcare or on headline-grabbing events like the COVID-19 virus. As social media and consumer web meeting systems are increasingly used as a result of social distancing, those attacks will increase. Those sites often expose a lot of information that attackers use to create micro-targeted attacks.

[2] “2019 End-of-Year Data Breach Report,” www.idtheftcenter.org/wp-content/uploads/2020/01/01.28.2020_ITRC_2019-End-of-Year-Data-Breach-Report_FINAL_Highres-Appendix.pdf
[4] www.cisecurity.org/ms-isac/
[5] “SANS Top New Attacks and Threat Report,” April 2019, www.sans.org/reading-room/whitepapers/analyst/top-attacks-threat-report-38908, p. 2, Table 1. Registration required.
[6] “2019 End-of-Year Data Breach Report,” www.idtheftcenter.org/wp-content/uploads/2020/01/01.28.2020_ITRC_2019-End-of-Year-Data-Breach-Report_FINAL_Highres-Appendix.pdf
[7] Subscription required.

Ransomware: The Bane of State and Local Agencies

By now, almost everyone understands what ransomware is [9]: attacks that encrypt files and/or executables to disrupt business and later demand payment (the ransom) for the decryption key. Many of those attacks used simple phishing and malware techniques, and improvements in anti-phishing and endpoint detection and response have thwarted these attacks. However, many smaller businesses, and in particular state and local government agencies, have been unable to make the same progress. Attackers quickly shifted to target those vulnerable organizations.

Bottom line: Increasing basic security hygiene is key to avoiding or mitigating the majority of commodity attacks. Advances made at this level have caused the overall number of breaches reported in the US to decrease, as illustrated in Figure 2. Minimizing vulnerabilities is also key to avoiding making the breach list. Organizations should test all software for vulnerabilities before deploying it in production environments. Further, they should regularly scan all server, PC and network device configurations for discrepancies against secure standards.

[Figure 1. Percentage of Phishing Emails in 2019 [8]. Chart of the percentage of detected phishing emails out of total emails analyzed worldwide, by month, January 2019 to December 2019.]

[Figure 2. Ransomware Attacks in 2019 [10]. Chart by month, January 2019 to January 2020, annotated with Month-over-Month Change and Same Month Last Year Change.]

The attacks that cause the most damage to each corporate victim are the highly targeted attacks, and those continue to increase and are often impossible to completely prevent. The key to minimizing damage from advanced targeted attacks is quicker detection of suspicious events, leading to faster and more surgical mitigation actions. The use of endpoint detection and response tools and advanced capabilities such as browser isolation technology can augment basic security hygiene with damage minimization or prevention capabilities. Consuming and analyzing accurate and timely threat intelligence should be a key input to optimizing security processes, updating playbooks and making security resource decisions.

Ransomware Drill Down: State and Local Governments

The Center for Internet Security runs the MS-ISAC, which provides a central resource for gathering information on cyber threats and sharing of information across state, local and tribal agencies. In 2019, the MS-ISAC observed a 153% increase in state, local, tribal and territorial (SLTT) reporting of ransomware incidents. These incidents were either reported by the victim, disclosed by a trusted third party or found in open source reporting. Figure 3 shows the monthly percentage breakdown of reported ransomware incidents in 2018 and 2019.

[Figure 3. Ransomware Incidents in 2018 and 2019 [11]. Chart of the percentage of 2018-2019 SLTT ransomware incidents by month, January 2018 to December 2019 (Source: Victim disclosure, third-party disclosure, open source).]

The MS-ISAC mainly attributes the growth to two types of attacks: a surge in Ryuk ransomware cases and an increase in incidents associated with attackers compromising managed service providers (MSPs) to push ransomware out to their clients. Ryuk, Sodinokibi and Phobos were the three most reported ransomware variants in 2019. Ryuk establishes network access through the TrickBot banking Trojan. This works because TrickBot infections are widespread, often go undetected for an extended period of time, and can quickly spread throughout a network. The Sodinokibi ransomware variant is most responsible for the increase in MSP-related infections, which leverages the trusted relationship between third-party vendors and their clients. The Phobos ransomware variant typically targets poorly secured Remote Desktop Protocol (RDP) ports as an initial infection vector, despite this being a well-known technique by ransomware attackers for several years. Table 2 shows the 2019 breakdown for these variants.

Table 2. Top 3 Ransomware Variants in 2019 [12]

| Ransomware Variant | Percentage of Reported Incidents |
|---|---|
| Ryuk | 22.7% |
| Sodinokibi | 10.9% |
| Phobos | 2.8% |

[8] “Microsoft Security Intelligence Report: Phishing email detection,”
[9] “OUCH Newsletter: Ransomware,” August 2016, www.sans.org/security-awareness-training/ouch-newsletter/2016/ransomware
[10] “Microsoft Security Intelligence Report: Ransomware encounter rates,”
[11] www.cisecurity.org/ms-isac/
[12] www.cisecurity.org/ms-isac/

Hear from the Experts: SANS Threat Panel at RSA Conference 2020

The RSA Conference started in 1991 and has grown to be the largest cybersecurity conference in the world. For the past 14 years, SANS has presented a panel featuring top SANS experts who detail their views of the most dangerous attacks starting to impact enterprises. [13] Through the years, the predictions made by the SANS instructors at these sessions have proven to be highly accurate predictors of real-world damage.

The 2020 threat expert panel, moderated by SANS Founder and Research Director Alan Paller, consisted of:

- Ed Skoudis, SANS Faculty Fellow and Director of SANS Cyber Ranges and Team-Based Training
- Heather Mahalik, Senior Instructor, SANS Institute, and Senior Director of Digital Forensics, Cellebrite
- Dr. Johannes Ullrich, Dean of Research, SANS Technology Institute, and Founder and Director, Internet Storm Center

Each SANS expert focused on areas they believed would have the highest impact in the coming year. The key areas include the proliferation of command and control toolkits and frameworks, “living off the land” attacks, very deep persistence, rising risks when users lose even temporary physical control of their mobile devices, and vulnerabilities in perimeter security controls and web agents that span the perimeter. The following summarizes the experts' views of each issue and their advice on how to avoid or minimize damage.

Command and Control Tools and Frameworks

Ed Skoudis f
