My reading of the “ENISA Threat Landscape” report

The European Network and Information Security Agency (ENISA) is the EU agency responsible for the cyber security of the European Union. Its latest report, “ENISA Threat Landscape – Responding to the Evolving Threat Environment”, summarizes the principal threats and also provides useful indications on emerging trends.

The report proposes a list of top threats, drawn up from publicly available data on cyber attacks and security incidents, and provides an independent view of the principal malicious agents.

The report identifies and lists the top threats and their trends, and concludes that drive-by exploits have become the top web threat. To draw a picture of the current security landscape, the document considers data from 120 recent reports, released in 2011 and 2012 by the security industry, CERTs, standardization bodies and other independent parties.

The ENISA report identifies the following top ten cyber threats:

TOP 3 THREATS IN DETAIL

Drive-by exploits

The most dangerous threat, and one that shows a growing trend, is drive-by exploits: malicious code injected into the HTML of legitimate, compromised websites to exploit vulnerabilities in users’ web browsers. This attack scheme has been detected on several occasions; victims are infected by visiting a drive-by download website, and attackers mainly exploit browser plugins such as Java, Adobe Reader and Adobe Flash. This type of attack also affects mobile platforms: in May 2012 the first drive-by download for Android OS was observed. The technique is usually adopted by cyber criminals, but recent events have demonstrated its use also in targeted attacks for cyber espionage purposes. One of the best-known exploit kits widely diffused in the underground is Blackhole.
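Because a drive-by attack starts with code injected into a legitimate page, site owners can catch the injection by comparing what the server actually delivers against a known-good baseline. The following Python script is an added example (not from the ENISA report or from Security Affairs) of such an integrity check: it hashes the served page against the baseline and, when they differ, lists script and iframe sources that were not present in the baseline. The two HTML pages and the attacker host name (`placeholder-attacker.invalid`) are constructed for the demonstration.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample pages (not from the report): the baseline copy of a page
# and a copy of the same page after a hidden script and iframe were injected.
BASELINE_HTML = """<html><head><title>Shop</title>
<script src="/static/app.js"></script></head>
<body><h1>Welcome</h1><p>Our catalogue.</p></body></html>"""

SERVED_HTML = """<html><head><title>Shop</title>
<script src="/static/app.js"></script>
<script src="http://placeholder-attacker.invalid/k.js"></script></head>
<body><h1>Welcome</h1><p>Our catalogue.</p>
<iframe src="http://placeholder-attacker.invalid/" width="1" height="1"></iframe></body></html>"""


class ExternalRefCollector(HTMLParser):
    """Collect the source URL of every <script> and <iframe> tag in a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def collect_refs(html_text):
    """Return a list of (tag, src) pairs found in the HTML text."""
    parser = ExternalRefCollector()
    parser.feed(html_text)
    return parser.refs


def page_digest(html_text):
    """SHA-256 of the page body, used as a cheap first-pass integrity check."""
    return hashlib.sha256(html_text.encode("utf-8")).hexdigest()


def check_page(baseline_html, served_html):
    """Return the (tag, src) references present in the served page but absent
    from the baseline. An empty list means no new external code was found."""
    if page_digest(baseline_html) == page_digest(served_html):
        return []  # byte-identical: nothing to inspect
    known = set(collect_refs(baseline_html))
    return [ref for ref in collect_refs(served_html) if ref not in known]


if __name__ == "__main__":
    for tag, src in check_page(BASELINE_HTML, SERVED_HTML):
        print(f"unexpected <{tag}> loading {src}")
```

In practice the baseline would be the page as deployed from version control and the served copy would be fetched periodically from the public site; any unexpected script or iframe source is a signal to take the page offline and investigate the compromise.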

Worms/Trojans 

There is little need to dwell on this dreaded malware, which is varied and versatile and is used by cyber criminals and governments for various purposes, such as offensive attacks, cyber espionage and sophisticated cyber scams. Cybercrime makes extensive use of malware, especially for bank fraud. The situation regarding mobile platforms and social networks is concerning, as these platforms are exploited to spread malicious agents on a large scale.

The report states:

  • Data theft trojans are widely used by cyber criminals for money making.
  • Trojans are the most reported type of malicious code. Although a relatively small number of computer systems were infected by worms, the massive worm epidemics observed in the past have been replaced by an increasing number of targeted trojans.
  • Trojan Autorun and the Conficker worm are still two of the top threats worldwide. These two pieces of malware are more than four years old and, even though the vulnerabilities that allow them to infect systems have been addressed, they still claim victims.
  • Social networks are an appealing distribution channel for malware authors, e.g. the Koobface worm that targeted and infected users of major social networking sites.
  • Trojans are the major malware threat on mobile platforms. These trojans vary in nature from simple SMS trojans to multifunctional and more sophisticated trojans (e.g. data stealing trojans).

Code Injection Attacks

During the last few years a huge number of attacks and data breaches have been conducted against web applications using well-known attack techniques such as SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), remote file inclusion (RFI) etc. The intent is to inject code into applications in order to steal sensitive information. While SQL injection is a very common technique used by hacktivists to dump their victims’ databases, a considerable increase in cross-site scripting cases has also been observed in recent months, due to the versatility of this attack mode. For obvious reasons, I refer the reader to a thorough reading of the interesting report, which enumerates other dangerous cyber threats such as botnets, phishing, DDoS and targeted attacks.
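The two injection classes named above share one root cause: untrusted input is mixed into a query or a page without a boundary between data and code. The following Python example is added here (it is not from the ENISA report or from Security Affairs) and shows a vulnerable SQL lookup and HTML rendering beside their hardened forms, using a constructed in-memory SQLite table. The input strings are the textbook tautology and markup payloads used only to show that the hardened versions treat them as plain data.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the report).
USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable lookup: the input is concatenated into the SQL text, so a
    quote in the input changes the structure of the query (SQLi)."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened lookup: a parameterized query passes the input as data only."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name):
    """Vulnerable rendering: input is placed in HTML without encoding, so any
    markup it contains is interpreted by the browser (XSS)."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    """Hardened rendering: HTML-encode the input before placing it in the page."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both variants on the same inputs and return what each produced."""
    conn = make_db()
    tautology = "x' OR '1'='1"            # constructed: turns WHERE into always-true
    markup = "<script>alert(1)</script>"  # constructed: markup in a user-supplied name
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, tautology)),  # whole table returned
        "safe_rows": len(lookup_safe(conn, tautology)),              # literal name, no match
        "vulnerable_html": render_vulnerable(markup),
        "safe_html": render_safe(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix in both cases is the same idea: let the database driver or the HTML encoder handle the boundary, never the application’s string concatenation. The parameterized query and `html.escape` are standard-library calls and need no extra dependency.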

WHO AND WHY?

ENISA identifies the following principal threat agents in cyberspace:

  • Corporations. This kind of threat refers to corporations/organizations/enterprises that adopt and/or are engaged in offensive tactics. Corporations can be considered hostile threat agents; their motivation is to build competitive advantage over competitors, who also make up their main target. Depending on their size and sector, corporations usually possess significant capabilities, ranging from technology up to human engineering intelligence, especially in their area of expertise.
  • Cybercriminals. Cybercriminals are hostile by nature. Moreover, their motivation is financial gain and their skill level is, nowadays, quite high. Cybercriminals can be organized on a local, national or even international level. It should be taken as given that a certain degree of networking between cybercriminals is being maintained.
  • Employees. This category refers to the staff, contractors, operational staff or security guards of a company. They can have insider access to a company’s resources and they are considered both non-hostile threat agents (i.e. distracted employees) and hostile ones (i.e. disgruntled employees). This kind of threat agent possesses a significant amount of knowledge that allows them to mount effective attacks against the assets of their organization.
  • Hacktivists. Hacktivism is a new trend in threat agents. Hacktivists are politically and socially motivated individuals that use computer systems in order to protest and promote their cause. Moreover, they usually target high profile websites, corporations, intelligence agencies and military institutions.
  • Nation States. Nation states can have offensive cyber capabilities and could potentially use them against an adversary. By their very nature and due to the importance of the means at their disposal, nation states may present a threat in the area of cyber warfare.
  • Terrorists. Terrorists have expanded their activities and also engage in cyber-attacks. Their motivation can be political or religious and their capability varies from low to high. Preferred targets of cyber terrorists are mostly critical infrastructures (e.g. public health, energy production, telecommunication etc.), as their failure causes severe impact on society and government. It has to be noted that in the public material analysed, the profile of cyber terrorists still seems to be blurry.

THE TREND

The current threat trends have been derived by analyzing information on cyber threats detected during the last few years; the areas of information technology most affected are mobile computing, social technology, critical infrastructures, trust infrastructures, cloud computing and big data. Given the technological push, it is easy to predict a considerable increase in cyber threats; in many articles I have described the urgency of addressing them with proper strategies in both the private and public sectors. Because of their large audience and the lack of awareness of cyber threats, social networking and mobile are the most exposed to the incoming menaces.

These areas are, however, strictly correlated. According to the report, the term mobile computing covers several aspects of the consumerization of IT, BYOD (Bring Your Own Device) and mobile services such as social networking, business applications and data, and the use of cloud services, all infrastructures and services exposed to high risks. Also very concerning is the increase in attacks against critical infrastructures, carried out not only by state-sponsored hackers, and against cloud infrastructures.

I’ve extracted the top 5 emerging cyber threats for mobile and for infrastructures respectively, which I am sure could be of interest:


MOBILE

CRITICAL INFRASTRUCTURES

BEST PRACTICES

In the document ENISA proposes best practices to follow in order to mitigate cyber threats to business, homeland security and the digital economy:

  • Use a common terminology within threat reports
  • Include the end-user perspective
  • Develop use cases for threat landscapes
  • Collect security intelligence of incidents including starting point and target of an attack
  • Perform a shift in security controls to accommodate emerging threat trends
  • Collect and develop better evidence about attack vectors (methods) so as to understand attack workflows
  • Collect and develop better evidence on the impact reached by attackers
  • Collect and maintain more qualitative information about threat agents.

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
