Reading the Global Threat Intelligence Report (GTIR)

The Global Threat Intelligence Report (GTIR) addresses the security challenges of organizations globally analyzing 3 billion worldwide attacks occurred in 2013.

The NTT Innovation Institute has released the new Global Threat Intelligence Report (GTIR), a document structured to raise awareness of the rapidly evolving global threat landscape.

The GTIR was based on threat intelligence and attack data from the NTT Group companies which include Solutionary, NTT Com Security, Dimension Data, NTT Data and support from NTT R&D. The security experts have analyzed approximately three billion worldwide attacks occurred in 2013, the Finance and Technology industries are that most targeted by attackers which used mainly botnet for their offensives. The majority of the vulnerabilities listed in the report are related to patch management, firewall and application settings.

 The data fueled the report was collected from 16 Security Operations Centers (SOC) and 7 R&D centers.

 The NTT researchers identified five critical areas of security:

1. Threat avoidance
2. Threat response
3. Threat detection
4. Investigative
5. Response capabilities.

The report correctly highlight the necessity to find solutions that represent the best balancing between cost and risks, the document is based on real-world case studies and it tries to figure out recommendations and strategies to  mitigate the threats and reducing the impact on the company operation.

The impact of cyber threats is even more dangerous and is not depending strictly on the dimension of the organizations (e.g. SMBs, enterprises) neither from the physical location of victims.

“The rise of borderless capabilities overwhelms and breaks the implementation of traditional security controls. Managing the perimeter is the new paradigm. While the traditional perimeter was between “us” and “them” it has changed to include our partner or team for today which will be different than the one for tomorrow.” states the Global Threat Intelligence Report (GTIR).

It’s crucial to consider each enterprise like live entities that grow and interact with actors, like customers and contractors, its employees are around the world demanding resources and exchanging information. The data is the real value of the companies and the security model must be focused on the protection of functionality and data and assets. Security must be ensured into applications by design, simple and inflated concept that is often ignored by IT community.

“It’s not just how well the application is secured; but how well it is developed, architected, configured and maintained over time which matters.” 

Key findings in the 2014 GTIR include:

• Cost for a ‘minor’ SQL injection attack exceeds $196,000 – Organizations must realize the true cost of an incident and learn how a small investment could reduce losses by almost 95 per cent. Case Study: “Massive Data Exfiltration via SQL Injection”.
• Anti-virus fails to detect 54 per cent of new malware collected by honeypots – Additionally, 71 per cent of new malware collected from sandboxes was also undetected by over 40 different anti-virus solutions. This supports the premise that simple endpoint solutions must be augmented with network malware detection and purpose-built solutions.
• 43 per cent of incident response engagements were the result of malware – Missing anti-virus, anti-malware and effective lifecycle management of these basic controls were key factors in a significant portion of these engagements. Read the “Administrator Releases a Worm” case study to see how it cost one organization $109,000.
• Botnet activity takes an overwhelming lead at 34 percent of events observed – Almost 50 per cent of botnet activity detected in 2013 originated from US based addresses. The fact that healthcare, technology and finance account for 60 per cent of observed botnet activity reflects the information worker burden that accompanies these industries.
• PCI assessed organizations are better at addressing perimeter vulnerabilities – Organizations performing quarterly external PCI Authorized Scanning Vendor (ASV) assessments have a more secure vulnerability profile, as well as a faster remediation time (27 per cent), than organizations performing unregulated assessments.
• Healthcare has observed a 13 per cent increase in botnet activity – Due to increased reliance on interconnected systems for the exchange and monitoring of health related data, more systems are potentially affected by malware.

The recommendations provided in the GTIR report are:

• Address the eroding perimeter adopting proper defense measures and handle with care asset inventories and escalation SLA.
• Use effective patch management to protect against real-world threats.
• Define and test incident response, an efficient incident response could help to minimize the impact of security breaches.
• Take advantage of new technologies and techniques, include capabilities such as application isolation techniques, micro VMs, sandboxing and machine learning. These technologies focus on application control and isolation, incident containment and rapid detection via behavioral analytics, are likely to grow in importance.

I suggest you to carefully read the report that is full of interesting data.

Pierluigi Paganini

(Security Affairs –  Global Threat Intelligence Report (GTIR), security)