Backgrounder The good news for enterprise security is that the number of reported cyberattacks is going down, in the UK at least.
The cloud behind that silver lining? According to the British government, 61 per cent of large businesses experienced some sort of breach last year and, more worryingly, 20 percent of large firms were hit on a weekly basis.
Trying to keep one step ahead of the bad guys has proved tricky, and enterprise security professionals who have moved to protect themselves in one area will invariably find cyber-criminals probing a new spot. According to Peter Firstbrook, research director at Gartner, “Whenever they do a new method of attack, then it’s going to work because we haven’t worked out how to build a defense for the countermeasure.”
In other words, there’s always going to be a way in to the enterprise – even the best protected ones. So what are the attack vectors, and how can you protect yourself?
One of the most common methods used to introduce malware remains, still, the faithful email attachment. According to a 2018 survey from Verizon, this was the chosen method for 94 per cent of all attacks, with Office and PDF documents the favorite delivery vehicles.
One of the newer forms of techniques deployed by cyber criminals is to use non-standard server ports for incursion into corporate systems.
Paul Kenealy, head of cyber incident response at PA Consulting, said it’s a method that’s been made possible because sysadmins put development servers on non-standard ports, or because there’s a proliferation of IoT devices that have been put by default onto non-standard ports. Going through such ports gives attackers a vital means of establishing a beachhead because the servers that employ these ports are connected via the corporate network so once in the malware can spread. “Ideally the entire infrastructure should be separated – development, pre-development, production environment – but we know they’re not, generally for cost reasons,” Kenealy adds.
One route that’s proving a particular favorite in this field is port 8080 or similar, which can be a shortcut for attackers. “It’s more usually used for a web proxy, but a sysadmin could put a development server there,“ Kenealy explains. The reason these ports are left hanging is a consequence of the fast pace of corporate IT. Somebody invariably wants to provision development servers quickly to work on a new project or product, but the sysadmins then move on and forget about these unsecured connections.
Another growing threat to the enterprise is fileless malware. A Ponemon Institute survey [PDF] found 77 per cent of compromised malware employs fileless. What’s more, the report suggests these types of attacks are more likely to succeed. Fileless doesn’t require executable code for a way in and can hide in places like memory that make it difficult for conventional anti-virus software to pick up. Further, fileless is versatile: it can get in through one of those non-standard ports or an attached document.
There are, of course, other methods being employed in attack that are proving fruitful, not least the growing use of encryption. A few years back, Gartner Research highlighted how encrypted and encapsulated traffic “weakens defense-in-depth efficiency, exposing endpoints and DMZ servers to threats from outbound and inbound traffic.”
Encryption can be a force for good in the enterprise, but Kenealy warns organisations now need to be wary of its use against them. “Encryption, like many things, is a double-edged sword,” he says. “It means that attacks can’t be unpicked so easily. And as more attacks get encrypted, it’s easier for malware to hide.”
So, how does the enterprise defend itself against attacks, new and old?
Bill Mew, managing director of The Crisis Team, says people are increasingly interested in measuring the strength of their protection using the services of cyber risk agencies who claim they can give your organisation a risk rating.