McAfee Labs Report Finds 93 Percent of Security Operations Center Managers Overwhelmed by Alerts and Unable to Triage Potential Threats
Intel Security's McAfee Labs Threats Report: December 2016 provides insights into how enterprises are using security operations centers (SOCs), details key 2016 developments in ransomware, and illustrates how attackers are creating difficult-to-detect malware by infecting legitimate code with Trojans. The December report also details the growth of ransomware, mobile malware, macro malware, Mac OS malware and other threats in Q3 2016.
“One of the harder problems in the security industry is identifying the malicious actions of code that was designed to behave like legitimate software, with low false positives,” said Vincent Weafer, vice president of Intel Security’s McAfee Labs. “The more authentic a piece of code appears, the more likely it is to be overlooked. Just as 2016 saw more ransomware become sandbox-aware, the need to conceal malicious activity is driving a trend toward ‘Trojanizing’ legitimate applications. Such developments place an ever greater workload on an organization’s SOC – where success requires an ability to quickly detect, hunt down, and eradicate attacks in progress.”
In mid-2016, Intel Security commissioned a research study to see how enterprises use SOCs, how they have changed over time, and what they will look like in the future. Interviews with nearly 400 security practitioners across several countries, industries and company sizes yielded valuable information on the state of the SOC in 2016:
• Alert overload. On average, organizations are unable to sufficiently investigate 25 percent of their security alerts, with no significant variation by country or company size.
• Triage trouble. Most respondents acknowledged being overwhelmed by security alerts, and 93 percent said they are unable to triage all potential threats.
• Incidents on the rise. Whether from an increase in attacks or better monitoring capabilities, 67 percent of respondents reported an increase in security incidents.
• Cause of the rise. Of the respondents reporting an increase in incidents, 57 percent report they are being attacked more often, while 73 percent believe they are able to better spot attacks.
• Threat signals. The most common threat detection signals for a majority of organizations (64 percent) come from traditional security control points, such as antimalware, firewall and intrusion prevention systems.
• Proactive vs. reactive. The majority of respondents claim to be progressing toward the goal of a proactive and optimized security operation, but 26 percent still operate in reactive mode, with ad hoc approaches to security operations, threat hunting and incident response.
• Adversaries. More than two-thirds (68 percent) of investigations in 2015 involved a specific entity, either as a targeted external attack or an insider threat.
• Causes for investigation. Generic malware was the most common trigger of security investigations (30 percent), followed by targeted malware-based attacks (17 percent), targeted network-based attacks (15 percent), accidental insider incidents resulting in potential threats or data loss (12 percent), malicious insider threats (10 percent), direct nation-state attacks (7 percent), and indirect or hacktivist nation-state attacks (7 percent).
Survey respondents said that the highest priority for the growth and investment of SOCs is to improve the ability to respond to confirmed attacks, which includes the ability to coordinate, remediate, eradicate, learn and prevent reoccurrences.
Emergence of “Trojanized” Legitimate Software
The report also detailed some of the many ways attackers place Trojans within commonly accepted code to obscure their malicious intent. McAfee Labs identified a variety of approaches to accomplishing this:
• Patching executables on the fly as they are downloaded through man-in-the-middle (MITM) attacks.
• Bundling “clean” and “dirty” files together using binders or joiners.
• Modifying executables with patchers while preserving the application's normal functionality.
• Modifying source that is interpreted, open source, or recovered by decompilation.
• Poisoning the master source code, especially in redistributed libraries.
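Two of the techniques above leave artifacts a defender can check for before a downloaded binary is trusted: in-transit or patcher modification changes the file hash, and binders/joiners typically append the "dirty" payload past the last PE section (the overlay). The following is an added example, not code from the McAfee Labs report; it runs the two checks over a constructed, non-loadable PE-shaped buffer, and the pinned SHA-256 stands in for a hash published by the software vendor (an assumption).

```python
"""Checks for two Trojanizing patterns (added example, not from the McAfee report):

  1. Compare a downloaded binary's SHA-256 with the hash pinned from the vendor's
     published artifact. Catches on-the-fly patching in transit or by a patcher.
  2. Measure the PE "overlay": bytes past the end of the last section. Binders and
     joiners commonly append the bundled payload there.
"""
import hashlib
import struct


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_overlay_size(data: bytes) -> int:
    """Bytes appended beyond the last section's raw data (0 if none).

    Only the fields needed for the file layout are parsed: e_lfanew, the COFF
    header's NumberOfSections and SizeOfOptionalHeader, and each section's
    SizeOfRawData / PointerToRawData.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_of_optional_header
    end_of_sections = 0
    for i in range(number_of_sections):
        hdr = section_table + i * 40          # each section header is 40 bytes
        size_of_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, ptr_raw + size_of_raw)
    return max(0, len(data) - end_of_sections)


def assess(data: bytes, pinned_sha256: str) -> list[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    if sha256_hex(data) != pinned_sha256:
        findings.append("hash mismatch: binary differs from the published artifact")
    overlay = pe_overlay_size(data)
    if overlay:
        # Caveat: Authenticode signatures and self-extracting installers also live
        # in the overlay, so treat this as a lead to inspect, not proof of bundling.
        findings.append(f"overlay: {overlay} bytes appended past the last section")
    return findings


def build_minimal_pe(section_payload: bytes) -> bytes:
    """Constructed test input: a PE-shaped buffer with one .text section at 0x200.
    It is not loadable; only the layout fields the parser reads are meaningful."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)   # 0x40 bytes
    opt_size = 0xE0                                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    raw_ptr = 0x200
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIII", len(section_payload), 0x1000, len(section_payload), raw_ptr
    ) + b"\0" * 16
    headers = dos_header + b"PE\0\0" + coff + b"\0" * opt_size + section
    return headers.ljust(raw_ptr, b"\0") + section_payload


if __name__ == "__main__":
    clean = build_minimal_pe(b"\x90" * 64)
    pinned = sha256_hex(clean)                # assumed: hash taken from the trusted original
    bundled = clean + b"MZ" + b"\0" * 300     # joiner appends a second executable
    patched = clean[:0x200] + b"\xcc" + clean[0x201:]   # one byte altered in transit
    for label, sample in (("clean", clean), ("bundled", bundled), ("patched", patched)):
        print(label, assess(sample, pinned) or ["ok"])
```

The hash check is the stronger control and covers all five techniques when the pinned value comes from an out-of-band, authenticated source; the overlay measurement is a triage signal only, since signed binaries and installers legitimately carry data past the last section.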
2016: The Year of Ransomware?
Through the end of Q3, the number of new ransomware samples in 2016 totaled 3,860,603, leading to an increase of 80 percent in total ransomware samples since the beginning of the year. Beyond the leap in volume, ransomware exhibited notable technical advances in 2016, including partial or full disk encryption, encryption of websites used by legitimate applications, anti-sandboxing, more sophisticated exploit kits for ransomware delivery, and more ransomware-as-a-service developments.
McAfee, 2821 Mission College Blvd., Santa Clara, CA 95054