In my travels abroad over the years, I have had the great opportunity to meet with many enterprise customers to discuss the evolving threat landscape. In addition to helping inform customers, these meetings have provided me with an opportunity to learn more about how customers are managing risk within their environments. Many of these customers are interested in learning about the top threats found in enterprise environments. Visibility into what threats are most common in enterprise environments helps organizations assess their current security posture and better prioritize their security investments. Given the high level of interest in this information, I thought it would be helpful to take a close look at the top 10 threats facing enterprise customers based on new intelligence from the latest Microsoft Security Intelligence Report (SIRv15).
The latest report found that in the enterprise environment, on average about 11% of systems encountered malware, worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13). The “encounter rate” is defined as the percentage of computers running Microsoft real-time security software that report detecting malware – typically resulting in a blocked installation of malware. This is different from the number of systems that actually get infected with malware, a measure called computers cleaned per mille (CCM).
Figure 1 (left): The malware encounter rates for consumer and enterprise computers, 3Q12-2Q13. Figure 2 (right): The quarterly trends for the top 10 families detected by Microsoft enterprise security products, 3Q12-2Q13, by percentage of computers encountering each family in 2Q13.
When we look at the top 10 enterprise threats worldwide from the list above, it gives us insight into the most common ways in which enterprise organizations are coming into contact with malware today. Based on this list, there are three primary methods in which enterprises are encountering malware:
- Via malicious or compromised websites
- Worms that spread through network drives, Autorun feature abuse, and/or weak passwords
- Social engineering that tricks the user into installing malware on their system
Malicious or Compromised Websites
By the end of 2012, web-based attacks had surpassed traditional network worms to become the top threats facing enterprises. The latest Security Intelligence Report shows this trend is continuing in the first half of 2013.
Figure 3: The quarterly trends for the top 10 families detected by Microsoft enterprise security products, between the third quarter of 2012 and the second quarter of 2013, by percentage of computers encountering each family
In fact, in 2Q13 six out of the top ten threats facing enterprises were associated with malicious or compromised websites. These threats include JS/Seedabutor, HTML/IframeRef, Win32/Sirefef, JS/BlacoleRef, Java/CVE-2012-1723 and Blacole. Computer users in organizations typically come into contact with these types of malicious or compromised websites unexpectedly when browsing the web while using their organization’s systems.
For example, in the case of HTML/IframeRef, attackers have built automated systems that probe websites to identify and infect vulnerable web servers. Once compromised, an infected server can then host a small, seemingly benign, piece of code that is used as a redirector. However, this code is part of a chain, and when victims visit the website, the redirector can serve malicious pages from another malicious server to infect the victim with malware. You can read about the mechanics of this type of attack in a series of articles I wrote previously:
Once a system is compromised with malware, it not only disrupts the infected machine but also has the potential to cause harm to the systems it interacts with. The infected system may be used to spread malware both inside and outside the organization, and steal information such as intellectual property.
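A small audit of the redirector pattern described above, written for a site owner checking their own pages rather than taken from the report: it flags `<iframe>` tags that are sized or styled so the visitor never sees them, and notes whether the frame points off-site. The sample HTML and host names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class HiddenIframeAuditor(HTMLParser):
    """Collects <iframe> tags that are sized or styled so the visitor never sees them."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}          # HTMLParser lowercases attribute names
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero-size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-style")
        if re.search(r"(?:left|top):-\d{3,}", style):   # positioned far off-screen
            reasons.append("off-screen")
        if not reasons:
            return
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        external = bool(host) and host != self.site_host and not host.endswith("." + self.site_host)
        self.findings.append({"src": a.get("src", ""), "reasons": reasons, "external": external})

def audit_html(html, site_host):
    """Return hidden-iframe findings for one page; an empty list means nothing suspicious."""
    parser = HiddenIframeAuditor(site_host)
    parser.feed(html)
    return parser.findings

# Constructed page: one visible embed, two hidden off-site frames, one hidden internal frame.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://redirector.invalid/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://other.invalid/x.html" style="position:absolute; left:-5000px"></iframe>
<iframe src="/internal/widget.html" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "example.com"):
        print(("EXTERNAL " if f["external"] else "internal ") + f["src"], f["reasons"])
```

A hidden frame pointing at a host the site does not own is the strongest signal; a hidden internal frame may be a legitimate widget and deserves a look rather than an alarm.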
Network Drives, Autorun, Weak Passwords
While web-based attacks have become the most common threats facing enterprises, worms cannot be ignored. In 2Q13 three out of the top ten threats facing enterprises were associated with worms (Win32/Conficker, INF/Autorun, Win32/Dorkbot). Worms are commonly spread through network drives, abusing the Autorun feature or exploiting weak passwords.
For example, the Conficker worm is commonly spread by exploiting weak passwords. The worm uses a built-in list of common or weak passwords to attempt to compromise other computers, in addition to stealing the credentials of any user that logs into the infected system. Passwords such as “admin,” “admin123,” “administrator,” “default,” “test,” “12345” and even “security” are part of Conficker’s list of passwords. Once Conficker compromises a system, it can steal the credentials of an IT administrator to spread on the internal network. Here’s how Conficker spreads using this technique:
- A system becomes compromised
- The user suspects a problem and reports the issue to the administrator for help
- The administrator logs onto the infected machine with the network admin password to troubleshoot the problem
- Conficker steals the admin credentials and immediately uses them to log onto every other machine in the network and compromise those machines
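The last step above leaves a recognisable trace: one account, from one freshly infected workstation, authenticating to many hosts within minutes. The detection logic below is an added example, not part of the report; it runs over constructed network-logon records (timestamp, account, source host, target host) and flags that fan-out pattern.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed network-logon records (timestamp, account, source host, target host), not real logs.
# The itadmin entries model the sequence above: the admin logs on to infected WS-0142, then that
# workstation reuses the stolen credential against many other machines within a couple of minutes.
SAMPLE_EVENTS = [
    ("2013-06-03T09:00:05", "CORP\\jdoe",    "WS-0142",  "FILESRV01"),
    ("2013-06-03T09:14:10", "CORP\\itadmin", "ADMIN-PC", "WS-0142"),
    ("2013-06-03T09:14:31", "CORP\\itadmin", "WS-0142",  "WS-0007"),
    ("2013-06-03T09:14:33", "CORP\\itadmin", "WS-0142",  "WS-0019"),
    ("2013-06-03T09:14:36", "CORP\\itadmin", "WS-0142",  "WS-0023"),
    ("2013-06-03T09:15:02", "CORP\\itadmin", "WS-0142",  "WS-0007"),   # repeat target, counted once
    ("2013-06-03T09:15:40", "CORP\\itadmin", "WS-0142",  "WS-0031"),
    ("2013-06-03T09:16:12", "CORP\\itadmin", "WS-0142",  "FILESRV01"),
    ("2013-06-03T09:16:50", "CORP\\itadmin", "WS-0142",  "PRINTSRV"),
    ("2013-06-03T10:30:00", "CORP\\jdoe",    "WS-0142",  "PRINTSRV"),
]

def find_logon_fanout(events, window_seconds=300, min_targets=5):
    """Flag (account, source host) pairs that authenticate to at least min_targets distinct
    hosts within window_seconds. One alert per pair, dated from the first logon of the burst."""
    by_pair = defaultdict(list)
    for ts, account, source, target in events:
        by_pair[(account, source)].append((datetime.fromisoformat(ts), target))
    alerts = []
    window = timedelta(seconds=window_seconds)
    for (account, source), logons in by_pair.items():
        logons.sort()                                   # sliding window needs time order
        for i, (start, _) in enumerate(logons):
            targets = {t for ts, t in logons[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts.append({"account": account, "source": source,
                               "start": start.isoformat(), "targets": len(targets)})
                break
    return alerts

if __name__ == "__main__":
    for a in find_logon_fanout(SAMPLE_EVENTS):
        print(f"{a['start']} {a['account']} from {a['source']} reached {a['targets']} hosts")
```

Patch-management and monitoring accounts produce the same fan-out legitimately, so exempt known sources or raise the threshold for them before alerting on this in production.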
Social Engineering
The third most common way in which enterprise organizations are encountering malware, based on the latest threat intelligence, is through social engineering; Win32/Obfuscator is an example of this. Cybercriminals will try to hide the malware using deceitful tactics to trick you into installing it. There are a number of ways this may occur.
For example, a compromised system may be used by attackers to send out fraudulent emails, friend requests or instant messages which contain links to malicious sites or malware. Another common way in which attackers try to trick people into installing malware is by bundling it with popular software, movies or music that can be downloaded online. We talked about this method in detail when we released the Microsoft Security Intelligence Report Volume 13.
The good news is that there are effective mitigations and best practices that can be used to help to protect enterprises:
- Keep all software up-to-date: Attackers will try to use vulnerabilities in all sorts of software from different vendors, so it is important for organizations to keep all of the software in their environment up to date and run the latest versions whenever possible. This will make it harder for the types of threats we see in the enterprise today to be successful. This tactic would have helped to mitigate six out of the top ten threats detected in enterprise environments in the first half of 2013.
- Demand software that was developed with a security development lifecycle: Until you get a software update from the affected vendor, test it, and deploy it, it’s important that you manage the risk that attackers will attempt to compromise your environment using these vulnerabilities. A very effective way for software vendors to help you do this is by using security mitigations built into the platform, such as ASLR, DEP, SEHOP and others. These mitigations can make it much harder for attackers to successfully exploit vulnerabilities. Demand software from your vendors that uses these mitigations. You can check whether the software you have in your environment has these mitigations turned on using tools like BinScope or EMET. Where you have software deployed in your environment that does not use these mitigations, in some cases EMET might be able to turn them on for you. These mitigations can help you manage risk by giving you more time to test and deploy security updates or new versions of software. An easy way to ask your vendors if they use a security development lifecycle is to ask them if they meet the guidance in an international standard called ISO 27034.
- Restrict websites: Limit web sites that your organization’s users can visit. This likely won’t be popular in the office, but given the majority of threats found in the enterprise are delivered through malicious websites, you might have the data needed to make a business case. Also, restricting web access from servers has been a best practice for a long time.
- Manage security of your websites: Many organizations don’t realize that their websites could be hosting the malicious content that is being used in these attacks. Organizations should regularly assess their own web content to avoid a compromise that could affect their customers and their reputation.
- Leverage network security technologies: Technologies like Network Access Protection (NAP), Intrusion Prevention System (IPS), and content filtering can provide an additional layer of defense by providing a mechanism for automatically bringing network clients into compliance (a process known as remediation) and then dynamically increasing their level of network access.
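The second recommendation above, checking whether the software you run opts into ASLR and DEP, comes down to two bits in the PE optional header's DllCharacteristics field, which is what tools like BinScope read. The checker below is an added example, not BinScope's or EMET's code; `build_minimal_pe` fabricates just enough header to exercise it and is not a loadable executable.

```python
import struct
import sys

DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image may be relocated (ASLR)
NX_COMPAT    = 0x0100   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image is DEP-compatible
NO_SEH       = 0x0400   # IMAGE_DLLCHARACTERISTICS_NO_SEH: image uses no structured exception handlers
# SEHOP is enforced by the OS at run time rather than recorded in the image, so it is not checked here.

def pe_mitigations(data):
    """Return which opt-in mitigations a PE image declares; raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                    # skip signature and 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):            # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {"aslr": bool(dllchars & DYNAMIC_BASE),
            "dep": bool(dllchars & NX_COMPAT),
            "no_seh": bool(dllchars & NO_SEH)}

def pe_mitigations_from_file(path):
    with open(path, "rb") as f:
        return pe_mitigations(f.read())

def build_minimal_pe(dllchars, magic=0x10B):
    """Constructed test input: DOS stub, PE signature, empty COFF header and a bare optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew points right after the DOS header
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        m = pe_mitigations_from_file(path)
        print(f"{path}: ASLR={'yes' if m['aslr'] else 'NO'} DEP={'yes' if m['dep'] else 'NO'}")
```

Run it over a vendor's install directory to find binaries shipped without these flags; those are the ones to raise with the vendor or to consider covering with EMET.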
Of course, there is plenty of other data and guidance in the latest Microsoft Security Intelligence Report; it is designed to provide prescriptive guidance which can help our customers manage risk and protect their assets. If you are responsible for managing risk for your organization, then I encourage you to download it today at www.microsoft.com/sir to learn about the latest threat trends.