
5 highlights from the HPE Cyber Risk Report 2016

Jaikumar Vijayan, Freelance writer

Change has been the one constant in the cybersecurity landscape over the past few years. Every time security researchers have found a way to shut a threat down or extinguish a malware operation, something new and more sophisticated has inevitably emerged to take its place.

Businesses, forced into an increasingly costly arms race with threat actors, have had to constantly reassess, reorganize, and redouble their efforts to keep up with adversaries that have gotten more sophisticated, organized, and resourced.

And so it was in 2015 as well. 

Hewlett Packard Enterprise's Cyber Risk Report 2016, a comprehensive review of the 2015 cybersecurity threat landscape, has revealed some fundamental shifts in malware development practices, attack trends, mobile threats, and government attitudes toward security and privacy. The 96-page report is based on data from HPE’s own security teams, open-source intelligence sources, ReversingLabs’ cyberthreat detection and analytics data, and Sonatype.

Here are the top five examples of how the threat landscape shifted yet again in 2015, highlighted from the HPE Cyber Risk Report 2016.


1. Malware expected to grow more slowly

Malware remained a massive threat to enterprise security in 2015. But somewhat inexplicably, the year-over-year growth in new malware samples that many had expected in 2015 did not materialize. In fact, the number of new malware samples discovered in 2015 was smaller than the number discovered in 2014.

While it's difficult to isolate the exact reason for the apparent stagnation, several factors likely contributed to the situation, HPE said in its report. For instance, the decline could be due to improvements in enterprise security measures and in operating system and application software components, the HPE researchers said.

Law enforcement takedowns of several major malware operations in 2015 could also have played a role, and so too could the shift from traditional computers to laptops and mobile systems.

“The centralized distribution model for apps used by iOS and Android has proven more difficult for malware attackers despite the obvious growth in interest in attacking mobile platforms,” HPE said.

Windows continued to be by far the most heavily targeted platform for malware, accounting for 94 percent of all new samples discovered last year. Researchers counted between 135 million and 140 million Windows malware samples in 2015, compared to about 4.5 million samples for Android, the second most heavily targeted platform.

But in terms of growth rate, at least, there was a shift away from Windows-only malware to mobile malware in 2015.

Malware targeting Apple’s iOS, for instance, remained fairly low, at a mere 70,000 samples. But that number represented a stunning 230 percent increase from 2014. The growth rate for Android malware, while somewhat lower, was still an alarmingly high 153 percent. Meanwhile, the popularity of Linux as a Web hosting platform put it increasingly in the crosshairs of malware writers, with Linux malware samples growing 212 percent year over year.


2. Ransomware, banking trojans and ATM malware set to grow

Continuing efforts by malware writers to monetize their products led to the proliferation of banking Trojans, ransomware, and ATM malware tools in 2015. 

Among the ransomware tools posing the biggest threat to users last year were Cryptolocker, Cryptowall, TorrentLocker, and TeslaCrypt. Cyber criminals used such tools widely to extort money from victims by encrypting the contents of their computers and then demanding a ransom for unlocking them.

The threat was not confined to desktop users alone; 2015 witnessed the emergence of ransomware targeted at Android mobile device users as well.

The Dridex malware, meanwhile, embodied the threat to individuals posed by banking Trojans last year. The malware, which spread through phishing emails and innocuous-looking Word documents, was used extensively to steal banking credentials and other data from infected computers and is believed to have caused tens of millions of dollars in damages. Law enforcement shut down the Dridex operation last October, but several other Trojans have surfaced in recent months to take its place.

ATM-related malware posed another major threat in 2015, according to HPE. Many of the attacks against ATM systems last year took advantage of unsupported and misconfigured operating systems and a failure by ATM operators to update their systems against vulnerabilities.

3. Bug bounty programs become more bountiful

The rush to find and close bugs in software products widely used by enterprises was highlighted by an increase in the number of organizations offering rewards and incentives to vulnerability researchers.

Venerable, long-established bug bounty programs like HPE’s Zero Day Initiative (ZDI), which was sold along with security vendor TippingPoint to Trend Micro last year, and those offered by companies like Google and Microsoft have been joined by a slew of others in recent years. Examples include HackerOne, Bugcrowd, and Crowdcurity.

HPE researchers noticed an “observable increase” in the number of bug bounty programs from 2014 to 2015. Bugsheet, which maintains a community-curated list of such programs, counted 350 in 2015, while Bugcrowd listed over 450 programs.

In addition to software vendors and technology companies that have been offering such programs for some time, the last couple of years witnessed the emergence of bug bounty programs from nontechnology vendors. One example is United Airlines, which last May announced that it would reward researchers who found bugs in its websites and applications with 50,000 to 1 million free air miles. 

“Rewarding skilled researchers for identifying potential avenues to the enterprises’ crown jewels has taken many forms, from public recognition to money, and everything in between,” the HPE researchers said in their report. 

The potential for security researchers to make substantial amounts of money from bug discoveries unfortunately also spurred the growth of gray-market brokers willing to sell bug discoveries to government agencies and those with unclear motives, and black marketers selling to criminal elements.

One development that could have a lasting impact on security research was the implementation of the Wassenaar Agreement in 2015. The 40-nation agreement, which covers the transfer of conventional arms and so-called dual-use technologies, has a clause pertaining to “intrusion software” of the kind used by security researchers for penetration testing. There is some concern that the ambiguous language in the agreement could create problems down the line for security researchers who use software covered under the agreement for software testing purposes.

4. Privacy and security's marriage is on the rocks

Information security and data privacy have long been inextricably linked together. Many have argued that there can be no data privacy without strong information security.

But a confluence of events on the global stage in 2015, particularly the terror attacks in Paris last November, led to growing calls for an abridgment of privacy rights in the interests of national security in the United States, HPE said.

“A difficult and violent year on the global scene, combined with lingering distrust of American tech initiatives in the wake of revelations by Edward Snowden and other whistleblowers, led to a fraught year for data privacy, encryption, and surveillance worldwide,” the HPE report noted.

Despite some privacy-friendly developments, such as the passage of the USA Freedom Act and the phasing out of the NSA’s authority to collect bulk data in 2015, the mood had soured considerably by year's end.

Following the Paris attacks, several US lawmakers revived calls for bulk-data collection and for giving law enforcement authorities new capabilities for accessing data. Though there was no evidence that encryption played a role in enabling the terrorists to communicate surreptitiously, the Paris attacks also fueled renewed calls on technology vendors to make it easier for law enforcement to crack encrypted communications and data. 

“Those evaluating the security of their enterprises would do well to monitor government efforts such as adding 'backdoors' to encryption and other security tools,” the Risk Report warned.

5. The year of collateral damage

As with many other years in recent times, 2015 had its share of mega-breaches, starting with one disclosed by health insurer Anthem last February that exposed sensitive data on some 80 million people. But what made some of the breaches different was how they affected people who had no direct business relationship or contact with the organization that was breached.

HPE’s report highlighted two breaches in particular that epitomized this trend. One of them was the breach disclosed by the US Office of Personnel Management (OPM) in June 2015 that resulted in the theft of background investigation records of current, former, and potential government employees and contractors. Over 22 million people were affected in the theft, including the spouses, children, and relatives of those who had submitted to the background checks.

The other breach highlighted in the report was the one disclosed by adult dating site Ashley Madison last July. Millions of records containing highly intimate details of extramarital relationships among Ashley Madison’s members were publicly released, raising considerable privacy concerns and worries about victims being targeted by blackmailers and extortionists.

“These breaches don’t initially look the same; however, both breaches had terrible effects on people who never had direct contact with the keepers of the data, and whose information appeared in it only as it related to someone else,” researchers said in the HPE Cyber Risk Report 2016.
