24/10/2017


176 new cyber threats were cataloged every minute, nearly three per second

 

McAfee Inc. released its McAfee Labs Threat Report: April 2017, which details the challenges faced by threat intelligence-sharing efforts, examines the architecture and internal mechanisms of Mirai botnets, assesses reported attacks across industries, and reveals growth trends in malware, ransomware, mobile malware and other threats in Q4 2016.
 
“The security industry faces fundamental challenges in our efforts to share threat intelligence across entities, across vendor solutions, and even within vendor portfolios,” said Vincent Weafer, vice president, McAfee Labs. “Working together is strength. Addressing these challenges will determine the effectiveness of cybersecurity teams to automate detection and orchestrate responses, and ultimately tip the balance in favor of defenders.”
 
The report reviews the history and drivers of threat sharing; the various components, sources, and models for sharing threat intelligence; how consolidated security operations can make use of shared data; and the main sharing challenges that the industry must overcome. These challenges include:
 
•          Volume. A massive signal-to-noise problem continues to plague defenders trying to triage, investigate and act on the highest-priority security incidents.
 
•          Validation. Attackers can file false threat reports to mislead or overwhelm threat intelligence systems, and data from legitimate sources can be tampered with if handled incorrectly.
 
•          Quality. If vendors just focus on gathering and sharing more threat data, there is a risk that much of that data will be duplicated, wasting valuable time and effort. Sensors should capture richer data to help identify key structural elements of persistent attacks.
 
•          Speed. Intelligence received too late for the prevention of an attack is still valuable, but only for the cleanup process. Security sensors and systems must share near real-time threat intelligence to match attack speeds.
 
•          Correlation. Failure to identify relevant patterns and key data points in security data makes it impossible to turn the data into intelligence and then into knowledge that can inform and guide security operations teams.
 
To take intelligence sharing to the next level, McAfee Labs suggests focusing on three areas:
 
•          Triage and prioritization. Simplify event triage and provide a better environment for security professionals to investigate high-priority threats.
 
•          Connect the dots. Establish relationships between indicators of compromise so threat hunters can understand their connections to attack campaigns.
 
•          Best sharing templates. Improve ways to share threat intelligence between your own products and with other vendors.
 
“Increasingly sophisticated attackers are evading discrete security systems, and siloed storage systems let in threats that were stopped elsewhere because they didn't share information,” continued Weafer. “Sharing threat intelligence allows us to learn from each other's experiences, gaining insights based on various attributes that make up a broader and more complete picture of the context of cyber events.”
 
Mirai Botnet Proliferation
 
Mirai was responsible for the large-scale DDoS attack on Dyn, a leading DNS service provider. Mirai is notable because it scans for and infects poorly protected IoT devices (typically by logging in with factory-default credentials), turning them into bots to attack its targets.
 
The release of the Mirai source code in October 2016 resulted in a proliferation of derived bots, although most appear to be driven by amateur scripters and are relatively limited in their impact. However, the source code disclosure has also resulted in Mirai-based “DDoS-as-a-Service” offerings, making it simple for unsophisticated but willful attackers to execute DDoS attacks built on other poorly secured IoT devices. DDoS attacks based on the Mirai botnet are available as a service in the cyber criminal market for $50 to $7,500 per day.
 
McAfee Labs estimates that 2.5 million Internet of Things (IoT) devices were infected by Mirai in Q4 2016, with about five IoT IP addresses added to Mirai botnets every minute at that time.
 
See the full report.
 