McAfee Labs Report reveals 93% of security operations center managers overwhelmed by alerts



Intel Security released Tuesday its McAfee Labs Threats Report: December 2016, which provides insights into how enterprises are using security operations centers (SOCs), details key 2016 developments in ransomware, and illustrates how attackers are creating difficult-to-detect malware by infecting legitimate code with Trojans and leveraging that legitimacy to remain hidden as long as possible.

The December report also details the growth of ransomware, mobile malware, macro malware, Mac OS malware and other threats in the third quarter.

In mid-2016, Intel Security commissioned a primary research study to gain a deeper understanding of the ways in which enterprises use SOCs, how they have changed over time, and what they will look like in the future.

The McAfee Labs team of researchers collects threat data from millions of sensors across key threat vectors—file, web, message and network. It then performs cross-vector threat correlation analysis and delivers real-time threat intelligence to tightly integrated McAfee endpoint, content and network security products through its cloud-based McAfee Global Threat Intelligence service. McAfee Labs also develops core threat detection technologies – such as application profiling and graylist management – that are incorporated into its security product portfolio.

Interviews with nearly 400 security practitioners across several countries, industries and company sizes yielded valuable information on the state of the SOC in 2016. On average, organizations are unable to sufficiently investigate 25 percent of their security alerts, with no significant variation by country or company size. Most respondents acknowledged being overwhelmed by security alerts, and as many as 93 percent are unable to triage all potential threats.

Whether from an increase in attacks or better monitoring capabilities, 67 percent of respondents reported an increase in security incidents. Of the respondents reporting an increase in incidents, 57 percent report they are being attacked more often, while 73 percent believe they are able to better spot attacks.

The most common threat detection signals for a majority of organizations (64 percent) come from traditional security control points, such as antimalware, firewall and intrusion prevention systems. The majority of respondents claim to be progressing toward the goal of a proactive and optimized security operation, but 26 percent still operate in reactive mode, with ad hoc approaches to security operations, threat hunting and incident response.

Over two-thirds (68 percent) of investigations in 2015 involved a specific entity, either as a targeted external attack or an insider threat. The respondents reported that generic malware led the list of incidents (30 percent) leading to security investigations, followed by targeted malware-based attacks (17 percent), targeted network-based attacks (15 percent), accidental insider incidents resulting in potential threats or data loss (12 percent), malicious insider threats (10 percent), direct nation-state attacks (7 percent), and indirect or hacktivist nation-state attacks (7 percent).

Survey respondents said that the highest priority for the growth and investment of SOCs is to improve the ability to respond to confirmed attacks, which includes the ability to coordinate, remediate, eradicate, learn and prevent reoccurrences.

The report also detailed some of the many ways attackers place Trojans within commonly accepted code to obscure their malicious intent. McAfee Labs identified a variety of approaches to accomplishing this: patching executables on the fly as they are downloaded, through man-in-the-middle (MITM) attacks; bundling “clean” and “dirty” files together using binders or joiners; modifying executables via patchers while seamlessly maintaining normal application use; altering interpreted, open-source or decompiled code; and poisoning the master source code, especially in redistributed libraries.
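Two of the techniques above, on-the-fly patching of a download and binder/joiner bundling, leave traces a downloader can check for before it runs anything: the file's digest no longer matches the one the publisher advertised, and a bundled payload typically sits as an "overlay" appended after the last PE section. The following is an added example (not code from the McAfee report) that performs both checks on a constructed, minimal PE32 image; the pinned digest is assumed to have been obtained out of band, for example from a vendor-published manifest, since a hash served over the same MITM-able channel proves nothing.

```python
"""Integrity triage for a downloaded executable: pinned SHA-256 plus PE overlay check.

Added example, not part of the McAfee Labs report. The sample PE is constructed
in build_sample_pe(); it is a valid PE32 layout but not a runnable program.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

SECTION_HEADER_SIZE = 40


@dataclass
class PeReport:
    sha256: str
    hash_matches: bool
    section_end: int      # file offset just past the last section's raw data
    overlay_bytes: int    # bytes appended after the last section (binders/joiners live here)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_overlay(data: bytes) -> Tuple[int, int]:
    """Return (end_of_last_section, overlay_size) by walking the PE section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)    # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)       # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                  # first section header
    end = 0
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each section header
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    if end > len(data):
        raise ValueError("section table points past end of file (truncated or malformed)")
    return end, len(data) - end


def verify_download(data: bytes, expected_sha256: Optional[str]) -> PeReport:
    """Compare against a digest obtained out of band and report any overlay."""
    digest = sha256_hex(data)
    matches = expected_sha256 is not None and digest == expected_sha256.lower()
    end, overlay = pe_overlay(data)
    return PeReport(digest, matches, end, overlay)


def build_sample_pe(appended: bytes = b"") -> bytes:
    """Constructed minimal PE32: one .text section at file offset 0x200, plus optional appended bytes."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0xE0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)   # PE32 magic, remainder zeroed
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, reloc/lineno ptrs, counts, flags
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (0x200 - len(headers))
    text = b"\xC3" * 0x200   # filler section body
    return headers + text + appended


if __name__ == "__main__":
    clean = build_sample_pe()
    pinned = sha256_hex(clean)                      # digest the publisher advertised (assumed, out of band)
    bundled = build_sample_pe(b"PAYLOAD " * 64)     # what a binder/joiner or an MITM patch leaves behind
    for name, blob in (("clean", clean), ("bundled", bundled)):
        r = verify_download(blob, pinned)
        print(f"{name}: hash_ok={r.hash_matches} section_end={r.section_end:#x} overlay={r.overlay_bytes}")
```

The overlay figure is a triage signal, not a verdict: Authenticode-signed binaries carry their certificate table in the overlay and self-extracting installers legitimately append their archive there, so a non-zero overlay should route a file to closer inspection rather than block it outright. The digest comparison is the check that actually defeats on-the-fly patching, and only if the expected value came from somewhere the attacker could not also rewrite.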

Through the end of the third quarter, the number of new ransomware samples in 2016 totaled 3,860,603, an 80 percent increase in total ransomware samples since the beginning of the year. Beyond the leap in volume, ransomware exhibited notable technical advances in 2016, including partial or full disk encryption, encryption of websites used by legitimate applications, anti-sandboxing, more sophisticated exploit kits for ransomware delivery, and more ransomware-as-a-service developments.

“Last year we predicted that the incredible growth in ransomware attacks in 2015 would continue into 2016,” said Vincent Weafer, vice president of Intel Security’s McAfee Labs. “The year 2016 may indeed be remembered as ‘the year of ransomware,’ with both a huge jump in the number of ransomware attacks, a number of high-profile attacks that generated wide media interest, and significant technical advances in this type of attack. On the other side of the ransomware attacks, greater cooperation between the security industry and law enforcement, and constructive collaboration between industry rivals truly began to deliver results in taking the fight to the criminals. As a result, we expect the growth of ransomware attacks to slow in 2017.”

In the third quarter of 2016, McAfee Labs’ Global Threat Intelligence network registered notable surges in ransomware, mobile malware and macro malware. The count of total ransomware grew by 18 percent in the third quarter and 80 percent since the beginning of the year.

New Mac OS malware skyrocketed by 637 percent in the third quarter, but the increase was due primarily to a single adware family, Bundlore. Total Mac OS malware remains quite low in comparison to other platforms. Across all platforms, growth in new unique malware dropped 21 percent in the third quarter. McAfee cataloged more than 2 million new mobile malware threats in the third quarter; mobile infection rates in Africa and Asia each dropped by 1.5 percent, while Australia's rose by 2 percent.

New Microsoft Office (primarily Word) macro malware continued the increase first seen in the second quarter. The Necurs botnet multiplied its second quarter volume by nearly seven times, becoming the highest-volume spam botnet of the third quarter. McAfee Labs also measured a sharp drop in spamming by Kelihos, which resulted in the first decline in quarterly spam volume observed in 2016.

Global botnet prevalence: Wapomi, which delivers worms and downloaders, remained the most prevalent botnet during the third quarter, though its share declined from 45 percent in the second quarter. CryptXXX ransomware served by botnets jumped into second place; it was responsible for only 2 percent of traffic in the previous quarter.

WWPI – Covering the best in IT since 1980