The NTT Security SERT Q4 ‘16 Threat Intelligence Report

Key points: decline in attacks, challenges in securing the retail industry, and an apparent increase in nation state-sponsored cyberattacks

Danika Blessman

January 26, 2017 - Posted by Danika Blessman to Threat Intelligence


The NTT Security SERT (Security Engineering Research Team) released its Q4 ‘16 Threat Intelligence Report today.

During Q4 ’16, NTT Security researchers observed a noticeable shift in the types of attacks from previous quarters – particularly a much narrower scope of attack vectors. Specific weaknesses, such as Oracle Server Backup in the retail industry and Linux password files in the finance industry, were singled out as targets – likely indicative of criminals identifying specific flaws and crafting attacks to fit, a sign of more sophisticated and directed efforts.

This shift was also evident in an overall 35 percent decrease in total security-related events across client networks from Q3 ’16 to Q4 ’16, including continued declines of 25 percent in reconnaissance and 47 percent in suspicious activity, continuing the downward trend NTT Security researchers predicted in Q2 ’16.

[Figure: Q3 to Q4 Attack Category Differences]

If attackers continue this trend, NTT Security expects Q1-Q2 ‘17 will also be characterized by more focused targeting, as criminals realize the effectiveness of exploiting specific vulnerabilities rather than casting a wide net, which may or may not prove to be profitable.

The retail industry remains an attractive target and has placed in the top three most targeted industries in each of the last eight quarters. Overall, the volume of attacks against retail clients rose by 11 percent from 2015 to 2016. During Q4 ’16, key loggers and spyware accounted for 68 percent of all malware observed across retail clients, as cybercriminals no doubt continue their attempts to collect customer credit card data, since full card details can garner up to $40 per card on the black market.

NTT Security researchers expect to see attackers continuing to narrow their focus, even in opportunistic attacks, for a variety of reasons. These could include a decline in exploit kits, which may have forced attackers to employ other attack vehicles, or a response to the ever-shifting geo-political climate – but all of these reasons likely involve “following the money.” These focused attacks may well turn into longer, persistent campaigns, as evidenced by the fact that the average length of time it takes to discover a breach is 146 days.

Along with the current evolution in attack tactics, there has been an overall increase in media reporting on attacks against U.S. and other Western industries by threat actors sponsored by nation-states, particularly Russia and China. It may very well be that campaigns which started nearly 5 months ago are only now being discovered, and so are coming full circle.

One focus of NTT Security researchers during Q4 ’16 was a probably expected increase in activity appearing to come from Russia, a country already in the news and under considerable scrutiny. Russia rose from tenth in Q3 ‘16 to third in Q4 ’16 among the top non-U.S. attack source countries. NTT Security researchers noted a spike in activity from Russian hosts in the weeks leading up to the U.S. election. Of the activity during this spike, 28 percent appeared to be associated with the RIG exploit kit (EK), likely indicating cybercriminal activity rather than nation-state activity.

[Figure: Russian Federation Activity Timeline]

To further complicate matters, nation-state actors seem to be gravitating toward tactics and techniques used by cybercriminals, likely to hide in the noise or as a smokescreen for other activity. Cybercriminals, in turn, are able to acquire more sophisticated tools as these become more readily available online, and may attempt to appear as a state-sponsored actor to cover their trail as well. It is also quite possible that some of these cybercriminals ARE state-sponsored. As the lines between criminals and nation-states continue to blur, NTT Security cautions clients against jumping to conclusions when attributing attacks: more than the publicly known indicators of compromise (IoCs) is often needed to fully investigate the true nature of an attack.

Download and read the complete Q4 ‘16 Threat Intelligence Report to use this information to help protect your organization from the latest security threats, now and in the future.
