Intel Security’s “McAfee Labs Threats Report: December 2016” Reveals the State of Security Operations Centers, Key 2016 Developments in Ransomware, Difficult-to-Detect Malware

The following video presents McAfee: Together Is Power:
“The McAfee brand is built on the belief that there is power in working together. By enabling protection, detection, and correction to work together, and integrating partner products, we can react to cyberthreats faster.”

“McAfee Labs Threats Report: December 2016” explains:

• how enterprises are using security operations centers (SOCs),
• key 2016 developments in ransomware,
• how attackers are creating difficult-to-detect malware by infecting legitimate code with Trojans and leveraging that legitimacy to remain hidden as long as possible, and
• the growth of ransomware, mobile malware, macro malware, Mac OS malware, and other threats in Q3 2016.

Security Operations Center (SOC)

• A SOC is a facility in which information systems (websites, applications, databases, data centers and servers, networks, desktops, and other endpoints) are monitored, assessed, and defended.

The current state of and future plans for the security operations center

A few years ago, dedicated security operations centers (SOCs) seemed to be going the way of the dinosaur—the era of big rooms with big monitors and teams of analysts seemed ready to be replaced by distributed teams, outsourced, or disbanded entirely. If you were not in the defense department or on Wall Street, many thought, then you did not need a SOC. Then targeted attacks and insider threats moved from movie and government plots to an everyday reality for enterprises. According to an Intel Security survey, 68% of investigations in 2015 involved a specific entity, either as a targeted external attack or an insider threat.
—Douglas Frosst, Barbara Kay, Bart Lenaerts-Bergmans, and Rick Simon
http://www.mcafee.com/ca/resources/reports/rp-quarterly-threats-dec-2016.pdf (pdf)

Variety of SOC models

Companies run SOCs in a variety of styles. The study used the following definitions for five distinct operating models, listed here in increasing order of maturity:

• Virtual SOC: No dedicated facility, part-time team members, reactive; activated only when a critical alert or incident occurs; primary model when fully delegated to a managed security services provider (MSSP).
• Distributed/Co-managed SOC: Dedicated and semidedicated team members; typically operates during standard business hours (8 hours per day/5 days per week); co-managed if used with an MSSP.
• Multifunction SOC/NOC: Dedicated facility with a dedicated team performing not just security, but other critical IT operations 24/7 from the same facility to reduce costs.
• Dedicated SOC: Fully in-house, 24/7 operations with dedicated facility and a dedicated team.
• Command SOC: Coordinates other SOCs, provides threat intelligence, situational awareness and additional expertise; typically not involved in day-to-day operations.

This distribution of SOC implementations has several implications. The majority operate at or past the midpoint of SOC maturity, progressing toward the goal of a proactive and optimized security operation. However, more than a quarter (26%) still operate in reactive mode, with ad-hoc approaches to security operations, threat hunting, and incident response. This can significantly extend detection and response times, leaving the business at greater risk of significant damage, as well as facing a higher cleanup cost.
http://www.mcafee.com/ca/resources/reports/rp-quarterly-threats-dec-2016.pdf

PRESS RELEASE

McAfee Labs Report Finds 93% of Security Operations Centre Managers Overwhelmed by Alerts and Unable to Triage Potential Threats

Security Operations Center Survey Respondents Acknowledge Inability to Keep Up with Cyber Security Alerts or Triage Relevant Events for Investigation

NEWS HIGHLIGHTS

• Enterprise security operations centre survey found 93% of respondents acknowledged being unable to triage all potential cyber threats.
• On average, organizations are unable to sufficiently investigate 25% of security alerts.
• 67% of respondents reported an increase in security incidents.
• 26% acknowledge operating in a reactive mode despite having a plan for a proactive security operation.
• New ransomware samples increased 80% since the beginning of 2016.
• Bundlore adware drove a 637% surge in new Mac OS malware in Q3, but total Mac OS samples still remain quite low.

SANTA CLARA, Calif., December 13, 2016 – Intel Security today released its McAfee Labs Threats Report: December 2016, which provides insights into how enterprises are using security operations centers (SOCs), details key 2016 developments in ransomware, and illustrates how attackers are creating difficult-to-detect malware by infecting legitimate code with Trojans and leveraging that legitimacy to remain hidden as long as possible. The December report also details the growth of ransomware, mobile malware, macro malware, Mac OS malware, and other threats in Q3 2016.

“One of the harder problems in the security industry is identifying the malicious actions of code that was designed to behave like legitimate software, with low false positives,” said Vincent Weafer, Vice President of Intel Security’s McAfee Labs. “The more authentic a piece of code appears, the more likely it is to be overlooked. Just as 2016 saw more ransomware become sandbox aware, the need to conceal malicious activity is driving a trend toward ‘Trojanizing’ legitimate applications. Such developments place an ever greater workload on an organization’s SOC—where success requires an ability to quickly detect, hunt down, and eradicate attacks in progress.”

The State of the SOC in 2016

In mid-2016, Intel Security commissioned a primary research study to gain a deeper understanding of the ways in which enterprises use SOCs, how they have changed over time, and what they will look like in the future. Interviews with nearly 400 security practitioners across several geographies, industries, and company sizes yielded valuable information on the state of the SOC in 2016:

• Alert overload. On average, organizations are unable to sufficiently investigate 25% of their security alerts, with no significant variation by country or company size.
• Triage trouble. While most respondents acknowledged being overwhelmed by security alerts, as many as 93% are unable to triage all potential threats.
• Incidents on the rise. Whether from an increase in attacks or better monitoring capabilities, 67% of respondents reported an increase in security incidents.
• Cause of the rise. Of the respondents reporting an increase in incidents, 57% report they are being attacked more often, while 73% believe they are able to spot attacks better.
• Threat signals. The most common threat detection signals for a majority of organizations (64%) come from traditional security control points, such as antimalware, firewall, and intrusion prevention systems.
• Proactive vs. reactive. The majority of respondents claim to be progressing toward the goal of a proactive and optimized security operation, but 26% still operate in reactive mode, with ad-hoc approaches to security operations, threat hunting, and incident response.
• Adversaries. More than two-thirds (68%) of investigations in 2015 involved a specific entity, either as a targeted external attack or an insider threat.
• Causes for investigation. The respondents reported that generic malware led the list of incidents (30%) leading to security investigations, followed by targeted malware-based attacks (17%), targeted network-based attacks (15%), accidental insider incidents resulting in potential threats or data loss (12%), malicious insider threats (10%), direct nation-state attacks (7%), and indirect or hacktivist nation-state attacks (7%).

Survey respondents said that the highest priority for SOCs growth and investment is to improve the ability to respond to confirmed attacks, which includes the ability to coordinate, remediate, eradicate, learn, and prevent reoccurrences.

For more information on McAfee Labs research into the state of SOCs, please see “Do you need to pull up your SOCs?”

Emergence of “Trojanized” Legitimate Software

The report also detailed some of the many ways in which attackers place Trojans within commonly accepted code in order to obscure their malicious intent. McAfee Labs identified a variety of approaches to accomplishing this:

• Patching executables on the fly as they are downloaded through man-in-the-middle (MITM) attacks
• Bundling “clean” and “dirty” files together using binders or joiners
• Modifying executables via patchers, seamlessly maintaining application use
• Modifying through interpreted, open-source, or decompiled code
• Poisoning the master source code, especially in redistributed libraries

For more information on the Trojanization of legitimate software, please see Trojanization is on the rise.

2016: The Year of Ransomware?

Through the end of Q3, the number of new ransomware samples this year totaled 3,860,603, leading to an increase of 80% in total ransomware samples since the beginning of the year. Beyond the leap in volume, ransomware exhibited notable technical advances in 2016, including partial or full disk encryption, encryption of websites used by legitimate applications, anti-sandboxing, more sophisticated exploit kits for ransomware delivery, and more ransomware-as-a-service developments.

“Last year we predicted that the incredible growth in ransomware attacks in 2015 would continue into 2016,” Weafer said. “The year 2016 may indeed be remembered as ‘the year of ransomware,’ with both a huge jump in the number of ransomware attacks, a number of high profile attacks that generated wide media interest, and significant technical advances in this type of attack. On the other side of the ransomware attacks, greater cooperation between the security industry and law enforcement, and constructive collaboration between industry rivals truly began to deliver results in taking the fight to the criminals. As a result we expect the growth of ransomware attacks to slow in 2017.”

For more information on the developments in the ransomware space, please see A Year at Ransom.

Q3 2016 Threat Activity

In the third quarter of 2016, McAfee Labs’ Global Threat Intelligence network registered notable surges in ransomware, mobile malware, and macro malware:

• Ransomware. The count of total ransomware grew by 18% in Q3 2016 and 80% since the beginning of the year.
  Mac OS malware. New Mac OS malware skyrocketed by 637% in Q3, but the increase was due primarily to a single adware family, Bundlore. Total Mac OS malware remains quite low in comparison to other platforms.
• New Malware. The growth of new unique malware dropped 21% in Q3.
• Mobile malware. We cataloged more than two million new mobile malware threats in Q3. Infection rates in Africa and Asia each dropped by 1.5%, while Australia increased by 2% in Q3.
• Macro malware. New Microsoft Office (primarily Word) macro malware continued the increase first seen in Q2.
• Spam botnets. The Necurs botnet multiplied its Q2 volume by nearly seven times, becoming the highest-volume spam botnet of Q3. We also measured a sharp drop in spamming by Kelihos, which resulted in the first decline in quarterly volume we have observed in 2016.
• Worldwide botnet prevalence. Wapomi, which delivers worms and downloaders, remained number one in Q3, declining from 45% in Q2. CryptXXX ransomware served by botnets jumped into second place; it was responsible for only 2% of traffic last quarter.

For more information on these trends, or more threat landscape statistics for Q3 2016, visit www.mcafee.com for the full report.

For guidance on how organizations can better protect their enterprises from the threats detailed in this quarter’s report, visit Enterprise Blog.

About McAfee Labs

McAfee Labs is the threat research division of Intel Corporation’s Intel Security Group, and one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. The McAfee Labs team of researchers collects threat data from millions of sensors across key threat vectors—file, web, message, and network. It then performs cross-vector threat correlation analysis and delivers real-time threat intelligence to tightly integrated McAfee endpoint, content, and network security products through its cloud-based McAfee Global Threat Intelligence service. McAfee Labs also develops core threat detection technologies—such as application profiling, and graylist management—that are incorporated into the broadest security product portfolio in the industry.

About Intel Security

McAfee Labs is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security and unique McAfee Global Threat Intelligence, Intel Security is intensively focused on developing proactive, proven security solutions and services that protect systems, networks and mobile devices for business and personal use around the world. Intel Security is combining the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. The mission of Intel Security is to give everyone the confidence to live and work safety and securely in the digital world. www.intelsecurity.com