3. 3
The Executive’s Guide to the 2016 Global
Threat Intelligence Report provides insights
on the latest security threats and offers
recommendations for protecting organisations
from cybersecurity incidents as they accelerate
to become digital businesses.
This year’s analysis is based on validated log, attack, incident,
and vulnerability data gathered from across Dimension Data
and NTT’s Managed Security Services platforms, as well as
from NTT’s research sources, including its global honeypots
and sandboxes which are located in over 100 countries.
The Report aggregates threat data from:
• over 3.5 trillion logs
• 6.2 billion attacks
• 8,000 clients worldwide
In addition, the inclusion of data from the 24 Security
Operations Centres and 7 research and development centres
of the NTT Group security companies enables us to provide a
highly accurate representation of the global threat landscape.
Introduction
4. 4
In this section, we analyse global
attack data gathered by NTT Group
security companies during 2015.
2015
attack analysis
5. 5
This continues the trend we’ve observed over the past three
years. During 2013, 49% of attacks originated from within
the US, while that number increased to 56% in 2014.
2.1. Sources of attacks
65% of attacks detected originated
from IP addresses within the US.
Year % attacks from US
% increase
year-on-year
2013 49%
2014 56% 14%
2015 65% 16%
Figure 1: US as a source of attacks
Figure 2: 2015 top attack source countries
Interestingly, China – which was the source of the second-largest number of attacks in 2014 (9%), accounted for only 4% of attacks in
2015. Similarly, Australia – which was in a close third place in 2014, also featured less prominently as a source of attacks in 2015 (1%).
This continues the history of the US serving as a major
source of hostile activity due to the ease of provisioning
and low cost of US cloud hosting services. A significant
number of the detected attacks are targeting US clients,
so attackers often host such attacks locally, in the same
geographic region as their victims, to reduce the chances
they’ll experience potential geolocation blocking or alerting.
While the source IP address is based in the US, the actual
attacker could be anywhere in the world. Due to the ease
with which attackers can disguise their IP addresses, attack
sources can often be more indicative of the country in which
the target is located, or perhaps of where the attacker is
able to compromise or lease servers, rather than where the
attack actually originates.
2015 top attack source countries
0% 10% 20% 30% 40% 50% 60% 70%
US
UK of Great Britain
Turkey
China
Norway
Germany
Netherlands
Sweden
Japan
France
Australia
Russian Federation
Canada
Brazil
Thailand
Other
US
UK
Turkey
China
Norway
Germany
Netherlands
Sweden
Japan
France
Australia
Russia
Canada
Brazil
Thailand
Other
0% 10% 20% 50%30% 60%40% 70%
65%
5%
4%
4%
3%
2%
2%
2%
1%
1%
1%
1%
1%
1%
1%
7%
The top five attack
source countries
accounted for 81%
of all identified
attacks in 2015.
These countries were the US, the UK, Turkey, China, and Norway.
6. 6
In 2015, attacks from addresses based in the UK rose slightly
from 3% to 5% – making this country the primary source of
non US-based attacks.
Turkey emerged as a primary source of attacks; this was
based on a wide variety of attacks and malware delivered
to clients throughout the US and Europe, spread across the
year. Activity from Turkey included several campaigns directed
against government agencies in Europe.
The UK became the number one
source of non-US based attacks.
Other observations:
• We detected attacks from a total of 217 different
countries during 2015.
• 38% of the attacks that originated outside the US
showed IP addresses from the top three source countries.
• Beyond the top 10 source countries, the distribution of
source IP addresses was flat.
Figure 3: 2015 non-US attack source countries
2015 non-US attack source countries
UK
Turkey
China
Norway
Germany
Netherlands
Sweden
Japan
France
Australia
Russia
Canada
Brazil
Thailand
Malaysia
India
Republic of Korea
Ukraine
Italy
Other
0% 2% 4% 10%6% 12%8% 14% 16%
0% 2% 4% 6% 8% 10% 12% 14% 16%
United Kingdom of Great Britain and Northern Ireland
Turkey
China
Norway
Germany
Netherlands
Sweden
Japan
France
Australia
Russian Federation
Canada
Brazil
Thailand
Malaysia
India
Republic of Korea
Ukraine
Italy
Other
7. 7
Figure 4: 2015 attacks by sector
2.2. Attacks by sector
The retail sector showed the highest number of attacks, at just under 11% …
knocking the finance sector out of first place.
Clients in the retail sector experienced nearly three
times as many attacks as those in the finance sector –
which was the target of just 4% of all attacks in 2015,
compared to 18% in 2014.
2015 attacks by sector
Retail
Hospitality,leisure,andentertainment
Insurance
Government
Manufacturing
Telecommunications
Healthcare
Pharmaceuticals
Public
Businessandprofessional
Technology
Transportanddistribution
Non-profit
Finance
Media
Gaming
Legal
Education
12%
10%
8%
6%
4%
2%
0%0%
2%
4%
6%
8%
10%
12%
R
etail
H
ospitality,leisure
InsuranceG
overnm
entM
anufacturing
Telecom
m
unications
H
ealthcare
Pharm
aceuticals
Public
Business
and
Professional
Technology
Transportand
distribution
N
on-Profit
Finance
M
edia
G
am
ing
Legal
Education
11%
10% 9%
8%
7%
7%
6%
6%
5%
5%
3%
2%
2%
2%
4% 4%
4% 4%
The fact that cybercriminals are turning their attention away
from the finance sector – possibly in search of easier or
more lucrative targets – is an interesting development. Retail
companies are becoming increasingly popular targets as they
often process large volumes of personal information, including
credit card data, in highly distributed environments with
many endpoints and point of service devices. Such diverse
environments can be difficult to protect.
8. 8
Attacks related to the hospitality,
leisure, and entertainment sector
increased in 2015.
The hospitality, leisure, and entertainment sector faces
many of the same challenges as the retail sector, as they
also process high volumes of sensitive information including
credit card data. Transactions in the hospitality sector, which
includes hotels and resorts, tend to be sizable, which can
make compromise of those card numbers more attractive
to attackers. The hospitality sector also participates in a
significant number of loyalty plans which include even more
personal information.
This sector fell victim to several high profile breaches during
2015, including properties from Starwood Hotels Resorts,
the Trump Hotel Collection, Hilton Worldwide, Mandarin
Oriental, and White Lodging Services Corporation. Not all of
these were attacked directly; many of the breaches involved
point-of-sale malware directed against providers and retail
companies which offered service on hospitality properties.
The end result targets the same clients, without directly
targeting the property’s information security programme.
2.3. Types of attack
Anomalous activity represented the most common type of
attack and jumped from 20% of all attacks in 2014 to 36%
during 2015.
Figure 5: 2015 attacks by type
Other
Evasion attempts
Client botnet activity
Service specific attack
DoS/DDoS
Network manipulation
Malware
Known bad source
Brute forcing
Application specific attack
Reconnaissance
Web application attack
Anomalous activity
0% 5% 15%10% 30%20% 35%25% 40%0% 5% 10% 15% 20% 25% 30% 35% 40%
Anomalous activity
Web application attack
Reconnaissance
Application specific attack
Brute forcing
Known bad source
Malware
Network manipulation
DoS/DDoS
Service specific attack
Client botnet activity
Evasion attempts
Other 2%
2%
3%
3%
3%
4%
5%
5%
7%
8%
9%
15%
36%
2015 attacks by type
What is?
Anomalous activity: includes privileged access attempts,
exploitation software, and other unusual activity
Web application attacks represented the second highest
volume of attacks, accounting for 15% of attacks, the same
percentage as last year.
Other observations:
• The insurance and government sectors both ranked in
the top five ‘most attacked’ sectors in 2015.
• The manufacturing sector continued to be the target of
significant attacks, consistent with levels experienced in
previous years.
• Overall, clients in the top five sectors experienced over
44% of attacks.
9. 9
Malware jumped from less than
2% of attacks in 2014 to 5%
during 2015.
The volume of denial of service (DoS)
and distributed denial of service
(DDoS) attacks dropped by 39%.
Brute force attacks jumped
135% from 2014 levels.
Malware detection rose gradually throughout 2015,
including a 6% jump during the fourth quarter alone.
This increase in malware was not due to a specific
campaign, malware, or source but resulted from
increases in most malware categories across the
entire year.
Brute force attacks jumped from less than 2% in 2014 to
almost 7% in 2015. Throughout the year, we detected
SSH brute-force attacks across our entire client base, from
75 different source countries. Threat actors are always on
the lookout for ‘low hanging fruit’, the weakest link in the
chain. Weak passwords remain an easy target for hackers
to break into systems. It’s far simpler than creating custom
malware, or building exploits for new vulnerabilities.
It appears this drop was due to a combination of events.
First, attackers simply conducted fewer DoS/DDoS
attacks during 2015 than they had in previous years.
Second, 2015 saw the improved adoption of more
effective DoS/DDoS mitigation techniques and services.
However, extortion based on victims paying to avoid or
stop DDoS attacks became more prevalent.
We also experienced a reduction in the number of
DoS/DDoS incident response engagements, as shown
in the section titled Incident response – many still on
the back foot.
2.4. Vulnerabilities analysis
We compiled vulnerability data for 2015 from clients in every industry sector and geographic location serviced. Vulnerability
results included information from a wide range of scanning data, and from multiple vendor products, including Qualys,
Nessus, Saint, McAfee, Rapid7, Foundstone, and Retina. The findings are based on analysis of any vulnerability with an
assigned common vulnerability scoring system (CVSS) score of 4.0 or higher.
What is?
Denial of service (DoS) and distributed denial
of service (DDoS): attacks which make a machine or
network resource unavailable to intended users; a DDoS
attack originates from many devices at once
What is?
Brute force attack: a trial-and-error method used to
obtain information such as a user password or personal
identification number (PIN)
10. 10
Figure 6: 2015 vulnerabilities by year of disclosure
Our analysis also revealed some interesting vulnerability
trends relating to the finance sector:
• Some of the older vulnerabilities detected in 2015 were
Heartbleed and POODLE.
• Since 2015 included some notable breaches in the finance
sector, Recorded Future1
analysed exploited vulnerabilities
in the finance industry and identified Heartbleed, POODLE,
and a vulnerability tied to Dyreza as the top three.
Finance sector still falling victim to
older, well-known vulnerabilities
• First identified by researchers in June of 2015, updated
versions of Dyreza used CVE-2015-0057 and CVE-2013-3660
to target banking customers using spam campaigns.
• CVE-2014-0160 (Heartbleed) appeared prominent partially
due to linkage with a large financial breach the previous year.
Multiple banks were identified as vulnerable to
CVE-2014-3566 (POODLE) in August 2015 – months
after the exposure of the vulnerability.
Older vulnerabilities remain in client environments: nearly
21% of vulnerabilities are more than three years old.
Along with considering the volume and types of identified
vulnerabilities, we evaluated their ages, as presented in Figure 6.
Over 79% of identified vulnerabilities were disclosed within
the past three years, which means nearly 21% of vulnerabilities
are more than three years old. Continuing the trend from
2015 vulnerabilities by year of disclosure
0% 5% 10% 15% 20% 25% 30% 35% 40%
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
0%
4%
4%
4%
34%
25%
20%
0%
0%
1%
1%
1%
2%
3%
0%
0%
0%
0%
5% 10% 25%15% 30%20% 35% 40%
1
NTT Group has expanded its view of the threat landscape to include findings from some of our key partners, including Recorded Future.
What is?
Dyreza: a banking Trojan that steals user
credentials and attempts to take money from
a victim’s bank account
previous years in which old vulnerabilities are remaining in client
environments, more than 12% of vulnerabilities observed were
more than five years old. We observed vulnerabilities as much
as 16 years old, and over 5% of vulnerabilities were more than
10 years old.
11. 11
Figure 7: 2015 ‘popular’ vulnerabilities in the finance sector
2.5. Malware observations
We analysed malware samples from a wide range
of sources, including:
• security platforms
• incident response investigations
• malware repositories and feeds
• interaction with clients
• privately maintained honeypot networks
The analyses enable us to develop proprietary detection
and prevention signatures.
Source country % of malware
China 32%
Netherlands 18%
Germany 16%
Turkey 8%
Norway 4%
Figure 8: Top five non-US countries as sources of malware
2015 reference counts for the top three vulnerabilities targeting the finance sector
CVE-2014-0160 (Heartbleed)
CVE-2014-3566 (POODLE)
CVE-2015-0057 (via Dyreza)
Vulnerability
Reference counts
0 75 150 225 300
What is?
Malware: a general term for malicious software
including viruses, worms, Trojans, and spyware
Key findings relating to malware:
• We detected malware from 191 different countries
during 2015.
• The US was the source of over 62% of malware detected.
• Almost 79% of all non-US malware originated from the top
five non-US sources.
12. 12
2015 showed a decrease in total
malware volume compared to 2014,
largely due to changes within a single
industry – education.
Malware detection for all
other industries shows an 18%
increase for the year.
The volume of malware detections within the education
industry showed a 94% decrease from 2014 to 2015. This was
after a drop from 2013 to 2014. This most recent drop does
not necessarily represent a decrease in malware as much as it
indicates a shift in the way the education industry managed
their environments. During 2015, educational institution clients
tended to reduce their focus on managing student and guest
environments, and increased their focus on internal, institutional
environments. Less focus on student and guest networks
dramatically decreased the emphasis on the portions of their
networks which have historically been the most vulnerable,
so resulted in drastically fewer logs and events for the entire
education sector.
The majority of this malware increase was a combination of
sustained, elevated activity across several industries throughout
the year:
• Rising from 8% of malware detected in 2014, the
government sector climbed to the top of the list of sectors
affected by malware, as seen in Figure 9.
• This was primarily due to a sustained increase in a large
variety of malware targeting multiple government clients
throughout the year, and included campaigns against
several government agencies in Europe.
Figure 9: 2015 malware by sector
2015 malware by sector
0% 2% 4% 6% 8% 10% 12% 14% 16% 18% 20%
Non-Profit
Gaming
Transport and Distribution
Insurance
Education
Business and Professional Services
Technology
Telecommunications
Public
Pharmaceuticals
Healthcare
Retail
Finance
Hospitality, Leisure and Entertainment
Manufacturing
Government
0% 2% 4% 6% 8% 10% 12% 14% 16% 18% 20%
Government
Manufacturing
Hospitality, leisure and entertainment
Finance
Retail
Healthcare
Pharmaceuticals
Public
Telecommunications
Technology
Business and professional Services
Education
Insurance
Transport and distribution
Gaming
Non-profit
18%
16%
9%
9%
8%
7%
5%
5%
4%
4%
4%
3%
3%
2%
2%
1%
13. 13
The volume of malware detected in the
finance sector rose sharply.
The retail; government; hospitality,
leisure and entertainment; and
manufacturing industry sectors are most
highly victimised across the board.
The total volume of malware detected in the finance sector
increased dramatically, up by over 140% from 2014. Detections
in the finance industry included both long-term sustained
activity and targeted attack campaigns such as the
Dyreza malware.
• Malware detected within the manufacturing sector,
along with the hospitality, leisure and entertainment
sector, both rose over 30% during 2015. These
sectors ranked second and third, respectively, for
malware per client.
• The retail sector also showed a modest increase
over 2014 numbers. Retail clients experienced 8%
of detected malware, making retail the fifth most
affected industry.
These results show the retail; government; hospitality,
leisure and entertainment; and manufacturing industry
sectors appear in both the top five sectors targeted by
malware and the top five sectors targeted by attacks,
making them the most highly victimised of any sectors.
Malware is only one of many attack vectors used, and
can be a key component of modern exploit kits.
We’ll explore our key findings relating to exploit kits in
the next section, where we consider the importance of
end-point security.
Malware is only one of
many attack vectors
used, and can be a key
component of modern
exploit kits.
14. 14
End-point security
remains a key
weakness
End-users are the weakest link …
and the target of most attacks; user
education and training and disciplined
patch management are critical to
raising organisations’ defences.
15. 15
Our analysis of 2015 data points to a lack of focus on
bolstering end-point security and a lack of user awareness
within most organisations … the continuation of a trend
that we’ve observed over the last several years.
This is even more concerning when you consider that
attackers are increasingly targeting end users.
In 2015, spear phishing attacks accounted for
approximately 17% of incident response activities
supported in 2015, up from 2% the previous year.
These types of attacks are typically targeted at individual
users within organisations. The objective is to acquire
information such as user names, passwords, and credit
card details (and indirectly, money) by masquerading
as a trustworthy entity in an electronic communication
such as email. In 2015, many of the attacks were related
to financial fraud and targeted executives and finance
department personnel in retail clients. Attackers often
gained detailed knowledge of the organisational structure
and performed well-crafted social engineering and spear
phishing attacks.
We’ve also noted an increase in attacks related to
internal threats, often involving employees and
contractors. In 2015, internal threats jumped to 19% of
overall investigations compared to the previous year’s 2%.
Vulnerability exposure and remediation time
remain an organisational challenge. Organisations are
slow to patch and inadequately safeguard their assets.
As businesses increasingly adopt and transform their
operations using a digital strategy, this challenge is set to
remain and become even more complex. While new attacks
are constantly emerging, exploitation of old vulnerabilities
and misconfigurations afford attackers the most success.
This is directly attributable to the reality that attackers
exploiting out-of-date software and misconfigurations
continues to outpace organisations’ ability to repair or
replace the same.
Client-side vulnerabilities still remain high and expose
organisations to inherent risk. Again, it seems that
the message that effective patch management involves
remediating both internal and external vulnerabilities, isn’t
getting through. The vulnerabilities that we’ve detected in
Adobe Flash and Internet Explorer represent a case in point.
Securing the endpoint against next-generation threats is
an essential element in a security programme aimed at
reducing and mitigating risk.
The evolving nature of exploit kits also supports the
notion that cybercriminals are keeping end users firmly in
their sights.
All this points to the growing need for organisations to put
end-user and end-point security firmly on their agenda.
In the rest of this section, we review the technologies
targeted by exploit kits in 2015, and provide some
recommendations on how organisations can improve their
end-point security and raise their defences against end-user
related attacks.
What is?
Spear phishing: attempting to acquire
individuals’ information such as user names,
passwords, and credit card details (and indirectly,
money) by masquerading as a trustworthy entity
in an electronic communication such as email
Exploit kit: a malicious toolkit often used
in cybercrime to exploit vulnerabilities in
software applications
Patch management: a systematic process for
installing vendor-supplied software patches
16. 16
Technologies targeted by
exploit kits in 2015:
We’ve tracked unique exploits targeted by popular exploit kits
released in the years 2012-2015. This information, organised
by the technology targeted, is presented in Figure 10.2
There are three clear trends in this data:
• Adobe Flash was the most dominant software targeted in
exploit kits in 2015.
• New Java exploits virtually disappeared from exploit kits
during 2015.
• Internet Explorer exploitation remained consistent.
0%
10%
20%
30%
40%
50%
60%
70%
Java Adobe
Acrobat
Internet
Explorer
Adobe
Flash
Firefox Microsoft
Windows
Silverlight
2012
2013
2014
2015
Other
Figure 10: Technology targeted in exploit kits
Unique vulnerabilities targeted in exploit kits by technology 2012-2015
Exploits are increasingly targeting
end-user technologies.
Exploits can allow attackers to install malicious software
on vulnerable devices. Software exploits take advantage
of unpatched flaws in operating systems and applications.
Exploit kits are software packages commonly sold in hacking
forums and IRC channels, and capitalise on software
exploits for known vulnerabilities across a range of end-user
technologies (Internet Explorer, Adobe Flash, etc.). Exploit kits
are most often delivered via social engineering and phishing
attacks. As a result, they enable attackers to execute
large-scale attacks against vulnerable systems and individuals
without needing a great deal of expertise.
2
This chart includes data from http://contagiodump.blogspot.com, an excellent resource for historical and current exploit kit data.
It also includes data from http://malware.dontneedcoffee.com/, an indispensable source for exploit kit analysis and exploit kit tracking.
17. 17
Figure 11: Adobe Flash vulnerabilities by year
Adobe Flash vulnerabilities discovered by year adapted from cvedetails.com
The trends observed in this graph are discussed below:
• Increase in Adobe Flash targeting – There was a steady
increase in Adobe Flash exploit usage in exploit kits from
2012 to 2014, followed by a dramatic increase in 2015.
Exploit researchers have increasingly focused on Flash after
significant improvements were made to Java security in 2014.
The total number of Flash vulnerabilities identified in 2015
was the highest ever, with an almost 312% increase from
2014, as shown in Figure 11.
- 50 100 150 200 250 300 350
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
0 50 100 250150 300200 350
Flash is in widespread use on the Internet, and is supported
across all modern operating systems. These facts, coupled with
a stream of significant security flaws that have not always been
patched in a timely manner, explain the dramatic shift toward
Flash in exploit kits since 2014.
18. 18
Figure 13: Internet Explorer vulnerabilities by year
2015
2014
2013
2012
2011
2010
2009
2008
2007
2006
2004
2003
2002
2001
2000
1999
0 50 150100 300200 250
0 50 100 150 200 250 300
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
Internet Explorer vulnerabilities published by year adapted from cvedetails.com
Figure 12: Java vulnerabilities by year
Oracle Java JRE vulnerabilities published by year
adapted from cvedetails.com
2010
2011
2012
2013
2014
2015
- 50 100 150 200
2010
2011
2012
2013
2014
2015
0 50 100 150 200
• Decrease in Java targeting – The number of Java
vulnerabilities targeted in exploit kits has decreased
steadily from 2013 to 2015, due at least in part to
security improvements introduced in Java (including
blocking of unsigned applets by default). These security
improvements are reflected in the decrease of Java
vulnerabilities identified over the last two years, as
displayed in Figure 12.
• Consistent targeting of Internet Explorer – Internet
Explorer is still the default browser on Windows
operating systems and is common on end-user systems
in the corporate environment. Internet Explorer
continues to be a target of choice, not only because
it’s common, but because vulnerabilities continue to be
discovered in Internet Explorer at a consistent rate, as
shown in Figure 13.
19. 19
In 2013, only one Adobe Flash exploit was among the 10 most
popular exploits included in exploit kits. In 2014, four Adobe
Flash exploits were included in the top 10. In 2015, the top
10 consist exclusively of Adobe Flash exploits.
Recommendations for bolstering your
end-point and end-user defences and
protecting your organisation from
exploit kits:
Adobe Flash dominates the list of most
popular vulnerabilities targeted in 2015
exploit kits; Java falls off the list.
Ensure effective patch management – Exploit kits typically
use exploits for which patches exist. Exploit kit developers
take advantage of the time between initial vulnerability
disclosure and the implementation of patches by end users or
organisations. Ensuring effective patch management processes
for end-user devices is a critical first step to protect against
exploit kits. Organisations should pay particular attention to
Web browser plugins and technologies such as Adobe Flash.
These do not have the same types of enterprise class rollout
capabilities as Microsoft technologies, and organisations need
to ensure there are tools in place to deploy and measure
adoption of patches.
Social engineering (phishing) training – Exploit kits are
most often delivered via social engineering and phishing
attacks. Standard security awareness training is no longer
adequate for organisations that maintain highly sensitive data.
Organisations should implement real world social engineering
testing for key employees, to confirm their ability to respond
to actual phishing scenarios.
Endpoint protection – Implementation of endpoint protection
can help detect malware dropped on a device by an exploit kit
before significant damage occurs.
Threat intelligence – Threat intelligence services can help
organisations identify vulnerabilities that are being actively
exploited. These services act as a complementary control to
patch management processes, to ensure patching is prioritised
for vulnerabilities that attackers are targeting.
Ad-blocking software – Attackers frequently use malvertising
to lure victims onto exploit kit landing pages. Use of ad-blocking
software, or Web proxies with content filtering, can limit the
effectiveness of this attack approach.
IP reputation services – IP reputation services can warn or
block users from visiting known bad IP addresses and domains.
These services should only be considered a supplemental
control. Addresses of exploit kits are constantly changing
in order to evade detection, and the services are unlikely to
maintain accurate and comprehensive real-time lists of landing
page URLs. Attackers regularly use new IP addresses which have
clean reputations, and ‘bad URL’ lists take time to update.
What is?
Social engineering: gaining unauthorised access
through methods such as personal visits, telephone
calls or social media websites; these attacks primarily
target people and take advantage of human
weaknesses associated with security
Malvertising: malware that appears as a benign
advertisement on a Web page, and is activated when
a user clicks on it
21. 21
Incidents do happen … and when they do, you need to be
prepared to respond. Throughout the year there were many
media headlines due to confidential information being stolen,
denial of service attacks, and insider threats, but the data
we collected in 2015 indicates organisations are not making
focused efforts to prepare for such attacks.
Organisations need to invest not only in detective and
defensive controls, but also in the ability to take action
when an attack is occurring.
In this section we discuss how prepared organisations are, the
types of incidents we’ve observed, and basic steps that should
be considered for an effective incident response.
Lack of investment in preparedness
continues to prevail.
During incident response engagements, we track metrics related
not only to the impact of the incident, but also to how well
organisations are prepared to respond. Unfortunately, many
that engage us for incident support do so because they have
little investment in their own incident response capabilities, do
not have the technical knowledge to respond, or the ability to
attribute the attack back to its source.
2013 2014 2015
No plan Actively Maturing
2013
2014
2015
77
74
79
No formal plan Actively maturing
2123
26
Figure 14: Percentage of organisations that are
preparing response cababilities
Incident preparedness
Organisations need
to invest not only in
detective and defensive
controls, but also in the
ability to take action
when an attack is
occurring.
22. 22
Similar circumstances resulted in the creation of a separate
category for spear phishing attacks. Spear phishing attacks
accounted for approximately 17% of incident response
engagements, up from 2% the previous year. Many of the
attacks were related to financial fraud targeting executives and
finance department personnel in retail clients. Attackers often
gained detailed knowledge of the organisational structure and
performed well-crafted social engineering and spear phishing
attacks. Several of these attacks were focused on duping
organisations into paying phony invoices.
Although 2015 saw the rise of DDoS hacking groups like
DD4BC and the Armada Collective, we again noticed a drop
in DDoS related support compared to the previous two years.
This drop is likely related to a continuing investment in defence
against these types of threats. Adoption of the proper tools
and services for DDoS mitigation is vital to surviving a well-
coordinated attack. There has also been a decline in successful
DDoS attacks, resulting in less support required during 2015.
0%
10%
20%
30%
40%
50%
60%
Malware DDoS Breach Internal
threat
Spear
phishing
43
52
19
31
18
6
17 16
28
2 2
19
2 2
17
5
10 11
Other
2013
2014
2015
Figure 15: Percentage of incidents across three years of data
Percentage by year and incident category
Types of incident response:
Observing the trend of incidents supported since 2013, there
has been little improvement in preparedness. In 2015 there was
a slight increase in organisations that were unprepared and
had no formal plan to respond to incidents. Over the last three
years, an average 77% of organisations fall into this category,
leaving only 23% having some capability to effectively respond.
In 2015, we continued to provide client support focused on
several core incident categories (malware, DDoS and breach
investigations, spear phishing, and internal threats). Within
these areas there were some notable changes from previous
years, including a rise in breach investigations, internal threats
and spear phishing, and a drop in malware and DDoS mitigation
support. In cases where incidents spanned types, they were
categorised according to their most significant threat vector.
Figure 15 presents our incident response engagements from
2013 through 2015.
We measured an increase in breach investigations, with 28%
this year compared to 16% last year, and many of the activities
focused on theft of data and intellectual property. Analysis
indicated these were targeted and not opportunistic attacks.
Due to an increase in attacks related to internal threats,
often involving employees and contractors, we created a
new category for these types of attacks. In 2015, internal
threats jumped to 19% of overall investigations compared to
the previous year’s 2%. Many of these investigations were
the result of internal employees and contractors abusing
information and computing assets, and were initiated by
Human Resource departments.
23. 23
Incidents by vertical market
Incident response recommendations
Although finance was the leading sector for incident response
in our previous annual reports, the retail sector took the lead
this year with 22% of all response engagements, up from 12%.
This matches data that shows retail clients experienced the
highest number of attacks per client, as shown in the ‘Attacks
by sector’ section. The financial sector declined approximately
10% from last year’s observations. Most of the spear phishing
attacks previously discussed focused on the retail sector and
help account for the increase in incident response in this area.
During 2015, we supported many different types of incident
response activities affecting clients in diverse vertical markets.
There are several places where organisations consistently fell
short in their capabilities to respond effectively. The following
recommendations represent only a fraction of what needs to go
into a comprehensive programme and is intended to highlight
some of the common issues observed.
Figure 16: Percentage of incident response engagements by
vetical smarket
Incident response engagements by vertical market
0 5 10 15 20 25
ENERGYUTILITIES
GAMINGENTERTAINMENT
GOVERNMENT
TECHNOLOGY
MANUFACTURING
EDUCATION
BUSINESSSERVICES
FINANCE
RETAILRetail
Finance
Business services
Education
Manufacturing
Technology
Government
Gaming and entertainment
Energy and utilities
0 5 10
22
18
17
15
13
5
4
3
3
15 20 25
• Prepare incident management processes and run
books – Many organisations have limited guidelines
describing how to declare and classify incidents. These are
critical to ensuring a response can be initiated. Depending
on the type of attack, potential impact, and other factors,
response activities will be very different for each. Common
practices for incident response also suggest organisations
should develop ‘run books’ to address how common
incidents should be handled in their environment. For
instance, if DDoS activities are often used against your
organisation, it’s a good investment to create a run book
describing the procedures your response team can follow
based on the tools and capabilities available.
• Evaluate your response effectiveness – We don’t see a
significant number of organisations testing the effectiveness
of their plans. When incidents occur, the last thing you want
is to lack an understanding of standard incident response
operating procedures. Evaluation of preparedness should
include regular test scenarios. Consider post-mortem
reviews to document and build upon response activities that
worked well, as well as areas needing improvement.
• Update your escalation rosters – As organisations grow
and roles change, it’s important to update documentation
related to who is involved in incident response activities.
Time is critical to incident response, and not being able
to quickly involve the correct people can hamper your
effectiveness. Updating contact information for vendors
such as your ISP, external incident response support, and
other providers is just as important.
• Prepare technical documentation – To make accurate
decisions and identify impacted systems you must have
comprehensive and accurate details about your network.
This should include:
• IP ranges and host names
• DNS information
• software and operating system names, versions, and
patch levels
• user and computer roles
• ingress and egress points between networks
Only when you’re prepared to respond to incidents can you
hope to effectively mitigate their impact.
24. 24
Cybercriminals
continue to up
their game
The data we gathered and analysed
in 2015 indicates that cybercriminals’
intentions and capabilities are
increasingly mirroring the goals
of a robust security programme:
survivability and resilience.
25. 25
Cybercriminals are increasingly leveraging malware to
breach perimeter defences: In 2015 we detected an 18%
increase in malware across all industries, with the exclusion
of education.
The frequency and complexity of malware is becoming
more stealthy and sophisticated: While organisations are
developing sandboxes to better understand cybercriminals’
tactics and protect themselves from attacks, malware
developers are just as aggressively developing anti-sandbox
techniques. (Read more about sandboxes later in this section).
Cybercriminals have identified the value in breaching
organisational defences: Rather than engaging in distributed
denial of service activities, hackers are starting to recognise
the intrinsic value in breaching organisational defences
and conducting data and intellectual property exfiltration.
This causes legitimate business to become competitively
disadvantaged and often times financially unviable over the
long term. In 2015, breaches and social engineering activities
increased. Often, this involved the use of malware that enabled
attackers to gain a foothold into the organisation, laterally
move, and maintain persistence once compromised. The longer
an attacker’s ‘dwell time’ in a compromised network, the larger
the opportunity to exfiltratel, commercially and personally
sensitive data.
Sandboxes have become essential analysis systems for detecting
malware and acquiring deep visibility into the behaviour of that
malware. Sandboxes execute suspicious code in a controlled
environment, where they observe malware behaviours such as
network-related activities, file changes, and registry operations.
Although malware developers can easily evade signature-based
and static analysis-based detection methods by using encryption
or polymorphism, sandboxes are able to detect malware by
observing known malicious activities.
5.1. Anti-sandbox techniques
Cybercriminals have shifted attack targeting toward
the retail vertical away from traditional financial
markets: Retail and financial verticals process large volumes
of personal information, and credit card data. This supports
the notion that cybercriminals are targeting less mature
verticals involved in high volume financial transactions.
Gaining access to these organisations enables cybercriminals
to monetise sensitive data in the black market. This points
to the fact that cybercriminals are increasingly motivated
by financial crime and its rewards. Retailers largely rely on
dated security technologies and have not kept pace by
investing in the maturity of their security programmes in line
with the evolving threat landscape. This disparity exposes
retailers to financial and reputation losses, and incentivises
cybercriminals to accelerate their campaigns targeting
businesses in this space.
Cybercriminals are increasingly adopting low-
cost, highly available, and geographically strategic
infrastructure to perpetrate malicious activities: This
can be seen by the increase in US-sourced attacks leveraging
cloud infrastructure and highlights the importance of cloud
security as business migrate towards more flexible, scalable,
and efficient environments.
Knowing that sandboxes are widely used for analysis, attackers
have developed anti-sandbox techniques to evade detection.
Some of these techniques detect the presence of a sandbox
by inspecting specific artifacts related to the sandbox. These
techniques then thwart malware analysis by terminating
malware processes or showing fake behaviour. Another
common anti-sandbox technique uses the act of stalling
execution or waiting for an event such as a reboot.
To ensure researchers can continue effectively using sandboxes
for analysis, it is imperative to gain an understanding of
anti-sandbox techniques attackers are currently using.
What is?
Sandboxes: analysis systems for detecting malware
and acquiring deep visibility into the behaviour of
that malware
26. 26
About
NTT Group Security
NTT Group Security is a portfolio
of operating companies within
the NTT Group – Dimension Data’s
security business, NTT Com Security,
and Solutionary. We function in a
complementary and collaborative
manner while preserving the
services and regional strengths of
each organisation.
27. 27
NTT Group Security develops and delivers a full lifecycle
of security services that draws on our global threat
intelligence capabilities, technology, and security
expertise to:
• help businesses keep pace with the constantly changing
threat landscape
• enhance business and government efforts to protect
social and economic activities globally
Our services:
• security assessment and planning
• risk and compliance management
• security services integration
• security consulting
• managed security services
• cloud security services
• incident response 24/7
• global threat intelligence
nttgroupsecurity.com
