2012 Sophos security report: The threat landscape

Patrick Lambert breaks down the threat types that the Sophos 2012 security report identified in their annual survey. What's still around and what threats are on the rise?

Sophos, a well-known security firm, published its annual security threat report for 2012 last week. In it, the company goes over some of the topics we've become familiar with. Hacks and malware infections aren't new and they aren't going away soon. But the threat model is evolving and ever changing, based on where the juiciest targets are and what makes more sense for cybercriminals to use.

Before, we used to see email as the primary vector for infection, whether it was phishing emails trying to get people to click on a link, a message carrying a payload like embedded JavaScript, or a Word or PDF document trying to exploit a vulnerability in software. But now, email isn't such a target anymore. Email clients have become much better at protecting users, and so have gateways and spam-scanning services. Today, the web is the main vector of attack, but perhaps not for long. With the increasing activity of hacktivists, the advent of cloud services of all types, and of course the mobile landscape, newer threats are emerging, and so the IT community must adapt.

Anonymous and other hacktivist groups

Hacktivism is something we didn't hear much about before 2011. The concept is simple: a group of individuals, who may or may not be all that technically savvy, decide to cause trouble in the name of some cause -- as opposed to simply getting money from it. The media focused on Anonymous and LulzSec throughout the year, and the idea of thousands of people sitting behind their computers and flooding "evil" corporations and governments became more than a good movie plot. Their effectiveness is pretty hard to deny, with many sites being brought down at various times, confidential information being stolen and published online through WikiLeaks and others, and mass protests against oppression leading to the disruption of major networks. But beyond the hype, it's important to remember that these attacks use new tactics that can be employed by the masses: easy-to-use denial of service tools, scripts that can exploit a vulnerable website at the click of a button, and exploit frameworks that can be downloaded by anyone.

Another interesting point that the report makes about hacktivism is that because their motivation is different, political versus financial, they can't be analyzed the same way. It used to be that a corporation would secure itself based on how much financial incentive someone would have to gain access, but now that model has changed. For example, a typical bank would be constructed with a heavy vault, and many security measures on the reinforced steel door. But its offices would tend to be located behind a simple locked door. This made sense, because thieves would go for the money, so that's where the protection was. Now, hacktivists don't care about financial gains. They go for the offices, where the compromising paperwork might be, or in our digital world, the file servers, as opposed to the secure transaction servers. Data theft and loss can also lead to other problems, like identity theft and loss of reputation. So if your corporation thought about placing heavy security on its website, shopping cart and payment processing system, but left its email and file servers wide open, that's a problem -- something several corporations learned the hard way in 2011, and it's likely to get worse in 2012.


On the malware front, the report reminds us that even three years after having been released, the Conficker worm remains widespread on the net, representing 14.8% of all infection attempts seen by Sophos customers in the last six months. They also point out that proactive detection, or using heuristics to find malware before it can even be fingerprinted, is still a very useful tool. Any antivirus software in use should have some type of heuristic function, because that allows future malware to be detected based on patterns. Relying on getting a good fingerprint first leaves a window of opportunity for the malware to strike. According to their data, 80% of unique malware seen by their customers was detected by this proactive detection. Since the web is the primary vector of infection these days, to reduce the risk of malware infection, corporations and individuals should deploy protection technologies at the network level that can detect malware on compromised sites and respond quickly to emerging malware domains and URLs.

The report then goes on to recount some of the major security events that we've seen in the past year, such as the Rustock botnet being brought offline by Microsoft and U.S. authorities in March, which led to a significant decrease in spam. The report also highlighted the fact that targeted attacks aren't just going after government targets anymore; even small companies can be targeted by social engineering, or by crafted emails with a payload designed to infect a particular network.

Looking ahead

As for current and upcoming threats, they point out that while fake antivirus programs are on the decline, drive-by downloads are on the rise, with Blackhole, a popular crimeware kit sold to cybercriminals, being one of the most insidious ones. This product injects a large amount of obfuscated code into compromised websites, and is very aggressive in its attempts to hide and stay undetected. There's no doubt that these more complex attacks will keep spreading, and IT professionals will need to stay on guard for new and evolving threats.
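
To make the fingerprint-versus-heuristic point from the malware section concrete for the obfuscated script injection described above, here is an added sketch (not from the Sophos report or the original article). The samples are constructed and inert, and the rule names, weights and threshold are assumptions chosen for illustration.

```python
import hashlib
import re

# Constructed, inert samples: SAMPLE_B is SAMPLE_A with one variable renamed.
SAMPLE_A = '<script>var q="' + "%41%42%43" * 60 + '";eval(unescape(q));</script>'
SAMPLE_B = SAMPLE_A.replace("var q", "var z").replace("unescape(q)", "unescape(z)")
BENIGN = '<script>function greet(name){ return "Hello, " + name + "!"; }</script>'

# Fingerprint database: only the variant analysts have already seen.
KNOWN_HASHES = {hashlib.sha256(SAMPLE_A.encode()).hexdigest()}

def signature_match(content: str) -> bool:
    """Exact-fingerprint check: any one-byte change defeats it."""
    return hashlib.sha256(content.encode()).hexdigest() in KNOWN_HASHES

# Hypothetical heuristic rules: (name, pattern, weight).
HEURISTICS = [
    ("eval of decoded data",
     re.compile(r"eval\s*\(\s*(unescape|atob|String\.fromCharCode)"), 3),
    ("long encoded run",
     re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){40,}"), 2),
    ("very long string literal",
     re.compile(r"""["'][^"']{400,}["']"""), 1),
]
THRESHOLD = 4  # assumed cut-off; a real product tunes this against false positives

def heuristic_score(content: str):
    """Return (total weight, names of the rules that fired)."""
    hits = [(name, weight) for name, rx, weight in HEURISTICS if rx.search(content)]
    return sum(w for _, w in hits), [n for n, _ in hits]

def classify(content: str) -> str:
    if signature_match(content):
        return "known (fingerprint)"
    score, _ = heuristic_score(content)
    return "suspicious (heuristic)" if score >= THRESHOLD else "clean"

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("benign", BENIGN)):
        print(label, classify(sample), heuristic_score(sample))
```

The renamed variant no longer matches the stored fingerprint, but the same pattern rules still fire on it, which is the window heuristics are meant to close.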