Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
In my travels abroad over the years, I have had the great opportunity to meet with many enterprise customers to discuss the evolving threat landscape. In addition to helping inform customers, these meetings have provided me with an opportunity to learn more about how customers are managing risk within their environments. Many of these customers are interested in learning about the top threats found in enterprise environments. Visibility into what threats are most common in enterprise environments helps organizations assess their current security posture and better prioritize their security investments. Given the high level of interest in this information, I thought it would be helpful to take a close look at the top 10 threats facing enterprise customers based on new intelligence from the latest Microsoft Security Intelligence Report (SIRv15).
The latest report found that in the enterprise environment, on average about 11% of systems encountered malware, worldwide between the third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13). The “encounter rate” is defined as the percentage of computers running Microsoft real-time security software that report detecting malware - typically resulting in a blocked installation of malware. This is different from the number of systems that actually get infected with malware, a measure called computers cleaned per mille (CCM).
Figure 1 (left): The malware encounter rates for consumer and enterprise computers, 3Q12-2Q13. Figure 2 (right): The quarterly trends for the top 10 families detected by Microsoft enterprise security products, 3Q12-2Q13, by percentage of computers encountering each family in 2Q13.
When we look at the top 10 enterprise threats worldwide from the list above, it gives us insight into the most common ways in which enterprise organizations are coming into contact with malware today. Based on this list, there are three primary methods in which enterprises are encountering malware:
Malicious or Compromised WebsitesBy the end of 2012, web-based attacks had surpassed traditional network worms to become the top threats facing enterprises. The latest Security Intelligence Report shows this trend is continuing in the first half of 2013.
Figure 3: The quarterly trends for the top 10 families detected by Microsoft enterprise security products, between the third quarter of 2012 and the second quarter of 2013, by percentage of computers encountering each family
In fact, in 2Q13 six out of the top ten threats facing enterprises were associated with malicious or compromised websites. These threats include JS/Seedabutor, HTML/IframeRef, Win32/Sirefef, JS/BlacoleRef, Java/CVE-2012-1723 and Blacole. Computer users in organizations typically come into contact with these types of malicious or compromised websites unexpectedly when browsing the web while using their organization’s systems.
For example, in the case of HTML/IframeRef, attackers have built automated systems that probe websites to identify and infect vulnerable web servers. Once compromised, an infected server can then host a small, seemingly benign, piece of code that is used as a redirector. However, this code is part of a chain, and when victims visit the website, the redirector can serve malicious pages from another malicious server to infect the victim with malware. You can read about the mechanics of this type of attack in a series of articles I wrote previously:
What You Should Know About Drive-By Download Attacks - Part 1
What You Should Know About Drive-By Download Attacks – Part 2
Once a system is compromised with malware, it not only disrupts the infected machine but also has the potential to cause harm to the systems it interacts with. The infected system may be used to spread malware both inside and outside the organization, and steal information such as intellectual property.
Network Drives, Autorun, Weak PasswordsWhile web-based attacks have become the most common threats facing enterprises, worms cannot be ignored. In 2Q13 three out of the top ten threats facing enterprises were associated with worms (Win32/Conficker, INF/Autorun, Win32/Dorkbot). Worms are commonly spread through network drives, abusing the Autorun feature or exploiting weak passwords.
For example, the Conficker worm is commonly spread by exploiting weak passwords. The worm uses a built-in list of common or weak passwords to attempt to compromise other computers in addition to stealing the credentials of any user that logs into the infected system. Passwords such as “admin,” “admin123,” “administrator,” “default,” “test,” “12345” and even “security” are part of Conficker’s list of passwords. Once Conficker compromises a systems it can steal the credentials of an IT administrator to spread on the internal network. Here’s how Conficker spreads using this technique:
Social EngineeringThe third most common way in which enterprise organizations are encountering malware, based on the latest threat intelligence, is through social engineering; Win32/Obfuscator is an example of this. Cybercriminals will try to hide the malware using deceitful tactics to trick you into installing it. There are a number of ways this may occur.
For example, a compromised system may be used by attackers to send out erroneous emails, friend requests or instant messages which contain links to malicious sites or malware. Another common way in which attackers try to trick people into installing malware is by bundling it with popular software, movies or music that can be downloaded online. We talked about this method in detail when we released the Microsoft Security Intelligence Report Volume 13.
The good news is that there are effective mitigations and best practices that can be used to help to protect enterprises:
Of course, there is plenty of other data and guidance in the latest Microsoft Security Intelligence Report; it is designed to provide prescriptive guidance which can help our customers manage risk and protect their assets. If you are responsible for managing risk for your organization, then I encourage you to download it today at www.microsoft.com/sir to learn about the latest threat trends.
Tim Rains DirectorTrustworthy Computing