eSentire 2019 Threat Intelligence Spotlight: United Kingdom (U.K.)

Cyberattacks against businesses in the U.K. are becoming more frequent, more sophisticated and more successful as the arms race continues between adversaries and targets.


This report shares actionable intelligence to those responsible for defending valuable business targets. Readers will gain a better understanding about the nature of cyberattacks in the U.K. and be more prepared to implement defensive measures needed to protect their infrastructure, data and customers.

Going forward, threat actors will continue to evolve their techniques and increase attack volume. In order for U.K. businesses to prepare for what is next, this report serves as required reading to identify what we are doing well and what we need to do better.

Content Summary

Introduction
Growth in Attacks
Exploits
Malware
Phishing
Industry Trends in the U.K.
Takeaways and Recommendations
Methodology
References

Introduction

For several years, eSentire has published globally focused Threat Reports based on data from our Security Operations Centres (SOCs) that monitor 650-plus customers around the world. Over the last two years, eSentire’s European business has grown by over 90 percent to 120-plus customers across 10 European markets. The bulk of this growth has come from the United Kingdom (U.K.). This expanded European footprint delivers a sample size large enough to publish a dedicated U.K. Threat Report for the first time.

Globally, Managed Detection and Response (MDR) is a rapidly growing segment of the security market, but it is still one that is seeing early adoption in some regions and verticals. According to research from Gartner, five percent of organisations are currently using MDR services and that is predicted to increase to 15 percent by 2020.

Because of the need to protect sensitive business data, industries such as finance and legal were among the earliest adopters of eSentire’s MDR services, and as such, these industries represent the majority in this report’s dataset. This report leverages eSentire’s anonymised customer network traffic and is being released to complement survey data from private and public sector sources that already exist. One such example is the Department of Digital, Culture, Media and Sport’s 2019 Cyber Security Breaches Survey, which revealed that 60 percent of medium businesses and 61 percent of large businesses reported having a breach in 2018. While the incident rates discussed in this report are slightly lower than what is reported in the U.K. Government’s survey, this is largely driven by the fact that the eSentire customer base is typically more mature in its security posture than a small or medium business which does not have a dedicated managed security service.

The analysis of the cyber threats revealed by eSentire in this report is valuable for security practitioners, IT decision makers and senior executives tasked with protecting business data for companies based solely in the U.K. It also is applicable for the growing number of international businesses with customers, employees and offices in the region who want to better understand the threat landscape.

Growth in Attacks

In 2018, eSentire observed that the use of botnets increased by 500 percent when compared to 2017. As first reported in eSentire’s Q2 2018 Quarterly Threat Report, a significant degree of this traffic appears to come from compromised servers distributed throughout the globe. This observation is consistent with recent trends whereby threat actors initiate multistage attacks to compromise low-hanging, low-value devices for which there is no immediate opportunity for monetary gain. Once these devices are compromised however, they become a small piece of a larger-scale attack infrastructure that can be leveraged when it is more likely to yield a financial benefit for the threat actor.

Figure 1: Change in Observed Event Types Between 2017 and 2018 - U.K.

In the U.K., this increase in global botnet activity drove significant increases in the number of exploit (190 percent), malware (45 percent) and scanning (15 percent) detections observed by eSentire during 2018. The only attack type to decrease in observed incidents was phishing, which nonetheless remains a significant threat to U.K. businesses.

Figure 2: Observed Incident Rates - All Attack Types

An examination of eSentire’s observed incident data reveals that the increased amount of malicious activity across the globe caused almost 40 percent of U.K. businesses to experience at least one form of cybersecurity incident during the last year. When benchmarked against eSentire’s customer base, the U.K. has a slightly higher incident rate than the global average (38 percent). While not a statistically significant difference, a deeper dive into these different event types reveals that there are some event types that businesses in the U.K. appear to be better at preventing (phishing and malware), but there are other types where they lag behind.

Exploits

In 2018, businesses in eSentire’s U.K. customer base saw a 190 percent increase in observed exploits driven primarily by the targeting of web servers and routers.

Figure 3: Observed Web Server Exploit Attempts - U.K. (2018).

When examining U.K. web server exploits, attacks on Microsoft’s web server solution known as Internet Information Services (IIS) are a constant fixture in hostile internet background radiation. Only a handful of clients were susceptible to this type of exploit, but when they were, typically only the server hosting the company’s webpage was impacted. This lack of susceptibility means that sensitive business data was, in most instances, not breached because most companies opt to host their websites in an environment completely separate from their internal operational network.

Throughout 2019, we expect web servers will continue to be a favourite target in the U.K. and around the world as their exposure to the internet makes them an easy target for threat actors. To limit the damage of future attacks, it is essential for businesses to keep financial and operational networks isolated from public web servers to reduce the risk of critical systems being compromised.

Figure 4: Observed IoT and Router Exploit Attempts - U.K. (2018).

In addition to web servers, home routers have also been the subject of continuous targeting as vulnerabilities and exploits are regularly published. When exploits are made publicly known, botnets can quickly execute successful exploitation campaigns because of the vast quantity of routers that are deployed globally. In the U.K., attacks associated with a variant of the Mirai botnet that specifically targeted D-Link routers were the most observed exploit incident, with spikes in detections following the publication of exploits in July and October of 2018.

Figure 5: Observed Exploit Attempts

An examination of eSentire’s U.K. customer base reveals that 27 percent of businesses experienced at least one attempted exploit attack between February 2018 and February 2019. The nuance here is important because an attempted exploit attack does not necessarily mean a successful one, as many businesses purposely leave assets exposed to the Internet in order to conduct their daily business operations.

Attempted exploit attacks are the only attack type where the U.K. observed rate is ahead of the global average of eSentire’s customer base, by just over one percent. The spread between the global average and what occurred in the U.K. is not significant, but it should still serve notice to U.K. businesses to thoroughly examine any exploitable services on internal networks that are reachable from the internet.

Malware

In the U.K., 87 percent of malware incidents observed by eSentire in 2018 were classified by the SOC as malicious documents, or MalDocs. In most instances, the MalDocs detected were disguised as invoices or missed-payment notifications that attempt to entice employees to download and execute a payload which can carry out further malicious objectives once inside a network.

Figure 6: Malware Incident Share - U.K. (2018)

One interesting observation from our 2018 dataset is the lack of detected coin mining malware in eSentire’s U.K. customer base. Coinmining malware mines cryptocurrency (typically Monero) directly on infected endpoint devices (CoinMiner) or in web browsers (Coinhive) when a user visits a website running malicious code. Once infected, the coin mining malware silently mines cryptocurrency while consuming a significant amount of processor cycles, resulting in devices with sluggish performance and reduced battery life. In eSentire’s 2018 Annual Threat Report, we observed that coin mining malware experienced a 1,500 percent increase worldwide when compared to rates observed in 2017, but the U.K. only experienced a handful of observed incidents. This lack of coin mining malware detections may be partially driven by the smaller sample size of eSentire’s U.K. customer base, but it is a phenomenon that may warrant additional investigation in future reports.

Figure 7: Observed Malware Incidents

An examination of detected malware threats in the U.K. shows that in the last 12 months, 13 percent of eSentire’s U.K. customers experienced some form of malware incident, compared to the global average of 17 percent. It is difficult to determine the exact cause for the gap, but one consideration for the difference is the higher concentration of regulated industries, such as finance, that make up eSentire’s U.K. customer base. Because these industries often have more mature security hygiene, they are also likely to have more robust security training for their employee base, which will usually include a focus on email and web browsing best practices. With the most commonly observed methods for deploying malware originating via email and browsing, this training may be helping to protect U.K. businesses from experiencing higher rates of malware incidents observed in other parts of the world.

Phishing

As part of eSentire’s global reports, DocuSign, Office365 and OneDrive have remained consistently popular phishing lures throughout 2018. In the U.K., however, the highest success rate came from lures mimicking Dropbox logins. In this instance, they were able to successfully entice users to submit credentials at a higher rate vs. other phishing lures that got users to open an email and click a link.

Figure 8: Observed Phishing Rates - U.K. (2018).

For a phishing attack to be successful, a user typically must be enticed into action three times. First, the user has to be convinced to open the email. Second, the user must click a link in the email. Finally, they must submit their credentials on a website that typically simulates the look and feel of a legitimate site. That Dropbox credential submissions (step three) occurred at a higher rate than other lures reached step two reveals that threat actors have been able to accurately recreate the look and feel of both Dropbox emails and its website.

For businesses that store sensitive data in cloud storage, the success rate of the Dropbox campaign should be an eye-opening observation, as one compromised Dropbox account could give threat actors access to a company’s entire cache of sensitive files.

This should also be a revelation for businesses that do not use Dropbox (or other cloud storage services) as a corporate tool because the reality is that many employees may be using personal cloud storage services to store business files in the cloud. Additionally, because personal accounts for services such as Dropbox do not come with additional security measures such as Active Directory authentication or mandatory two-factor authentication (2FA), data stored in personal clouds may be even more susceptible to being accessed by unauthorized users.

Figure 9: Observed Phishing Lures by Industry - U.K. (2018).

eSentire’s data reveals that when looking at phishing at an industry level, marketing agencies received a significant number of Apple-related lures in 2018. This concentration of Apple lures in an industry perceived to have a high number of Apple desktops and laptops reveals that threat actors are customising lures to specific sectors in an attempt to improve their success rate. This ability to tailor lures to specific industries based on knowledge of their internal tools highlights the importance of training staff to recognise possible phishing attempts, and of being able to detect and respond to threats in near real-time. It also underscores that, while there is sometimes a perception among users that Apple devices (iPhones and Macs) are more secure at a system level, the web browsers on these devices make them no less susceptible to a phishing attack.

Figure 10: Observed Phishing Incidents

An examination of observed phishing incidents, which includes both the submission of credentials to an illegitimate site and clicking on known phishing links, reveals that nearly 10 percent of U.K. businesses experienced a successful phishing incident in the last 12 months. Like malware, this rate is below the observed average of 12 percent across eSentire’s global customer base. Also like malware, it is difficult to pinpoint an exact reason why U.K. businesses fall for phishing attempts at a significantly lower rate than the worldwide average, but our central hypothesis remains that employees at eSentire’s core customer verticals may receive more security training because of the regulated industries they conduct business in.

Figure 11: Comparison of Observed Incident by Industry - U.K.

A comparison of the most affected industries within eSentire’s U.K. customer base reveals little change between 2017 and 2018. This is primarily driven by the fact that eSentire’s current customer base mix, dominated by the financial industry, remained the same in both years. However, an interesting observation is that the total number of alerts continues to increase even as U.K. businesses continue to evolve their security posture as a result of recent U.K. regulatory initiatives. These initiatives include GDPR and new legislation implemented in May 2018 that imposes a hefty fine on critical national infrastructure (CNI) companies, such as financial and technology firms, that fail to protect against loss of service due to cyberattacks.

Figure 12: Normalized Comparison of Observed Incident by Industry - U.K.

When eSentire’s industry data is normalized to a per sensor basis (a network sensor is deployed at each eSentire customer site to enable our MDR service), a clearer picture of how specific industries are impacted is revealed. Specifically, in the U.K., the marketing and manufacturing industries were recipients of the highest number of incidents on a per site basis in 2018.

For the casual reader of this report, marketing agencies may not be considered a prime target for cyberattacks, but it is important to remember that marketing agencies often will be contracted to work on marketing campaigns well in advance of the release of a new product or service. If a threat actor is able to access this sensitive product or service information before a public launch, this information could be sold to a competitor or used to trade stock using knowledge that has not yet been disclosed to the public.

Attacks on IoT Devices

In 2018, eSentire Threat Intelligence observed a growing trend in IoT exploits targeting cameras, door controllers, surveillance equipment and media devices throughout our global customer base. In the U.K., the vast majority of the observed exploits specifically impacted devices manufactured by AVTech, a leading manufacturer of video surveillance and monitoring equipment.

Figure 13: Observed IoT Exploit Attempts - U.K. (2018).

Significant annual growth in Internet-connected devices drives up the number of exploitable endpoints. The best way to prevent IoT devices from being exploited is to ensure that default credentials are changed and firmware is continuously updated. From an IT administration standpoint, it may be easiest to use default or shared credentials when deploying devices en masse, but taking the extra time to secure each device upon deployment will prevent future security incidents.

Another strategy to consider when procuring IoT devices is to purchase from known vendors with a track record of providing regular firmware and security updates. In recent years, there has been an influx of commoditised white-label hardware available from wholesalers such as Alibaba and Amazon resellers. While the discounted upfront cost is appealing, these companies do not always have a track record of supporting devices and the long-term damage of a security breach caused by an unpatched device will quickly outweigh initial upfront cost savings.

Takeaways and Recommendations

eSentire Threat Intelligence has several recommendations that organisations can implement to prevent their networks from being compromised by common types of attacks.

Email-based Attacks (Phishing and Malware)

Email is one of the most common attack vectors observed by eSentire. Reducing this attack surface will protect U.K. organisations from both phishing and email-borne malware.

  • Provide user-awareness training for employees, including continuous simulated phishing exercises to assess effectiveness
  • Implement a simplified process for reporting and responding to suspicious emails
  • Deploy spam filtering, URL rewrite and attachment sandboxing
  • Block macros in Microsoft Office documents that originate from the internet
  • Block Microsoft Office execution from temporary directories such as Outlook and internet browsers
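One way to check and apply the macro-blocking recommendation above on a Windows workstation, as an added example that is not from the report: a PowerShell script that audits the Office policy value blockcontentexecutionfrominternet for Word, Excel and PowerPoint and, when run with -Enforce, sets it for the current user. It assumes Office 2016/2019/365, whose registry version string is 16.0; adjust -OfficeVersion for other releases.

```powershell
# Added example, not from the eSentire report: audit (and with -Enforce, apply)
# the Office policy "Block macros from running in Office files from the Internet".
# Assumption: Office 2016/2019/365, whose registry version string is 16.0.
param(
    [switch]$Enforce,
    [string]$OfficeVersion = "16.0"
)

$ValueName = "blockcontentexecutionfrominternet"
$Apps = @("Word", "Excel", "PowerPoint")

foreach ($app in $Apps) {
    # Values under Software\Policies are the Group Policy-managed setting; they
    # override the user's Trust Center choice and are greyed out in the Office UI.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"

    $current = $null
    if (Test-Path $policyKey) {
        $current = (Get-ItemProperty -Path $policyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }

    $state = if ($current -eq 1) { "Enforced" } elseif ($null -eq $current) { "NotConfigured" } else { "Disabled" }

    if ($Enforce -and $current -ne 1) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        # DWORD 1 = block macros in files that carry the internet-zone Mark-of-the-Web.
        New-ItemProperty -Path $policyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        $state = "Enforced (changed)"
    }

    # Emit one object per application so the result can be filtered or exported.
    [pscustomobject]@{ Application = $app; PolicyKey = $policyKey; State = $state }
}
```

The policy only applies to files that carry the Mark-of-the-Web zone tag that browsers and Outlook attach to downloads, so it complements, rather than replaces, the attachment sandboxing recommended above.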

Exploits (Webservers, Switches, Routers and IoT Devices)

The number of Internet-connected devices grows significantly each year and brings an increased number of exploitable endpoints that threat actors can leverage as part of an attack.

  • Work with your IT or security department to put a regular patching schedule in place
  • Implement monitoring and detection of asset exposure to external networks
  • Consider two-factor authentication for externally-facing remote access points
  • Implement better perimeter protections, such as application firewalls or IPS systems, to weed out known attacks from reaching potentially vulnerable devices that must be exposed to provide services

Improving Cybersecurity Leadership

While the above recommendations are best implemented by the IT department, senior executives are playing an increasingly important role in securing a business. Recently, the National Cyber Security Centre released its Board Toolkit which outlines key obligations and priorities for board members and senior executives in the U.K.

eSentire strongly recommends that executives in the U.K. leverage this toolkit so that they can familiarise themselves with the information required to make informed decisions about the risks their businesses face. Once armed with this information, executives are encouraged to evaluate and prioritize the risk management programs they need to put in place, including:

  • Implementing effective cybersecurity measures
  • Collaborating with suppliers and partners to mitigate security threats
  • Planning responses to cyber incidents

Methodology

eSentire Threat Intelligence used data gathered in 2018 from over 2,000 proprietary network and host-based detection sensors distributed globally across multiple industries. Raw data was normalized and aggregated using automated machine-based processing methods. Processed data is reviewed by a visual data analyst applying quantitative analysis methods. Quantitative intelligence analysis results were further processed by a qualitative intelligence analyst resulting in a written analytical product.

Source: eSentire