Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


Filtered by: Hack

Eight Security Predictions for 2014

Posted: 14 Nov 2013 03:18 PM | Elisabeth Olsen

2013 was not an easy year in cybersecurity—and we expect 2014 attacks will be even more complex. In a new report out today, Websense Security Labs researchers collectively outlined eight predictions and recommendations for 2014. To read the full report, please visit www.websense.com/2014predictions. In addition, below is an infographic for quick reference. Here are the highlights:

1. Advanced malware volume will decrease. According to the real-time telemetry feeds in the Websense ThreatSeeker® Intelligence Cloud, the quantity of new malware is beginning to decline. Unfortunately, this is bad news for organizations. Cybercriminals will rely less on high-volume advanced malware because over time it runs a higher risk of detection. They will instead use lower-volume, more targeted attacks to secure a foothold, steal user credentials and move laterally throughout infiltrated networks. Although the volume of attacks will decrease, the risk is even greater.

2. A major data-destruction attack will happen. Historically, most attackers have used a network breach to steal information for profit. In 2014, organizations need to be concerned about nation-states and cybercriminals using a breach to destroy data.

3. Attackers will be more interested in cloud data than your network. Cybercriminals will focus their attacks more on data stored in the cloud than on data stored on the network. This tactical shift follows the movement of critical business data to cloud-based solutions. Hackers will find that penetrating the data-rich cloud can be easier and more profitable than getting through the “castle walls” of an on-premises enterprise network.

4. Redkit, Neutrino, and other exploit kits will struggle for power in the wake of the Blackhole author arrest. We will see a fight for market leadership between a number of new entrants and existing exploit kits in 2014. We anticipate Redkit and the Neutrino exploit kit will secure a strong foothold in the coming year.

5. Java will remain highly exploitable and highly exploited—with expanded repercussions. Most end points will continue to run older versions of Java and therefore remain extremely exposed to exploitation. In 2014, cybercriminals will devote more time to finding new uses for tried-and-true attacks and to crafting other aspects of advanced, multi-stage attacks.

6. Attackers will increasingly lure executives and compromise organizations via professional social networks. As social networking continues to appeal to the business community in 2014, attackers will increasingly use professional websites, such as LinkedIn, to research and lure executives. This highly targeted method will be used to gather intelligence and compromise networks.

7. Cybercriminals will target the weakest links in the “data-exchange chain.” Attackers will go after the weakest links in the information chain and target the consultants outside the network who have the most information. This includes consultants...



DNS Poisoning Hits Kenya Google, MSN, Skype...

Posted: 15 Apr 2013 08:14 AM | uwang

Websense® Security Labs™ got an alert from the Websense ThreatSeeker® Network just one hour ago. The ThreatSeeker Network has detected that a DNS poisoning attack is happening in Kenya, with big-name information-technology websites targeted, including Google, Bing, and LinkedIn. Although for now visitors are only served a defaced page, the attackers could easily replace it with a malicious page.




APT1: A Prevention Perspective

Posted: 20 Feb 2013 07:01 PM | Charles Renert

There's been increased interest in targeted attacks and advanced persistent threats in the news lately, from the intrusions on large media outlets and hacks on social networking sites to a recent detailed report of the tactics behind the infiltration of a sophisticated attack family dubbed "APT1". Much of the controversy swirling around these reports stems from the attempt to identify the perpetrators behind the attacks -- a decidedly difficult enterprise. While the balance of evidence presented for APT1 does appear to point toward authorship in China (after exhaustive analysis), sophisticated attacks are faceless at the moment of attempted compromise.

Here are a few data points we've already put together from our own analysis of the ThreatSeeker Network:

- We have observed more than 2,000 unique cases of APT1 attacks since 2011 against all major industry segments.
- China has a disproportionately large share of web-based attack traffic in the United States. For example, in February 0.49 percent of all web requests from US manufacturing companies landed on servers in China, while 11.21 percent of all malicious web requests from US manufacturing companies landed on servers in China. If you're looking at traffic patterns, that's more than a 20X traffic disparity toward malware.
- US news & media companies are also disproportionately driven to malware located in China: legitimate requests to China make up 7.47 percent of overall traffic, whereas China's portion of all malicious traffic goes up to 21.21 percent.
- As the APT1 report suggests, China currently has much less web-based attack traffic originating from the rest of the world, at 0.76 percent. That may change.

A more interesting question than authorship for us is: "How can you proactively stop targeted attacks like APT1?" Signatures are obviously not the answer. Here are some of the ways that we block APT1 along the kill chain without the need for signature updates:

- Full content scanning within SSL, including preventing rogue certificates and criminal encryption (as we blogged about previously)
- File sandboxing (find two examples of APT1's telltale behavior in ThreatScope reports here and here)
- URL sandboxing in e-mails to prevent spear phishing
- Data loss prevention technology to fingerprint and identify legitimate data as it exits
- Dynamic DNS request interception
- Web reputation / destination awareness. Many domains, hosts, IP addresses, and even ASNs used by APT1 have been classified for years. Block known compromised hosts for the hops and the outbound C&C traffic.

One trend that you can confidently predict: the attackers will continue to adapt and get smarter, and the techniques to thwart them will need to do the same.

