As we enter 2018, the financial cybercrime landscape is evolving. IBM X-Force research has been tracking malware trends around the world, and in a new report, examined the cybercrime shifts of 2017 and what financial institutions can expect to see in 2018. Last year saw the rise of new cybergangs and the demise of others, proving that only the fittest and most sophisticated survive in the dog-eat-dog world of organized cybercrime.

Survival of the Fittest

Rising awareness and the increasing effectiveness of banking controls mean that less sophisticated malware operators and smaller cybercriminal operations that rely on commercial codes are on their way out. Those with limited skills are simply unable to keep up with technological advances in banking security, especially in terms of machine learning and artificial intelligence.

Within that context, 2017 saw several notable exits of crime gangs that just couldn’t keep up. The Shifu Trojan, which emerged in Japan in 2015, departed from the scene this year after researchers noticed that its operators were using webinjections purchased from underground vendors. This outsourcing of code indicated that the group did not have its own developers and likely was not connected enough to operate globally.

Another banking Trojan, IcedID, which just emerged in the past year, is already reducing its activity. Its reliance on the Emotet group as a distributor suggests that the gang is not planning to spread aggressively or launch wider campaigns.

Read the report: Cybercrime Shifts of 2017 and What to Expect in 2018

Organized Cybercrime Evolves

In 2017, Gozi activity outpaced that of Zeus Trojan variants for the first time. The group behind Gozi is considered a cybercrime-as-a-service operation, with links to an increasing number of actors across different geographical hubs. This new dominance proves that cybercrime is further evolving in the direction of organized, businesslike gangs.

Complex cybercrime organizations, such as those operating the Dridex and TrickBot Trojans, can employ dozens of people and include orchestration of the entire supply chain. These gangs target high-value marks, such as banks and their customers, all over the globe.

Sophisticated coding is another indication of a highly organized cybergang. As security technologies continue to improve in 2018, malware codes will need to constantly evolve to evade detection. To keep their attacks concealed, cybergangs such as Dridex, GootKit, TrickBot and IcedID use complex redirection attacks. Others, such as Client Maximus, which is currently targeting Brazil, use stealthy delivery tactics.

Big Wins for Law Enforcement in 2017

One encouraging trend is the number of malware exits that came about due to the efforts of law enforcement. Key members of the Neverquest, GozNym and Andromeda operations were successfully arrested in the past year. This likely influenced each of the gangs to disband or reduce operations. Europol’s takedown of the Avalanche cybercrime infrastructure in late 2016 also had significant impact on malware gang exits in 2017.

Malware Trends to Watch in 2018

Financial cybercrime is not expected to slow down in 2018. Rather, it is becoming the business of elite groups, evolving further toward complex, organized operations. Financial malware is already adopting ideas from high-profile attacks while cybercriminal groups increase their focus on high-value business targets and bank heists.

The IBM X-Force team is following all these malware trends. To learn more, read the new report, “Cybercrime Shifts of 2017 and What to Expect in 2018.”

Attacks come from all directions, and many of them originate on endpoints. In fact, according to IDC, 70 percent of successful breaches begin at the endpoint. As of this writing, the National Institute of Standards and Technology (NIST) is tracking 100,311 known CVE vulnerabilities in its National Vulnerability Database (NVD). Of these, 15 percent were new vulnerabilities identified in 2017.

The Ponemon Institute’s “2017 State of Endpoint Security Risk” report found that 69 percent of companies believe that endpoint security risk to their organizations has significantly increased over the past 12 months, yet only 36 percent have adequate resources to address the risk. Most companies take an average of 100 to 120 days to patch vulnerabilities. In addition, many companies have critical vulnerabilities that go unpatched altogether.

Further complicating matters, up to 67 percent of systems administrators have trouble determining which patches need to be apply to which systems. A Gartner report titled “It’s Time to Align Your Vulnerability Management Priorities With the Biggest Threats” revealed that many security teams struggle to prioritize the most important threats. It’s no surprise, then, that vulnerability management is one of the most significant problems facing the security industry. Without adequate visibility into potentially infected endpoints across the enterprise, teams often patch these vulnerabilities in a non-directed, broad-based manner, which can leave endpoints vulnerable to the most damaging attack vectors.

Register for the Feb. 13 Webinar: Show Your Endpoints Some Strategic Love

Eight Steps to Improve Endpoint Management and Security

When new vulnerabilities are announced, IT teams must quickly query endpoints to understand which devices are at risk and determine their level of exposure. Once a remediation path is determined, security personnel must collaborate closely with infrastructure teams to ensure that the highest-priority patches are rolled out as quickly as possible to prevent exploitation of these new vulnerabilities. But this can get tricky, especially for organizations with remote locations and low bandwidth, or locations that only occasionally connect to the corporate network.

Below are eight best practices to help security professionals improve endpoint management:

1. Use an endpoint management solution that supports bandwidth throttling so that remote endpoints can be continuously patched and secured rather than having to sporadically send IT resources to remote locations. (Hint: Check to see if bandwidth consumption can be set to less than 5 percent. This will ensure that remote productivity is not impacted while reducing IT time spent on patching and minimizing operational expenditures.)
2. Consider an endpoint management that that delivers patches via the internet – without requiring corporate network access. This ensures that internet-facing systems are patched in a proactive, timely manner rather than IT having to wait for these devices to visit the corporate network before they can be scanned and remediated. (Hint: Look for cloud based content creation capabilities – This saves significant IT staff time that would have been spent creating patch packages.)
3. Evaluate the scalability and administrative overhead of endpoint management solutions to accommodate tight budgets and future growth. Look for solutions that can support many endpoints using a single management server and make sure to understand how many IT resources will be needed to manage the solution on a daily basis. (Hint: Many companies can manage up to 250,000 endpoints using a single management console with one or two administrators.)
4. Consolidate endpoint management tools. Use a single tool to patch systems across Windows, Mac and variations of Unix operating systems to simplify administration, minimize the number of open network ports, and reduce the number of active agents on endpoints. (Hint: Look for solutions that require only a single open network port to minimize risk.)
5. Validate that the endpoint management solution provides accurate, real-time endpoint data and reports. End users make changes to endpoints all the time and information that is hours or days old may not reflect a current attack surface. (Hint: Seconds matter when under attack and real-time querying and reporting enables security teams to better prioritize patches based on actual risk.)
6. Apply patches that address the highest levels of risk first based on current endpoint status. This gives the biggest impact from remediation efforts. (Hint: Aligning patching order to descending risk levels addresses the biggest and most serious vulnerabilities faster to better reduce overall attack surface.)
7. Make sure the endpoint management solution enforces regulatory and corporate compliance policies on all endpoints constantly to avoid unintended drift and introduction of new vulnerabilities. (Hint: Not only does this reduce risk, it makes passing security and regulatory audits faster and easier saving IT organizations time and money.)
8. Finally, check to see what other applications integrate with the endpoint management solution. (Hint: Look for tools that enable security teams to see endpoint data within existing security information and event management (SIEM), incident response and endpoint detection and response (EDR) tools to streamline remediation prioritization.)

Endpoint Security Is a Daily Battle

Endpoint landscapes change constantly, and keeping up with these changes can be challenging. End users download unapproved applications all the time, some of which can contain malware. Operating system and application patches are difficult to prioritize and are not always successfully applied the first time, especially on remote or roaming endpoints with low bandwidth or inconsistent corporate network connectivity.

Visibility into endpoint status can be inaccurate, incomplete and ineffective. This increases the time and effort IT must spend on endpoint management and can impact your budget — as well as your weekends, credibility and even job security. Together, these things make passing regulatory and security audits difficult. What’s worse, it increases your attack surface and risk.

Let’s face it: Endpoint management and security is a daily battle. That’s why you need a solution that helps you discover, manage and secure your endpoints faster, more easily and more consistently.

Read the report: CISOs Investigate — Endpoint Security Peer-Authored Research

This is the final installment in a three-part series. Be sure to read Part 1 and Part 2 for more information.

Improving integration, visibility and analytics with a platform approach to security information and event management (SIEM) is the means to the business value of security, compliance and operational efficiency.

Security teams are operating in an evolving macro environment, which presents three challenges:

1. The incredible rate of change in information technology infrastructure has led to such complexity in our networks, systems and applications that most organizations struggle with the in-house capabilities and resources to keep up.
2. Regulatory and legal responses to these issues can literally be years behind, and yet the intensifying requirements for demonstrating compliance represent another significant demand on limited in-house resources.
3. At the same time, the attackers are increasingly sophisticated, focused and disruptive.

These forces — in combination with a critical skills shortage in cybersecurity — are driving a significant shift in how enterprise security operations centers (SOCs) are evolving.

Download the Report: The Business Value of a Security Analytics Platform

Four Capabilities to Build a More Efficient Security Operations Center

To keep up with the complexity and compliance of their computing infrastructures — and to get ahead of the current time advantage of the attackers — enterprise SOCs need to build on the foundation of their existing SIEM platforms with additional capabilities such as:

• Advanced threat monitoring that leverages the rules engines of the leading SIEM platforms, in combination with the specialized expertise and focus of full-time threat hunters, to make continuous improvements in use cases;
• Advanced threat detection that combines context-specific data with analytics and machine learning to look for suspicious patterns, behaviors and anomalies across a wider range of both historical and real-time data;
• Accelerated incident investigation of suspected incidents with increasingly automated triage, prioritization and validation of alerts based on context-specific data — in addition to a final review and validation by human security analysts; and
• Faster incident response by replacing purely ad hoc activities with common playbooks, analytical tools, incident management tools and reporting, which liberates security analysts to spend less time doing research and more time doing analysis.

Ultimately, these capabilities help to deliver value by reducing the total time needed to detect, investigate, respond and remediate security-related incidents — from the status quo of weeks and months to as short as hours and days.

Taking SIEM to the Next Level

Many organizations lack the resources — both bandwidth of existing personnel and specialized technical expertise — and the tactical focus to perform well at these types of activities. Their primary strategic focus is on running and growing their business, not security, compliance, privacy and risk.

Even if a given organization is capable of traditional, do-it-yourself integration of on-premises security solutions using in-house resources, is it really better off doing these activities on its own? A growing number of companies choose to leverage the expertise, scale and scope of a specialized, third-party security services provider and prioritize other activities for their own staff. Regardless of how you implement — whether in-house, software-as-a-service (SaaS) or fully outsourced — what’s important is that you address these needs by taking your SIEM platform to the next level.

Either way, the platform approach to security monitoring and analytics is well-aligned with these capabilities, while a traditional, tools-based approach is not.

Download the Report: The Business Value of a Security Analytics Platform

At the recent Black Hat event, Mike Oppenheim, global research lead for IBM X-Force Incident Response and Intelligence Services (IRIS), took the time to share his thoughts on some of the major threats that have wreaked havoc so far in 2017. He also discussed the successes of X-Force IRIS and revealed why combining incident response and intelligence into a single team is so crucial to the fight against cybercrime.

Question: We’re now more than halfway through 2017, and the year has already seen some serious and far-reaching cyberattacks. Where do you think the industry stands today, and what are the major lessons we can draw from attacks such as WannaCry and Petya?

Oppenheim: This year, we’ve seen some huge global events utilize destructive malware to take down customers’ environments. These types of attacks are truly impactful to people’s businesses and people’s lives.

I think what we’ve seen so far really highlights the need for visibility within networks and underscores the need for companies to have a good incident response plan so that they know how to respond in the face of these huge global incidents.

At the end of the day, it comes down to having visibility within your network as well as the speed at which you’re able to respond. These are two lessons the industry has learned from recent events, especially those that were as widespread as WannaCry and Petya/NonPetya.

Let’s talk a bit now about X-Force IRIS. Your team combines incident response and threat intelligence. Why do you think putting these two services together is such a good fit?

IRIS is indeed two different practices within one. And the combination of incident response and intel really does prove beneficial. I am the global lead for research on the IRIS Intel team, and we learn a lot from incident response incidents. We’re on the ground when attackers are most likely active in an environment, so we’re able to collect a lot of data and understand how the attacks and attackers are actually operating. But we’ve also been through a lot of cases and do a lot of external research so that once we start dealing with a particular threat actor or a particular technique or methodology, we very likely already know what it is. And then we, of course, try to determine how to respond appropriately to the given threat.

By having the incident response team on the ground and the intel team helping support them not only with collection of data, but also providing operational and tactical data to the team on the front line, we can provide a really good response service to try to figure out root cause analysis and also stop attackers from actually accomplishing their goals.

What do you consider some of the IRIS team’s major successes this year?

As I just said, we do a combination of intelligence work and incident response work for our customers. Earlier this year, we responded to a couple Shamoon incidents. Shamoon is another piece of destructive malware, one that is a more targeted than, say, WannaCry.

But we ended up focusing not on Shamoon directly, because a lot of people already knew what Shamoon was doing, which was destroying networks. So instead, we tried to focus on the other parts of the attack life cycle, like how did these attackers who were using Shamoon actually get within victim environments? How did they escalate privileges and then move the Shamoon malware throughout the network to take it down?

We were actually able to do a lot of research to try to figure out how this particular set of actors who were responsible for Shamoon ended up getting within victim environments. What we ended up finding is that they were using spear phishing emails with an attachment, utilizing a malicious Word document that utilized a macro that invoked PowerShell.

While most people were just focusing on the end results of these attacks, we were striving to understand how the attackers went about their attack and what they did to accomplish their mission once they were in. I consider this one of our biggest successes because, ultimately, we were able to provide our data and analyses and intelligence to our customers so that they could defend themselves and, getting back to the importance of speed, also respond much more quickly in the future to prevent an attack like Shamoon.

It definitely sounds like IRIS is doing important work to help customers, but how does the work you do impact the overall IBM Security organization?

On the intel side, what IRIS is trying to do is focus on all the different threat actors and track as much of their activity as we can. Again, we want to spot them across the entire attack life cycle, not just looking at the final goal of what they’re trying to accomplish, but understanding how they get to that point. Just as in the case of Shamoon, we’re continually asking: How do these threat actors first get into the network? How do they escalate privileges? How do they move laterally? What types of tools and infrastructure are they using?

By tracking these types of activities, we can improve not only IBM Security Services such as our incident response practice, but also IBM products. If we’re able to track all the different malware and techniques that threat actors are using, we can build it into detection and into our response plans on the services side and also in our IBM products.

Learn More About IBM’s Incident Response and Intelligence Services