Cisco Systems, recently announced the release of ‘Cisco Global Threat Report’ for 4Q11, containing threat intelligence based on Cisco’s observation of the malicious threat landscape.
Key summary points:
- Enterprise users experienced an average of 339 Web malware encounters per month in 4Q11
- An overall average of 362 Web malware encounters per month occurred throughout 2011
- The highest rate of encounters occurred during September and October 2011 at 698 and 697 on average per enterprise, respectively
- An average of 20,141 unique Web malware hosts were encountered per month in 2011, compared to a monthly average of 14,217 in 2010
- During 4Q11, 33 percent of Web malware encountered was zero-day malware not detectable by traditional signature-based methodologies at the time of encounter
- The rate of SQL injection signature events remained fairly steady throughout 4Q11, with a slight decrease observed as the quarter progressed
- Denial-of-service events increased slightly over the course of 4Q11
- Global spam volumes continued to decline throughout 2011
What kind of conclusions can we draw based on the shared data?
Zero-day malware is still actively circulating around the globe — during 4Q11, 33 percent of Web malware encountered was zero-day malware — thanks to the quality assurance processes applied by cybercriminals aiming to ensure that their malicious executables don’t end up in the hands of security researchers and antivirus vendors.
The same goes for mass SQL injection attacks, which according to Cisco Systems showed a fairly steady growth rate throughout 4Q11. Mass SQL injection attacks are most commonly launched using DIY (do-it-yourself) SQL injection tools that rely on search engine’s reconnaissance in order for the malicious attackers to detect and exploit vulnerable sites in an automated fashion.
What’s particularly interesting is the fact that, based on Cisco’s data, global spam volumes continued to decline throughout 2011:
What factors are contributing to the decline of global spam levers? According to Cisco “The 2011 takedown of segments of Rustock, combined with multiple spam botnet takedowns in 2010, continues to have apositive impact on overall spam volume.” What’s also worth pointing out is that although global spam levels are declining, numerous vendors are noticing an increase in targeted malware attacks, also known as advanced persistent threats.
Over time, the underground ecosystem matured to the point where basic market targeting concepts such as market segmentation and positioning started getting used by spammers in order to ensure a higher click-through rate for their campaigns. Thanks to the market segmentation and positioning, for the time being, spear phishing and targeted malware attacks remain the techniques of choice for the majority of malicious attackers.