The New FireEye Advanced Threat Report

Today, we released our latest Advanced Threat Report (ATR). It summarizes data from the second half of 2012 collected from more than 89 million events. In this case, events mean a malicious email file attachment or web link as well as malware communication—or callback—to a command and control (CnC) server.

Our findings are summarized into four main areas:

1) Malware continues to be the cyber weapon of choice. We found that, on average, a malware event occurs at a single organization once every three minutes: a malicious email file attachment or web link, or malware communication (a callback) to a command and control (CnC) server. Across industries, the rate of malware activity varies, with technology experiencing the highest volume, at about one event per minute.

2) All verticals are hit by malware attacks, but some industries are attacked cyclically while others experience attacks erratically.

  • Technology is the most targeted vertical. Due to a high concentration of intellectual property, technology firms are hit with an intense barrage of malware campaigns, nearly double the next closest vertical.
  • Certain verticals, such as technology, experience fairly consistent attacks while others, such as healthcare, see much more volatility due to key events or attackers selectively focusing on specific verticals. For instance, recently healthcare was listed as one of China's priorities in its 15-year science and technology development strategy for 2006 to 2020, which led to a surge in campaigns against healthcare firms.

3) The use of file attachments by attackers indicates two specific trends:

  • Attackers use common business terms in the file names as bait. Spear phishing remains the most common method for initiating advanced malware campaigns. When sending spear phishing emails, attackers opt for file names with common business terms to lure unsuspecting users into opening the malware and initiating the attack. These terms fall into three general categories: shipping and delivery, finance, and general business. The top phrase in malware file names, for example, was “UPS”.
  • ZIP files remain the preferred format for malware delivery over email: malware is delivered as a ZIP archive in 92 percent of attacks.

4) Malware writers have focused significant effort on evasion and persistence.

  • Several innovations have appeared that are designed to better evade detection. For example, several instances of malware were uncovered that execute only when users move a mouse, a tactic which could dupe current sandbox detection systems, since in an automated environment where no mouse is moved the malware doesn’t generate any activity to observe. In addition, malware writers have also incorporated virtual machine detection to bypass sandboxing.
  • Attackers are increasingly using DLL files to improve persistence. By avoiding the more common .exe file type, attackers leverage DLL files to prolong infections.
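As an added example (this is not code from the report or from FireEye's products), the following Python triage routine applies the attachment patterns from points 3 and 4 above from the defender's side: it opens a ZIP attachment in memory, flags members that are executables or DLLs by extension or by their PE ("MZ") header, and tags the bait categories the report describes (shipping and delivery, finance, general business) when their terms appear in the file name. The bait vocabulary beyond "UPS", the suffix list and the sample attachments are constructed for illustration.

```python
"""Triage email attachments for the patterns the report describes:
ZIP wrappers, bait words in file names, and executable/DLL payloads inside."""
import io
import zipfile

# Bait vocabulary grouped into the report's three categories. Only "UPS" comes
# from the report; the remaining terms are an assumption for illustration.
BAIT_TERMS = {
    "shipping": {"ups", "fedex", "dhl", "shipment", "delivery", "tracking"},
    "finance": {"invoice", "payment", "wire", "statement", "tax"},
    "business": {"report", "contract", "agreement", "document", "scan"},
}

# Suffixes treated as directly executable on Windows (assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif")


def bait_categories(name):
    """Return the sorted bait categories whose terms occur in a file name."""
    lowered = name.lower()
    return sorted(cat for cat, terms in BAIT_TERMS.items()
                  if any(term in lowered for term in terms))


def is_pe(data):
    """True if the bytes begin with the 'MZ' signature of a Windows PE image.
    Catches executables renamed to a harmless-looking extension."""
    return data[:2] == b"MZ"


def looks_executable(name, head):
    """Executable by extension or by content header."""
    return name.lower().endswith(EXECUTABLE_SUFFIXES) or is_pe(head)


def triage_attachment(name, data):
    """Inspect one attachment and return the findings as a dict.

    'suspicious' is True when the attachment itself, or any member of a ZIP
    attachment, is an executable or DLL. 'bait' lists matching bait categories
    so an analyst can see why a lure name was chosen, independent of payload.
    """
    result = {"name": name, "is_zip": False, "members": [],
              "bait": bait_categories(name), "suspicious": False}
    exe_inside = False
    if zipfile.is_zipfile(io.BytesIO(data)):
        result["is_zip"] = True
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                head = zf.read(info.filename)[:2]   # only the header is needed
                executable = looks_executable(info.filename, head)
                exe_inside = exe_inside or executable
                result["members"].append({"name": info.filename,
                                          "executable": executable})
    result["suspicious"] = exe_inside or looks_executable(name, data[:2])
    return result


def build_sample_zip(entries):
    """Build an in-memory ZIP from {member_name: bytes}. Constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in entries.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample attachments, not real captures. "MZ" + padding stands in
# for a PE image; no real executable content is included.
FAKE_PE = b"MZ" + b"\x00" * 64
SAMPLE_ATTACHMENTS = {
    "UPS_delivery_notice.zip": build_sample_zip({"UPS_delivery_notice.exe": FAKE_PE}),
    "Q4_report.zip": build_sample_zip({"Q4_report.pdf": b"%PDF-1.4 constructed",
                                       "helper.dll": FAKE_PE}),
    "readme.zip": build_sample_zip({"readme.txt": b"plain text"}),
    "notes.txt": b"just text",
}


def triage_all(attachments=SAMPLE_ATTACHMENTS):
    """Run triage over a mapping of attachment name -> bytes."""
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, finding in triage_all().items():
        verdict = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{name}: {verdict} bait={finding['bait']} members={finding['members']}")
```

The point of checking the "MZ" header as well as the extension is that a mail gateway rule keyed on ".exe" alone misses a DLL or a renamed executable inside the archive; the header check catches both, which matches the report's observation that attackers are moving from .exe to DLL payloads.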

We hope our research helps security teams understand how sophisticated attacks are deployed. Tactically, the fact that 92 percent of attachments in email attacks are ZIP files should encourage serious debate on how to filter such files in corporate networks. But more importantly, from a strategic perspective, we hope our report encourages companies to rebalance their security portfolio. Our data reflects attacks that are highly successful at penetrating legacy defenses—network firewalls, Intrusion Prevention Systems (IPS), and anti-virus (AV)—which together represent the bulk of today’s security spend. According to IDC, between 2003 and 2011, total IT security spend grew from $12 billion to $28 billion while the mix of security technologies purchased remained consistent. In effect, organizations have been spending more while not making major changes to their security strategies. This stasis has helped malware writers move into the pole position in the cyber arms race.