During recent years, we have observed an increase of severe cyber attacks targeting classified financial information, legal acts, business communication, and military or other governmental highly sensitive information.
In order to investigate the “unknown threat” in Sweden, KPMG, together with FireEye, conducted a study of the Swedish threat landscape and to ascertain what the real risk is to businesses in Sweden.
Each organisation participating in the study were provided a FireEye NX 7400 appliance. The appliance was strategically placed on the edge of the organisations infrastructure, between the actual network security layers and the client hosts. The appliance was either positioned inline with the firewall or in mirror mode in order for the appliance to receive an integral copy of the traffic passing through the firewall and/or proxy. Both incoming and outgoing traffic were monitored.
The study shows that all the organisations were exposed to infection attempts, where malware had successfully passed through the organisations’ perimeter defence and had reached internal hosts. 93% of the organisations were actually found to be infected as we observed communication attempts towards callback servers and in 79% we were able to observe attempts to exfiltrate data from the organisations.
According to the study:
- An average organization generates 43 security incidents a day, with an average of 2 new infected hosts a day
- 93% of Organizations were breached
- 79% were exfiltrating data
- 49% of the detected malware was unknown
- 52% of the identified malware was unknown to anti-virus vendors
- 83% of the callbacks were related to data exfiltration
- Call back destinations according to verticals:
- Government exfilterates to USA, France and Asia
- Manufacturing organizations to USA and China
- Industrial companies to US, Ukraine, Russia, Germany and UK
- Retail towards USA
Despite best efforts to maintain a tight security posture across networks and systems; cyber attacks do, and more importantly will occur. Security is a process and not a solution, and as such safeguarding IT networks and sensitive data from electronic attack and exposure, both from the internet and internally at an organisation is a constant effort.
The slightest lapse in security processes could prove detrimental to an organisation, resulting in critical system down-time or exposure of sensitive corporate and customer information with severe consequences of financial and reputational loss, and potential legal implications.
Advanced Persistent Threats (APTs) to organisations are ever increasing with nefarious individuals or organisations devoting significant time and effort in gaining unauthorised and persistent access to networks and systems. APT actors will most likely not be discouraged if an occurrence of their targeted attacks was once successfully contained.
The inevitability of cyber attacks whether small isolated events or large-scale network compromise, outage or data exfiltration therefore presents a strong business case for developing an effective response capability.
A comprehensive cyber response capacity should cover all facets of proactive and reactive cyber response, consisting of Prepare & Train, Detect & Initiate, Contain & Investigate, Recover and Report & Improve.
NB: This study included 14 organisations, from which we selected a representative amount of client hosts to monitor during the month of June 2014. The incoming and outgoing internet traffic was monitored for a period of four weeks, between June 2 and June 27.
The average number of employees in these organisations is approximately 5 000. Due to the large variety of organisations participating to this study, in terms of vertical and size, we are confident to consider those organisations as a representative sample of the Swedish business landscape. For the purpose of the study, and in order to preserve the anonymity of the participating organisations, we have grouped organisations into six verticals: Finance, Government, Manufacturing, Retail, Industry and Service.
The study focused on gathering information related to malicious traffic. We only logged communications triggering security alerts. Since legitimate traffic was not logged we cannot track the exact amount of endpoints that were actually communicating through the FireEye appliances. However, we estimate the total number of unique internal hosts within participating organisations to approximately 70 000. During the measurement period, we recorded a total of 15 586 security alerts.