Table of Contents

EXECUTIVE SUMMARY AND MAJOR FINDINGS ... 3
INTRODUCTION ... 8
THE EXPANSION OF THE ATTACK SURFACE ... 10
ATTACKER BEHAVIOR ... 13
  The Reconnaissance Phase ... 13
  Web Attack Methods: Short Tail Threats Help Adversaries Lay the Groundwork for Campaigns ... 13
  The Weaponization Phase ... 15
  Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant ... 15
  Application Security: Managing OAuth Connection Risk Amid an App Explosion ... 16
  The Delivery Phase ... 20
  Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants ... 20
  Malvertising: Adversaries Use Brokers to Increase Speed and Agility ... 22
  Investigation Finds 75 Percent of Organizations Affected by Adware Infections ... 23
  Global Spam Is Increasing, and So Is the Percentage of Malicious Attachments ... 25
  The Installation Phase ... 30
  Web Attack Methods: Long Tail Snapshot Reveals Threats That Users Can Easily Avoid ... 30
  Vertical Risk of Malware Encounters: Attackers See Value Across the Board ... 31
  Regional Overview of Web Block Activity ... 32
  Time to Detection: An Essential Metric for Measuring Defenders' Progress ... 33
  Time to Evolve: For Some Threats, Change Is Constant ... 34
DEFENDER BEHAVIOR ... 42
  Vulnerabilities on the Decline in 2016 ... 42
  Middleware: Adversaries See Opportunity in Unpatched Software ... 44
  Time to Patch: Closing the Recovery Time Frame ... 45
CISCO 2017 SECURITY CAPABILITIES BENCHMARK STUDY ... 49
  Perceptions: Security Professionals Confident in Tools, Less Sure They're Using Them Effectively ... 49
  Constraints: Time, Talent, and Money Affect the Ability to Respond to Threats ... 51
  Impact: More Organizations Experiencing Losses from Breaches ... 55
  Outcomes: Increased Scrutiny Will Play a Role in Security Improvements ... 58
  Trust Versus Cost: What Drives Security Purchases? ... 61
  Summary: What the Benchmark Study Reveals ... 62
INDUSTRY ... 64
  Value Chain Security: Success in a Digital World Hinges on Mitigating Third-Party Risk ... 64
  Geopolitical Update: Encryption, Trust, and a Call for Transparency ... 65
  High-Speed Encryption: A Scalable Solution to Protecting Data in Transit ... 66
  Network Performance and Adoption Versus Security Maturity ... 67
CONCLUSION ... 71
  A Rapidly Expanding Attack Surface Requires an Interconnected and Integrated Approach to Security ... 71
  The Key Goal: Reducing Adversaries' Operational Space ... 73
ABOUT CISCO ... 74
  Contributors to the Cisco 2017 Annual Cybersecurity Report ... 75
APPENDIX ... 78
2 Table of Contents
Cisco 2017 Annual Cybersecurity Report
Executive Summary

As the attack surface increases, defenders must focus on their most important goal: reducing their adversaries' operational space.

Adversaries have more tools at their disposal than ever before. They also have a keen sense of when to use each one for maximum effect. The explosive growth of mobile endpoints and online traffic works in their favor. They have more space in which to operate and more choices of targets and approaches.

Defenders can use an array of strategies to meet the challenges of an expanding threat landscape. They can purchase best-of-breed solutions that work separately to provide information and protection. And they can compete for personnel in a market where talent is in short supply and budgets are tight.

Stopping all attacks may not be possible. But you can minimize both the risk and the impact of threats by constraining your adversaries' operational space and, thus, their ability to compromise assets. One measure you can take is simplifying your collection of security tools into an interconnected and integrated security architecture.

Integrated security tools working together in an automated architecture can streamline the process of detecting and mitigating threats. You will then have time to address more complex and persistent issues. Many organizations use at least a half dozen solutions from just as many vendors (page 53). In many cases, their security teams can investigate only half the security alerts they receive on a given day.

The Cisco 2017 Annual Cybersecurity Report presents research, insights, and perspectives from Cisco Security Research. We highlight the relentless push-and-pull dynamic between adversaries trying to gain more time to operate and defenders working to close the windows of opportunity that attackers try to exploit. We examine data compiled by Cisco threat researchers and other experts. Our research and insights are intended to help organizations respond effectively to today's rapidly evolving and sophisticated threats.

This report is divided into the following sections:

Attacker Behavior

In this section, we examine how attackers reconnoiter vulnerable networks and deliver malware. We explain how tools such as email, third-party cloud applications, and adware are weaponized. And we describe the methods that cybercriminals employ during the installation phase of an attack. This section also introduces our time to evolve (TTE) research, which shows how adversaries keep their tactics fresh and evade detection. We also give an update on our efforts to reduce our average median time to detection (TTD). In addition, we present the latest research from Cisco on malware risk for various industries and geographic regions.

Defender Behavior

We offer updates on vulnerabilities in this section. One focus is on the emerging weaknesses in middleware libraries that present opportunities for adversaries to use the same tools across many applications, reducing the time and cost needed to compromise users. We also share Cisco's research on patching trends. We note the benefit of presenting users with a regular cadence of updates to encourage the adoption of safer versions of common web browsers and productivity solutions.
Major Findings

- Three leading exploit kits (Angler, Nuclear, and Neutrino) abruptly disappeared from the landscape in 2016, leaving room for smaller players and new entrants to make their mark.

- According to the Cisco 2017 Security Capabilities Benchmark Study, most companies use more than five security vendors and more than five security products in their environment. Fifty-five percent of the security professionals use at least six vendors; 45 percent use anywhere from one to five vendors; and 65 percent use six or more products.

- The top constraints to adopting advanced security products and solutions, according to the benchmark study, are budget (cited by 35 percent of the respondents), product compatibility (28 percent), certification (25 percent), and talent (25 percent).

- The Cisco 2017 Security Capabilities Benchmark Study found that, due to various constraints, organizations can investigate only 56 percent of the security alerts they receive on a given day. Half of the investigated alerts (28 percent) are deemed legitimate; less than half (46 percent) of legitimate alerts are remediated. In addition, 44 percent of security operations managers see more than 5000 security alerts per day.

- Twenty-seven percent of connected third-party cloud applications introduced by employees into enterprise environments in 2016 posed a high security risk. Open authentication (OAuth) connections touch the corporate infrastructure and can communicate freely with corporate cloud and software-as-a-service (SaaS) platforms after users grant access.

- The Cisco 2017 Security Capabilities Benchmark Study also found that nearly a quarter of the organizations that have suffered an attack lost business opportunities. Four in 10 said those losses are substantial. One in five organizations lost customers due to an attack, and nearly 30 percent lost revenue.

- When breaches occur, operations and finance were the functions most likely to be affected (36 percent and 30 percent, respectively), followed by brand reputation and customer retention (both at 26 percent), according to respondents to the benchmark study.

- Network outages that are caused by security breaches can often have a long-lasting impact. According to the benchmark study, 45 percent of the outages lasted from 1 to 8 hours; 15 percent lasted 9 to 16 hours, and 11 percent lasted 17 to 24 hours. Forty-one percent (see page 55) of these outages affected between 11 percent and 30 percent of systems.

- An investigation by Cisco that included 130 organizations across verticals found that 75 percent of those companies are affected by adware infections. Adversaries can potentially use these infections to facilitate other malware attacks.

- Increasingly, the operators behind malvertising campaigns are using brokers (also referred to as "gates"). Brokers enable them to move with greater speed, maintain their operational space, and evade detection. These intermediary links allow adversaries to switch quickly from one malicious server to another without changing the initial redirection.

- Spam accounts for nearly two-thirds (65 percent) of total email volume, and our research suggests that global spam volume is growing due to large and thriving spam-sending botnets. According to Cisco threat researchers, about 8 percent to 10 percent of the global spam observed in 2016 could be classified as malicious. In addition, the percentage of spam with malicious email attachments is increasing, and adversaries appear to be experimenting with a wide range of file types to help their campaigns succeed.

- According to the Security Capabilities Benchmark Study, organizations that have not yet suffered a security breach may believe their networks are safe. This confidence is probably misplaced, considering that 49 percent of the security professionals surveyed said their organizations have had to manage public scrutiny following a security breach.

- Vulnerabilities in middleware (software that serves as a bridge or connector between platforms or applications) are becoming more apparent, raising concerns that middleware is becoming a popular threat vector. Many enterprises rely on middleware, so the threat could affect every industry. During the course of a Cisco project, our threat researchers discovered that a majority of new vulnerabilities examined were attributable to the use of middleware.

- The cadence of software updates can affect user behavior when it comes to installing patches and upgrades. According to our researchers, regular and predictable update schedules result in users upgrading their software sooner, reducing the time during which adversaries can take advantage of vulnerabilities.

- The 2017 Security Capabilities Benchmark Study found that most organizations rely on third-party vendors for at least 20 percent of their security, and those who rely most heavily on these resources are most likely to expand their use in the future.
Introduction

Adversaries have a vast and varied portfolio of techniques for gaining access to organizational resources and for attaining unconstrained time to operate. Their strategies cover all the basics and include:

- Taking advantage of lapses in patching and updating
- Luring users into socially engineered traps
- Injecting malware into supposedly legitimate online content such as advertising

They have many other capabilities, as well, from exploiting middleware vulnerabilities to dropping malicious spam. And once they've achieved their goals, they can quickly and quietly shut down their operations.

Adversaries work nonstop to evolve their threats, move with even more speed, and find ways to widen their operational space. The explosive growth in Internet traffic (driven largely by faster mobile speeds and the proliferation of online devices) works in their favor by helping to expand the attack surface. As that happens, the stakes grow higher for enterprises. The Cisco 2017 Security Capabilities Benchmark Study found that more than one-third of organizations that have been subject to an attack lost 20 percent of revenue or more. Forty-nine percent of the respondents said their business had faced public scrutiny due to a security breach.

How many enterprises can suffer such damage to their bottom line and remain healthy? Defenders must focus their resources on reducing their adversaries' operational space. Attackers will then find it extremely difficult to gain access to valuable enterprise resources and to conduct their activities without being detected.

Automation is essential to achieving this goal. It helps you understand what normal activity is in the network environment, so you can focus scarce resources on investigating and resolving true threats. Simplifying security operations also helps you become more effective at eliminating adversaries' unconstrained operational space. However, the benchmark study shows that most organizations are using more than five solutions from more than five vendors (page 53).

Such a complex web of technology, and the overwhelming number of security alerts, is a recipe for less, not more, protection. Adding more security talent can help, of course. With more experts on board, the logic goes, the better the organization's ability to manage technology and deliver better outcomes. However, scarce security talent and limited security budgets make hiring sprees unlikely. Instead, most organizations must make do with the talent they have. They rely on outsourced talent to add muscle to their security teams while also conserving budget.

The real answer to meeting these challenges, as we explain later in this report, is to operationalize people, processes, and technology in an integrated manner. To operationalize security is to truly understand what the enterprise needs to protect, as well as what measures should be used to protect those vital assets.

The Cisco 2017 Annual Cybersecurity Report presents our latest security industry advances designed to help organizations and users defend against attacks. We also look at the techniques and strategies that adversaries use to break through those defenses. The report also highlights major findings from the Cisco 2017 Security Capabilities Benchmark Study, which examines the security posture of enterprises and their perceptions of their preparedness to defend against attacks.
The Expansion of the Attack Surface

[Figure: the expanding attack surface, showing Mobile Devices, Data in Public Cloud, Cloud Infrastructure, and User Behavior (for example, clicking malicious links in email or websites).]

Attacker Behavior

[Figure: the attack chain phases covered in this section: Reconnaissance, Weaponization, Delivery, Installation.]

an example of PUAs.

[Figure 2 residue: Browser Redirection-Downloads, 18,505 samples.]
Browser redirection malware rounded out the top five most commonly observed malware types for 2016. As discussed in the Cisco 2016 Midyear Cybersecurity Report, browser infections can expose users to malicious advertising (malvertising), which adversaries use to set up ransomware and other malware campaigns. Cisco threat researchers warn that malicious adware, which includes ad injectors, browser-settings hijackers, utilities, and downloaders, is a growing problem. In fact, we have identified adware infections in 75 percent of the companies we recently investigated as part of our research into the adware problem. (For more on this topic, see "Investigation Finds 75 Percent of Organizations Affected by Adware Infections," page 23.)

Other malware types listed in Figure 3, such as browser JavaScript abuse malware and browser iFrame abuse malware, are also designed to facilitate browser infections. Trojans (droppers and downloaders) also appear among the top five most commonly observed malware types, which indicates that they remain popular tools for gaining initial access to users' computers and to organizational networks.

Another trend to watch: consistently high use of malware that targets users of the Android operating platform. Android Trojans have been moving steadily up the short-tail list over the past 2 years. They ranked among the top 10 most commonly seen types of malware in 2016. Loki malware, which appears toward the very end of the short tail shown in Figure 2 (see previous page), is particularly troublesome because it can replicate and infect other files and programs.

Figure 3 helps to illustrate malware trends that Cisco threat researchers have observed since late 2015. It shows that adversaries have made a definite shift in the reconnaissance phase of web-based attacks. More threats now specifically seek vulnerable browsers and plugins. This shift corresponds with adversaries' growing reliance on malvertising, as it becomes more difficult to exploit large numbers of users through traditional web attack vectors. (See the next section, "Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant," page 15.)

The message for individual users, security professionals, and enterprises is clear: Making sure that browsers are secure, and disabling or removing unnecessary browser plugins, can go a long way toward preventing malware infections. These infections can lead to more significant, disruptive, and costly attacks, such as ransomware campaigns. These simple steps can greatly reduce your exposure to common web-based threats and prevent adversaries from finding the operational space to carry out the next phase of the attack chain: weaponization.
[Figure 3: Most commonly observed malware types, by sample count (0K to 50K): iFrame Trojans; Android Trojans (lop); Browser Redirection-Downloads; Phishing Links; Browser Redirection (JS); Heuristic Blocks (Win32); Trojan Downloaders (JS); Facebook Hijacking; PUA and Suspicious Binaries; Packed (Multipacked); Browser Redirection; Trojan Droppers (VBS); Trojan Downloaders (Scripts); Facebook Scam Links; iFrame Downloaders.]
Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant
Adobe Flash has long been an attractive web attack vector for adversaries who want to exploit and compromise systems. However, as the amount of Adobe Flash content on the web continues to decline and awareness about Flash vulnerabilities grows, it is becoming more difficult for cybercriminals to exploit users at the scale they once enjoyed.

Adobe itself is moving away from full development and support of the software platform and has encouraged developers to adopt newer standards such as HTML5. Providers of popular web browsers are also taking a strong position on Flash. For example, Google announced in 2016 that it will phase out full support for Adobe Flash on its Chrome browser. Firefox is continuing to support legacy Flash content, but it is blocking certain Flash content that is not essential to the user experience.

Flash may be fading, but exploit kit developers are helping it endure as an attack vector. However, there are signs this may be changing. After three leading exploit kits (Angler, Nuclear, and Neutrino) abruptly disappeared from the threat landscape in 2016, our threat researchers observed a significant decline in Flash-related Internet traffic. (See "Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants," page 20.) The actors behind the Angler exploit kit heavily targeted Flash vulnerabilities to compromise users. The Nuclear exploit kit had a similar focus on Flash. And Neutrino relied on Flash files to deliver exploits.

Users must remain cautious and should uninstall Flash unless they need it for business reasons. If they must use it, they must stay current with updates. Using web browsers that feature automatic patching capabilities can help. As noted in "Web Attack Methods: Short Tail Threats Help Adversaries Lay the Groundwork for Campaigns" on page 13, using secure browsers (and disabling or removing unnecessary browser plugins) will significantly reduce your exposure to web-based threats.

Java, PDF, and Silverlight

Both Java and PDF Internet traffic experienced notable declines in 2016. Silverlight traffic has already reached a level that is not worthwhile for threat researchers to track regularly.

Java, once the dominant web attack vector, has seen its security posture improve significantly in recent years. Oracle's decision in early 2016 to eliminate its Java browser plugin has helped to make Java a less attractive web attack vector. PDF attacks are also increasingly rare. For that reason, they can be easier to detect, which is why many adversaries now use this strategy less often.

However, as with Flash, cybercriminals still use Java, PDF, and Silverlight to exploit users. Individual users, enterprises, and security professionals must be aware of these potential roads to compromise. To reduce their risk of exposure to these threats, they must:

- Download patches
Sources:
"Flash, HTML5 and Open Web Standards," Adobe News, November 2015: https://blogs.adobe.com/conversations/2015/11/flash-html5-and-open-web-standards.html.
"Flash and Chrome," by Anthony LaForge, The Keyword blog, Google, August 9, 2016: https://blog.google/products/chrome/flash-and-chrome/.
"Reducing Adobe Flash Usage in Firefox," by Benjamin Smedberg, Future Release blog, Mozilla, July 20, 2016: https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/.
After categorizing third-party cloud applications using the CARI, CloudLock assigns a risk score for each app on a scale of 1 (lowest risk) to 5 (highest risk).

- An app that would score 1 on the scale might have, for example, minimal access scopes (it can see email only), a 100 percent community trust rating, and no breach history.
- An app that would score 5 on the scale might be one with full account access (it can see all emails, documents, navigation history, calendar, and more), an 8 percent trust rating (meaning, only 8 percent of administrators trust it), and no security certification.
[Figure: risk distribution of 222,000 third-party applications: 15 percent Low Risk, 58 percent Medium Risk (the remaining share is not shown in the recovered figure).]
[Figure: third-party cloud application risk distribution by region (North America, LATAM, EMEA, APAC); the series labels for the percentages shown were not recovered.]
[Figure: user activity anomaly analysis. Of 1 billion user activities per month, 0.02 percent are flagged as suspicious activities, which are then narrowed to true threats. Anomalies break down as 58 percent abnormal behavior, 31 percent login activities, and 11 percent admin actions. The figure also lists login failures, file downloads, and data asset deletion as flagged activity types, at 113X, 227X, and 141X the average (the pairing of labels and multiples was not recovered). Surrounding labels: Centralized Policies, Contextual Analysis, Cyber Research, Community Intelligence, Threat Intelligence, Cloud Vulnerability Insight.]
The Delivery Phase

Through the malicious use of email, file attachments, websites, and other tools, attackers transmit their cyberweapons to targets.
[Figure: monthly chart, February through November (chart contents not recovered). Source: Cisco Security Research]

Flash remains an attractive web attack vector for adversaries, but it is likely to become less so over time. Fewer sites and browsers are supporting Flash fully or at all, and there is generally greater awareness about Flash vulnerabilities. (For more on this topic, see "Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant," on page 15.)

Download the 2017 graphics at: www.cisco.com/go/acr2017graphics
Figure 11: Top Vulnerabilities in Exploit Kits

[Figure: a matrix of which exploit kits used which vulnerabilities; the cell markings were not recovered. Exploit kits shown: Angler, Neutrino (1, 2), Magnitude, RIG, Nuclear, Sundown, Hunter. Vulnerabilities shown: CVE-2015-7645, CVE-2015-8446, CVE-2015-8651, CVE-2016-0034, CVE-2016-1019, CVE-2016-1001, CVE-2016-4117, CVE-2016-0189, CVE-2015-5119, CVE-2015-5122, CVE-2015-3043, CVE-2015-0318, CVE-2015-3113, CVE-2015-2419.]
Sources:
"Russian Hacker Gang Arrested Over $25M Theft," BBC News, June 2, 2016: http://www.bbc.com/news/technology-36434104.
For more on this topic, see the July 2016 Cisco Talos blog post, "Connecting the Dots Reveals Crimeware Shake-Up."
Users are directed to exploit kits in two primary ways: compromised websites and malvertising. Adversaries will place a link to an exploit kit landing page into a malicious ad or a compromised website, or they will use an intermediate link, known as a broker. (These links, positioned between compromised websites and exploit kit servers, are also referred to as "gates.") The broker serves as an intermediary between the initial redirection and the actual exploit kit that delivers the malware payload to users.

The latter tactic is becoming more popular as attackers find they must move faster to maintain their operational space and evade detection. Brokers allow adversaries to switch quickly from one malicious server to another without changing the initial redirection. Because they don't need to constantly modify websites or malicious ads to start the infection chain, exploit kit operators can carry out longer campaigns.

ShadowGate: A Cost-Effective Campaign

As it becomes more difficult to compromise large numbers of users through traditional web attack vectors alone (see page 15), adversaries are relying more on malvertising to expose users to exploit kits. Our threat researchers dubbed a recent global malvertising campaign "ShadowGate." This campaign illustrates how malicious ads are providing adversaries with more flexibility and opportunity to target users across geographic regions at scale.

ShadowGate involved websites ranging from popular culture to retail to pornography to news. It potentially affected millions of users in North America, Europe, Asia-Pacific, and the Middle East. The campaign's global reach and use of many languages are noteworthy.

ShadowGate, which used domain shadowing, was first seen in early 2015. It would go quiet at times and then randomly start up again to direct traffic to exploit kit landing pages. Initially, ShadowGate was used to direct users to the Angler exploit kit only. But after Angler disappeared in the summer of 2016, users were directed to the Neutrino exploit kit, until that vanished as well a few months later. (For more on this story, see "Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants," on page 20.)

Even though ShadowGate saw a high volume of web traffic, only a tiny fraction of interactions led to a user being directed to an exploit kit. The malicious ads were mostly impressions (ads that render on the page and require no user interaction). This online advertising model allowed the actors responsible for ShadowGate to operate their campaign more cost-effectively.

Our research into ShadowGate led to a joint effort with a major web hosting company. We worked together to mitigate the threat by reclaiming registrant accounts that adversaries had used to host the activity. We then took down all applicable subdomains.

For more details on the ShadowGate campaign, see the September 2016 Cisco Talos blog post, "Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted."
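The broker shape described above (one intermediary that many unrelated referers send clients through, which then forwards them to a changing set of destination hosts within seconds) is visible to defenders in proxy data. The following is an added example, not code from the Cisco report: it reconstructs redirect hops from constructed proxy log lines and flags hosts with that fan-in/fan-out pattern. The log format, the hostnames, the 5-second hop window and the thresholds are assumptions made for this example.

```python
"""Flag candidate "gates" (brokers) in web proxy logs.

Added example for illustration, not code from the Cisco report. A broker sits
between the initial redirection (malicious ad or compromised site) and the
exploit kit server, so in proxy data it appears as one host that many
unrelated referers send clients through, and that forwards those clients to
a changing set of destination hosts within seconds. The log format, host
names and thresholds below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log: "<timestamp> <client_ip> <referer_host or -> <requested_url>"
SAMPLE_LOG = """\
2016-09-01T10:00:00 10.0.0.5 - http://news.example-site.test/article/123
2016-09-01T10:00:01 10.0.0.5 news.example-site.test http://broker.example-gate.test/go?z=1
2016-09-01T10:00:03 10.0.0.5 broker.example-gate.test http://k1.example-landing.test/index.php
2016-09-01T10:05:00 10.0.0.9 - http://retail.example-shop.test/deals
2016-09-01T10:05:01 10.0.0.9 retail.example-shop.test http://broker.example-gate.test/go?z=2
2016-09-01T10:05:02 10.0.0.9 broker.example-gate.test http://k1.example-landing.test/index.php
2016-09-02T09:30:00 10.0.0.7 - http://blog.example-culture.test/post/7
2016-09-02T09:30:01 10.0.0.7 blog.example-culture.test http://broker.example-gate.test/go?z=3
2016-09-02T09:30:03 10.0.0.7 broker.example-gate.test http://k2.example-landing.test/index.php
2016-09-02T11:00:00 10.0.0.5 - http://cdn.example-static.test/lib.js
2016-09-02T11:00:00 10.0.0.5 news.example-site.test http://cdn.example-static.test/img.png
2016-09-02T11:00:01 10.0.0.9 retail.example-shop.test http://cdn.example-static.test/img.png
"""

HOP_WINDOW_SECONDS = 5  # assumed: a redirect hop through a gate completes within seconds


def parse_log(text):
    """Parse the constructed log format into dicts with timestamps and hostnames."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, referer, url = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "referer": None if referer == "-" else referer,
            "host": urlparse(url).hostname,
        })
    return events


def find_hops(events, window=HOP_WINDOW_SECONDS):
    """Return (via_host, next_host, origin_referer) triples: the same client
    requested via_host and, within `window` seconds, was sent on to a different
    host that names via_host as its referer."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    hops = []
    for seq in by_client.values():
        seq.sort(key=lambda e: e["ts"])
        for i, e in enumerate(seq):
            for nxt in seq[i + 1:]:
                if (nxt["ts"] - e["ts"]).total_seconds() > window:
                    break  # later requests are outside the hop window
                if nxt["referer"] == e["host"] and nxt["host"] != e["host"]:
                    hops.append((e["host"], nxt["host"], e["referer"]))
    return hops


def gate_candidates(events, min_inbound=2, min_outbound=2):
    """Hosts with the broker shape: reached from at least min_inbound distinct
    referer hosts AND forwarding to at least min_outbound distinct destinations.
    Returns {host: {"inbound": set_of_referers, "outbound": set_of_destinations}}."""
    inbound, outbound = defaultdict(set), defaultdict(set)
    for via, nxt, origin in find_hops(events):
        if origin is not None:
            inbound[via].add(origin)
        outbound[via].add(nxt)
    return {
        host: {"inbound": inbound[host], "outbound": outbound[host]}
        for host in outbound
        if len(inbound[host]) >= min_inbound and len(outbound[host]) >= min_outbound
    }


if __name__ == "__main__":
    for host, info in gate_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: reached via {sorted(info['inbound'])}, "
              f"forwards to {sorted(info['outbound'])}")
```

Legitimate ad networks and CDNs show the same fan-in/fan-out shape, so treat the output as triage input to enrich with domain age and reputation rather than as a verdict.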
- Change browser and operating system settings to weaken security
- Break antivirus or other security products

To assess the scope of the adware problem for enterprises, Cisco threat researchers examined 80 different adware variants. About 130 organizations across verticals were included in our investigation, which took place from November 2015 to November 2016.

We determined that 75 percent of the organizations in our study were affected by adware infections.

[Figure: more than 75 percent of organizations investigated have adware infections.]
Figure 13 shows the types of incidents we observed in the organizations included in our investigation. Ad injectors were the primary source of infections. This finding indicates that most of these unwanted applications target web browsers. We have also seen an increase in browser-based infections during the last few years, which suggests adversaries are finding success with this strategy for compromising users.

All the adware components we identified during our investigation can place users and organizations at risk for malicious activity. Security teams must recognize the threat that adware infections pose and make sure that users in the organization are fully aware of the risks.

For additional information on this topic, see the February 2016 Cisco Security blog post, "DNSChanger Outbreak Linked to Adware Install Base."
[Figure: Percentage of Users Infected, 0 to 2.0 percent, by month from November 2015 through October 2016.]

[Figure: Percentage of Users Infected with Adware, 0 to 60 percent, by month from November 2015 through October 2016.]
[Figure: spam volume by country; each entry gives the two values shown in the figure (the legend distinguishing them was not recovered): United States 1351K | 2046K; Vietnam 990K | 1684K; China 903K | 760K; Germany 414K | 548K; Russia 343K | 352K; India 254K | 1662K; Brazil 252K | 587K; France 222K | 467K; Mexico 214K | 495K; Japan 194K | 286K.]
IP connection blocks are spam messages that are blocked immediately by spam-detecting technology because the spam sender has a bad reputation score. Examples include messages that have originated from known spam-sending botnets or compromised networks that are known to participate in spam attacks.
The five-year graph from the Composite Blocking List (CBL), a DNS-based blackhole list of suspected spam-sending computer infections, also shows a dramatic increase in total spam volume during 2016 (Figure 15). A review of 10-year data from CBL (not shown) suggests that 2016 spam volume is close to the record-high levels seen in 2010. New antispam technologies, and high-profile takedowns of spam-related botnets, have helped to keep spam levels low in recent years. Our threat researchers attribute the recent increase in global spam volume to the Necurs botnet. Necurs is a primary vector for Locky ransomware. It also distributes threats such as the Dridex banking Trojan.

Figure 16 is an internal graph generated by Cisco's SpamCop service that illustrates the change in spam volume observed in 2016. This graph shows the overall size of the SpamCop Block List (SCBL) from November 2015 to November 2016. Each row in the SCBL represents a distinct IP address.

Between November 2015 and February 2016, SCBL size hovered below 200,000 IP addresses. In September and October, SCBL size exceeded 400,000 IP addresses before dropping off in October, which our threat researchers attribute to the operators of Necurs simply taking time off. Also note the significant decline in June. At the end of May, there were arrests in Russia related to the Lurk banking Trojan (see page 21). Subsequently, several high-profile threats, including Necurs, went silent. However, 3 weeks later, Necurs was back in action, adding more than 200,000 IP addresses to the SCBL in less than 2 hours.
[Figure 15: CBL spam volume, 2012 to 2016 (0 to 2.5K). Source: CBL]

Figure 16 Overall Size of SCBL
[Rows (distinct IP addresses, 0 to 500k) by month, November 2015 to November 2016. Source: SpamCop]
Many of the host IPs sending Necurs spam have been infected for more than 2 years. To help keep the full scope of the botnet hidden, Necurs will send spam only from a subset of infected hosts. An infected host might be used for 2 to 3 days, and then sometimes not again for 2 to 3 weeks. This behavior complicates the job of security personnel who respond to spam attacks. They may believe they have found and successfully cleaned an infected host, but the actors behind Necurs are just biding their time until they launch another attack.

Seventy-five percent of total spam observed in October 2016 contained malicious attachments. Most of that spam was sent by the Necurs botnet. (See Figure 17.) Necurs sends malicious .zip attachments that include embedded executable files such as JavaScript, .hta, .wsf, and VBScript downloaders. In calculating the percentage of total spam containing malicious attachments, we count both the container file (.zip) and the child files within it (such as a JavaScript file) as individual malicious attachments.

Attackers Experiment with Attachment Types to Keep Malicious Spam Campaigns Fresh

Our threat researchers examined how adversaries use different types of file attachments to help prevent malicious

Patterns with .wsf files during 2016 (see Figure 17) provide an example of how adversaries will evolve malicious spam tactics over time. This file type was rarely used as a malicious attachment before February 2016. Then, the use of this file type begins to grow as the Necurs botnet becomes more active. By July, .wsf files accounted for 22 percent of all malicious spam attachments. This was also around the time that global spam activity increased dramatically (see previous section), an uptick that was due largely to the Necurs botnet.

Through August, September, and October, we saw fluctuations in the percentages of .wsf files. This indicates that adversaries were pulling back at times when the file type was being detected more frequently.

Figure 17 Percentage of Total Spam Containing Malicious Attachments
[Line chart, July 2015 to October 2016 (0 to 80 percent); series: Containing Malicious Attachments, Contains Malicious .hta]
The spike in Figure 18 is a hailstorm attack. The activity is shown in the Cisco Investigate interface. Just before the attack, no one was resolving the IP address. Then, suddenly, the number of computers resolving the domain in DNS spiked to more than 78,000 before dropping back down to zero.

• Emulate marketing mail with professional content and subscription management
• Use well-configured email systems rather than sloppy scripts or spam bots
• Properly set up forward-confirmed reverse DNS and Sender Policy Framework (SPF) records

Figure 18 Comparison of Hailstorm and Snowshoe Spam Attacks
[DNS queries per hour (0 to 50,000), September 16 to October 14]
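A defender-side illustration of the spike pattern just described, as an added example that is not part of the Cisco report or the Investigate interface: it scans constructed hourly DNS resolution counts for a burst that rises from a quiet baseline and falls straight back to nothing (the hailstorm shape), and computes how concentrated the volume is, which separates it from a steady snowshoe trickle. The hourly counts, the window and the thresholds are constructed or assumed, not values from the report.

```python
"""Flagging a hailstorm-style spike in hourly DNS resolution counts for a
domain, and separating it from a steady snowshoe-style trickle.

Added example written for this page, not Cisco's code or the Investigate
interface. The hourly counts are constructed to imitate the shape of
Figure 18; the window, floor and multiplier are assumptions."""
from statistics import mean

# Constructed: resolvers per hour for one domain over 20 hours. Quiet, then a
# burst of tens of thousands of resolvers for two hours, then quiet again.
HAILSTORM_HOURLY = [0, 0, 0, 1, 0, 0, 0, 2, 0, 0,
                    0, 0, 0, 78000, 41000, 300, 0, 0, 0, 0]
# Constructed: a low, steady trickle typical of snowshoe sending.
SNOWSHOE_HOURLY = [50] * 20


def find_bursts(counts, window=8, floor=1000, multiplier=10.0, quiet_after=3):
    """Return one dict per burst: consecutive hours whose count exceeds both an
    absolute floor and `multiplier` times the mean of the preceding `window`
    hours. The floor keeps a count of 2 after a run of zeros from being flagged."""
    bursts = []
    i = window
    while i < len(counts):
        threshold = max(floor, mean(counts[i - window:i]) * multiplier)
        if counts[i] <= threshold:
            i += 1
            continue
        start = i
        while i < len(counts) and counts[i] > threshold:
            i += 1
        tail = counts[i:i + quiet_after]
        bursts.append({
            "start_hour": start,
            "duration_hours": i - start,
            "peak": max(counts[start:i]),
            # a hailstorm drops back to nothing right after the burst
            "returned_to_quiet": len(tail) == quiet_after
                                 and all(c <= threshold for c in tail),
        })
    return bursts


def volume_concentration(counts, top_hours=2):
    """Share of all resolutions that fall in the busiest `top_hours` hours:
    close to 1.0 for a hailstorm, close to top_hours/len(counts) for a
    snowshoe-style trickle spread evenly over the period."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return sum(sorted(counts, reverse=True)[:top_hours]) / total


if __name__ == "__main__":
    for burst in find_bursts(HAILSTORM_HOURLY):
        print("burst:", burst)
    print("hailstorm concentration:", round(volume_concentration(HAILSTORM_HOURLY), 3))
    print("snowshoe concentration:", round(volume_concentration(SNOWSHOE_HOURLY), 3))
```

The absolute floor matters more than the multiplier on real data: a domain that nobody resolves has a baseline of zero, so any ratio test alone would flag the first handful of queries.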
Adversaries can also impair content detection by mutating text and cycling through file types. (For more details on how cybercriminals evolve their threats to evade defenders, see the Time to Evolve section on page 34.) For more information on how they experiment with malicious file attachments for spam, see the previous section.

Figure 19 shows top threat outbreak alerts; this is an overview of the spam and phishing messages that we observed adversaries frequently updating in 2016 in order to bypass email security checks and rules. It is important to know what types of email threats are the most prevalent so that you can avoid being duped by these malicious messages.

Figure 19 Top Threat Outbreak Alerts
74 | 38971 | RuleID15448 | .zip, .gz | English | 08/08/16 | Purchase Order, Payment, Receipt
72 | 41513 | RuleID18688 | .zip | English | 09/01/16 | Order, Payment, Seminar
70 | 40056 | RuleID6396 | .rar | English | 06/07/16 | Purchase Order, Payment, Receipt
Once the threat is in position, it installs a back door on a target's system, providing adversaries with persistent access.

Web Attack Methods: Long Tail Snapshot Reveals Threats That Users Can Easily Avoid

The so-called long tail of the web attack methods spectrum (Figure 20) includes a collection of lower-volume malware types that are employed at a later stage in the attack chain: installation. In this phase, the threat that has been delivered (a banking Trojan, a virus, a downloader, or some other exploit) installs a back door in the target system, providing adversaries with persistent access and the opportunity to exfiltrate data, launch ransomware attacks,

Figure 20 Sample of Observed Lower-Volume Malware
91 PUA and Suspicious Binaries
36 Heuristic
16 Worm (Allaple)
14 Trojans Downloader (HTML)
Vertical Risk of Malware Encounters: Attackers See Value Across the Board

In the Cisco 2016 Midyear Cybersecurity Report, a key message about the risk of malware was that no vertical is safe. Judging from our researchers' periodic examination of attack traffic (block rates) and normal or expected traffic by industry, this message held true in the latter half of the year.

In looking at verticals and their block rates over time (Figure 21), we see that, at some point over the course of several months, every industry has been subject to attack and at varying levels. It's clear that as attacks rise and fall, they affect different verticals at different times but none are spared.

Figure 21 Percentage of Monthly Vertical Block Rates
[Small-multiple charts, one per vertical: Accounting; Agriculture and Mining; Automotive; Aviation; Banking and Finance; Charities and NGOs; Education; Electronics; Energy, Oil, and Gas; Engineering and Construction; Entertainment; Food and Beverage; Government; Healthcare; Heating, Plumbing, and A/C; Industrial; Insurance; IT and Telecommunications; Legal; Manufacturing; Media and Publishing; Pharmaceutical and Chemical; Professional Services; Real Estate and Land Mgmt.; Retail and Wholesale; Transportation and Shipping; Travel and Leisure; Utilities]
[Figure (map): per-country values as shown: Germany 3.88; Russia 0.94; France 0.87; Canada 2.11; Ukraine 1.47; Belize 1.54; Vietnam 1.07; Panama 1.46; Venezuela 1.15; Indonesia 2.84; Peru 1.43; Australia 1.60; Turkey 1.00; Chile 0.83; Malaysia 3.52; Romania 2.77]
[Figure: monthly chart, December 2015 to October 2016]
not derived using our modified approach to analyzing more detailed retrospective information about files. Using the new
Cisco defines time to detection, or TTD, as the window of time between a compromise and the detection of
a threat. We determine this time window using opt-in security telemetry gathered from Cisco security products
deployed around the globe. Using our global visibility and a continuous analytics model, we are able to measure
from the moment malicious code runs on an endpoint to the time it is determined to be a threat for all malicious
code that was unclassified at the time of encounter.
Through our analysis, we sought to measure the time to evolve (TTE): the time it takes adversaries to change the way specific malware is delivered and the length of time between each change in tactics. We analyzed web attack data from different Cisco sources, specifically web proxy data, cloud and endpoint advanced malware products, and composite antimalware engines.

Our researchers looked for changes in file extensions delivering the malware and the file content (or MIME) type as defined by a user's system. We determined that each malware family has a unique pattern of evolution. For each family, we examined the patterns in both web

The Adwind RAT and Kryptik malware families have a higher median TTD. (For more on TTD, see page 33.) We also see a greater mix of file ages for these families. This suggests that adversaries reuse effective binaries that they know are difficult to detect.

Looking at the file ages for the Dridex malware family, it appears that the shadow economy may be abandoning use of this once-popular banking Trojan. In late 2016, detection volume for Dridex declined, as did the development of new binaries to deliver this malware. This trend suggests that the malware's authors no longer see value in evolving this threat, or that they have found a new way to package the malware that has made it harder to detect.
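The TTD definition given earlier in this section and the TTE measurement described here, worked through on constructed telemetry as an added example (not Cisco's analytics code): median TTD per family over files that were unclassified at encounter, the set of extension and MIME delivery vectors seen per month, and the gaps between successive first appearances of a new vector as a TTE series. The family names, records, extension/MIME pairs and timestamps are all constructed.

```python
"""Time to detection (TTD) and time to evolve (TTE) over a small set of
constructed file-encounter records.

Added example written for this page, not Cisco's own analytics code. The
families ("fam-a", "fam-b"), timestamps and delivery vectors are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed telemetry. Each record is one file encounter:
#   first_seen          when the file first ran on an endpoint
#   convicted           when analysis determined the file was malicious
#   known_at_encounter  True if the file was already classified when first
#                       seen (TTD is measured only for files that were not)
#   ext, mime           delivery vector: file extension and MIME type
RECORDS = [
    {"family": "fam-a", "first_seen": "2016-01-03T10:00", "convicted": "2016-01-03T16:00",
     "known_at_encounter": False, "ext": "js", "mime": "text/javascript"},
    {"family": "fam-a", "first_seen": "2016-01-13T10:00", "convicted": "2016-01-13T14:00",
     "known_at_encounter": False, "ext": "zip", "mime": "application/zip"},
    {"family": "fam-a", "first_seen": "2016-01-14T10:00", "convicted": "2016-01-14T22:00",
     "known_at_encounter": False, "ext": "zip", "mime": "application/zip"},
    {"family": "fam-a", "first_seen": "2016-01-28T10:00", "convicted": "2016-01-28T12:00",
     "known_at_encounter": False, "ext": "wsf", "mime": "text/html"},
    {"family": "fam-b", "first_seen": "2016-01-05T08:00", "convicted": "2016-01-06T04:00",
     "known_at_encounter": False, "ext": "exe", "mime": "application/x-dosexec"},
    {"family": "fam-b", "first_seen": "2016-01-20T08:00", "convicted": "2016-01-21T10:00",
     "known_at_encounter": False, "ext": "exe", "mime": "application/x-dosexec"},
    {"family": "fam-b", "first_seen": "2016-02-02T08:00", "convicted": "2016-02-03T02:00",
     "known_at_encounter": False, "ext": "exe", "mime": "application/x-dosexec"},
    # already known when encountered: blocked instantly, excluded from TTD
    {"family": "fam-b", "first_seen": "2016-02-10T08:00", "convicted": "2016-02-10T08:00",
     "known_at_encounter": True, "ext": "exe", "mime": "application/x-dosexec"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def ttd_hours(record):
    """Hours from first execution to conviction for one record."""
    return (_ts(record["convicted"]) - _ts(record["first_seen"])).total_seconds() / 3600


def median_ttd_by_family(records):
    """Median TTD per family, counting only files unclassified at encounter."""
    samples = defaultdict(list)
    for rec in records:
        if not rec["known_at_encounter"]:
            samples[rec["family"]].append(ttd_hours(rec))
    return {family: median(values) for family, values in samples.items()}


def vectors_by_month(records):
    """family -> 'YYYY-MM' -> set of (ext, mime) delivery vectors observed."""
    out = defaultdict(lambda: defaultdict(set))
    for rec in records:
        out[rec["family"]][rec["first_seen"][:7]].add((rec["ext"], rec["mime"]))
    return {family: dict(months) for family, months in out.items()}


def tte_days(records, family):
    """Days between successive first appearances of a new delivery vector for
    one family. An empty list means the family never changed how it was delivered."""
    first_seen_by_vector = {}
    for rec in sorted(records, key=lambda r: r["first_seen"]):
        if rec["family"] == family:
            first_seen_by_vector.setdefault((rec["ext"], rec["mime"]), _ts(rec["first_seen"]))
    changes = sorted(first_seen_by_vector.values())
    return [(later - earlier).total_seconds() / 86400
            for earlier, later in zip(changes, changes[1:])]


if __name__ == "__main__":
    print("median TTD (hours):", median_ttd_by_family(RECORDS))
    print("vectors per month:", {f: {m: len(v) for m, v in months.items()}
                                 for f, months in vectors_by_month(RECORDS).items()})
    print("fam-a TTE (days):", tte_days(RECORDS, "fam-a"))
```

In the constructed data "fam-a" rotates its delivery vector every 10 to 15 days and is convicted within hours, while "fam-b" keeps one vector and takes roughly a day to convict; the same two views (median TTD and vector churn) are what the text contrasts for Nemucod against Kryptik and Adwind.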
Figure 24 TTD Medians of Top Malware Families (Top 20 Families by Detection Count)
[Scatter plot: x axis 0 to 50, y axis Percentage of Total Detections (0 to 35). Families plotted: nemucod, bayrob, docdl, locky, dridex, donoff, insight, fareit, kryptik, mabezat, adwind, mydoom, cerber, mamianune, razy, upatre, hancitor, adnel, zbot, zusy]
[Figure: Percentage of Locky Unique Vectors by month, email and web, November 2015 to October 2016 (0 to 100 percent). Source: Cisco Security Research. File extension and MIME combinations listed: js & text/html; php & application/zip; rtf & application/msword; docm & application/vnd.open...; no extension & application/vnd...; no extension & application/ms-wo...; cgi & application/ms-word.doc...; wsf & text/html; doc & application/vnd.open...; wsf & application/xml; no extension & application/vnd...; js & text/javascript; xls & application/vnd.openxml...; vbs & text/plain]
remain active and effective. (Figure 24, discussed earlier, shows that Cisco products detected both Locky and Cerber ransomware within the median TTD in 2016.)

Figure 27 shows the median TTD for Locky ransomware, which declined dramatically from about 116 hours in November 2015 to just under 5 hours in October 2016.

[Figure 27: Locky median TTD in hours (0 to 80), November 2015 to October 2016; callout values 7.1, 5.9, 4.7. Source: Cisco Security Research]
TTE Analysis: Nemucod

In 2016, Nemucod was the most frequently detected malware among the top 20 families shown in Figure 24. Adversaries use this downloader malware to distribute ransomware and other threats, such as backdoor Trojans that facilitate click fraud. Some variants of Nemucod also serve as engines for delivering the Nemucod malware payload.

One reason Nemucod malware was so prevalent in 2016, according to our threat researchers, is that its authors frequently evolved this threat. Cisco identified more than 15 file extension and MIME combinations associated with the Nemucod family that were used to deliver malware through the web. Many more combinations were used to deliver the threat to users through email (Figure 28).

and October 2016, almost every binary related to the Nemucod family that was blocked was less than a day old.

[Figure 28: Percentage of Nemucod Unique Vectors by month; combinations listed: js & application/javascript; html & text/html; zip & application/zip; js & text/javascript]
[Figure: Nemucod hash volume by month (0 to 1.5 percent), November 2015 to October 2016]
[Figure: Nemucod median TTD in hours (0 to 80), November 2015 to October 2016; callout values 70.7, 30.0, 25.3, 13.0, 16.2]
Download the 2017 graphics at: www.cisco.com/go/acr2017graphics
TTE Analysis: Kryptik

Kryptik, like Adwind RAT malware, had a median TTD that was consistently higher (about 20 hours) than other malware families Cisco analyzed for the TTE study from November 2015 through October 2016 (Figure 36). However, by October, Cisco products had reduced the median TTD window for Kryptik malware to less than 9 hours (Figure 36).

The Kryptik malware family also used a wider range of hash ages than the other malware families we analyzed, particularly during the first half of 2016. The ability of Kryptik's authors to rely on older hashes for so long indicates that defenders had trouble detecting this malware type.

During the period that we observed, Kryptik's authors employed a wide range of payload delivery methods through the web attack vector. The authors used JavaScript files and archive files such as .zip files in file extension and MIME combinations for both web and email. (See Figure 34.) Some of the combinations date back to 2011.

In our analysis of the six malware families, we find that adversaries must shift tactics frequently to take advantage of the small window of time during which their threats can operate successfully. These adjustments indicate that defenders are getting better at detecting known malware quickly, even after a threat has evolved. Attackers are under pressure to find new ways to avoid detection and keep their campaigns profitable.

In this complex landscape of rapid evolution, where all malware families behave differently, human expertise and point solutions are not enough to identify and respond quickly to threats. An integrated security architecture that provides real-time insight into threats, along with automated detection and defense, is essential for improving TTD and ensuring swift remediation when infections occur.

Figure 34 File Extension and MIME Combinations for Kryptik (Web and Email Vectors)
[Percentage of total, by month, November 2015 to October 2016. Combinations listed: js & application/javascript; gif & text/html; no extension & application/archive; vbs & text/plain; asp & text/html; no extension & application/java...; php & application/exe; tbz2 & application/x-rar]

Figure 35 Hash Ages for the Kryptik Malware Family and Percent of Total Hash Volume Observed Per Month
[Percentage of Kryptik hashes with hash age under 24 hours, November 2015 to October 2016 (0 to 100 percent); callout values 63.7, 34.4, 55.1, 22.4, 8.7]
Defender Behavior
Vulnerabilities on the Decline in 2016

In the second half of 2016, vendor-disclosed vulnerabilities dropped significantly from 2015, according to our research (Figure 37). The National Vulnerability Database shows a similar decline. The reasons for the drop in disclosed vulnerability advisories are not entirely clear.

It should be noted that 2015 was an unusually active year for vulnerabilities, so the 2016 numbers may reflect a normal pace of vulnerability advisories. From January to October 2015, total alerts reached 7602. During the same time period in 2016, total alerts reached 6380; during this period in 2014, total alerts were 6272.

The high number of vulnerability reports in 2015 may indicate that vendors were looking more closely at existing products and code, more carefully implementing secure development lifecycle (SDL) practices, and identifying vulnerabilities and subsequently fixing them. The decline in reported vulnerabilities may indicate that these efforts are paying off. That is, vendors are now focusing on identifying vulnerabilities and correcting them before products reach the market.

In 2016, Apple was the vendor showing the most dramatic decline in vulnerabilities: The company reported 705 vulnerabilities in 2015, and 324 vulnerabilities in 2016 (a 54 percent decline). Similarly, Cisco reported 488 vulnerabilities in 2015, and 310 in 2016 (a 36 percent decline).

A concern among security researchers is that vulnerability fatigue may be setting in among security professionals. In recent months, there has not been a major vulnerability announcement that sent shock waves through the industry, as Heartbleed did in 2014. In fact, the hype around named vulnerabilities such as Heartbleed and the increase in 2015 likely contributed to the level of fatigue or, at least, to less interest in reporting vulnerabilities.
Figure 37 Cumulative Annual Alert Totals
[Cumulative alerts by month, January to December (0 to 9K); callout values 634, 1327, 2193, 2992, 3811, 4407, 4969, 5483, 5976, 6380]
Cisco is now using severity/impact ratings (SIRs), in which the rating levels are critical, high, medium, and low. The ratings reflect a simplified
prioritization of scores from the Common Vulnerability Scoring System (CVSS). In addition, Cisco has adopted CVSS v3.0, the successor to CVSS v2.0.
Because of this change, some vulnerabilities may have higher scores than before, so security professionals may see a small increase in vulnerabilities that
are rated critical and high, instead of medium and low. For more information about this scoring change, read the Cisco Security blog post,
The Evolution of Scoring Security Vulnerabilities: The Sequel.
As we've advised in past reports, security professionals should make a concerted effort to prioritize patches. If a lack of staffing and other resources prevents the timely installation of all available patches, evaluate which ones are most critical to network safety, and place those at the top of the to-do list.

[Figure: alert listing. Each row reads "Adobe Acrobat and Acrobat Reader memory corruption vulnerability", dated Jul 18, 2016; Jun 23, 2016; May 24, 2016; May 23, 2016. Source: Cisco Security Research]
Organizations may gamble on middleware being safe and may place greater attention on updating high-profile solutions. But they can lose the bet that adversaries won't seek entry to networks through these low-profile pathways. Middleware thus becomes a security blind spot for defenders and an opportunity for attackers.

The challenge of updating middleware libraries closely relates to the open-source software problem (discussed in the Cisco 2015 Midyear Security Report), since many middleware solutions come from open-source developers. (However, the problem at hand can affect both open-source and proprietary middleware developers.) Therefore, middleware libraries may rely on many developers to keep them updated. On the list of tasks that an overtaxed IT or security team needs to manage, middleware library updates may not be a top priority, but they should be given greater attention.

What is the potential impact of a middleware vulnerability that is exploited by adversaries? Given the connections between middleware and other crucial systems, such as email or messaging, an attacker could move laterally into these systems and send phishing messages or spam. Or attackers could masquerade as authorized users and abuse trust relationships between users to gain further access.

To avoid becoming the victim of an attack launched through

• Actively maintain a list of known dependencies and libraries in the applications you use
• Actively monitor the security of these applications, and mitigate risks as much as possible
• Insert a service-level agreement in contracts with software vendors for providing patches in a timely manner
• Routinely audit and review software dependencies and library use
• Ask software vendors for details on how they maintain and test their products

In short: Delays in patching increase the operational space for attackers and allow them more time to gain control of critical systems. In the next section, we discuss this impact and trends in the patching of common productivity solutions such as web browsers.

Time to Patch: Closing the Recovery Time Frame

Many users do not download and install patches in a timely manner. Adversaries can use these unpatched vulnerabilities to gain entry to networks. In our latest research, we find that the key to encouraging users to download and install patches may rest in the cadence of software updates from vendors.

A security patch release is a clear indication to attackers that there is a vulnerability worth exploiting. Although sophisticated attackers have likely been exploiting the vulnerabilities for some time, the notification of a patch tells many others that it's open season on the earlier versions.

When software vendors release new versions on a regular schedule, users become conditioned to downloading and installing updates. Conversely, when vendor upgrade releases are erratic, users are less likely to install them. They will continue to operate outdated solutions that may contain exploitable vulnerabilities.

Other behaviors that affect the upgrade cycle include:
• How disruptive the reminder experience is
• How easy it is to opt out

There are varying windows of time in which users are likely to install an upgrade when it is released by the vendor. Our researchers looked at the installations of software on the endpoints used by our customers. Their software fell into three categories:
• New versions: The endpoint ran the newest available version of the software
• Recent versions: The endpoint ran one of the previous three versions of the software, but not the newest
• Old versions: The endpoint ran software that was more than three versions behind the current release

As an example, if a software vendor released version 28 on January 1, 2017, version 28 would be new; version 26 would be recent; and version 23 would be old. (The figures on the next page contain callouts of the weekly time periods where one or more versions of the software were released.)
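The three version categories and the version 28 example above, implemented as an added example that is not Cisco's code: the classification is done against a constructed release history, and a recovery function reports how many weeks pass before a threshold share of endpoints runs the newest version. The release feed, the weekly endpoint snapshots and the 80 percent recovery threshold are constructed or assumed.

```python
"""Classifying endpoint software versions as new, recent or old, and measuring
how many weeks a population takes to recover after a release.

Added example written for this page, not Cisco's code. The release history,
the weekly snapshots and the recovery threshold are constructed or assumed."""
from datetime import date

# Constructed release history for a hypothetical product: version -> release date.
RELEASES = {
    23: date(2016, 9, 1),
    24: date(2016, 9, 29),
    25: date(2016, 10, 27),
    26: date(2016, 11, 17),
    27: date(2016, 12, 8),
    28: date(2017, 1, 1),
}


def classify_version(version, releases, as_of):
    """'new' = newest version released on or before as_of; 'recent' = one of
    the three releases before it; 'old' = anything further behind.
    Working from the list of actual releases (not from version arithmetic)
    keeps the rule correct when version numbers are not consecutive."""
    available = sorted(v for v, released in releases.items() if released <= as_of)
    if not available:
        raise ValueError("no release known on or before %s" % as_of)
    newest = available[-1]
    if version >= newest:          # >= tolerates a feed that lags the vendor
        return "new"
    if version in available[-4:-1]:
        return "recent"
    return "old"


def population_breakdown(versions, releases, as_of):
    """Share of endpoints in each category on a given date."""
    counts = {"new": 0, "recent": 0, "old": 0}
    for v in versions:
        counts[classify_version(v, releases, as_of)] += 1
    total = len(versions) or 1
    return {category: n / total for category, n in counts.items()}


def weeks_to_recover(snapshots, releases, threshold=0.8):
    """Given weekly (date, [versions]) snapshots taken after a release, return
    the number of weeks until at least `threshold` of endpoints run the newest
    version, or None if that never happens within the snapshots."""
    for week, (when, versions) in enumerate(snapshots):
        if population_breakdown(versions, releases, when)["new"] >= threshold:
            return week
    return None


# Constructed weekly snapshots of ten endpoints following the version 28 release.
SNAPSHOTS = [
    (date(2017, 1, 1), [27] * 8 + [26] * 2),
    (date(2017, 1, 8), [28] * 5 + [27] * 4 + [23]),
    (date(2017, 1, 15), [28] * 8 + [27] * 2),
]


if __name__ == "__main__":
    for v in (28, 26, 23):
        print(v, classify_version(v, RELEASES, date(2017, 1, 1)))
    for when, versions in SNAPSHOTS:
        print(when, population_breakdown(versions, RELEASES, when))
    print("weeks to recover:", weeks_to_recover(SNAPSHOTS, RELEASES))
```

The "recent" bucket is deliberately defined by release order rather than by subtracting three from the version number, because a vendor that skips numbers or ships point releases would otherwise be misclassified; the as_of date also matters, since the same version 27 is "new" in December 2016 and "recent" a month later.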
In examining users of Adobe Flash (Figure 42), we found that, within the first week of an update release, nearly 80 percent of users install the software's latest version. In other words, it takes only about one week for the user population to get up to speed with the latest version. This one-week recovery period represents hackers' window of opportunity.

In looking at late Q4 2015 in the Adobe Flash graphic, we see a sharp drop in the number of users on the newest version of the solution. In the time period we examined, Adobe released five versions of Flash in quick succession, representing a mix of functionality additions, bug fixes, and security updates. Such a flurry of updates may confuse users. They may question whether they need to download so many updates; they can become fatigued by the number of upgrade notifications; and they may think they've already downloaded a crucial update and can ignore new notifications. No matter what drives their lack of interest in installing an update, it's bad news for defenders.

In examining upgrades for the Google Chrome web browser, we see a different pattern. It reflects a regular cadence of upgrades, as well as a strong opt-out policy that makes it difficult for users to ignore update notifications. As seen in Figure 42, endpoints running the newest version stay relatively steady over the course of many weeks.

The Chrome data shows that users recover relatively quickly. In the case of regular updates, one week is roughly the recovery timeline. In one span of 9 weeks running through Q2 and Q3 of 2016, however, there were seven updates. During this time the population recovered, but upgrade fatigue began to set in. The percentage of users staying with an older version steadily climbs despite the majority of the population recovering.

Mozilla's Firefox browser also offers updates on a regular schedule, but the recovery period after an update is released appears to take as long as a month. That is, users do not download and install updates as frequently as Chrome users do. One reason may be that some users might not use the browser regularly and therefore aren't seeing and downloading updates. (See Figure 43 on next page.)

Figure 42 [Adobe Flash and Google Chrome: share of endpoints on outdated versions by week, starting May 2015, with callouts at release weeks. Adobe Flash (weeks 0 to 75): 83%, 67%, 99%, 94%, 88%, 63%, 69%, 67%, 70%, 68%, 76%, 77%, 94%, 88%, 80%, 88%, 94%, 94%, 92%, 82%, 86%, 78%, 93%. Google Chrome (weeks 0 to 55): 97%, 70%, 95%, 8%, 63%, 48%, 87%, 54%, 94%, 98%, 94%, 97%, 98%, 54%, 98%, 97%, 98%]
We found that Firefox updated its versions about every other week, with the frequency of updates increasing over the course of the observation period. This increase in frequency is reflected in the growth of old Firefox versions within the population. The recovery time is roughly 1.5 weeks, but the times overlap. The population that tries to stay current drops to as little as 30 percent of the user base. At some point, two-thirds of the users have resorted to simply running the browser more than four versions behind the most current one. So, although Firefox is rapidly addressing issues and fixing bugs, the user base is not updating and restarting on the same frequency.

For software, the level of use seems to also be an indicator of its vulnerability. When users do not access software often and therefore aren't aware of the need to patch and upgrade it, the ignored software provides space and time for attackers to operate.

We can see this in the research on Microsoft Silverlight, which shows a recovery period of as long as 2 months for users to install upgrades after a release. At one point, there were two releases within 5 weeks, which affected the user population for more than 3 months, as can be seen between Q4 of 2015 and Q1 of 2016.

Microsoft announced the end of life of Silverlight in 2012, although patches and bug fixes are still being released. However, it poses the same problem that Internet Explorer does: Outdated and unpatched software invites attackers to easily exploit it.

The recovery period for Java users shows that most are running versions of the software that are one to three versions behind the most recent release. The time to recovery is about 3 weeks. An unusual pattern with Java is that the dominant populations are those that use recent versions. The Java update cycle is from 1 to 2 months.

The overall lesson from time-to-patch cycles is that upgrade release patterns are a contributing factor in user security posture, which can place networks at risk.

Figure 43 [Firefox, Silverlight, and Java: share of endpoints on outdated versions by week, starting May 2015, with callouts at release weeks. Firefox (weeks 0 to 75). Silverlight (weeks 0 to 55): 26%, 88%, 93%, 91%. Java (weeks 0 to 75): 84%, 99%, 93%, 99%, 96%, 91%, 98%, 97%, 99%, 98%]
Cisco 2017 Security Capabilities Benchmark Study
Security professionals want to make their organizations more secure, but in a way that responds to the complex attacker landscape and their adversaries' efforts to expand their operational space. Many organizations are relying on many solutions from many vendors. This tactic adds to the complexity and confusion of securing networks as the Internet continues to grow in terms of speed, connected devices, and traffic. Organizations need to aim for simplicity and integration if they are to protect themselves.

Perceptions: Security Professionals Confident in Tools, Less Sure They're Using Them Effectively

Most security professionals believe that they have adequate solutions on hand and that their security infrastructures are up to date. However, according to our study, this confidence comes with some uncertainty. These professionals are not always sure they can muster the budgets and brainpower to truly take advantage of the technology they have.

infrastructure is up to date, although that confidence appears to be waning a bit from previous years. In 2016, 58 percent of the respondents said their security infrastructure is very up to date and is constantly upgraded with the latest technologies. Thirty-seven percent said they replace or upgrade their security technologies on a regular basis but aren't equipped with the latest-and-greatest tools (Figure 44).

Figure 44 Percentages of Security Professionals Who Feel Their Security Infrastructure Is Up to Date
[Categories: Described as Very Up to Date, Best Technologies Available; Described as Replaced/Upgraded on Regular Cadence, Not Equipped with Latest and Greatest Tools]
Constraints: Time, Talent, and Money Affect the Ability to Respond to Threats

If security professionals are relatively confident that they have the tools needed to detect threats and mitigate damage, they also recognize that certain structural constraints stand in the way of their goals. A tight budget is a perennial challenge. But other constraints on effective security speak to the problems of simplifying and automating security.

In 2016, 35 percent of security professionals said that budget was their biggest obstacle to adopting advanced security processes and technology (a slight decrease from 2015, when 39 percent said budget was the number one obstacle), as seen in Figure 47. As in 2015, compatibility issues with legacy systems was the second-most-common obstacle: 28 percent named compatibility in 2016, compared with 32 percent in 2015.

Money is only part of the problem. For example, compatibility issues speak to the problem of disconnected systems that don't integrate. And concerns about the lack of trained personnel highlight the problem of having the tools but not the talent to truly understand what is happening in the security environment.

The struggle to find talent is a concern, considering the expertise and decision-making abilities needed to fight targeted attacks and shifting adversary tactics. A well-resourced and expert IT security team, paired with the right tools, can make technology and policies work together and achieve better security outcomes.

The median number of security professionals at the surveyed organizations was 33, compared with 25 in 2015. In 2016, 19 percent of organizations had between 50 and 99 dedicated security professionals; 9 percent had 100 to 199 security professionals; and 12 percent had 200 or more (Figure 48).

Figure 47 Biggest Obstacles to Security
[Bar chart by obstacle for 2014, 2015, 2016; recoverable row: Lack of Trained Personnel 22%, 25%. Source: Cisco 2017 Security Capabilities Benchmark Study]

Figure 48 Number of Security Professionals Employed by Organizations
[Number of dedicated security professionals: 40-49: 6 percent; 50-99: 19 percent; 100-199: 9 percent; 200+: 12 percent. Median: 30 (2014), 25 (2015), 33 (2016)]

Figure 49 Number of Security Professionals by Size of Organization
[Percentage breakdown by organization size, 2014 to 2016]
If security professionals are slipping in their goals to put

The lack of integration in security can allow gaps of time and space, where bad actors can launch attacks. The tendency of security professionals to juggle solutions and platforms from many vendors can complicate assembling a seamless defense. As seen in Figure 51, a majority of companies use more than five security vendors and more than five security products in their environment. Fifty-five percent of security professionals use at least six vendors; 45 percent use anywhere from one to five vendors; and 65 percent use six or more products.

Figure 51 Number of Security Vendors in Security Environment: 1-5 Vendors 45%; 6-10 Vendors 29%; 11-20 Vendors 18%; 21-50 Vendors 7%; Over 50 Vendors 3%; 55% use more than 5 vendors. 2016 (n=2850), graphic rounded to nearest whole number.

Figure 52 (alert handling; title not recovered): 93% of organizations experienced a security alert and 7% did not; 56% of alerts are investigated and 44% are not; 28% of investigated alerts are legitimate; 46% of legitimate alerts are remediated and 54% are not. 2016 (n=2796).
If operationalization goals are slipping, if tools are not used at their maximum effectiveness, and if manpower is not robust, the result is faltering security. Security professionals are forced to skip the investigation of alerts simply because they do not have the talent, tools, or automated solutions available to determine which ones are critical and why they are occurring.

Perhaps due to several factors, such as the lack of an integrated defense system or the lack of staff time, organizations are able to investigate a little more than half the security alerts they receive in a given day. As shown in Figure 52, 56 percent of alerts are investigated, and 44 percent are not investigated; of those alerts that are investigated, 28 percent are deemed legitimate alerts. Forty-six percent of legitimate alerts are then remediated.

To put the problem into more concrete terms, if an organization records 5000 alerts per day, this means:

- 2800 alerts (56 percent) are investigated, while 2200 (44 percent) are not
- Of those investigated, 784 alerts (28 percent) are legitimate, while 2016 (72 percent) are not

The fact that nearly half of alerts go uninvestigated should raise concern. What is in the group of alerts that is not being remediated: Are they low-level threats that might merely spread spam, or could they result in a ransomware attack or cripple a network? To investigate and understand a greater slice of the threat landscape, organizations need to rely on automation as well as properly integrated solutions. Automation can help stretch precious resources and remove the burden of detection and investigation from the security team.

The inability to view so many alerts raises questions about their impact on an organization's overall success. What could these uninvestigated threats do to productivity, customer satisfaction, and confidence in the enterprise? As respondents told us, even small network outages or security breaches can have long-term effects on the bottom line. Even when losses were relatively minor and the affected systems were fairly easy to identify and isolate, security leaders regard breaches as significant because of the stress they put on the organization.
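As an added illustration (not part of the Cisco report), the following Go program reproduces the funnel arithmetic above for a configurable daily volume and then models the triage question the text raises: with capacity to investigate only 56 percent of alerts, which alerts go uninvestigated depends on whether the queue is worked in arrival order or sorted by severity first. The alert records, the severity mix and the "critical" threshold are constructed for the example; the percentages are the survey's.

```go
package main

import (
	"fmt"
	"sort"
)

// Funnel holds the daily alert counts after the survey's percentages are applied.
type Funnel struct {
	Total, Investigated, NotInvestigated int
	Legitimate, NotLegitimate           int
	Remediated, NotRemediated           int
}

// ComputeFunnel applies the report's figures (56% of alerts investigated,
// 28% of those legitimate, 46% of legitimate alerts remediated) to a daily
// volume. Rounding to whole alerts is this example's choice.
func ComputeFunnel(total int, investigatedPct, legitimatePct, remediatedPct float64) Funnel {
	round := func(v float64) int { return int(v + 0.5) }
	f := Funnel{Total: total}
	f.Investigated = round(float64(total) * investigatedPct / 100)
	f.NotInvestigated = total - f.Investigated
	f.Legitimate = round(float64(f.Investigated) * legitimatePct / 100)
	f.NotLegitimate = f.Investigated - f.Legitimate
	f.Remediated = round(float64(f.Legitimate) * remediatedPct / 100)
	f.NotRemediated = f.Legitimate - f.Remediated
	return f
}

// Alert is a constructed alert record; Severity runs from 1 (low) to 4 (critical).
type Alert struct {
	ID       int
	Severity int
	Source   string
}

const critical = 4

// SampleDay builds a constructed, deterministic day of n alerts: mostly
// low-severity noise with critical alerts scattered through the arrival order.
func SampleDay(n int) []Alert {
	alerts := make([]Alert, 0, n)
	for i := 0; i < n; i++ {
		sev := 1
		switch {
		case i%97 == 0:
			sev = critical
		case i%13 == 0:
			sev = 3
		case i%5 == 0:
			sev = 2
		}
		alerts = append(alerts, Alert{ID: i, Severity: sev, Source: "constructed-sensor"})
	}
	return alerts
}

// Triage picks which alerts a team with a fixed daily capacity investigates.
// With prioritize=false the queue is worked in arrival order (no automation);
// with prioritize=true an automated step sorts by severity first. It returns
// the investigated alerts and how many critical alerts were left unexamined.
func Triage(alerts []Alert, capacity int, prioritize bool) ([]Alert, int) {
	queue := make([]Alert, len(alerts))
	copy(queue, alerts)
	if prioritize {
		sort.SliceStable(queue, func(i, j int) bool { return queue[i].Severity > queue[j].Severity })
	}
	if capacity > len(queue) {
		capacity = len(queue)
	}
	criticalDropped := 0
	for _, a := range queue[capacity:] {
		if a.Severity == critical {
			criticalDropped++
		}
	}
	return queue[:capacity], criticalDropped
}

func main() {
	f := ComputeFunnel(5000, 56, 28, 46)
	fmt.Printf("investigated %d, not investigated %d\n", f.Investigated, f.NotInvestigated)
	fmt.Printf("legitimate %d, not legitimate %d\n", f.Legitimate, f.NotLegitimate)
	fmt.Printf("remediated %d, legitimate but unremediated %d\n", f.Remediated, f.NotRemediated)

	day := SampleDay(f.Total)
	_, droppedArrival := Triage(day, f.Investigated, false)
	_, droppedPrio := Triage(day, f.Investigated, true)
	fmt.Printf("critical alerts never investigated: %d in arrival order, %d with severity-first triage\n",
		droppedArrival, droppedPrio)
}
```

For 5000 alerts the program gives the report's 2800/2200 and 784/2016 split and, for the constructed severity mix, 23 of 52 critical alerts left uninvestigated in arrival order versus none once the queue is ordered by severity. That is the text's point in numbers: the uninvestigated 44 percent is a random slice of the day only if nothing orders the queue, and ordering it is the simplest thing automation buys.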
As the benchmark study shows, security professionals are jarred into reality when breaches occur. They often change security strategies or bolster defenses. Organizations that have not yet suffered a breach of their networks due to attackers may be relieved they've escaped. However, this confidence is probably misplaced.

Figure 54 Percentage of Organizations Experiencing a Public Breach (categories: Involuntarily Disclosed (Third-Party); Voluntarily Disclosed; Required Reporting (Regulatory/Legal); percentages not recoverable from extraction)
Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 55 Functions Most Likely to Be Affected by a Public Breach (partial): Business Partner Relationships 22%; Supplier Relationships 20%; Legal Engagements 20%; Regulatory Scrutiny 19%; Have Not Had Any Security Breaches in the Past Year 10%
The damage to organizations goes far beyond the time it takes to deal with a breach or outage. There are real and substantial impacts that enterprises should try mightily to avoid.

As seen in Figure 55, 36 percent of security professionals said that operations was the function most likely to be affected. This means that core systems of productivity, which affect industries from transportation to healthcare to manufacturing, can slow down or even grind to a halt.

After operations, finance was the function most likely to be affected (cited by 30 percent of the respondents), followed by brand reputation and customer retention (both at 26 percent).

No organization that plans to grow and achieve success wants to be in a position of having critical departments affected by security breaches. Security professionals should view the survey results with an eye toward their own organizations, and ask themselves: If my organization suffers this kind of loss from a breach, what happens to the business down the road?
Online attacks also result in fewer customers. As shown in Figure 58, 22 percent of organizations said they lost customers as a result of attacks. Of that group, 39 percent said they lost 20 percent of their customers or more.

Download the 2017 graphics at: www.cisco.com/go/acr2017graphics

Figure (revenue lost; title not recovered): Lost Less Than 20% 62%; Lost 20-40% 20%; Lost 40-60% 10%; Lost 60-80% 4%; Lost 80-100% 4%; 38% saw substantial loss of revenue (n=778)
Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 56 Percentage of Business Opportunity Lost as the Result from an Attack (categories: Lost Less Than 20%, 20-40%, 40-60%, 60-80%, 80-100%; bar values not recoverable from extraction; 42% saw substantial loss of opportunity, n=625)
Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 58 Percentage of Customers Lost by Companies Due to Attacks (same categories; bar values not recoverable from extraction; 39% saw substantial loss of customers, n=641)
Source: Cisco 2017 Security Capabilities Benchmark Study

Figure (title not recovered): Increased Investment in Security Defense Technologies or Solutions 37%; Increased Investment in Training of Security Staff 37%
As they do with outsourcing, organizations also rely on third-party vendors to augment their defense strategies. The security ecosystem provides them with ways to share the responsibility for security.

Figure (title not recovered): Why Services Are Outsourced, 2016 (n=2631); values not recoverable from extraction

Figure (title not recovered): share of security reliant upon third-party vendors (labels recovered: Rely on Third-Party Vendors for 20-80% of Security; Rely 40-80%; Rely 20-40%; values not reconstructable from extraction)

Figure (title not recovered): response scale Decrease Significantly / Decrease Somewhat / Remain the Same / Increase Somewhat / Increase Significantly; values not reconstructable from extraction

Figure 62 (sources of increased scrutiny; partial): Insurance Companies 70%; Regulators 69%; Investors 67%; Press 60%. 2016 (n=2912)
As organizations take steps to strengthen their security posture, they can expect that more attention will be paid to their efforts. This scrutiny will come from influential audiences and therefore can't be ignored. How these audiences' concerns are addressed can have a significant impact on an organization's ability to defend itself.

Seventy-four percent of the security professionals said scrutiny will come from the executive leadership; 73 percent, from clients and customers; and 72 percent, from employees, as seen in Figure 62.

Industry
Value Chain Security: Success in a Digital World Hinges on Mitigating Third-Party Risk

Value chain security is an essential element of success in a connected economy. Ensuring that the right security is in the right place at the right time throughout the value chain (the end-to-end lifecycle for hardware, software, and services) is an imperative.

- Develop a flexible security architecture that can be shared with and deployed across the variety of third parties in that ecosystem
- Assess whether those third parties are operating within the tolerance levels set by the organization's security architecture

Source: Cisco

Combatting Cyber Risks in the Supply Chain, SANS Institute, 2015: https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252.
Public Law 114-92
NERC ordered to undertake this effort by United States Federal Energy Regulatory Commission 18 CFR Part 40 [Docket No. RM15-14-002; Order No. 829].

64 Industry
Cisco 2017 Annual Cybersecurity Report
Organizations, together with their third parties, need to answer questions such as, "How will data be generated and by whom?" and, "Should the data be digitally mined?" Further clarity requires determining the answers to such questions as, "Who owns the digital assets we are collecting or creating?" and, "With whom must we share that information?" Another critical question to answer: "Who owns what liability and obligation when a breach occurs?"

This value chain-centric approach helps ensure that security considerations are built in at every stage of the solution's lifecycle. The right architecture, combined with adherence to the appropriate security standards, will help to drive pervasive security (and build trust) throughout the entire value chain.

Geopolitical Update: Encryption, Trust, and a Call for Transparency

In previous cybersecurity reports, Cisco geopolitical experts examined the uncertainty in the Internet governance landscape, the rights of the individual versus the rights of the state, and the ways that governments and private businesses might navigate the data-protection dilemma. One common topic across these discussions has been encryption. We believe that encryption will continue to permeate, perhaps even dominate, the cybersecurity debate for the foreseeable future.

The proliferation of national and regional data privacy laws has created unease among vendors and users attempting to navigate those laws. In this uncertain environment, issues such as data sovereignty and data localization have come to the fore, helping to fuel growth in cloud computing and localized data storage as businesses seek a creative solution to meeting complex and evolving privacy regulations.

At the same time, the escalating number of data breaches and advanced persistent threats, and the publicity around hacks sponsored by nation-states (including those conducted during high-profile events such as the U.S. presidential election) are making users even less confident that their sensitive data and privacy will be protected.

Governments in the post-Snowden era have been increasingly strident in their desire to regulate digital communications and to access data when needed. However, users have been just as ardent in their demand for privacy. Events such as the recent head-butting between Apple and the FBI over an iPhone belonging to a terrorist have done nothing to assuage users' worries about privacy. If anything, it taught a generation of digital users, especially in the United States, about end-to-end encryption. Many users are now demanding end-to-end encryption from their technology providers, and they want to hold the encryption keys.

This marks a fundamental shift in the cybersecurity landscape as we have known it. Organizations are going to need to architect their environments so they can navigate and respond to competing agendas.

While this shift is taking place, more governments are giving themselves the legal right (often on a broad basis) to bypass or break encryption or technical protection measures, often without the knowledge of the manufacturer, communication provider, or the user. This is creating tension not only between authorities and technology firms but also between governments, who are not necessarily keen to see their citizens' data accessed by third-country authorities. Many governments collect information about zero-day exploits and vulnerabilities that they discover in vendor software; however, they are not always transparent with vendors about the information they possess, or sharing it in a timely manner.

Hoarding such valuable information prevents vendors from improving security in their products and providing users with better protection from threats. Even though governments may have good reason to hold some of this intelligence close, there is also a need for greater transparency and trust in the global cybersecurity landscape. Governments therefore should conduct a frank assessment of their current policies regarding the hoarding of zero-day exploits. They should start from the default position that sharing information with vendors can only lead to a far more secure digital environment for everyone.

For more on this topic, see "Data Localization Takes Off as Regulation Uncertainty Continues," by Stephen Dockery, June 6, 2016, The Wall Street Journal: http://blogs.wsj.com/riskandcompliance/2016/06/06/data-localization-takes-off-as-regulation-uncertainty-continues/.
As explained in the geopolitical section on page 65, end-to-end encryption will remain a topic of much debate and consternation between governments and industry for the foreseeable future. Regardless of any tension stemming from this issue, however, user demand for end-to-end data encryption with customer-held keys is increasing.

Cisco geopolitical experts anticipate that some streams and pools of data will likely remain encrypted with vendor-managed keys at least for the short term, particularly in ad-driven business models. Elsewhere, however, we should expect to see the use of end-to-end encryption with customer-held keys gaining more traction, absent a legal mandate to the contrary.

Meanwhile, look for organizations to also seek more control over how they protect their data while it is in transit, particularly as it moves at high speed from one data center to another. This was once an arduous task for enterprises due to the limitations of legacy technologies and the impact on network performance. However, new approaches are making this process easier.

One solution is application-layer security, where applications are modified to encrypt data. Deploying this type of security can be very resource-intensive, complex to implement, and operationally expensive depending on how many applications an organization uses.

Another approach seeing increased traction is encryption capabilities built in to a network or cloud service to protect data in transit. This is an evolution of the traditional gateway VPN model, a solution that addresses the dynamic nature of networks and the high-speed transmission rates of data center traffic. Enterprises are using the operational and cost efficiencies provided by the new capabilities to protect data coming from any application in that environment as it travels at high speed to another location.

Network-based encryption is only one tool for protecting data, however. To ensure they are doing enough to protect their data while it is in transit or at rest, organizations should look at the challenge holistically. A good place to begin is by asking technology vendors basic but important questions such as:

- How is data protected when it's in transit?
- How is it protected when it's at rest?
- Who has access to the data?
- Where is the data stored?
- What is the policy for deleting data, when and if it must be deleted?

Again, these questions are only a starting point for a broader dialogue about data protection that should evolve to include a discussion of topics such as data resiliency and availability.
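To make the application-layer option concrete, here is an added Go example (not code from the report or from Cisco) of an application encrypting a record with a customer-held key before the record is stored or sent. It uses AES-256-GCM from Go's standard library; the Envelope structure, the key identifier and the sample record are assumptions made for this example. Whatever sits between the application and the customer's key, whether a cloud provider, a storage service or the network, sees only the envelope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what leaves the application: a key identifier, a nonce and the
// AES-GCM ciphertext (authentication tag included). Nothing in it lets a party
// without the customer-held key recover the plaintext. (Structure assumed for
// this example.)
type Envelope struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// NewCustomerKey generates a 256-bit AES key. In the customer-held-key model
// this value is created and kept on the customer's side and never handed to
// the provider.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record inside the application, before it is written to
// storage or put on the wire. The key ID is passed as additional
// authenticated data so the envelope is bound to the key it claims to use.
func Seal(key []byte, keyID string, plaintext []byte) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(keyID))
	return Envelope{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies an envelope. Any change to the nonce, the
// ciphertext, the tag or the key ID, or use of the wrong key, fails the
// authentication check and yields no plaintext at all.
func Open(key []byte, env Envelope) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or envelope was altered")
	}
	return pt, nil
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; in practice this is the application's own data.
	env, err := Seal(key, "customer-key-2017-01", []byte("account=4711;balance=1200.00"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider sees key id %q, %d-byte nonce, %d-byte ciphertext\n",
		env.KeyID, len(env.Nonce), len(env.Ciphertext))

	pt, err := Open(key, env)
	fmt.Printf("customer side recovers: %s (err=%v)\n", pt, err)

	env.Ciphertext[0] ^= 0x01 // simulate a modification in transit
	_, err = Open(key, env)
	fmt.Printf("after modification: err=%v\n", err)
}
```

Two practical constraints follow from this design and are the operational cost the text refers to: the customer must run the key lifecycle itself (generation, rotation, backup, revocation) for every application that is modified this way, and GCM with random 96-bit nonces should not be used for more than about 2^32 messages under one key, so key rotation is a requirement rather than an option at data-center traffic volumes.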
Network Performance and Adoption Versus Security Maturity: Online Speeds, Traffic, and Preparedness Are Not Growing at the Same Pace

Defenders want to stay ahead of their adversaries. To be behind them is to be in a potentially dangerous place. The worry is that defenders can't improve their security posture at the same pace that adversaries can gain space and time to operate. Given the pace of growth of fixed and mobile Internet traffic worldwide, defenders are obligated to match this growth with gains in the maturity of their security infrastructure.

The Cisco VNI Forecast examines global IP traffic annually, including mobile and Wi-Fi traffic. The forecasts provide 5-year projections for IP traffic, the number of Internet users, and the number of personal devices and machine-to-machine (M2M) connections that will be supported by IP networks. (Visit here for more details on the VNI Forecast.) For example, the forecast estimates that by 2020, smartphones will generate 30 percent of total IP traffic.

Cisco has matched the VNI Forecast to data about defender maturity, taken from Cisco's annual Security Capabilities Benchmark Study (see page 49). In examining maturity growth rates in the 2015, 2016, and 2017 benchmark reports, as seen in Figure 65, security maturity is underwhelming compared with the growth of Internet traffic. Some countries, such as China and Germany, actually show a slight decline in maturity over this time period. Broadband speeds, in particular, are improving and growing at a significantly greater rate than other networking variables shown in Figure 65. Faster speeds and more connected devices foster greater traffic growth, but organizations are struggling to bolster their security measures and infrastructures at similar rates.

Figure 65 Security Maturity and Growth Rates (y-axis: Percentage of Growth, 0% to 300%; countries: Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Russia, United Kingdom, United States, and Overall; series: Security Maturity, Total Traffic, Devices, Fixed Internet Users, Mobile Internet Traffic, Mobile Speed; bar values not recoverable from extraction)
Source: Cisco Security Research, Cisco VNI, and Cisco 2017 Security Capabilities Benchmark Study
Certain industries also lag in terms of their security maturity compared with other industries, as seen in Figure 66. In particular, pharmaceuticals, healthcare, and transportation are behind other industries.

It's important to note that the dramatic rise in mobile speeds is an outcome of the broad adoption of 4G and LTE networks by telecommunications providers. When large-scale deployments of 5G networks become available toward the end of this decade, mobile speeds are expected to become comparable to fixed network speeds. According to the current Mobile VNI Forecast, global mobile traffic will likely gain a greater share of total IP traffic when 5G is broadly adopted. Global mobile traffic was 5 percent of total IP traffic in 2015, according to the VNI Forecast; it is projected to be 16 percent of total IP traffic by 2020.

It's clear that security organizations must step up their maturity efforts, and quickly, if they are to match the growth in Internet traffic, which portends growth in the potential attack surface. In addition, organizations must respond to the growth in the use of endpoints that are not fixed or wired to corporate networks. They must also accommodate a more widespread use of personal devices from which workers access corporate data.
Figure 66 (security maturity by industry; values not recoverable from extraction)
Figure 67 Security Maturity by Country (countries shown: USA, Brazil, Germany, Italy, UK, Australia, China, India, Japan, Mexico, Russia, France, Canada; values not recoverable from extraction)
Faster speeds are not the only factor driving growth of Internet traffic. The IoT is accelerating the number of devices that are attached to the Internet, not only adding to the growth of traffic but also adding potential pathways for attackers.

For more information about the Cisco VNI Forecast, visit the Cisco website or read the Cisco blog post on the annual VNI forecast for 2015 to 2020.

Conclusion

A Rapidly Expanding Attack Surface Requires an Interconnected and Integrated Approach to Security
In analyzing data from Cisco's Security Capabilities Benchmark Study (see page 49), we are able to examine patterns and decisions that help organizations minimize risk. We can therefore see where they should make security investments that can lead to a significant difference in risk exposure. We measured risk by looking at the lengths of breaches as well as percentages of system outages (see Figure 53 on page 55 regarding the length of breaches and the systems affected).

To understand how organizations create effective safeguards against risk, we need to examine what drivers affect their ability to prevent, detect, and mitigate risk. (See Figure 68.) The drivers must include these elements:

Executive leadership: The top leadership must prioritize security. This is critical for the mitigation of attacks, as well as their prevention. The executive team should also have clear and established metrics for assessing the effectiveness of a security program.

Policy: Policy has strong ties to mitigation. Controlling access rights to networks, systems, applications, functions, and data will affect the ability to mitigate damage from security breaches. In addition, policies to ensure a regular review of security practices will help prevent attacks.

Protocols: The right protocols can help prevent and detect breaches, but they also have a strong relationship to mitigation. In particular, regular reviews of connection activity on networks, to ensure that security measures are working, are key to both prevention and mitigation. It's also beneficial to review and improve security practices regularly, formally, and strategically over time.

Tools: The judicious and appropriate application of tools has the strongest relationship with mitigation. With tools in place, users can review and provide feedback that is vital to detection and prevention as well as mitigation.

Figure 68 Drivers and Safeguards for Minimizing Risk
Drivers (measure influence of policy, executive leadership, protocols, and tools on a firm's ability to prevent, detect, and mitigate effects of a breach): Executive Leadership, Policy, Protocols, Tools
Safeguards (measure influence of a firm's ability to prevent, detect, and mitigate effects of a breach on risk): Prevent, Detect, Mitigate, leading to Minimized Risk
The security safeguards that organizations use (prevention, detection, and mitigation) can be viewed as measures of influence on an organization's ability to minimize risk. (See Figure 68.)

Mitigation: Well-documented processes and procedures for incident response and tracking are key to effective breach mitigation. Organizations also need strong protocols to manage their response to crises.

Managing configurations
About Cisco

Cisco delivers intelligent cybersecurity for the real world, providing one of the industry's most comprehensive advanced-threat protection portfolios of solutions across the broadest set of attack vectors. Cisco's threat-centric and operationalized approach to security reduces complexity and fragmentation while providing superior visibility, consistent control, and advanced threat protection before, during, and after an attack.

Threat researchers from the Cisco Collective Security Intelligence (CSI) ecosystem bring together, under a single umbrella, the industry's leading threat intelligence, using telemetry obtained from the vast footprint of devices and sensors, public and private feeds, and the open-source community. This amounts to a daily ingest of billions of web requests and millions of emails, malware samples, and network intrusions.

Our sophisticated infrastructure and systems consume this telemetry, helping machine-learning systems and researchers to track threats across networks, data centers, endpoints, mobile devices, virtual systems, web, email, and from the cloud to identify root causes and scope outbreaks. The resulting intelligence is translated into real-time protections for our product and service offerings that are immediately delivered globally to Cisco customers.

To learn more about Cisco's threat-centric approach to security, visit www.cisco.com/go/security.

Appendix

Cisco 2017 Security Capabilities Benchmark Study
Figure 69 Survey Capabilities Benchmark Study (respondent breakdown, partial: Utilities/Energy 3%; Non-Key Industry 27%; further segments of 4%, 7%, 16%, 21% unlabelled in extraction). 2016 (n=2912), 2015 (n=2432), 2014 (n=1738)
Figure 70 Number of Dedicated Security Professionals (partial rows; columns 2014, 2015, 2016)
30-39:   8%  9%  8%
40-49:   4%  4%  6%
100-199: 9%  9%  9%
Perceptions

Figure 71 Majority of Security Professionals Feel Security Infrastructure Is Up to Date (response categories not recovered)
2016 (n=2912): 58%  37%  5%
2015 (n=2432): 59%  37%  5%
2014 (n=1738): 64%  33%  3%
Figure 72 Percentages of Security Professionals Who Perceive Various Security Tools to Be Highly Effective
2016 (n=2912); graphic rounded to nearest whole number
Columns: Not at All Effective | Not Very Effective | Somewhat Effective | Very Effective | Extremely Effective | % Very + Extremely Effective
Blocking Against Known Security Threats:        2% | <1% | 24% | 51% | 23% | 74%
Enabling Us to Assess Potential Security Risks: 2% | <1% | 28% | 49% | 20% | 69%
(remaining rows not recovered)

Agreement-scale table (statements not recovered). Columns: Strongly Disagree | Disagree | Agree | Strongly Agree | % Agree + Strongly Agree. 2016 (n=2912), 2015 (n=2432), 2014 (n=1738)
2016: 1% | 4% | 37% | 59% | 96%    1% | 4% | 41% | 55% | 96%    1% | 4% | 43% | 53% | 96%
2015: 1% | 4% | 35% | 61% | 96%    1% | 4% | 36% | 58% | 95%    1% | 4% | 40% | 55% | 95%
2014: 2% | 4% | 32% | 63% | 94%    2% | 5% | 35% | 58% | 94%    2% | 4% | 36% | 57% | 93%
Agreement-scale table (statements not recovered). Columns: Strongly Disagree | Disagree | Agree | Strongly Agree | % Agree + Strongly Agree
2016: 0% | 4% | 42% | 53% | 96%    0% | 4% | 41% | 55% | 95%    0% | 4% | 43% | 53% | 95%
2015: 1% | 4% | 40% | 56% | 96%    1% | 3% | 40% | 56% | 96%    1% | 3% | 39% | 57% | 96%
2014: 1% | 4% | 38% | 56% | 95%    1% | 5% | 37% | 57% | 94%    2% | 4% | 36% | 58% | 94%

Statements: (1) We Can Increase Security Controls on High-Value Assets Should Our Circumstances Require; (2) Security Is Well-Integrated into Our Organization's Goals and Business Capabilities; (3) Security Technologies Are Well-Integrated to Work Effectively Together
2016: 0% | 4% | 45% | 51% | 95%    1% | 4% | 40% | 55% | 95%    0% | 5% | 42% | 53% | 95%
2015: 1% | 3% | 41% | 56% | 96%    1% | 4% | 40% | 56% | 96%    1% | 4% | 43% | 52% | 95%
2014: 1% | 5% | 40% | 54% | 94%    2% | 5% | 36% | 58% | 94%    2% | 5% | 38% | 56% | 93%

Agreement-scale table (statements not recovered)
2016: 0% | 5% | 41% | 53% | 95%    0% | 5% | 46% | 49% | 95%    1% | 7% | 49% | 43% | 92%
2015: 1% | 4% | 40% | 56% | 96%    1% | 4% | 44% | 52% | 95%    1% | 8% | 46% | 45% | 91%
2014: 2% | 5% | 38% | 55% | 93%    1% | 5% | 40% | 53% | 93%    2% | 9% | 43% | 46% | 89%
2016 (n=2912), 2015 (n=2432), 2014 (n=1738)
Constraints

How Many Different Security Vendors (i.e., Brands, Manufacturers) Are in Your Security Environment?
Columns: Midmarket (250-1K Employees) | Enterprise (1K-10K Employees) | Large Enterprise (10K+ Employees)
1-5:           46.9% | 43.4% | 39.9%
6-10:          28.4% | 30.9% | 21.3%
11-20:         17.6% | 15.8% | 23.1%
21-50:          5.6% |  7.1% |  8.7%
More Than 50:   1.4% |  2.8% |  6.9%
Total Organizations: 1435 | 1082 | 333
Source: Cisco 2017 Security Capabilities Benchmark Study

How Many Different Security Products Are in Your Security Environment?
Columns: Midmarket (250-1K Employees) | Enterprise (1K-10K Employees) | Large Enterprise (10K+ Employees)
1-5:           37.9% | 32.7% | 25.1%
6-10:          29.0% | 30.1% | 22.5%
11-25:         19.8% | 20.4% | 23.7%
26-50:          9.6% | 10.5% | 15.6%
51-100:         3.0% |  4.3% |  7.8%
More Than 100:  0.8% |  1.9% |  5.4%
Total Organizations: 1442 | 1084 | 334
Source: Cisco 2017 Security Capabilities Benchmark Study
Figure 79 Year-over-Year Decrease of Security Budget Coming Within IT Budget
Is the Security Budget Part of the IT Budget? (IT Department Members)
Columns: 2014 (n=1673) | 2015 (n=2374) | 2016 (n=2828)
Completely Separate: 6% | 9% | 9%
(remaining rows not recovered)

Figure 80 Year-over-Year Decrease of Security Spend as a Proportion of the IT Budget
IT Budget Spend on Security as a Function
Columns: 2014 (n=1673) | 2015 (n=2374) | 2016 (n=2828)
0%:          7% | 9% | 10%
1-5%:        4% | 3% |  4%
51% or More: 5% | 4% |  2%
(remaining rows not recovered)
Impacts

Figure 81 Percentages of Organization's Opportunities Lost as a Result of Attacks
Some, but Less Than 20%: 58%
20% to Just Under 40%:   25%
Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 82 Percentages of Organization's Revenue Lost as a Result of Attacks
Some, but Less Than 20%: 62%
20% to Just Under 40%:   20%
Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 83 Percentages of Organization's Customers Lost as a Result of Attacks
None (0%):  1%
All (100%): 1%
(remaining rows not recovered)
Outcomes

Figure 84 Percentages of Organizations Relying on Outsourcing

Which Security Services Are Outsourced?
Columns: 2014 (n=1738) | 2015 (n=2432) | 2016 (n=2912)
Advice and Consulting: 51% | 52% | 51%
Audit:                 41% | 47% | 46%
Threat Intelligence:   N/A | 39% | 41%

Why Are These Services Outsourced?
Columns: 2015 (n=2129) | 2016 (n=2631)
More Cost-Efficient:         53% | 52%
Desire for Unbiased Insight: 49% | 48%
Lack of Internal Resources:  31% | 33%

Figure 85 Percentages of Organization's Security Reliant Upon Third-Party Vendors
None (0%):  4%
All (100%): 1%
IT Security Personnel (n=2595)
Which Security Services Are Outsourced? Columns: Midmarket (n=1459) | Enterprise (n=1102) | Large Enterprise (n=351) (rows not recovered)

Figure 87 Sources of Increased Scrutiny
2016 (n=2912); graphic rounded to nearest whole number
Columns: Not at All Scrutinizing | Not Very Scrutinizing | Somewhat Scrutinizing | Very Scrutinizing | Extremely Scrutinizing | % Very + Extremely Scrutinizing (rows not recovered)
Figure 88 Increase of Off-Premises Private Cloud and Third-Party Managed On-Premises Hosting
Where Networks Are Hosted. Columns: 2014 (n=1727) | 2015 (n=2417) | 2016 (n=2887) (rows not recovered)

Figure (title not recovered): Chief Security Officer (CSO) 53%, 52%, 53%; Another Title 1%, 1%, 1%; No 8%, Yes 92%; 2016 (n=2754)
Figure 90 Percentages of Companies That Have a Formal Organization-Wide Security Strategy and Follow Standardized Security Policy Practices
Columns: Strongly Disagree | Disagree | Agree | Strongly Agree | % Agree + Strongly Agree. 2016 (n=2912), 2015 (n=2432), 2014 (n=1738)

Employees at My Organization Are Encouraged to Report Failures and Problems with Security
2016: 1% | 4% | 38% | 58% | 96%
2015: 1% | 4% | 33% | 62% | 95%
2014: 3% | 5% | 32% | 61% | 92%

Security Processes and Procedures at My Organization Are Clear and Well-Understood
2016: <1% | 4% | 40% | 55% | 96%
2015:  1% | 4% | 39% | 57% | 95%
2014:  3% | 6% | 36% | 56% | 91%

Line-of-Business Managers Are Encouraged to Contribute to Security Policies and Procedures
2016: 1% | 4% | 43% | 52% | 95%
2015: 1% | 5% | 40% | 55% | 94%
2014: 3% | 5% | 39% | 53% | 92%

Security Processes at My Organization Enable Us to Anticipate and Mitigate Potential Security Issues Proactively
2016: 1% | 4% | 43% | 53% | 96%
2015: 1% | 4% | 43% | 53% | 95%
2014: 3% | 7% | 38% | 53% | 91%

Security Processes at My Organization Are Measured and Controlled Using Quantitative Data
2016: 1% | 4% | 45% | 50% | 95%
2015: 1% | 4% | 42% | 53% | 95%
2014: 3% | 6% | 37% | 54% | 91%

My Organization Has Optimized Its Security Processes and Is Now Focused on Process Improvement
2016: 1% | 4% | 43% | 52% | 95%
2015: 1% | 4% | 42% | 53% | 95%
2014: 3% | 5% | 39% | 53% | 92%
2016 <1% 3% 41% 55% 97% <1% 4% 40% 56% 96% <1% 4% 41% 55% 96%
2015 1% 3% 38% 59% 97% 0% 4% 38% 57% 96% 1% 4% 40% 56% 96%
2014 2% 4% 33% 61% 94% 2% 3% 35% 60% 95% 2% 4% 36% 57% 94%
2016 <1% 4% 40% 56% 96% <1% 4% 43% 53% 96% <1% 4% 43% 52% 96%
2015 1% 3% 37% 60% 97% 1% 4% 42% 54% 96% 1% 3% 41% 56% 96%
2014 2% 5% 35% 59% 93% 2% 5% 35% 58% 93% 2% 4% 38% 56% 94%
2016 <1% 4% 44% 51% 95% 1% 5% 45% 49% 94% 1% 6% 43% 51% 94%
2016 (n=2912)
2015 (n=2432) Strongly Disagree Disagree Agree Strongly Agree % Agree + Strongly Agree
2014 (n=1738)
89 Appendix
Cisco 2017 Annual Cybersecurity Report
2016 <1% 4% 42% 53% 95% <1% 4% 42% 53% 95% 1% 5% 43% 52% 95%
2015 1% 4% 42% 54% 96% 1% 5% 41% 54% 95% 1% 4% 42% 53% 95%
2014 2% 5% 37% 56% 94% 1% 6% 38% 54% 93% 2% 5% 43% 51% 94%
2016 <1% 4% 44% 51% 96% <1% 4% 45% 50% 96% 1% 6% 44% 50% 93%
2015 1% 4% 43% 53% 96% 1% 5% 43% 52% 95% 1% 6% 44% 49% 93%
2014 2% 5% 40% 54% 93% 2% 5% 42% 51% 93% 2% 8% 41% 49% 90%
2015 N/A
2014 N/A
2016 (n=2912)
2015 (n=2432) Strongly Disagree Disagree Agree Strongly Agree % Agree + Strongly Agree
2014 (n=1738)
Figure 94 Management and Efficacy of Security Technologies
What Are the Most Time-Consuming and Most Difficult Security Technologies for Staff to Manage? (Mentions over 10%) 2016 (n=2895)
What Are the Most Effective Security Technologies Used by the Organization? 2016 (n=2895)
Figure 95 Year-over-Year Use of Security Threat Defenses
Security Threat Defenses Used by Organization: 2014 (n=1738), 2015 (n=2432), 2016 (n=2912)
Security Threat Defenses Used through Cloud-Based Services*: 2014 (n=1646), 2015 (n=2268), 2016 (n=2725)
(Per-technology percentages not recoverable from the extracted figure; the only surviving row labels are Intrusion Prevention** and None of the Above.)
* Security Respondents Who Use Security Threat Defenses
** Firewall and Intrusion Prevention Were One Code in 2014: Network Security, Firewalls and Intrusion Prevention
Figure 96 Extent That Customer Protection Factors into Security Decision-Making
2016 (n=2878)
Scale: Not at All / Not Very Much / Somewhat / Very Much / Extremely; % Very Much + Extremely
Graphic Rounded to Nearest Whole Number

Figure 97 IT Security Personnel's Biggest Sources of Concern Related to Cyber Attacks
2016 (n=2912)
Columns: Not a Risk / Slight Risk / Moderate Risk / High Risk / % Moderate + High Risk
Viability of Disaster Recovery and Business Continuity    5%  23%  47%  26%  72%
Graphic Rounded to Nearest Whole Number
(Other rows of this figure were not recovered.)
Figure 98 Security Professionals' Biggest Sources of Concern Related to Cyber Attacks
2016 (n=2912)
Scale: Not at All Challenging / Not Very Challenging / Somewhat Challenging / Very Challenging / Extremely Challenging; % Very + Extremely
Graphic Rounded to Nearest Whole Number

Where Does the Security Team Spend the Majority of Its Efforts? (Reported shares: 23%, 29%, 47%; category labels not recovered.)
Incident Response

Figure 100 Percentages of Security Alerts That Are Investigated or Remediated
Of Seen Alerts, 56% Are Investigated

(Partial values from adjacent figures whose titles were not recovered:)
Less Than 5K 50%
50K-100K 8%
1-2 Weeks 5%
3 Weeks to a Month 3%
1 Month to 3 Months 1%
1 Year or More 0%
Figure 102 Groups Notified in the Event of an Incident
(Surviving row labels: Human Resources, Public Relations; year-by-year values not recoverable.)

Figure 103 KPIs Used by Organizations to Assess Security Performance
2016 (n=2912)
Time to Detect (e.g., Time Threat Entered Environment to Detection)        59%
Time to Patch (e.g., Time from Patch Release to Implementation)             52%
Time to Contain (e.g., Time from Detection to Containment/Quarantine)       44%
Time to Remediate (e.g., Time from Quarantine to Operational)               30%
Figure 104 Year-over-Year Use of Process to Analyze Compromised Systems
Processes to Analyze Compromised Systems: 2014 (n=1738) 2015 (n=2432) 2016 (n=2912)

Figure 105 Year-over-Year Use of Process to Eliminate the Cause of Security Incidents
Processes to Eliminate Cause of Security Incidents: 2014 (n=1738) 2015 (n=2432) 2016 (n=2912)
Figure 106 Year-over-Year Use of Process to Restore Affected Systems
Processes to Restore Affected Systems: 2014 (n=1738) 2015 (n=2432) 2016 (n=2912)

Figure 107 Attack Simulations: Frequency and Extent of Driving Security Defense Improvements
How Often Does Your Organization Run Attack Simulations? 2016 (n=2868)
Never                                   4%
Weekly                                 28%
Monthly                                33%
Quarterly                              21%
Semi-Annually                           8%
Annually                                4%
Regularly, but Less Than Once a Year    3%
To What Extent Do the Results of Attack Simulations Drive Improvements in Your Security Defense Policies, Procedures, or Security Technologies? 2016 (n=2736)
Scale 1 (Not at All) to 5 (A Great Extent); per-point values not recoverable from the extracted figure.

Figure 108 Importance of Attributing Origin of a Security Breach
Source: Cisco 2017 Security Capabilities Benchmark Study
Length of System Outages Due to Breach: 0 Hours, No Outage 7% (other bands not recovered)
Percentage of Systems Impacted Due to Breach: 0% 1%; 61% or More 9% (other bands not recovered)

(Unlabeled figure with the following response categories; values not recovered:)
Separated Security Team from IT Department
Increased Security Awareness Training Among Employees
Increased Focus on Risk Analysis and Risk Mitigation
Increased Investment in Security Defense Technologies or Solutions
Increased Investment in Training of Security Staff
What Data Protection and Privacy Processes and Policies Are Most Important for a Vendor to Have?
Organization-Wide Policies on Data Access Controls             35%
Data Incident Response Program                                 33%
Organization-Wide Policies on Access to Data Held by Vendor    27%
Organization-Level Privacy of Design                           26%

What Data Protection, Privacy Standards and Certifications Are Required for a Vendor to Work with Your Organization?
ISO 27001            39%
ISO 27018            34%
Privacy Shield       28%
TRUSTe Compliance    26%
FedRAMP              18%
FISMA                17%
(Response tables for 2014, 2015 and 2016 follow in the original; their column headings were lost in extraction and the only surviving label is Canada.)

Figure 115 Maturity Model Ranks Organizations Based on Security Process
Level 3 Defined: Processes Characterized for the Organization; Often Proactive
Level 2 Repeatable: Processes Characterized for Projects; Often Reactive

Figure 116 Segment Sizing for Maturity Model
(Surviving segment labels: Lower Middle, Low, Middle; percentages not recoverable from the extracted figure.)
Source: Cisco 2017 Security Capabilities Benchmark Study
Industry-Specific

Figure 117 Percentage of Healthcare Businesses That Have Implemented Standardized Security Policies
Implemented Standardized Security Policies: Healthcare Business Follows Healthcare-Specific Information Security Policy Practice, 2016 (n=65)

Figure 118 Resources Healthcare Companies Use to Measure Themselves Against HIPAA Privacy Rules
Which Resources Are Used to Measure Companies Against HIPAA Privacy Rules and Security? Healthcare Businesses, 2016 (n=219)

Figure 119 Most Common Security Measures Among the Healthcare Businesses with Medical Device Networks
Does Your Organization Have a Medical Device Network That Is Converged with a Main Hospital Network?
Which of These Security Measures, if Any, Has Your Company Implemented to Protect and Secure Your Medical Device Network?
Companies with a Medical Device Network in Their Organization (n=207)
Figure 120 Sample Profile for Telecommunications
Figure 121 Security Strategies Factors for Telecommunications
Figure 122 Security Priorities for Telecommunications
The Enterprise Network and Internal Data 20% 28% 29% 24% (the only row recovered; scale labels lost in extraction)
(Transportation figures; captions not recovered.)
Security Operations Center, Transportation Businesses (n=179): Yes 75%; No, and There Are No Immediate Plans to Implement a Security Operations Center 11%
Transportation Businesses (n=179): Yes 88% (question text not recovered)
Roadways 9%
Aviation 7%
Maritime 5%
Vehicles 5%
Figure 125 Sample Profile for Financial Services
Which Financial Services Subsector Is Your Organization Primarily Involved In?
How Much Do You Think Security Is Being Influenced by the Following Trends?

Figure 126 Data Security for Retail
(Chart: Malware Families by Unique Vectors, monthly; data not recoverable from the extracted figure.)

Figure 129 TTD for the Dridex Malware Family
Median Hours, Nov 2015 through Oct 2016; labelled points on the line: 20.4, 16.9, 10.2, 7.2, 5.5 (month positions not recoverable).
(Chart: Unique Vectors by month, Nov 2015 through Oct 2016, split into Email and Web. Source: Cisco Security Research.)
(Chart: Median Hours TTD with labelled points 116.1, 26.2, 5.1, 5.9, alongside a "Percentage of" axis from 0% to 0.2%, Jan through Oct 2016; captions not recovered. Source: Cisco Security Research.)
Figure 133 Hash Ages for the Locky Malware Family Per Month
Figure 134 Hash Ages for the Nemucod Malware Family Per Month
Y-axis: Percentage of Locky Hashes / Percentage of Nemucod Hashes (0% to 100%); X-axis: Nov 2015 through Oct 2016
Legend: <24 Hours, 1-2 Days, 3-10 Days, 11-30 Days, 31-90 Days, 90+ Days
(Two further hash-age charts on the same layout; the only surviving y-axis label is Percentage of Adwind RAT Hashes. X-axis: Nov 2015 through Oct 2016. Legend: <24 Hours, 1-2 Days, 3-10 Days, 11-30 Days, 31-90 Days, 90+ Days.)

All the graphics in this report are downloadable at: www.cisco.com/go/acr2017graphics
To see updates and corrections to the information in this report, visit: www.cisco.com/go/acr2017errata
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Adobe, Acrobat, and Flash are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.