Websense 2010 Threat Report: Advanced, Blended Threats Laser-Focused On Attacking Business And Infrastructure

Websense Security Labs predicts 2011 will bring more targeted attacks on content through new blended vectors – many focused on nationalistic and economic cyberterrorism

When it comes to dangerous Web threats, the only constant is change and gone are the days of predictable attack vectors. Instead, modern blended threats such as Aurora, Stuxnet, and Zeus infiltrate organizations through a variety of coordinated tactics, usually a combination of two or more. Phishing, compromised websites, and social networking are carefully coordinated to steal confidential data, because in the world of cybercrime, content equals cash. And, as the Websense 2010 Threat Report illustrates, the latest tactics have now moved to a political—and nationalistic—stage.

These conclusions are based on the analysis of Websense Security Labs researchers, who rely on their ThreatSeeker Network which every hour scans more than 40 million websites for malicious code and nearly 10 million emails for unwanted content and malicious code. The 2010 evidence and metrics suggest that cybercriminals and their blended attacks are having a field day taking advantage of security gaps left open by legacy technologies like firewalls, antivirus, and simple URL blockers.

The report showcases how in today's threat landscape, legacy defenses simply don't work. We all have antivirus, firewalls and proxies installed, but that isn't enough. Threats are no longer binary files delivered in attachments, they are script-based attacks and they are embedded in rich media like Flash. And many spread rapidly on the social Web. Reputation filters provide zero security for threats delivered via top "legitimate" websites like Google, Facebook, and YouTube, where 80 percent of Web traffic goes. Cybercriminals know that legacy technology simply looks for known information (signatures) or reputation of previously identified threats, which is why they are so successful at exploiting existing defenses. Most of today's blended attacks are considered "zero-day," in that they have not been previously identified. They are ever-evolving and pre-tested by cybercriminals on common anti-virus products before they are released. These threats sail through firewalls and open channels.

"The continued rise of organized cybercriminal gangs and the emergence of targeted advanced malware threats are the most concerning trend we've seen," said Dan Hubbard, chief technology officer, Websense. "Security needs to move ahead of the attackers and focus on contextual classification in order to thwart them. Simple binary access controls and castle and moat security will not solve the complex attacks we see today. These are precisely the type of threats we have in mind when we build Websense security products."

In 2010, cybercriminals adapted their strategies to address the social websites and sites with dynamic user-generated content. Attacks are now more blended, sophisticated, and targeted. Many of these attacks use new tricks and methods of delivery. Script-based attacks, blended email campaigns, and SEO poisoning were all common in 2010. Even the most easily detected threats and botnets were successfully repurposed with variations that often allow them to slip through outdated defenses. The majority of attacks in 2010 focused on the same thing: stealing data.

Significant findings from the Websense 2010 Threat Report affirm that while broad threats continue, focused, targeted attacks are on the rise. Findings include:

• 111.4 percent increase in the number of malicious websites from 2009 to 2010
• 79.9 percent of websites with malicious code were legitimate sites that have been compromised
• 52 percent of data-stealing attacks were conducted over the Web
• 34 percent of malicious Web/HTTP attacks included data-stealing code
• 89.9 percent of all unwanted emails in circulation during this period contained links to spam sites and/or malicious websites
• The United States and China continued to be the top two countries hosting crimeware and receiving stolen data during 2010; the Netherlands has found its way into the top five
• Searching for breaking news represented a higher risk (22.4 percent) than searching for objectionable content (21.8 percent)
• 23 percent of real-time search results on entertainment lead to a malicious link
• 40 percent of all Facebook status updates have links and 10 percent of those links are either spam or malicious

The Websense report also analyzes recent headline-grabbing attacks such as Aurora, Stuxnet, and Zeus, as well as other vectors for malicious and data stealing code. Also featured are statistics on the top five hosts of data-stealing code, a deep analysis of social Web content and threats, and an in-depth link analysis of top social networks.

"Whether it is your company's sensitive financial information, your social networking, or online banking credentials, that content has tremendous value," said Devin Redmond, vice president of Business Development, Product Management and Marketing, Websense. "With so many intertwined vectors, these threats demand a new approach to security that looks at both inbound and outbound content. To protect against today's blended and sophisticated threats, companies need to plug the spaces left by a scattershot spraying of point solutions and move to a unified security architecture that protects their content."

In the report, Websense Security Labs also predicts threat trends for 2011. Included in the predictions is an analysis of future blended threats, terrorism, and data loss over the dynamic Web that demonstrate the potential for targeted 2011 cyberterrorism attacks.

A full copy of the report, supplementary videos and background materials can be viewed at http://www.websense.com/2010threatreport.

Websense Security Labs will host a Webinar discussing the Websense 2010 Threat Report on Wednesday, November 10 at 9 a.m. Pacific Time. An archived recording of the Webinar will be available at http://www.websense.com/content/ProductResources.aspx/?cmpid=prnr after its completion.

The Websense ThreatSeeker Network, which is the backbone of Websense's diverse content security products, features the world's first Internet HoneyGrid. The system uses hundreds of technologies including honeyclients, honeypots, reputation systems, machine learning, and advanced grid computing systems to parse through more than 1 billion pieces of content daily, searching for security threats. Using more than 50 million real-time data collecting systems, it monitors and classifies Web, email, and data content. Together with the Websense Advanced Classification Engine — an advanced composite content classification engine embedded in Websense Web security, email security, and data security solutions — the ThreatSeeker Network provides Websense with unparalleled visibility into the state of content on the Internet and in email.

About Websense, Inc.
Websense, Inc. a global leader in unified Web security, data security and email security solutions, delivers the best content security for modern threats at the lowest total cost of ownership to tens of thousands of enterprise, mid-market and small organizations around the world. Distributed through a global network of channel partners and delivered as software, appliance and software-as-a-service (SaaS), Websense content security solutions help organizations leverage new communication, collaboration, and Web 2.0 business tools while protecting from advanced persistent threats, preventing the loss of confidential information and enforcing Internet use and security policies. Websense is headquartered in San Diego, California with offices around the world. For more information, visit http://www.websense.com.

SOURCE: Websense, Inc.