Data Talks: The Big Shift to File-Based Attacks Scrambles the Security Industry
- Bromium sees a dramatic drop in the percentage of browser-based attacks in 2018 compared to file-based attacks
- Microsoft’s legacy Internet Explorer is now the only major web browser with serious remaining security concerns
- The clear majority of threats reaching endpoints today arrive via email attachments and browser file downloads
Welcome to the second installment of the Bromium Threat Labs Data Talks blog series, highlighting trends and developments from Bromium’s unique vantage point of providing application isolation and control as the last line of defense on the endpoint. In the kickoff blog, we encouraged you to watch this space for original reporting you won’t find anyplace else. Today we begin with insights into the marked shift we’ve seen from web-based to file-based attacks.
What are we seeing in the threatscape?
Over the past 2 years, we’ve seen a seismic shift take place in the threatscape from attacks involving web browsers to attacks involving files. Bromium’s threat intelligence data—submitted voluntarily by our hyper-security-conscious customers—lay bare this tectonic transition. Browser attacks won’t go away, but they seem to be diminishing for now.
First, a bit about our data. Bromium alerts are different from anti-virus and next-generation detection-based products. Let’s generously assume that detection catches 99% of incoming malware. The rest fall to Bromium isolation. Under this assumption, Bromium generates just 1% of the alerts, but they’re flagging the nasty, evasive malware that’s already eluded all other defenses. So, our raw numbers tend to be quite low in absolute terms. We’ll never have the alert quantities of the big players with the headline reports, but they can’t match us on alert quality and uniqueness.
We looked at 1,208 true positive alerts (just a small subset of our total customer threat data) involving highly evasive malware that already successfully made it past all other defenses—which equates to 120,800 garden-variety alerts under the 1% assumption above—and this is what we found:
- Web = In-browser drive-by attacks that exploit vulnerabilities in browsers, plugins, or underlying operating systems
- File = Attacks from documents or executables arriving via email, web downloads, chat clients, or USB media devices
In 2017 and the first half of 2018, file-based attacks took center stage, while web-based attacks started trending steadily downward. During 2017, attacks were dominated by Office documents—and specifically by Microsoft Word. So far in 2018, we have seen a significant upswing in the percentage of attacks coming from executable files. Our customers tell us that certain groups are particularly at risk from malicious documents, including: human resources (resumes), finance (invoices), and shipping/receiving (delivery notifications). Except for a few blips that were likely caused by quickly patched browser holes, we may be nearing the end of the era of browser-based vulnerability, as security improvements and declining financial returns force attackers to focus their efforts on more fruitful vectors.
What files are we seeing?
It’s no surprise that the top attacking file types are DOC, XLS, PDF, and EXE. What is surprising, however, is the mix of these file types and how that mix has changed over time. In 2017, malicious Word documents dominated our customer data set at 86% of the total. Over the first half of 2018, by contrast, malicious executable files took center stage, eclipsing Word documents 43% to 34%. Whether this is a momentary blip or a sustained change will be borne out over the rest of the year.
Why such a rapid shift to files?
Hypothesis #1: Changing Tactics – Attackers are shrewd and rational, tending to follow the path of least resistance. Quite simply, they go where the monetary return is the highest. Helpfully for cybercriminals, users are easily enticed and deceived by malicious documents and love to install free stuff from dubious sources to customize their Windows experience. After all, who among us isn’t guilty of searching the web for a free PDF file combiner or MP4 file converter? We’ve also seen executable files masquerading as Flash updates, sometimes touting critical “security improvements” to trick users into installing them.
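As an added defender-side illustration of Hypothesis #1 (example code written for this post, not Bromium’s product logic): a small Python triage check that compares the file type a download’s name claims with the magic bytes it actually carries, so an executable arriving as an “invoice.pdf” or a “Flash update” stands out before a user opens it. The sample files, the lure words and the verdict labels are constructed assumptions.

```python
# Added example, not Bromium's code: flag downloads and attachments whose
# leading bytes disagree with the type their filename claims.

# Magic-byte signatures for the file types the post discusses (DOC/XLS, PDF, EXE).
SIGNATURES = {
    b"MZ": "exe",                  # Windows PE executable (EXE/DLL/SCR)
    b"%PDF": "pdf",                # PDF document
    b"\xd0\xcf\x11\xe0": "ole",    # legacy Office binary (DOC/XLS)
    b"PK\x03\x04": "zip",          # OOXML (DOCX/XLSX) or plain archive
}

# What each claimed extension should look like on disk.
EXPECTED = {
    "exe": "exe", "scr": "exe", "dll": "exe",
    "pdf": "pdf", "doc": "ole", "xls": "ole",
    "docx": "zip", "xlsx": "zip",
}

# Constructed lure words seen in "free tool" / fake-update filenames.
LURE_WORDS = ("flash", "update", "converter", "combiner")

def sniff(data: bytes) -> str:
    """Identify content by magic bytes; 'unknown' if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(name: str, data: bytes) -> tuple:
    """Return (verdict, reason) for one downloaded file or attachment."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual, claimed = sniff(data), EXPECTED.get(ext)
    if actual == "exe" and claimed != "exe":
        return "block", f"executable content behind .{ext or '<none>'} name"
    if actual == "exe" and any(w in name.lower() for w in LURE_WORDS):
        return "review", "executable named like a software update or free tool"
    if claimed and actual != claimed:
        return "review", f"extension .{ext} but content looks like {actual}"
    return "allow", "content matches claimed type"

# Constructed sample downloads (headers only; not real files).
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 28,            # EXE posing as PDF
    "flash_player_update.exe": b"MZ\x90\x00" + b"\x00" * 28,  # fake Flash update
    "resume.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",      # genuine legacy DOC
    "delivery_notice.pdf": b"PK\x03\x04" + b"\x00" * 28,   # archive posing as PDF
    "statement.pdf": b"%PDF-1.7\n",                         # genuine PDF
}

def triage_all(samples: dict) -> dict:
    """Map each sample filename to its verdict."""
    return {name: triage(name, data)[0] for name, data in samples.items()}
```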
Hypothesis #2: Changing Technology – Newer browsers built on modern foundations have steadily gotten more secure internally—and their marketplaces for apps, plugins, and extensions have cracked down on fraud and abuse—steps which our data suggest are resulting in dramatic reductions in browser exploits due to a steadily declining attack surface. It makes sense that attackers are seeking greener pastures using easier target entry points other than the browser. That’s files.
- Chrome, Firefox, and Edge today boast a combined market share of over 78.5%. This shift to securely-designed browsers is reducing the available attack surface and increasing costs on bad actors to pursue an attack vector with declining returns. Google is leading the way with steady improvements to Chrome, rolling out significant security enhancement over the past 18 months, while raising the security bar for the entire web browser industry.
- The most vulnerable legacy browser, Microsoft Internet Explorer, is now down to just over 11% market share, and Microsoft is not likely to ever fix the 946 known vulnerabilities contained within IE, 122 of which have been discovered in the last 18 months alone! While some organizations will continue using Internet Explorer to support their legacy applications, we anticipate that most will soon completely transition over to newer and safer browsers.
- The contrast between modern and legacy browsers is stark: Google Chrome has had only 5 discovered vulnerabilities rating 7 or above on the severity scale over the past year, whereas Internet Explorer has had 86 new vulnerabilities of severity 7 or above discovered over the same time period.
- Due to its steadily improving quality and security features, Google’s dominance of the browser landscape is accelerating, with Chrome gaining 5 points of market share in just the past 12 months. At the same time, Internet Explorer and Firefox continue to hemorrhage users, with a surprising decline by Firefox to less than 10% share, its lowest reading ever, down from a high of nearly 33% back in 2010. Only Edge managed to eke out a small usage gain over the past year, to a still lowly 4.2%, after three full years on the market and countless millions spent by Redmond to promote it. This reporter is ready to declare the “browser wars” over and done with—let’s just give the crown to Chrome and call it a day. Maybe Edge will catch fire at some point, but we see scant evidence of that in our data.
- Microsoft has slowly but surely improved the resilience of Windows against web-based exploits, most notably with Windows Defender SmartScreen, now part of Windows Defender Exploit Guard in Windows 10, which has helped to minimize the impacts of browser exploits—especially drive-by attacks and malvertising. Not to be outdone, Google is doing likewise for Chrome, further improving its security to maintain its advantage, both actual and perceived.
What does it mean for security vendors and defenders?
Browser exploits and other web-based attacks that use fileless techniques will always exist because perfect software is an impossibility—it has never and will never be written. If current trends continue, however, the implications for security vendors and defenders may bear out as follows:
- Enterprise and government security defenders should focus less on the browser itself and more on what comes through the browser, namely downloaded documents and executable files. Today’s threats encompass primarily web downloads (including phishing links to downloads) and email attachments, putting the focus on the applications as the primary point of vulnerability. Consider application isolation and control on the endpoint to automatically protect all downloads and attachments with ironclad, hardware-enforced virtualization-based security.
- Vendors of remote browsing proxy solutions could face tough sledding defending against the increased headwinds of a declining attack vector, as browsers continue to improve their security features and as Windows further hardens its attack surface against web-based exploits.
That’s all for now on the “big shift” taking place between web and file attacks. Next time, we’ll delve into the relationships between links, attachments, and downloads—and the different risk profiles these common attack vectors represent.