Without adequate and layered security, the web in 2015 was an incredibly threatening landscape, a trend that will no doubt continue in 2016.
To protect its customers, Symantec provides comprehensive security which includes a host of products. However, when it comes to protection from web-based threats, Symantec’s Intrusion Prevention System (IPS) is an essential addition to a layered security solution. IPS can protect computers and everything on them in ways that antivirus alone cannot. By scanning network traffic, IPS detects threats that use known exploits and attack vectors. Instead of detecting specific files, it detects specific methods used to get malicious files onto networks, allowing IPS to protect users against known and unknown threats, even before antivirus signatures can be created for them.
IPS protects against a wide range of security issues, which includes vulnerabilities, zero-day exploits, exploit kits (EK), social networking threats, command and control (C&C) activities (back doors and botnets), online scams, malvertising, phishing, and many more. To highlight just how effective this technology is, in this blog we’ll look at how Symantec IPS protected customers in 2015.
Exploit kits
It can be difficult to defend against weaknesses you don’t know about, and this is why advanced attackers continue to favor zero-day vulnerabilities to silently sneak onto victims’ computers. Attackers move quickly to exploit zero-day vulnerabilities to try to outpace software vendors in their efforts to create and roll out patches, and we’ve seen the attackers' reaction time become increasingly faster over 2015. Last year saw the breach of Italy-based cyberweapons supplier Hacking Team. When the previously unknown exploits that were compromised in the hack were released by the attackers, it was only a matter of hours before exploit kit authors had integrated them into their kits.
In 2015, the Angler EK was the leader in this field and also one of the most active EKs throughout the year. Symantec IPS blocked hundreds of thousands of attacks by this kit on a daily basis. Total blocks on Angler-based attacks numbered over 19.5 million. Angler’s favorite delivery mechanism was malvertisments and it mostly exploited Adobe Flash vulnerabilities.
The number of EK attacks blocked by Symantec in 2015 was approximately 300 million, which works out as 25 million per month on average. This statistic alone shows just how pervasive EKs are on the internet. Angler was way ahead of other EKs in 2015, with almost 20 million exploit attempts blocked by IPS.
Figure 1. Exploit kit attacks blocked by IPS in 2015
Windows 7 was the favored target for Angler in 2015, with 64 percent of the total blocked attacks focusing on this operating system (OS), and with Windows 8.1 (24 percent) and Windows Vista (5 percent) next in line. Fortunately for Mac OS X users, the Angler EK authors do not have them in their sights yet but this could change as cybercriminals look set to pay increasing attention to the Apple ecosystem.
Figure 2. Top operating systems targeted by the Angler exploit kit in 2015
Topping the chart for countries targeted by EKs in 2015 was the US, which saw 45 percent of attacks aimed at it.
Figure 3. Top 10 countries targeted by exploit kits in 2015
An important point to bear in mind when looking at these figures is that they represent actual attacks that were blocked. This literally means IPS has kept many millions of users safe from cyberattacks that would have likely succeeded had they not had IPS in place.
Tech support scams
We saw an increase in tech support scams in 2015, which amounted to a 200 percent rise compared to the previous year. Symantec IPS blocked hundreds of thousands of such scams throughout 2015. The second half of the year saw numbers surge significantly and this trend looks set to continue. In total, Symantec blocked more than 100 million tech support scams last year.
Figure 4. Tech support scams blocked by IPS in 2015
The countries targeted the most by tech support scams were the US, UK, France, Australia, and Germany.
Vulnerability exploit attempts
Outside of vulnerability exploit attempts made by EKs, Symantec IPS also blocked a significant number of attempts by attackers to exploit vulnerabilities in operating systems and applications in 2015. In fact, a total of over 240 million such exploit attempts were blocked by Symantec IPS.
The top five operating systems targeted by attackers in 2015 can be seen in Figure 5. Windows XP remains ahead of the pack with 71 percent of attacks blocked by IPS aimed at the 15-year-old OS. Even though Microsoft has ended support for XP, it seems there are plenty of users reluctant to upgrade and attackers are fully aware of and taking advantage of this situation.
Figure 5. Top operating systems targeted for OS or application exploits by attackers in 2015
Malware (post infection)
Some threats that made it onto systems and then attempted to carry out malicious activities were also blocked by Symantec IPS. We blocked more than 700 million attempts by malware to conduct C&C activity, act as a downloader, or carry out other malicious activity on users' computers.
Figure 6. Malware activity blocked by IPS in 2015
Windows OSes made up the vast majority of systems attacked and a breakdown of the targets shows that the most infected OS in 2015 was Windows 7 (66 percent). The trend shows that most of the users who got infected by malware were home users.
Figure 7. Top Windows operating systems targeted by malware in 2015
The bottom line
The statistics in this blog speak volumes about the importance of IPS, which should be your first line of defense against threats trying to get onto your computers. However, the bad guys are nothing if not resourceful and as such, IPS should be part of a layered security solution. Multiple security measures including antivirus, firewall, antispam, and IPS are recommended to protect users from the multitude of threats present in today’s threat landscape.
Norton Security, Symantec Endpoint Protection, and many other Symantec security products have network-based protection (firewall and IPS) and more built in. We urge you to ensure that you make use of the comprehensive security features fully by ensuring that none of them are turned off.
Still need more convincing to use IPS? Watch this video from Kevin Haley, Director, Security Technology & Response, who will give all the reasons you need to use IPS. Then make a new year’s resolution that’s good for the health of your computers, use IPS!