Kevin Thompson

Kevin Thompson, Threat Analyst for FireEye, earlier worked as a cyber analyst for the CIA, covering Eastern Europe and Russia and briefing numerous government agencies on future potential incidents. His analytical work has been used in Presidential Daily Briefings and as a case study in multiple training classes. He now educates FireEye clients and partners on the latest cyber threats to infrastructure.

Kevin’s address to Cyber Security Summit, 2016 Cyber Attacks by the Numbers, concisely reviewed the latest statistics and emerging trends:

  • In 2015, the median duration before a hack was discovered was 146 days, down from 246 days a year earlier. The ratio of internal versus external discoveries of hacks balanced at 50:50. Internal discovery by the hacked entity generally is faster; formerly, discovery of a hacking by an external entity typically meant the intrusion had been going on for 320 days.
  • Most attacks now are performed by malicious macros concealed within a Word or Excel document, Thompson reported.
  • The heaviest attack period occurs between Tuesday and Wednesday.
  • Attacks strategically take aim at defined groups and organizations, seeking specific types of information.
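The macro-bearing documents mentioned above can be spotted at a mail gateway by inspecting attachment content rather than trusting the file extension. The following Python is an added example, not code from the talk or from FireEye: a modern Office file is a zip package, and the presence of a `vbaProject.bin` part or a `macroEnabled` content type marks it as a macro carrier, while the legacy OLE2 magic bytes flag an older binary format that needs a separate parser. The sample packages are constructed in memory and are not real documents.

```python
import io
import zipfile

# Parts that hold VBA code inside an Office Open XML (.docm/.xlsm/.pptm) package.
VBA_PARTS = frozenset({"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"})
# Magic bytes of the legacy OLE2 container (.doc/.xls/.ppt), which can also carry macros.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_office_bytes(data: bytes) -> str:
    """Classify an attachment by content, not by filename extension.

    Returns one of: 'ooxml-macro', 'ooxml-clean', 'ole2-legacy', 'not-office'.
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"          # needs an OLE parser for a macro verdict
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            content_types = (
                zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
            )
    except zipfile.BadZipFile:
        return "not-office"
    if not content_types:
        return "not-office"           # a zip, but not an Office package
    if names & VBA_PARTS or b"macroEnabled" in content_types:
        return "ooxml-macro"
    return "ooxml-clean"


def build_package(parts: dict) -> bytes:
    """Build a constructed in-memory OOXML-style zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real documents): a plain .docx-like package and one carrying VBA.
CLEAN_DOCX = build_package({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.openxmlformats-officedocument.'
                           b'wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = build_package({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00" * 64,   # placeholder bytes standing in for a VBA project
})


def triage(attachments: dict) -> dict:
    """Map attachment name -> verdict, so a gateway can quarantine macro carriers."""
    return {name: classify_office_bytes(data) for name, data in attachments.items()}


if __name__ == "__main__":
    # The renamed file shows that the verdict follows the content, not the .docx extension.
    sample = {"invoice.docx": CLEAN_DOCX, "report.docm": MACRO_DOCM, "renamed.docx": MACRO_DOCM}
    for name, verdict in triage(sample).items():
        print(f"{name:14s} {verdict}")
```

A legacy OLE2 verdict only says the container can hold macros; deciding whether it actually does requires parsing the compound file, which this example leaves to a dedicated library.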

Less malware is in use now, Thompson said. Of the organizations that monitor for malware alerts, about 50 percent are missing about 50 percent of those alerts.

He warned that organizations using two-factor authentication need to be sure to include an expiration date when issuing access tokens. Failure to do so leaves open entryways that bad actors have exploited.

  • Two frequent means of transmission are via network or email-to-email.

Two additional trends:

  • Sophisticated criminals are targeting specific information such as personally identifiable data like credit card information and health data, and then monetizing their catch by selling it to others.
  • Ransomware is being positioned as a service and it’s attacking the public broadly; increased media reporting is leading a growing number of small businesses to pay the ransoms. This is becoming a sophisticated business among ransom builders and money launderers.
  • Some versions of ransomware remain dormant on an infected system until some trigger date or event occurs, with pop-ups announcing the breach and giving directions for paying the ransom to regain access to the hostage files.