2019

eSentire Threat Intelligence Spotlight: United Kingdom

Table of Contents

03 Foreword

04 Introduction

05 Growth in Attacks

06 Exploits

08 Malware

10 Phishing

12 Industry Trends in the U.K.

14 Takeaways and Recommendations

15 Methodology

16 References

2019 THREAT INTELLIGENCE SPOTLIGHT: UNITED KINGDOM


FOREWORD

Cyberattacks against businesses in the U.K. are becoming more frequent,
more sophisticated and more successful as the arms race continues
between adversaries and targets.

This report shares actionable intelligence to those responsible for defending
valuable business targets. Readers will gain a better understanding about the
nature of cyberattacks in the U.K. and be more prepared to implement
defensive measures needed to protect their infrastructure, data and customers.

Going forward, threat actors will continue to evolve their techniques and
increase attack volume. In order for U.K. businesses to prepare for what is
next, this report serves as required reading to identify what we are doing
well and what we need to do better.

– Mike StJohn-Green

About Mike StJohn-Green

Mike StJohn-Green has over forty years’ experience in the security sector
having spent 39 years in U.K. government, at GCHQ and then in the Office
of Cyber Security and Information Assurance in the Cabinet Office. His roles
in GCHQ included deputy director CESG, the Information Assurance arm
of GCHQ and predecessor to the NCSC. Mike has since worked with
private and public sector organisations worldwide, ranging from the finance
sector in the City of London to defence and critical infrastructure, as a
cybersecurity subject matter expert.


INTRODUCTION

For several years, eSentire has published globally focused Threat Reports based on data from our Security
Operations Centres (SOCs) that monitor 650-plus customers around the world. Over the last two years,
eSentire’s European business has grown by over 90 percent to 120-plus customers across 10 European
markets. The bulk of this growth has come from the United Kingdom (U.K.). This expanded European
footprint delivers a sample size large enough to publish a dedicated U.K. Threat Report for the first time.

Globally, Managed Detection and Response (MDR) is a rapidly growing segment of the security market,
but it is still one that is seeing early adoption in some regions and verticals. According to research from
Gartner, five percent of organisations are currently using MDR services and that is predicted to increase
to 15 percent by 2020 [1].

Because of the need to protect sensitive business data, industries such as finance and legal were among
the earliest adopters of eSentire’s MDR services, and as such, these industries represent the majority in
this report’s dataset. This report leverages eSentire’s anonymised customer network traffic and is being
released to complement survey data from private and public sector sources that already exist. One such
example is the Department of Digital, Culture, Media and Sport’s 2019 Cyber Security Breaches Survey [2],
which revealed that 60 percent of medium businesses and 61 percent of large businesses reported having
a breach in 2018. While the incident rates discussed in this report are slightly lower than what is reported
in the U.K. Government’s survey, this is largely driven by the fact that the eSentire customer base is typically
more mature in its security posture than a small or medium business which does not have a dedicated
managed security service.

The analysis of the cyber threats revealed by eSentire in this report is valuable for security practitioners,
IT decision makers and senior executives tasked with protecting business data for companies based
solely in the U.K. It also is applicable for the growing number of international businesses with customers,
employees and offices in the region who want to better understand the threat landscape.


GROWTH IN ATTACKS

Figure 1: Change in Observed Event Types Between 2017 and 2018 - U.K.

In 2018, eSentire observed that the use of botnets increased by 500 percent when compared to 2017. As first
reported in eSentire’s Q2 2018 Quarterly Threat Report [3], a significant degree of this traffic appears to come
from compromised servers distributed throughout the globe. This observation is consistent with recent trends
whereby threat actors initiate multistage attacks to compromise low-hanging, low-value devices for which there
is no immediate opportunity for monetary gain. Once these devices are compromised, however, they become a
small piece of a larger-scale attack infrastructure that can be leveraged when it is more likely to yield a financial
benefit for the threat actor.

In the U.K., this increase in global botnet activity drove significant increases in the number of exploit (190 percent),
malware (45 percent) and scanning (15 percent) detections observed by eSentire during 2018. The only attack type
to decrease in observed incidents was phishing, which nonetheless remains a significant threat to U.K. businesses.

Figure 2: Observed Incident Rates

An examination of eSentire’s observed incident data reveals that the increased amount of malicious activity across the
globe caused almost 40 percent of U.K. businesses to experience at least one form of cybersecurity incident during
the last year. When benchmarked against eSentire’s customer base, the U.K. has a slightly higher incident rate than
the global average (38 percent). While not a statistically significant difference, a deeper dive into these different event
types reveals that there are some event types that businesses in the U.K. appear to be better at preventing (phishing
and malware), but there are other types where they lag behind.


EXPLOITS
In 2018, businesses in eSentire’s U.K. customer base saw a 190 percent increase in observed exploits driven
primarily by the targeting of web servers and routers.

Figure 3: Observed Web Server Exploit Attempts - U.K. (2018).

When examining U.K. web server exploits, attacks on Microsoft’s web server solution known as Internet
Information Services (IIS) are a constant fixture in hostile internet background radiation. Only a handful of
clients were susceptible to this type of exploit, but when they were, typically only the server hosting the
company’s webpage was impacted. This lack of susceptibility means that sensitive business data was,
in most instances, not breached because most companies opt to host their websites in an environment
completely separate from their internal operational network.

Throughout 2019, we expect web servers will continue to be a favourite target in the U.K. and around the
world as their exposure to the internet makes them an easy target for threat actors. To limit the damage of
future attacks, it is essential for businesses to keep financial and operational networks isolated from public
web servers to reduce the risk of critical systems being compromised.

Figure 4: Observed IoT and Router Exploit Attempts - U.K. (2018).

In addition to web servers, home routers have also been the subject of continuous targeting as vulnerabilities
and exploits are regularly published. When exploits are made publicly known, botnets can quickly execute
successful exploitation campaigns because of the vast quantity of routers that are deployed globally. In the
U.K., attacks associated with a variant of the Mirai botnet that specifically targeted D-Link routers were the
most observed exploit incidents, with spikes in detections coming after exploits were published in July [4] and
October [5] of 2018.


Figure 5: Observed Exploit Attempts

An examination of eSentire’s U.K. customer base reveals that 27 percent of businesses experienced at least one
attempted exploit attack between February 2018 and February 2019. The nuance here is important because an
attempted exploit attack does not necessarily mean a successful one, as many businesses purposely leave assets
exposed to the Internet in order to conduct their daily business operations.

Attempted exploit attacks are the only attack type where the observed U.K. rate is ahead of the global average of
eSentire’s customer base, by just over one percent. The spread between the global average and what occurred in the U.K.
is not significant, but it should still serve notice to U.K. businesses to do a thorough examination of any exploitable
services sitting on internal networks that are reachable from the internet.


MALWARE

Figure 6: Malware Incident Share - U.K. (2018)

In the U.K., 87 percent of malware incidents observed by eSentire in 2018 were classified by the SOC as malicious
documents, or MalDocs. In most instances, the MalDocs detected were disguised as invoices or missed payment
notifications which attempt to entice employees to download and execute a payload that can carry out further
malicious objectives once inside a network.

One interesting observation from our 2018 dataset is the lack of detected coinmining malware in eSentire’s U.K.
customer base. Coinmining malware mines cryptocurrency (typically Monero) directly on infected endpoint devices
(CoinMiner) or in web browsers (Coinhive) when a user visits a website running malicious code. Once infected, the
coinmining malware silently mines cryptocurrency while consuming a significant amount of processor cycles, resulting
in devices with sluggish performance and reduced battery life. In eSentire’s 2018 Annual Threat Report, we observed
that coinmining malware experienced a 1,500 percent increase worldwide when compared to rates observed in 2017,
but the U.K. only experienced a handful of observed incidents. This lack of coinmining malware detections may be
partially driven by the smaller sample size of eSentire’s U.K. customer base, but it is a phenomenon that may warrant
additional investigation in future reports.


Figure 7: Observed Malware Incidents

An examination of detected malware threats in the U.K. shows that in the last 12 months, 13 percent of eSentire’s U.K.
customers experienced some form of malware incident, compared to the global average of 17 percent. It is difficult
to determine the exact cause for the gap, but one consideration for the difference is the higher concentration of
regulated industries, such as finance, that make up eSentire’s U.K. customer base. Because these industries often have
more mature security hygiene, they are also likely to have more robust security training for their employee base, which
will usually include a focus on email and web browsing best practices. With the most commonly observed methods
for deploying malware originating via email and browsing, this training may be helping to protect U.K. businesses from
experiencing higher rates of malware incidents observed in other parts of the world.


PHISHING
As part of eSentire’s global reports, DocuSign, Office365 and OneDrive have remained consistently popular phishing
lures throughout 2018. In the U.K., however, the highest success rate came from lures mimicking Dropbox logins. In this
instance, they were able to entice users to submit credentials at a higher rate than other phishing lures managed to
get users to open an email and click a link.

Figure 8: Observed Phishing Rates - U.K. (2018).

For a phishing attack to be successful, a user typically must be enticed into action three times. First, the user has
to be convinced to open the email. Second, the user must click a link in the email. Finally, they must submit
their credentials on a website that typically simulates the look and feel of a legitimate site. For Dropbox credential
submissions (step three) to occur at a higher rate than other lures reached step two reveals that threat actors
have been able to accurately recreate the look and feel of both Dropbox emails and its website.

For businesses that store sensitive data in cloud storage, the success rate of the Dropbox campaign should be an
eye-opening observation, as one compromised Dropbox account could give threat actors access to a company’s
entire cache of sensitive files.

This should also be a revelation for businesses that do not use Dropbox (or other cloud storage services) as a
corporate tool because the reality is that many employees may be using personal cloud storage services to store
business files in the cloud. Additionally, because personal accounts for services such as Dropbox do not come with
additional security measures such as Active Directory authentication or mandatory two-factor authentication (2FA),
data stored in personal clouds may be even more susceptible to being accessed by unauthorized users.


Figure 9: Observed Phishing Lures by Industry - U.K. (2018).

eSentire’s data reveals that when looking at phishing at an industry level, marketing agencies received a significant
number of Apple-related lures in 2018. This concentration of Apple lures in an industry perceived to have a high
number of Apple desktops and laptops reveals that threat actors are customising lures to specific sectors in an
attempt to improve their success rate. This ability to tailor lures to specific industries based on knowledge
of their internal tools highlights the importance for companies to train staff on how to recognise possible phishing
attempts and why it is essential to have the ability to detect and respond to threats in near real-time.
It also underscores that while there is sometimes a perception among users that Apple devices (iPhones and Macs)
are more secure at a system level, the presence of web browsers on these devices means they are no more immune to
falling victim to a phishing attack.

Figure 10: Observed Phishing Incidents

An examination of observed phishing incidents, which includes the submission of credentials to an illegitimate
site or clicking on known phishing links, reveals that nearly 10 percent of U.K. businesses experienced a successful
phishing incident in the last 12 months. Like malware, this rate is below the observed average of eSentire’s
global customer base of 12 percent. Also like malware, it is difficult to pinpoint an exact reason why U.K. businesses
fall for phishing attempts at a significantly lower rate than the worldwide average, but our central hypothesis remains
that employees at eSentire’s core customer verticals may receive more security training because of the regulated
industries they conduct business in.


INDUSTRY TRENDS IN THE U.K.

Figure 11: Comparison of Observed Incidents by Industry - U.K.

A comparison of the most affected industries within eSentire’s U.K. customer base reveals little change between
2017 and 2018. This is primarily driven by the fact that eSentire’s current customer base mix, dominated by the financial
industry, remained the same in both years. However, an interesting observation is that the total number of alerts
continues to increase even as U.K. businesses continue to evolve their security posture as a result of recent U.K.
regulatory initiatives. These initiatives include GDPR and new legislation implemented in May 2018 [6] that introduces
hefty fines for critical national infrastructure (CNI) companies, such as financial and technology firms, that fail to protect
against loss of service due to cyberattacks.

Figure 12: Normalized Comparison of Observed Incidents by Industry - U.K.

When eSentire’s industry data is normalized to a per sensor basis (a network sensor is deployed at each eSentire
customer site to enable our MDR service), a clearer picture of how specific industries are impacted is revealed.
Specifically, in the U.K., the marketing and manufacturing industries were recipients of the highest number of
incidents on a per site basis in 2018.

For the casual reader of this report, marketing agencies may not be considered a prime target for cyberattacks,
but it is important to remember that marketing agencies often will be contracted to work on marketing campaigns
well in advance of the release of a new product or service. If a threat actor is able to access this sensitive product
or service information before a public launch, this information could be sold to a competitor or used to trade stock
using knowledge that has not yet been disclosed to the public.


Attacks on IoT Devices

In 2018, eSentire Threat Intelligence observed a growing trend in IoT exploits targeting cameras, door controllers,
surveillance equipment and media devices throughout our global customer base. In the U.K., the vast majority of
the observed exploits specifically impacted devices manufactured by AVTech, a leading manufacturer of video
surveillance and monitoring equipment.

Figure 13: Observed IoT Exploit Attempts - U.K. (2018).

Significant annual growth of Internet-connected devices drives the number of exploitable endpoints. The best
way to prevent IoT devices from being exploited is to ensure that default credentials are changed and firmware is
continuously updated. From an IT administration standpoint, it may be easiest to use default or shared credentials
when deploying devices en masse, but taking the extra time to secure each device upon deployment will prevent
future security incidents.

Another strategy to consider when procuring IoT devices is to purchase from known vendors with a track record
of providing regular firmware and security updates. In recent years, there has been an influx of commoditised
white-label hardware available from wholesalers such as Alibaba and Amazon resellers. While the discounted upfront
cost is appealing, these companies do not always have a track record of supporting devices and the long-term
damage of a security breach caused by an unpatched device will quickly outweigh initial upfront cost savings.


TAKEAWAYS AND RECOMMENDATIONS

eSentire Threat Intelligence has several recommendations that organisations can implement to
prevent their networks from being compromised by common types of attacks.

Email-based Attacks (Phishing and Malware)

Email is one of the most common attack vectors observed by eSentire. Reducing this attack
surface will protect U.K. organisations from both phishing and email-borne malware.

• User-awareness training for employees, including continuous simulated phishing exercises
to assess effectiveness
• Implement a simplified process for reporting and responding to suspicious emails
• Deploy spam filtering, URL rewrite and attachment sandboxing
• Block macros in Microsoft Office documents that originate from the internet [7]
• Block Microsoft Office execution from temporary directories such as
Outlook and internet browsers
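The MalDoc chain described in the Malware section (a document that entices the user to download and execute a payload) and the last two recommendations above both come down to the same telemetry: which processes Office applications spawn, and from where. The following is an added example, not eSentire's detection logic, that runs two such rules over constructed Sysmon-style process-creation lines (all hosts, users and paths are hypothetical):

```python
"""Flag MalDoc-style execution chains in Sysmon-like process creation events.

Constructed illustration: these rules and sample events are not eSentire's
detection logic. Two behaviours are flagged:
  1. an Office application spawning a script interpreter or LOLBin
  2. an Office application spawning an executable from a temporary,
     Outlook-cache or browser-download directory
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
# Directory names that commonly hold payloads dropped by an email lure.
TEMP_DIR_RE = re.compile(r"\\(temp|content\.outlook|inetcache|downloads)\\",
                         re.IGNORECASE)
# key="value" pairs; values are quoted because Windows paths contain spaces.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed Sysmon-style Event ID 1 lines (hypothetical hosts and paths).
SAMPLE_LOG = r"""
2018-11-05T09:12:44Z Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ParentImage="C:\Windows\explorer.exe"
2018-11-05T09:12:51Z Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
2018-11-05T09:12:53Z Image="C:\Users\alice\AppData\Local\Temp\invoice_4471.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
2018-11-05T10:40:02Z Image="C:\Windows\splwow64.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
2018-11-06T08:03:17Z Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ParentImage="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
2018-11-06T08:03:29Z Image="C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\statement.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
"""

def parse_event(line):
    """Split a log line into {'ts': ..., 'Image': ..., 'ParentImage': ...}."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the rules an event triggers (empty for benign)."""
    if basename(event.get("ParentImage", "")) not in OFFICE_APPS:
        return []  # only children spawned by Office applications matter here
    image = event.get("Image", "")
    hits = []
    if basename(image) in INTERPRETERS:
        hits.append("office_spawns_interpreter")
    if TEMP_DIR_RE.search(image):
        hits.append("office_spawns_from_temp_dir")
    return hits

def scan(lines):
    """Return (timestamp, rule, child executable) for every triggered rule."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in classify(event):
            alerts.append((event["ts"], rule, basename(event["Image"])))
    return alerts

if __name__ == "__main__":
    for ts, rule, child in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts}  {rule:<28}  {child}")
```

The benign lines (Explorer launching Word, Word launching the print helper, Outlook launching Word from Program Files) produce no alert, which is what keeps the second rule usable alongside a policy that blocks execution from those directories outright.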

Exploits (Webservers, Switches, Routers and IoT Devices)

The number of Internet-connected devices grows significantly each year and brings
an increased number of exploitable endpoints that threat actors can leverage
as part of an attack.

• Work with your IT or security department to put a regular patching schedule in place [8]
• Implement monitoring and detection of asset exposure to external networks [9]
• Consider two-factor authentication for externally-facing remote access points
• Implement better perimeter protections, such as application firewalls or IPS systems,
to weed out known attacks from reaching potentially vulnerable devices that must be
exposed to provide services

Improving Cybersecurity Leadership

While the above recommendations are best implemented by the IT department, senior
executives are playing an increasingly important role in securing a business. Recently,
the National Cyber Security Centre released its Board Toolkit [10], which outlines key obligations
and priorities for board members and senior executives in the U.K.

eSentire strongly recommends that executives in the U.K. leverage this toolkit so that they can
familiarise themselves with the information required to make informed decisions about the risks
their businesses face. Once armed with this information, executives are encouraged to evaluate
and prioritize the risk management programs they need to put in place, including:

• Implementing effective cybersecurity measures
• Collaborating with suppliers and partners to mitigate security threats
• Planning responses to cyber incidents


METHODOLOGY

eSentire Threat Intelligence used data gathered in 2018 from over 2,000 proprietary network
and host-based detection sensors distributed globally across multiple industries. Raw data was
normalized and aggregated using automated machine-based processing methods. Processed data
is reviewed by a visual data analyst applying quantitative analysis methods. Quantitative intelligence
analysis results were further processed by a qualitative intelligence analyst resulting in a written
analytical product.


REFERENCES

[1] Gartner 2018 Market Guide for Managed Detection and Response Services -
https://www.esentire.com/resource-library/gartner-market-guide-for-managed-detection-and-response/

[2] Cyber Security Breaches Survey 2019 -
https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2019

[3] Q2 2018 Quarterly Threat Report -
https://www.esentire.com/resource-library/q2-2018-quarterly-threat-report/

[4] D-Link, Dasan Routers Under Attack In Yet Another Assault -
https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/

[5] Multiple D-Link Routers Open to Complete Takeover with Simple Attack -
https://threatpost.com/multiple-d-link-routers-open-to-complete-takeover-with-simple-attack/138383/

[6] UK Government Warns of £17m Non-Compliance Fines for CNI Firms -
https://www.infosecurity-magazine.com/news/uk-government-warns-of-17m/

[7] New feature in Office 2016 can block macros and help prevent infection -
https://www.microsoft.com/security/blog/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/

[8] Assessing Security Vulnerabilities and Applying Patches -
https://www.cyber.gov.au/publications/assessing-security-vulnerabilities-and-applying-patches

[9] Limitation and Control of Network Ports, Protocols and Services -
https://www.cisecurity.org/controls/limitation-and-control-of-network-ports-protocols-and-services/

[10] NCSC Board Toolkit -
https://www.ncsc.gov.uk/collection/board-toolkit


About eSentire:

eSentire, Inc., the global leader in Managed Detection and Response (MDR), keeps organizations safe from
constantly evolving cyber attacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC),
staffed by elite security analysts, hunts, investigates, and responds in real-time to known and unknown threats before
they become business disrupting events. Protecting more than $5.7 trillion AUM in the financial sector alone, eSentire
absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with
growing regulatory requirements. For more information, visit www.esentire.com and follow @eSentire.