2019 Threat Intelligence Spotlight U K 1577952813
eSentire Threat Intelligence Spotlight: United Kingdom
Table of Contents
Foreword
Introduction
Growth in Attacks
Exploits
Malware
Phishing
Methodology
References
Going forward, threat actors will continue to evolve their techniques and
increase attack volume. In order for U.K. businesses to prepare for what is
next, this report serves as required reading to identify what we are doing
well and what we need to do better.
– Mike StJohn-Green
Mike StJohn-Green has over forty years’ experience in the security sector,
having spent 39 years in U.K. government, at GCHQ and then in the Office
of Cyber Security and Information Assurance in the Cabinet Office. His roles
in GCHQ included deputy director CESG, the Information Assurance arm
of GCHQ and predecessor to the NCSC. Mike has since worked with
private and public sector organisations worldwide, ranging from the finance
sector in the City of London to defence and critical infrastructure, as a
cybersecurity subject matter expert.
For several years, eSentire has published globally focused Threat Reports based on data from our Security
Operations Centres (SOCs) that monitor 650-plus customers around the world. Over the last two years,
eSentire’s European business has grown by over 90 percent to 120-plus customers across 10 European
markets. The bulk of this growth has come from the United Kingdom (U.K.). This expanded European
footprint delivers a sample size large enough to publish a dedicated U.K. Threat Report for the first time.
Globally, Managed Detection and Response (MDR) is a rapidly growing segment of the security market,
but it is still one that is seeing early adoption in some regions and verticals. According to research from
Gartner, five percent of organisations are currently using MDR services and that is predicted to increase
to 15 percent by 2020 [1].
Because of the need to protect sensitive business data, industries such as finance and legal were among
the earliest adopters of eSentire’s MDR services, and as such, these industries represent the majority in
this report’s dataset. This report leverages eSentire’s anonymised customer network traffic and is being
released to complement survey data from private and public sector sources that already exist. One such
example is the Department of Digital, Culture, Media and Sport’s 2019 Cyber Security Breaches Survey [2],
which revealed that 60 percent of medium businesses and 61 percent of large businesses reported having
a breach in 2018. While the incident rates discussed in this report are slightly lower than what is reported
in the U.K. Government’s survey, this is largely driven by the fact that the eSentire customer base is typically
more mature in its security posture than a small or medium business which does not have a dedicated
managed security service.
The analysis of the cyber threats revealed by eSentire in this report is valuable for security practitioners,
IT decision makers and senior executives tasked with protecting business data for companies based
solely in the U.K. It is also applicable for the growing number of international businesses with customers,
employees and offices in the region who want to better understand the threat landscape.
In the U.K., this increase in global botnet activity drove significant increases in the number of exploit (190 percent),
malware (45 percent) and scanning (15 percent) detections observed by eSentire during 2018. The only attack type
to decrease in observed incidents was phishing, which nevertheless remains a significant threat to U.K. businesses.
An examination of eSentire’s observed incident data reveals that the increased amount of malicious activity across the
globe caused almost 40 percent of U.K. businesses to experience at least one form of cybersecurity incident during
the last year. When benchmarked against eSentire’s customer base, the U.K. has a slightly higher incident rate than
the global average (38 percent). While not a statistically significant difference, a deeper dive into these different event
types reveals that there are some event types that businesses in the U.K. appear to be better at preventing (phishing
and malware), but there are other types where they lag behind.
When examining U.K. web server exploits, attacks on Microsoft’s web server solution known as Internet
Information Services (IIS) are a constant fixture in hostile internet background radiation. Only a handful of
clients were susceptible to this type of exploit, but when they were, typically only the server hosting the
company’s webpage was impacted. This lack of susceptibility means that sensitive business data was,
in most instances, not breached because most companies opt to host their websites in an environment
completely separate from their internal operational network.
Throughout 2019, we expect web servers will continue to be a favourite target in the U.K. and around the
world as their exposure to the internet makes them an easy target for threat actors. To limit the damage of
future attacks, it is essential for businesses to keep financial and operational networks isolated from public
web servers to reduce the risk of critical systems being compromised.
In addition to web servers, home routers have also been the subject of continuous targeting as vulnerabilities
and exploits are regularly published. When exploits are made publicly known, botnets can quickly execute
successful exploitation campaigns because of the vast quantity of routers that are deployed globally. In the
U.K., attacks associated with a variant of the Mirai botnet that specifically targeted D-Link routers were the
most observed exploit incident, with spikes in detections coming after exploits were published in July [4] and
October [5] of 2018.
An examination of eSentire’s U.K. customer base reveals that 27 percent of businesses experienced at least one
attempted exploit attack between February 2018 and February 2019. The nuance here is important because an
attempted exploit attack does not necessarily mean a successful one, as many businesses purposely leave assets
exposed to the Internet in order to conduct their daily business operations.
Attempted exploit attacks are the only attack type where the U.K. observed rate is ahead of the global average of
eSentire’s customer base, by just over one percent. The spread between the global average and what occurred in the U.K.
is not significant, but this should still serve notice to U.K. businesses to thoroughly examine any exploitable
services sitting on internal networks that are reachable from the internet.
In the U.K., 87 percent of malware incidents observed by eSentire in 2018 were classified by the SOC as malicious
documents or MalDocs. In most instances, the MalDocs detected were disguised as invoices or missed payment
notifications which attempt to entice employees to download and execute a payload that can carry out further
malicious objectives once inside a network.
One interesting observation from our 2018 dataset is the lack of detected coinmining malware in eSentire’s U.K.
customer base. Coinmining malware mines cryptocurrency (typically Monero) directly on infected endpoint devices
(CoinMiner) or in web browsers (Coinhive) when a user visits a website running malicious code. Once infected, the
coinmining malware silently mines cryptocurrency while consuming a significant amount of processor cycles, resulting
in devices with sluggish performance and reduced battery life. In eSentire’s 2018 Annual Threat Report, we observed
that coinmining malware experienced a 1,500 percent increase worldwide when compared to rates observed in 2017,
but the U.K. only experienced a handful of observed incidents. This lack of coinmining malware detections may be
partially driven by the smaller sample size of eSentire’s U.K. customer base, but it is a phenomenon that may warrant
additional investigation in future reports.
An examination of detected malware threats in the U.K. shows that in the last 12 months, 13 percent of eSentire’s U.K.
customers experienced some form of malware incident, compared to the global average of 17 percent. It is difficult
to determine the exact cause for the gap, but one consideration for the difference is the higher concentration of
regulated industries, such as finance, that make up eSentire’s U.K. customer base. Because these industries often have
more mature security hygiene, they are also likely to have more robust security training for their employee base, which
will usually include a focus on email and web browsing best practices. With the most commonly observed methods
for deploying malware originating via email and browsing, this training may be helping to protect U.K. businesses from
experiencing the higher rates of malware incidents observed in other parts of the world.
For a phishing attack to be successful, a user typically must be enticed into action three times. First, the user has
to be convinced to open the email. Second, the user must click a link in the email. Finally, they must submit
their credentials on a website that typically simulates the look and feel of a legitimate site. The fact that Dropbox
credential submissions (step three) occurred at a higher rate than other lures reached step two reveals that threat
actors have been able to accurately recreate the look and feel of both Dropbox emails and the Dropbox website.
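The three-step funnel described above, worked through as an added example (not eSentire’s code or data): it parses constructed SOC-style phishing telemetry, computes per-lure click and credential-submission rates, and flags any lure whose step-three rate exceeds every other lure’s step-two rate, which is the signal the report uses to conclude that the Dropbox lookalikes were convincing. The key=value export format, the field names, the stage vocabulary and the lure names are assumptions.

```python
from collections import defaultdict

STAGES = {"opened": 1, "clicked": 2, "submitted": 3}  # assumed stage vocabulary

# Constructed sample telemetry (not eSentire data), one line per user action in
# an assumed key=value export format. A later stage implies the earlier ones,
# so only the furthest stage each user reached per lure matters.
SAMPLE_LOG = """\
lure=dropbox user=u01 stage=opened
lure=dropbox user=u01 stage=clicked
lure=dropbox user=u01 stage=submitted
lure=dropbox user=u02 stage=submitted
lure=dropbox user=u03 stage=submitted
lure=dropbox user=u04 stage=opened
lure=dropbox user=u04 stage=clicked
lure=apple user=u05 stage=opened
lure=apple user=u05 stage=clicked
lure=apple user=u06 stage=opened
lure=apple user=u07 stage=opened
lure=apple user=u08 stage=submitted
lure=invoice user=u09 stage=opened
lure=invoice user=u10 stage=opened
lure=invoice user=u11 stage=clicked
lure=invoice user=u12 stage=opened
"""

def parse_events(text):
    """Return {(lure, user): furthest stage reached} from key=value log lines."""
    furthest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        key = (fields["lure"], fields["user"])
        furthest[key] = max(furthest.get(key, 0), STAGES[fields["stage"]])
    return furthest

def funnel(furthest):
    """Per lure: users who opened, plus click/submit rates relative to that base."""
    counts = defaultdict(lambda: [0, 0, 0])  # opened, clicked, submitted
    for (lure, _user), stage in furthest.items():
        for s in range(stage):            # reaching stage N counts for stages 1..N
            counts[lure][s] += 1
    return {lure: {"opened": c[0], "click_rate": c[1] / c[0], "submit_rate": c[2] / c[0]}
            for lure, c in counts.items()}

def lures_beating_others_click_rate(rates):
    """Lures whose step-3 (submit) rate exceeds every other lure's step-2 (click) rate."""
    flagged = []
    for lure, r in rates.items():
        others = [o["click_rate"] for name, o in rates.items() if name != lure]
        if others and r["submit_rate"] > max(others):
            flagged.append(lure)
    return sorted(flagged)
```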
For businesses that store sensitive data in cloud storage, the success rate of the Dropbox campaign should be an
eye-opening observation, as one compromised Dropbox account could give threat actors access to a company’s
entire cache of sensitive files.
This should also be a revelation for businesses that do not use Dropbox (or other cloud storage services) as a
corporate tool because the reality is that many employees may be using personal cloud storage services to store
business files in the cloud. Additionally, because personal accounts for services such as Dropbox do not come with
additional security measures such as Active Directory authentication or mandatory two-factor authentication (2FA),
data stored in personal clouds may be even more susceptible to being accessed by unauthorized users.
eSentire’s data reveals that when looking at phishing at an industry level, marketing agencies received a significant
number of Apple-related lures in 2018. This concentration of Apple lures in an industry perceived to have a high
number of Apple desktops and laptops reveals that threat actors are customising lures to specific sectors in an
attempt to improve their success rate. This ability to potentially tailor lures to specific industries based on knowledge
of their internal tools highlights the importance for companies to train staff on how to recognise possible phishing
attempts and why it is essential to have the ability to detect and respond to threats in near real-time.
It also underscores that while there is sometimes a perception among users that Apple devices (iPhones and Macs)
are more secure at a system level, the presence of web browsers on these devices makes them no more immune to
phishing attacks than any other device.
An examination of observed phishing incidents, which include the submission of credentials to an illegitimate
site or clicking on known phishing links, reveals that nearly 10 percent of U.K. businesses experienced a successful
phishing incident in the last 12 months. Like malware, this rate is below the observed average of eSentire’s
global customer base of 12 percent. Also like malware, it is difficult to pinpoint an exact reason why the U.K. performs
significantly better than the worldwide average at resisting phishing attempts, but our central hypothesis remains
that employees at eSentire’s core customer verticals may receive more security training because of the regulated
industries they conduct business in.
A comparison of the most affected industries within eSentire’s U.K. customer base reveals little change between
2017 and 2018. This is primarily driven by the fact that eSentire’s current customer base mix, dominated by the financial
industry, remained the same in both years. However, an interesting observation is that the total number of alerts
continues to increase even as U.K. businesses continue to evolve their security posture as a result of recent U.K.
regulatory initiatives. These initiatives include GDPR and new legislation implemented in May 2018 [6] that imposes
hefty fines on critical national infrastructure (CNI) companies, such as financial and technology firms, that fail to protect
against loss of service due to cyberattacks.
When eSentire’s industry data is normalized to a per sensor basis (a network sensor is deployed at each eSentire
customer site to enable our MDR service), a clearer picture of how specific industries are impacted is revealed.
Specifically, in the U.K., the marketing and manufacturing industries were recipients of the highest number of
incidents on a per site basis in 2018.
For the casual reader of this report, marketing agencies may not be considered a prime target for cyberattacks,
but it is important to remember that marketing agencies often will be contracted to work on marketing campaigns
well in advance of the release of a new product or service. If a threat actor is able to access this sensitive product
or service information before a public launch, this information could be sold to a competitor or used to trade stock
using knowledge that has not yet been disclosed to the public.
In 2018, eSentire Threat Intelligence observed a growing trend in IoT exploits targeting cameras, door controllers,
surveillance equipment and media devices throughout our global customer base. In the U.K., the vast majority of
the observed exploits specifically impacted devices manufactured by AVTech, a leading manufacturer of video
surveillance and monitoring equipment.
Significant annual growth of Internet-connected devices drives the number of exploitable endpoints. The best
way to prevent IoT devices from being exploited is to ensure that default credentials are changed and firmware is
continuously updated. From an IT administration standpoint, it may be easiest to use default or shared credentials
when deploying devices en masse, but taking the extra time to secure the device upon deployment will prevent
future security incidents.
Another strategy to consider when procuring IoT devices is to purchase from known vendors with a track record
of providing regular firmware and security updates. In recent years, there has been an influx of commoditised
white-label hardware available from wholesalers such as Alibaba and Amazon resellers. While the discounted upfront
cost is appealing, these companies do not always have a track record of supporting devices and the long-term
damage of a security breach caused by an unpatched device will quickly outweigh initial upfront cost savings.
eSentire Threat Intelligence has several recommendations that organisations can implement to
prevent their networks from being compromised by common types of attacks.
• Work with your IT or security department to put a regular patching schedule in place [8]
• Implement monitoring and detection of asset exposure to external networks [9]
• Consider two-factor authentication for externally-facing remote access points
• Implement better perimeter protections, such as application firewalls or IPS systems,
to weed out known attacks from reaching potentially vulnerable devices that must be
exposed to provide services
eSentire strongly recommends that executives in the U.K. leverage this toolkit so that they can
familiarise themselves with the information required to make informed decisions about the risks
their businesses face. Once armed with this information, executives are encouraged to evaluate
and prioritize the risk management programs they need to put in place, including:
eSentire Threat Intelligence used data gathered in 2018 from over 2,000 proprietary network
and host-based detection sensors distributed globally across multiple industries. Raw data was
normalized and aggregated using automated machine-based processing methods. Processed data
is reviewed by a visual data analyst applying quantitative analysis methods. Quantitative intelligence
analysis results were further processed by a qualitative intelligence analyst resulting in a written
analytical product.
[1] Gartner 2018 Market Guide for Managed Detection and Response Services - https://www.esentire.com/resource-library/gartner-market-guide-for-managed-detection-and-response/
[5] Multiple D-Link Routers Open to Complete Takeover with Simple Attack - https://threatpost.com/multiple-d-link-routers-open-to-complete-takeover-with-simple-attack/138383/
[7] New feature in Office 2016 can block macros and help prevent infection - https://www.microsoft.com/security/blog/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
eSentire, Inc., the global leader in Managed Detection and Response (MDR), keeps organizations safe from
constantly evolving cyber attacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC),
staffed by elite security analysts, hunts, investigates, and responds in real-time to known and unknown threats before
they become business disrupting events. Protecting more than $5.7 trillion AUM in the financial sector alone, eSentire
absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with
growing regulatory requirements. For more information, visit www.esentire.com and follow @eSentire.