Navigating the known threat landscape

Preparing for the inevitable

In this section:

Malware: 90% of U.S. organizations had at least one malware-related incident during the past 12 months[3].

Ransomware: 63% of organizations were confronted with at least one ransomware incident over the past 12 months[4].

APTs: 65% of survey respondents in the financial services industry had an APT-related incident over the past 12 months[5].

Bottom line: By focusing on known threats, organizations can build the foundation for a comprehensive cyberdefense.

The mainstreaming of cybercrime makes it difficult for organizations to stay ahead of the bad actors. A robust black market exists on the Dark Web for attack techniques, tools, and stolen data, providing easy access to anyone who wants to wreak havoc on poorly protected systems.

The result is a tsunami of known threats. In the United Kingdom, cyber-enabled fraud and computer misuse surpassed all other crimes in the region in 2015, measured by the number of incidents and victims[6]. Some experts believe the problem is even worse in the United States, with one estimating that cybercrime in the U.S. is larger than the narcotics trafficking industry[7].

The exclusive AT&T Market Pulse: The Global State of Cybersecurity survey found that 90% of U.S. organizations experienced at least one malware-related incident over the previous 12 months, with 58% acknowledging occasional or frequent malware threats. Nearly three-quarters of respondents reported at least one incident involving unauthorized access to corporate data and at least one denial-of-service (DoS) incident.

These frequent attacks underscore the fact that cybercrime has become a global business. The prevalence of malware attacks was consistent across survey respondents in the U.S., Europe/Middle East (EMEA), and Asia-Pacific (APAC) regions. APAC companies experienced higher rates of unauthorized access to corporate data and DoS attacks than their counterparts in other regions.

Just as troubling is that existing methods aren’t catching all of the successful attacks. In our survey, 25% of organizations that had suffered a data breach were notified of the incident by law enforcement, and 21% were notified by customers. Across all organizations, the impact of the worst data breach suffered averaged 6 on a 10-point scale, where 10 is the most severe. Impacts of successful attacks included downtime (46%), loss of revenue (28%), reputational damage (26%), and loss of customers (22%).

Let’s take a look at some of the more widely known, yet persistent threats — and what you can do to help reduce your exposure.

How data breaches are discovered

Organizations that suffered a recent data breach were notified by a variety of stakeholders

80% of organizations had at least one threat caused by an insider over the past 12 months

Malware

We’re far removed from the creation of malware in the 1970s as an intellectual exercise by early software coders. Malware evolved further during the 1990s into a prankster’s tool for displaying splash screens with scrambled code or laughing skulls. Today it has gone mainstream, with creators selling their products to a broad and eager customer base that ranges from nation states to hacktivists. Luckily, most malware variants are known — meaning the majority of attacks can be blocked with appropriate safeguards in place.

Cybercriminals are certainly taking advantage of this sophisticated tool chest. Members of a Russian cybercriminal gang were arrested in the spring of 2016, accused of stealing $45 million from banks and other institutions. The gang operated by depositing a sophisticated type of malware called Lurk, first seen in 2011, on legitimate web servers. Once the websites were compromised, anyone visiting the site became infected with the Trojan malware[8].

A growing stockpile of known malware, worms, and viruses is overwhelming organizations. The volume of unsolicited emails with detected malicious attachments increased 300% from the first quarter of 2015 to the same period in 2016[9]. Depending on the day of the week, AT&T intercepts anywhere from a few thousand to more than 2.5 million malicious messages daily. For example, AT&T logged a seven-fold spike in ransomware and information-stealing Trojans over a two-month period in mid-2016. Malicious messages trended upward from approximately 250,000 on July 1 to 1.75 million on Aug. 30.

Malware is like any other software, with developers seeking to continually improve its functionality. As organizations adopt new defensive measures, malware creators respond with their own innovations and then release those new variations for anyone to purchase.

300% increase in malicious email attachments from 2015 to 2016

For example, a malware strain called Angler (first seen in 2013) was previously the world’s most popular exploit kit, but criminals have recently shifted to Neutrino (discovered in 2013) following a cybercrime bust by Russian authorities. Available on the black market, Neutrino can deliver different payloads to victims based on specific data points such as geolocation, browser platform, and operating system[10].

Attackers are also evolving their methods by creating malicious macros with complex code to evade traditional malware detection methods. Once enabled by an unsuspecting user, the macros examine a system’s list of recently opened files to determine whether the machine is a worthwhile target before delivering malware or ransomware.

Malware business models are built on casting a broad net to compromise as many computers as possible. That makes every organization a potential malware target, though smaller businesses with limited IT and cybersecurity resources are more susceptible to a successful attack.

Some of the most common pathways for malware payloads rely on poor security practices among employees, vendors, or contractors who are authorized to access internal systems. Eighty percent of organizations in our survey experienced at least one threat over the past 12 months that was attributed to an insider. These insiders may have an axe to grind, but more likely they unwittingly exposed a digital door to malicious code by opening an infected email or downloading unauthorized software from the internet.

“Generally, 25% to 30% of employees still click on suspect links,” says Brian Rexroad, executive director of Technology Security at AT&T.

Ransomware

Ransomware has joined the list of known threats, as attacks have soared in the last year[11]. Over the summer, ransomware attacks against AT&T clients were trending above 30%, but dropped significantly in August. Clearly, this threat has developed into a volatile issue over the past year, with organizations of all sizes vulnerable to attack.

Ransomware is a volume-based business: this particularly destructive type of malware targets individual users and organizations with demands for relatively small payments. But those ransoms add up: This form of digital extortion is estimated to become a billion-dollar business in 2016[12].

Historically, cybercriminals have targeted high-value assets such as credit cards, Social Security numbers, and business plans. Ransomware, by contrast, profits by digitally hijacking assets that may have little value outside of the organization. With ransomware, criminals use malicious code to block access to files, folders, or servers until a fee is paid for a decryption key.

In the AT&T survey, 63% of all U.S., EMEA, and APAC organizations were confronted with at least one ransomware incident over the past 12 months. Large U.S. enterprises with 5,000 or more employees were three times as likely as smaller organizations to be subject to ransomware attacks.

While the ransomware concept remains the same as when it first appeared on a floppy disk in the late 1980s, a variety of ransomware programs have been mainstreamed, with new or updated variants springing up regularly on Dark Web marketplaces. For example, Bart is a ransomware variant that targets business-related document formats, personal files including images and videos, and software source code files for encryption. Bart adds the files to a password-protected ZIP archive, making it easier to encrypt files on victims’ computers[13].

63% of U.S., EMEA, and APAC organizations had a ransomware incident in the last 12 months

In addition, the ransomware Locky evolved yet again over the summer to make it even more difficult to detect[14]. Given that Locky is often delivered in socially engineered emails containing malicious ZIP attachments, improved spam-blocking techniques reduce the likelihood that it can breach your defenses. As with many known ransomware variants, restricting administrative privileges on computers acts as an effective deterrent, while regularly backing up data allows recovery if the ransomware evades your malware detection tools.
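As an added illustration of the attachment screening described above (example code written for this page, not AT&T tooling), the following Python parses an inbound message, finds ZIP attachments, and returns reasons to hold the message when an archive member is a script or executable or is password-protected and therefore cannot be scanned. The suffix list and the sample "invoice" message are constructed assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Member types that make a mailed ZIP look like a script or executable dropper.
# This list is an assumption for the example, not a rule from the report.
RISKY_SUFFIXES = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                  ".exe", ".scr", ".cmd", ".bat", ".ps1")


def inspect_zip(data: bytes) -> List[str]:
    """Return reasons to hold a ZIP attachment; an empty list means none were found."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # flag_bits bit 0 set means the member is encrypted and cannot be scanned
                if info.flag_bits & 0x1:
                    reasons.append(f"encrypted member: {info.filename}")
                if info.filename.lower().endswith(RISKY_SUFFIXES):
                    reasons.append(f"script/executable member: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("attachment is not a valid ZIP")
    return reasons


def triage_message(raw: bytes) -> List[str]:
    """Parse a raw RFC 822 message and report every ZIP attachment worth holding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        is_zip = fname.lower().endswith(".zip") or part.get_content_type() in (
            "application/zip", "application/x-zip-compressed")
        if not is_zip:
            continue
        for reason in inspect_zip(part.get_payload(decode=True)):
            findings.append(f"{fname}: {reason}")
    return findings


def build_sample(member_name: str) -> bytes:
    """Constructed test mail: an 'invoice' carrying a ZIP with one member of the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "placeholder content, not a real file\n")
    msg = EmailMessage()
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Running `triage_message(build_sample("invoice.js"))` yields one finding, while the same mail carrying `invoice.pdf` yields none; a held message should still go to a sandbox or analyst rather than being judged by suffix alone.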

Advanced Persistent Threats (APTs)

Attackers’ ability to operate in stealth mode is becoming commonplace — and should serve as a wake-up call to security teams. The disclosure by the Democratic National Committee (DNC) in June 2016 that attackers had operated for months, undetected, within their computer systems injected a troubling twist into the U.S. presidential election. The attackers — reported to be two known Russian espionage groups — allegedly tunneled into the DNC’s systems using a spear phishing technique, stealing emails, opposition research, and donor information[15]. It was the latest chilling example of an APT, and it raises the question: What cyberthreats are lurking in your organization?

“I think most security people would admit that if a motivated APT actor wants to get a foothold in your company, they will be able to do so eventually,” says John Hogoboom, technical staff lead for the Chief Security Organization at AT&T. “The hope is to be able to detect APTs rapidly through threat analysis and to minimize their persistence and impact to business.” Sectors that AT&T frequently sees targeted include government agencies, aerospace and defense, telecommunications, energy, electronics, law, international policy, and humanitarian organizations.

In our survey, 65% of respondents in the financial services sector experienced more than one APT-related issue; among technology companies the figure was 69%. On a regional level, 69% of U.S., 66% of EMEA, and 70% of APAC organizations had an APT attack in the past 12 months.

APTs are among the most sophisticated forms of cyberattacks, with the ability to run undetected for weeks, months, or even years. The earliest APT attacks — dating back decades — targeted military and defense contractors. U.S. businesses became aware of APTs within the past 10 years or so, when some countries began using them to steal intellectual property.

Today, many APT attacks may still be traced to nation states engaging in cyberespionage or — more recently — political mischief. In addition, cybercriminals have adopted APT techniques to steal money, credit card data, or intellectual property. For this reason, while the defense industry remains a prime target, organizations in any industry must be wary of the APT threat. Cybercriminals are also increasingly repurposing off-the-shelf malware rather than building their own[16], a further indication that APTs are becoming more mainstream.

Know the term:

APT (Advanced Persistent Threat)

A targeted attack that penetrates a network without detection and maintains access for a period of time, all while monitoring information or stealing resources. APTs may continue for years.

APT attackers breach an organization’s defenses with malware, stolen credentials, or some other means. Once inside, the attackers lie low and avoid detection as they move throughout the network. Their aim: discovery of servers with valuable information, followed by theft of the data. APTs can become even more elusive when they install a second piece of malware that can continue the attack if the initial intrusion is detected.

Unlike other types of cyberbreaches, which demand an immediate response, APTs call for a different kind of action to limit their potentially devastating effects. Once an APT is detected, quietly determining its full extent before taking steps to eradicate it may help foil the launch of a second malware payload. “Don’t let them know that you know,” says Hogoboom.

Defending against APTs: A multilayered approach

Distributed Denial of Service (DDoS)

The first documented denial-of-service attack over the internet occurred in February 2000, when a 15-year-old Canadian hacker launched a series of strikes against Amazon, eBay, and other e-commerce sites[17]. This was the dawn of DDoS, in which attackers enlist dozens, hundreds, or thousands of compromised machines that collectively overwhelm the websites of targeted victims with traffic.

DDoS attacks have since become common, with 73% of global survey respondents reporting at least one DDoS-related issue in the past year.

Compared to respondents in the U.S., those in APAC were 15% more likely to have been attacked. But in all regions, there seems to be little slowdown in the number of DDoS attacks. Since 2013, AT&T has logged constant DDoS attack attempts on its clients (see “What does DDoS extortion look like?”).

This proliferation is due, in part, to the relative ease of launching DDoS attacks. Hackers have published DDoS kits that anyone can download to craft and mount an attack — even high school students who use them to shut down their schools’ websites or cripple online operations such as taking attendance, distributing grades, or administering tests[18]. AT&T has logged a 22% increase in DDoS attacks against schools since 2014. For one school district, AT&T recorded 30 attacks for the 2015-2016 school year.

While any type of organization can fall victim to these attacks, those engaged in divisive industries or activities, ranging from genetic engineering to politics, are perennial targets of hacktivist groups. In the financial services sector, for example, 82% of respondents in the AT&T survey have experienced at least one incident, with 47% experiencing multiple attacks. Since 2013, the financial sector has accounted for 39% of all DDoS attacks mitigated by AT&T.

APAC organizations were 15% more likely than U.S. organizations to have had a DDoS attack in the past 12 months

DDoS attack vectors have evolved as organizations mount defenses against known methods. One increasingly popular technique is to abuse communications protocols whose servers answer small requests with much larger responses, turning those servers into amplifiers that multiply the volume of the attack.

What does DDoS extortion look like?

The prospect of having your digital assets held hostage can strike panic at almost every level of an organization — from IT administrators and managers to executives and board members. Digital extortion can take many forms, including ransomware and DDoS attacks that block access to websites. In addition to a strict payment timetable, cyberattackers using one of these methods often insist on payment in bitcoins — a form of digital currency — for the anonymity of everyone involved in the transaction. Bitcoin’s value can fluctuate greatly; as of September 1, its value was $571.

How are these demands delivered? Here’s an excerpt from an actual email received by an organization that wishes to remain anonymous.


Please forward this email to someone in your company who is allowed to make important decisions!

We have chosen your company as a target for our next DDoS attack.

All of your servers will be subject to a DDoS attack starting Friday.

Right now we are running a small 1 hour demo attack to prove that this is not a hoax.

What does this mean? This means that your website and other connected services will be unavailable for everyone; during the downtime, you will not be able to generate any sales. Please also note that this will severely damage your reputation among your users / customers as well as strongly hurt your Google rankings (worst case = your website will get de-indexed).

How do I stop this? We are willing to refrain from attacking your servers for a small fee. The current fee is 15 Bitcoins (BTC). The fee will increase by 15 Bitcoins for each day that has passed without payment.

What if I don’t pay? If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no countermeasure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation among Google and your customers and make sure your website will remain offline until you pay.

Do not reply to this email — don’t try to reason or negotiate — we will not read any replies. Once you have paid we won’t start the attack, and you will never hear from us again!

Please note that Bitcoin is anonymous, and no one will find out that you have complied.


The story of this extortion attempt had a happy ending. By teaming up with AT&T services, the organization was prepared for just such an attack and able to completely block the effects of the attacker’s threats.

Fighting the knowns

A few high-profile breaches — from ransomware attacks on hospitals to leaked emails from the DNC — obscure the real challenge for most organizations: The vast majority of threats are known, but organizations continue to be vulnerable because of poor practices (see “Preparing for the knowns”). To help protect your organization against mainstream attacks, these components of a multilayered approach are particularly important:

  • Consistently back up data and store it offline.
  • Conduct employee awareness training focused on the types of emails and other methods that are used to distribute malware.
  • Update software with patches as they become available.
  • Deploy firewalls and other security solutions across every endpoint to help reduce vulnerabilities.