An analysis of exploit and malware traffic inside corporate networks found that social networks account for few attacks, while 97 percent of exploit traffic focused on 10 applications, nine of which were critical business applications.
The analysis of log data from 3,056 companies underscores that internal corporate applications, not multimedia and social-networking applications, are the focus of attackers, said Matt Keil, a senior research analyst with Palo Alto Networks, which compiled the report.
Attackers directed most of their malicious traffic at ports used for communication with Microsoft’s SQL and remote procedure calls (RPC), Web browsers and the Server Message Block (SMB) protocol, a common way of sharing access to file servers and printers, according to the report.
The other network and application access protocols include Active Directory, Domain Name System (DNS), Microsoft Office Communicator, Microsoft SQL Monitor and Session Initiation Protocol (SIP).
“When you compare social networking to the volume in the logs aimed at the internal applications … it indicates that security is somewhat crunchy on the outside and tender on the inside,” Keil said. “Somehow the exploits and malware are bypassing your perimeter security and targeting the business applications.”
The companies that took part in the survey contributed more than 260 million log entries detailing the communications of approximately 5,300 threats.
Each company had an average of 17 social networking, 19 file-sharing and 30 photo or video applications being used by employees. But attacks on those programs remained rare. Those types of programs accounted for a quarter of the applications whose communications were found in the log files and 20 percent of the bandwidth consumers. But they accounted for only 0.4 percent of all attack data in the logs.
Surveys have shown that IT managers worry about malware spreading through Facebook and other social applications. But Palo Alto’s data appears to show that such attacks are uncommon. Anecdotal evidence has supported both claims. In 2011, the Koobface worm stopped using Facebook to spread in 2011. However, Microsoft claimed the same year that phishing scams and adware had increasingly used social networks to spread.
More than 2,000 exploits targeted the applications internal to corporate networks. The lion’s share, however, were targeted at employees’ Web browsers. More than 1,550 different attack types focused on the browser, while the SMB file services ranked a distant second with 222 exploits.
“SQL databases, SMB file services, Active Directory and RPC all represent the soft underbelly of the corporate business infrastructure where the intellectual property, corporate information, credit card data, or perhaps social security numbers are stored,” the report stated.
About a tenth of all traffic on the network is considered unclassified or custom. While some malicious programs communicate with command-and-control servers using Web browsing or Domain Name System (DNS) queries, more than half use a custom UDP protocol, according to the Palo Alto report. The ZeroAcess botnet, Conficker, the Poison Ivy remote-access Trojan, and other malicious programs use custom communication protocols.
“The analysis clearly shows that customized or modified traffic is highly correlated with threats,” the company stated in the report. “This indicates that proactively controlling or blocking ‘unknown’ traffic could easily provide a powerful and untapped strategy for controlling modern threats.”