Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 64.6 million attack sensors and records thousands of events per second.

In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 47,662 recorded vulnerabilities (spanning more than two decades) from over 15,967 vendors representing over 40,006 products.

Spam, phishing and malware data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; Symantec.cloud and a number of other Symantec security technologies. Skeptic, the Symantec.cloud proprietary heuristic technology is able to detect new and sophisticated targeted threats before reaching customers’ networks. Over 8 billion email messages and more than 1.4 billion Web requests are processed each day across 15 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers.

These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future.

Symantec blocked more than 5.5 billion malicious attacks in 2011; an increase of more than 81% from the previous year. This increase was in large part a result of a surge in polymorphic malware attacks, particularly from those found in Web attack kits and socially engineered attacks using email-borne malware. Targeted attacks exploiting zero-day vulnerabilities were potentially the most insidious of these attacks. With a targeted attack, it is almost impossible to know when you are being targeted, as by their very nature they are designed to slip under the radar and evade detection. Unlike these chronic problems, targeted attacks, politically-motivated hacktivist attacks, data breaches and attacks on Certificate Authorities made the headlines in 2011.


Looking back at the year, we saw a number of broad trends, including (in roughly the order they are covered in the main report):

• Malicious attacks skyrocket by 81%
  In addition to the 81% surge in attacks, the number of unique malware variants also increased by 41% and the number of Web attacks blocked per day also increased dramatically, by 36%. Greater numbers of more widespread attacks employed advanced techniques, such as server-side polymorphism to colossal effect. This technique enables attackers to generate an almost unique version of their malware for each potential victim.
  
  At the same time, Spam levels fell considerably and the report shows a decrease in total new vulnerabilities discovered (-20%). These statistics compared to the continued growth in malware paint an interesting picture. Attacks are rising, but the number of new vulnerabilities is decreasing. Unfortunately, helped by toolkits, cyber criminals are able to efficiently use existing vulnerabilities. The decrease in Spam - another popular and well known attack vector did not impact the number of attacks. One reason is likely the vast adoption of social networks as a propagation vector. Today these sites attract millions of users and provide fertile ground for cyber criminals. The very nature of social networks make users feel that they are amongst friends and perhaps not at risk. Unfortunately, it’s exactly the opposite and attackers are turning to these sites to target new victims. Also, due to social engineering techniques and the viral nature social networks, it’s much easier for threats to spread from one person to the next.
  
  
• Cyber espionage and business: Targeted attacks target everyone
  We saw a rising tide of advanced targeted attacks in 2011 (94 per day on average at the end of November 2011). The report data also showed that targeted threats are not limited to the Enterprises and executive level personnel. 50% of attacks focused on companies with less than 2500 employees, and 18% of attacks were focused on organizations with less than 250 employees. It’s possible that smaller companies are now being targeted as a stepping stone to a larger organization because they may be in the partner ecosystem and less well-defended. Targeted attacks are a risk for businesses of all sizes – no one is immune to these attacks.
  
  In terms of people who are being targeted, it’s no longer only the CEOs and senior level staff. 58% of the attacks are going to people in other job functions such as Sales, HR, Executives Assistants, and Media/Public Relations. This could represent a trend in attackers focusing their attention on lower hanging fruit. If they cannot get to the CEOs and senior staff, they can get to other links inside the organizations. It is also interesting to note that these roles are highly public and also likely to receive a lot of attachments from outside sources. For example, an HR or recruiter staff member would regular receive and open CVs and other attachments from strangers.
  
  
• Mobile Phones under Attack
  Growth of mobile malware requires a large installed base to attack and a profit motive to drive it. According to the analyst firm, Gartner, smartphones and tablets began to outsell conventional PCs in 2011, with sales of smartphones predicted to reach 645 million by the end of 2012. And while profits remain lucrative in the PC space, mobile offers new opportunities to cybercriminals that potentially are more profitable. A stolen credit card made go for as little as USD 40-80 cents. Malware that sends premium SMS text messages can pay the author USD $9.99 for each text and for victims not watching their phone bill could pay off the cybercriminal countless times. With the number of vulnerabilities in the mobile space rising (a 93.3% increase over 2010) and malware authors not only reinventing existing malware for mobile devices but creating mobile specific malware geared to the unique the opportunities mobile present, 2011 was the first year that mobile malware presented a tangible threat to enterprises and consumers.
  
  Mobile also creates an urgent concern to organizations around the possibility of breaches. Given the intertwining of work and personal information on mobile devices the loss of confidential information presents a real risk to businesses. And unlike a desktop computer, or even a laptop, mobile devices are easily lost. Recent research by Symantec shows that 50% of lost phones will not be returned. And that for unprotected phones, 96% of lost phones will have the data on that phone breached.
  
  
• Certificate Authorities and Transport Layer Security (TLS) v1.0 are targeted as SSL use increases
  High-profile hacks of Certificate Authorities, providers of Secure Sockets layer (SSL) Certificates, threatened the systems that underpin trust in the internet itself. However, SSL technology wasn’t the weak link in the DigiNotar breach and other similar hacks; instead, these attacks highlighted the need for organizations in the Certificate Authority supply chain to harden their infrastructures and adopt stronger security procedures and policies. A malware dependent exploit concept against TLS 1.0 highlighted the need for the SSL ecosystem to upgrade to newer versions of TLS, such as TLS 1.2 or higher. Website owners recognized the need to adopt SSL more broadly to combat Man-In-The-Middle (MITM) attacks, notably for securing non-transactional pages, as exemplified by Facebook, Google, Microsoft, and Twitter adoption of Always On SSL.
  
  
• 232 million identities stolen
  More than 232.4 million identities were exposed overall during 2011. Although not the most frequent cause of data breaches, breaches caused by hacking attacks had the greatest impact and exposed more than 187.2 million identities, the greatest number for any type of breach in 2011, according to analysis from the Norton Cybercrime Index. The most frequent cause of data breaches (across all sectors) was theft or loss of a computer or other medium on which data is stored or transmitted, such as a USB key or a back-up medium. Theft or loss accounted for 34.3% of breaches that could lead to identities exposed.
  
  
• Botnet takedowns reduce spam volumes
  It isn’t all bad news; the overall volume of spam fell considerably in the year from 88.5% of all email in 2010 to 75.1% in 2011. This was largely thanks to law enforcement action which shut down Rustock, a massive, worldwide botnet that was responsible for sending out large amounts of spam. In 2010, Rustock was the largest spam-sending botnet in the world, and with its demise, rival botnets were seemingly unable or unwilling to take its place. At the same time, spammers are increasing their focus on social networking, URL shorteners and other technology to make spam-blocking harder.
  
  Taken together, these changes suggest that a growing number of untargeted but high-volume malware and spam attacks is matched by an increasingly sophisticated hard core of targeted attacks, advanced persistent threats and attacks on the infrastructure of the Internet itself. Organizations should take this message to heart. They need to be successful every time against criminals, hackers and spies. The bad guys only need to be lucky once.

Download PDF file of the Main Report which includes all the notable and important information on the 2011 threat landscape. The Main Report does not include the large appendices of supporting material. Download the Main Report [PDF, 5.6 MB]