`ENISA Threat Landscape Report 2018
`15 Top Cyberthreats and Trends
`
`FINAL VERSION
`
`1.0
`
`ETL 2018
`
`JANUARY 2019
`
`www.enisa.europa.eu
`
`European Union Agency For Network and Information Security
WIZ, Inc. EXHIBIT - 1026
WIZ, Inc. v. Orca Security LTD. - IPR2024-00220
`
`About ENISA
`
The European Union Agency for Network and Information Security (ENISA) is a centre of network and
information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA
works with these groups to develop advice and recommendations on good practice in information security. It
assists EU member states in implementing relevant EU legislation and works to improve the resilience of
Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU
member states by supporting the development of cross-border communities committed to improving network
and information security throughout the EU. More information about ENISA and its work can be found at
www.enisa.europa.eu.
`
`Contributors
`Andreas Sfakianakis, Christos Douligeris, Louis Marinos (ENISA), Marco Lourenco (ENISA), and Omid Raghimi.
`
`Editors
Louis Marinos (ENISA) and Marco Lourenco (ENISA).
`
`Contact
`For queries on this paper, please use enisa.threat.information@enisa.europa.eu
`For media enquiries about this paper, please use press@enisa.europa.eu.
`
`Acknowledgements
`ENISA would like to thank the members of the ENISA ETL Stakeholder group: Pierluigi Paganini, Chief Security
`Information Officer, IT, Paul Samwel, Banking, NL, Jason Finlayson, Consulting, IR, Stavros Lingris, CERT-EU, Jart
`Armin, Worldwide coalitions/Initiatives, International, Thomas Haberlen, Member State, DE, Neil Thacker,
`Consulting, UK, Shin Adachi, Security Analyst, US, R. Jane Ginn, Consulting, US, Andreas Sfakianakis, Industry, NL,
`Thomas Hemker, Industry, DE. The group has provided valuable input, has supported the ENISA threat analysis and
`has reviewed ENISA material. Their support is highly appreciated and has definitely contributed to the quality of the
`material presented in this report. Moreover, we would like to thank CYjAX for granting access pro bono to its cyber
`risk intelligence portal providing information on cyberthreats and cyber-crime.
`
`Legal notice
Notice must be taken that this publication represents the views and interpretations of ENISA, unless stated
otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless
adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent
state-of-the-art and ENISA may update it from time to time.
`
`Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources
`including external websites referenced in this publication.
`
`This publication is intended for information purposes only. It must be accessible free of charge. Neither
`ENISA nor any person acting on its behalf is responsible for the use that might be made of the information
`contained in this publication.
`
`Copyright Notice
`© European Union Agency for Network and Information Security (ENISA), 2019
`Reproduction is authorised provided the source is acknowledged.
`
`ISBN 978-92-9204-286-8, ISSN 2363-3050, DOI 10.2824/622757
`
Table of Contents

1. Introduction  10
  1.1 Policy context  11
  1.2 Target audience  12
  1.3 Structure of the document  13
2. Cyberthreat Intelligence and ETL  14
  2.1 Cyberthreat Intelligence: State of Play  14
  2.2 Cyberthreat Intelligence Maturity Model  18
3. Top Cyberthreats  24
  3.1 Malware  26
    3.1.1 Description of the cyberthreat  26
    3.1.2 Interesting points  26
    3.1.3 Trends and main statistics  29
    3.1.4 Top malware families by type  30
    3.1.5 Specific attack vectors  31
    3.1.6 Specific mitigation actions
    3.1.7 Kill Chain  32
    3.1.8 Authoritative references  32
  3.2 Web Based Attacks  33
    3.2.1 Description of the cyberthreat  33
    3.2.2 Interesting points  33
    3.2.3 Trends and main statistics  34
    3.2.4 Specific attack vectors  35
    3.2.5 Specific mitigation actions  36
    3.2.6 Kill Chain  36
    3.2.7 Authoritative references  36
  3.3 Web Application Attacks  37
    3.3.1 Description of the cyberthreat  37
    3.3.2 Interesting points  37
    3.3.3 Trends and main statistics  38
    3.3.4 Top Web Application Attacks  39
    3.3.5 Specific mitigation actions  39
    3.3.6 Kill Chain  40
    3.3.7 Authoritative references  40
  3.4 Phishing  40
    3.4.1 Description of the cyberthreat  40
    3.4.2 Interesting points  40
    3.4.3 Trends and main statistics  43
    3.4.4 Top Phishing Themes  44
    3.4.5 Specific mitigation actions  45
    3.4.6 Kill Chain  46
    3.4.7 Authoritative references  46
  3.5 Denial of Service  47
    3.5.1 Description of the cyberthreat  47
    3.5.2 Interesting points  47
    3.5.3 Trends and main statistics  49
    3.5.4 Top 5 DDoS attacks  51
    3.5.5 Specific attack vectors  51
    3.5.6 Specific mitigation actions  52
    3.5.7 Kill Chain  53
    3.5.8 Authoritative references  53
  3.6 Spam  54
    3.6.1 Description of the cyberthreat  54
    3.6.2 Interesting points  54
    3.6.3 Trends and main statistics  56
    3.6.4 Top Spam sources  57
    3.6.5 Specific mitigation actions  57
    3.6.6 Kill Chain  58
    3.6.7 Authoritative references  58
  3.7 Botnets  59
    3.7.1 Description of the cyberthreat  59
    3.7.2 Interesting points  59
    3.7.3 Trends and main statistics  61
    3.7.4 Top Botnet Attacks  62
    3.7.5 Specific attack vectors  62
    3.7.6 Specific mitigation actions  62
    3.7.7 Kill Chain  63
    3.7.8 Authoritative references  63
  3.8 Data Breaches  64
    3.8.1 Description of the cyberthreat  64
    3.8.2 Interesting points  64
    3.8.3 Trends and main statistics  65
    3.8.4 Top Data Breaches  66
    3.8.5 Specific attack vectors  67
    3.8.6 Specific mitigation actions  67
    3.8.7 Kill Chain  68
    3.8.8 Authoritative references  68
  3.9 Insider threat  69
    3.9.1 Description of the cyberthreat  69
    3.9.2 Interesting points  69
    3.9.3 Trends and main statistics  69
    3.9.4 Top IT and other assets vulnerable to insider attacks  70
    3.9.5 Specific attack vectors  71
    3.9.6 Specific mitigation actions  72
    3.9.7 Kill Chain  73
    3.9.8 Authoritative references  73
  3.10 Physical manipulation/damage/theft/loss  74
    3.10.1 Description of the cyberthreat  74
    3.10.2 Interesting points  74
    3.10.3 Trends and main statistics  76
    3.10.4 Specific mitigation actions  77
    3.10.5 Kill Chain  77
    3.10.6 Authoritative references  78
  3.11 Information Leakage  79
    3.11.1 Description of the cyberthreat  79
    3.11.2 Interesting points  80
    3.11.3 Trends and main statistics  81
    3.11.4 Top data leaks incidents  82
    3.11.5 Specific attack vectors  83
    3.11.6 Specific mitigation actions  83
    3.11.7 Kill Chain  84
    3.11.8 Authoritative references  84
  3.12 Identity Theft  85
    3.12.1 Description of the cyberthreat  85
    3.12.2 Interesting points  86
    3.12.3 Trends and main statistics  87
    3.12.4 Top identity theft threats  88
    3.12.5 Specific attack vectors  89
    3.12.6 Specific mitigation actions  90
    3.12.7 Kill Chain  91
    3.12.8 Authoritative references  91
  3.13 Cryptojacking  92
    3.13.1 Description of the cyberthreat  92
    3.13.2 Interesting points  92
    3.13.3 Trends and main statistics  96
    3.13.4 Top 5 cryptojacking threats  97
    3.13.5 Specific attack vectors  97
    3.13.6 Specific mitigation actions  99
    3.13.7 Kill Chain  99
    3.13.8 Authoritative references  99
  3.14 Ransomware  100
    3.14.1 Description of the cyberthreat  100
    3.14.2 Interesting points  100
    3.14.3 Trends and main statistics  101
    3.14.4 Top ransomware threats  103
    3.14.5 Specific attack vectors  105
    3.14.6 Specific mitigation actions  105
    3.14.7 Kill Chain  106
    3.14.8 Authoritative references  106
  3.15 Cyber Espionage  107
    3.15.1 Description of the cyberthreat  107
    3.15.2 Interesting points  107
    3.15.3 Trends and main statistics  109
    3.15.4 Top cyberespionage attacks  110
    3.15.5 Specific attack vectors  113
    3.15.6 Specific mitigation actions  113
    3.15.7 Kill Chain  113
    3.15.8 Authoritative references  114
  3.16 Visualising changes in the current threat landscape  115
4. Threat Agents  116
  4.1 Threat agents and trends  116
  4.2 Top threat agents and motives  118
  4.3 Threat Agents and top threats  123
5. Attack Vectors  125
  5.1 Attack vectors taxonomy for this year’s threat landscape  125
  5.2 Misinformation/Disinformation  126
  5.3 Web and browser based attack vectors  128
  5.4 Fileless or memory-based attacks  129
  5.5 Multi-staged and modular threats  130
6. Conclusions  133
  6.1 Main CTI-related cyber-issues ahead  133
  6.2 Conclusions and recommendations for this year’s ETL report  136
`Executive Summary
`
`
2018 was a year that brought significant changes to the cyberthreat landscape. These changes stemmed
from discrete developments in the motives and tactics of the most important threat agent groups, namely
cyber-criminals and state-sponsored actors. Monetization motives have contributed to the appearance of
crypto-miners in the top 15 threats. State-sponsored activities have led to the assumption that there is a
shift away from the use of complex malicious software and infrastructures and towards low-profile social
engineering attacks. These developments are the subject of this threat landscape report.
`
Developments have been achieved on the side of defenders too. Through the emergence of active
defence, threat agent profiling has led to a more efficient identification of attack practices and malicious
artefacts, leading in turn to more efficient defence techniques and higher attribution rates. Initial successes
through the combination of cyberthreat intelligence (CTI) and traditional intelligence have been achieved.
This is a clear indication of the need to open cyberthreat intelligence to other related disciplines with
the aim of increasing the quality of assessments and attribution. Finally, defenders have increased the levels of
training to compensate for the skill shortage in the area of cyberthreat intelligence. The vivid interest of
stakeholders in such trainings is a clear indicator of their appetite for building capabilities and skills.
`
Recent political activities have underlined the emergence of various, quite novel developments in the
perceived role of cyberspace for society and national security. Cyber-diplomacy, cyber-defence and cyber-
war regulation have dominated the headlines. These developments, when transposed into actions, are
expected to bring new requirements and new use cases for cyberthreat intelligence. Equally, through
these developments, existing structures and processes in the area of cyberspace governance will undergo
a considerable revision. These changes will affect international, European and Member State bodies. It is
expected that threat actors are going to adapt their activities to these changes, thus affecting the
cyberthreat landscape in the years to come.
`
In summary, the main trends in the 2018 cyberthreat landscape are:

• Mail and phishing messages have become the primary malware infection vector.
• Exploit Kits have lost their importance in the cyberthreat landscape.
• Cryptominers have become an important monetization vector for cyber-criminals.
• State-sponsored agents increasingly target banks by using attack-vectors utilised in cyber-crime.
• Skill and capability building are the main focus of defenders. Public organisations struggle with staff
  retention due to strong competition with industry in attracting cybersecurity talents.
• The technical orientation of most cyberthreat intelligence produced is considered an obstacle towards
  awareness raising at the level of security and executive management.
• Cyberthreat intelligence needs to respond to increasingly automated attacks through novel
  approaches to the utilization of automated tools and skills.
• The emergence of IoT environments will remain a concern due to missing protection mechanisms in
  low-end IoT devices and services. The need for generic IoT protection architectures/good practices
  will remain pressing.
• The absence of cyberthreat intelligence solutions for low-capability organisations/end-users needs to
  be addressed by vendors and governments.
`
All these trends are included in the content of the ENISA Threat Landscape 2018 (ETL 2018). The identified
open issues build on these trends and propose actions to be taken in the areas of policy, business and
research/education. They serve as recommendations and will be taken into account in the future
activities of ENISA and its stakeholders. An overview of the identified points is as follows:
`
Policy conclusions:

• The EU will need to develop capabilities (human and technical) to address the needs for CTI
  knowledge management. EU Member States are requested to introduce measures to increase their
  independence from currently available CTI sources (mostly from outside the EU) and to enhance the
  quality of CTI by adding a European context.

• As CTI is perceived as a public good, capabilities will be required to offer “baseline CTI” to all
  interested organisations. EU governments and public administrations are requested to share
  “baseline CTI”, covering the sectorial and low-maturity needs of organisations.

• Regulatory barriers to collecting CTI exist and should be removed. Coordinated efforts among EU
  Member States are required in the collection and analysis of CTI, as a crucial activity in the
  implementation of proper defence strategies.
`
Business conclusions:

• Businesses will need to work towards making CTI available to a large number of stakeholders, with a
  focus on those that lack technical knowledge. The security software industry needs to research and
  develop solutions using automation and knowledge engineering, helping end-users and organisations
  to mitigate most of the low-end automated cyberthreats with minimum human intervention.

• Businesses will need to take into account emerging supply chain threats and risks. The technology
  industry needs to introduce qualitative measures into its production processes, perform end-to-end
  security assessments and adhere to certification schemes.

• Businesses will need to bridge the gap in security knowledge between the operated services and the
  end-users of those services. The consumption of CTI knowledge is a major step towards achieving this goal.
`
Technical/research/educational conclusions:

• The ingestion of CTI knowledge needs to be enlarged to include accurate information on incidents and
  information from related disciplines. CTI vendors and researchers have to find ways to enlarge the
  scope of CTI while reducing the necessary manual activities.

• CTI knowledge management needs to be the subject of standardisation efforts. Of particular
  importance are the development of standard vocabularies, standard attack repositories, automated
  information collection methods and knowledge management processes.

• Research needs to be conducted to better understand attack practices, malware evolution, malicious
  infrastructure evolution and threat agent profiling. Advances in those areas may significantly reduce
  exposure to cyberthreats and advance CTI practices.

• Many more training offerings need to be developed in order to satisfy the current market needs in CTI
  training.
`
In the last chapter of this document (see chapter 6), a number of important issues leading to the above
conclusions are discussed in more detail. Readers are invited to consider these issues, assess their
relevance by reflecting them against their own situation, and elaborate on them accordingly.
`
`The figure below summarizes the top 15 cyberthreats and trends in comparison to the landscape of 2017.
`
Rank  Top Threats 2018                           Top Threats 2017                           Change in ranking (2018 vs 2017)
1     Malware                                    Malware                                    Same
2     Web Based Attacks                          Web Based Attacks                          Same
3     Web Application Attacks                    Web Application Attacks                    Same
4     Phishing                                   Phishing                                   Same
5     Denial of Service                          Spam                                       Going up
6     Spam                                       Denial of Service                          Going down
7     Botnets                                    Ransomware                                 Going up
8     Data Breaches                              Botnets                                    Going up
9     Insider Threat                             Insider threat                             Same
10    Physical manipulation/damage/theft/loss    Physical manipulation/damage/theft/loss    Same
11    Information Leakage                        Data Breaches                              Going up
12    Identity Theft                             Identity Theft                             Same
13    Cryptojacking                              Information Leakage                        NEW
14    Ransomware                                 Exploit Kits                               Going down
15    Cyber Espionage                            Cyber Espionage                            Same

Legend: Trends: Declining, Stable, Increasing. Ranking: Going up, Same, Going down, NEW.

Table 1 - Overview and comparison of the current threat landscape 2018 with the one of 2017

1. Introduction

`
This is the 2018 version of the ENISA Threat Landscape (ETL 2018) yearly report. It is the seventh in a
series of ENISA reports analysing the state-of-the-art in cyberthreats based on open source material. This
report is the result of a one-year long collection, analysis and assessment activity of cyberthreat related
information found in the public domain. Moreover, it captures experience gained through interactions
with experts during various ENISA events on the topic of Cyberthreat Intelligence (CTI). The time span
of the ETL 2018 is ca. December 2017 to December 2018 and is referred to as the “reporting period”
throughout the report.

In essence, ETL 2018 has maintained the structure of the previous ETL by using the same template for the
description of the assessed cyberthreats.

As part of the annual improvement process, some adaptations have been applied to the ETL 2018. These
improvements, originating from discussions with internal/external experts, helped to increase the
efficiency in generating the report, collecting and disseminating the information and establishing better
coherence among a variety of ENISA materials on cyberthreats. As opposed to the ETL 2017, in 2018 these
advancements are merely content-oriented. Firstly, we included some work performed by ENISA in the
area of the CTI Maturity Model. Secondly, the assessment of threats has been brought onto a wider basis,
leveraging the contributions of additional experts who have supported the information collection and
the assessment exercise.

An additional step in advancing ETL 2018 has been the inclusion of CTI knowledge obtained within related
ENISA events. Both the ENISA - FORTH Summer School and the ENISA event on CTI (CTI EU) have
delivered valuable insights into the trends governing the current CTI state-of-the-art. This knowledge has
been integrated in this report by means of content related to the CTI State-of-Play, the assessed cyberthreats
and the conclusions drawn.

As channels for information collection, ENISA has used information provided by the MISP
platform, by CERT-EU, and also threat intelligence from the cyber-security portal CYjAX, access to which
was granted pro bono to ENISA. Confidential information found in these platforms has been taken into
account in our analysis without any disclosure of, or reference to, this material.
`
Finally, it is worth mentioning that in 2018 ENISA has advanced with an established liaison with the EU
agencies with cyber-security in their mandate. This involves the European Defence Agency (EDA), CERT-EU
and EC3. This has been implemented by means of discussions for a more enhanced cooperation among all
four organisations, on the basis of a Memorandum of Understanding that has been signed in the
reporting period.

https://www.enisa.europa.eu/news/enisa-news/enisa-report-the-2017-cyber-threat-landscape, accessed November 2018.
https://www.enisa.europa.eu/events/2018-cti-eu-event, accessed November 2018.
http://www.misp-project.org/, accessed November 2018.
https://cert.europa.eu/cert/plainedition/en/CERT_LatestNews.html, accessed November 2018.
https://www.cyjax.com/, accessed November 2018.
`
The links to these institutions already existed at a working level. ENISA has a tight cooperation with CERT-
EU in the area of threat information. This is implemented by means of mutual reviews of cyberthreat
assessments, use of CERT-EU services and intensive personal communication.

While a working relationship already exists with EC3 and EDA, this year the cooperation in the area of CTI has
advanced with the ENISA CTI EU event, which was commonly supported by all four institutions. In addition,
in 2018, ENISA has intensified its cooperation with the Commission services by engaging resources from
DG Connect and the European Security and Defence College within its CTI EU event.
`
1.1 Policy context
`
The Cyber Security Strategy of the EU underscores the importance of threat analysis and emerging trends
in cyber security. The ENISA Threat Landscape contributes towards the achievement of objectives
formulated in this strategy, in particular by contributing to the identification of emerging trends in
cyberthreats and understanding the evolution of cyber-crime (see 2.4 regarding the proposed role of ENISA).

Moreover, the ENISA Regulation mentions the need to analyse current and emerging risks (and their
components), stating: “the Agency, in cooperation with Member States and, as appropriate, with
statistical bodies and others, collects relevant information”. In particular, under Art. 3, Tasks, d), iii), the
new ENISA regulation states that ENISA should “enable effective responses to current and emerging
network and information security risks and threats”.

ETL 2018 also relates to the context of the NIS-Directive, as it contributes towards the provision of
cyberthreat knowledge needed for various purposes defined in the NIS-Directive (e.g. article 69).
Moreover, it comprises a comprehensive overview of cyberthreats and as such, it is a decision support
tool for EU Member States used in various tasks in the process of building cybersecurity capabilities.

Of particular interest is, however, the important role of threat landscaping and threat intelligence within
the proposed new ENISA regulation/ENISA mandate. Article 7.7 foresees that “The Agency shall prepare
a regular EU Cybersecurity Technical Situation Report on incidents and threats based on open source
information, its own analysis, and reports shared by, among others: Member States’ CSIRTs (on a
voluntary basis) or NIS Directive Single Points of Contact (in accordance with NIS Directive Article 14 (5));
European Cybercrime Centre (EC3) at Europol, CERT EU.” ENISA’s work in the area of threat analysis (as
exemplified by this report) largely satisfies this requirement, while articles 9 and 10 state the role of
emerging cyberthreats, both to perform long-term analysis and to feed research initiatives. Despite the fact
that this proposal may be modified during the review process, the role of threat analysis assigned by this
draft regulation is indicative of its future importance.
`

https://www.eda.europa.eu/docs/default-source/documents/mou---eda-enisa-cert-eu-ec3---23-05-18.pdf, accessed November 2018.
http://www.ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-open-internet-and-online-freedom-and-opportunity-cyber-security, accessed November 2018.
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:165:0041:0058:EN:PDF, accessed November 2018.
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN, accessed November 2018.
https://www.enisa.europa.eu/news/enisa-news/european-commission-proposal-on-a-regulation-on-the-future-of-enisa, accessed November 2018.

Concluding the entire policy context with regard to cybersecurity, one has to mention an announcement
of the Commission services that puts all cybersecurity related initiatives in the context of policy areas in the
EU space. Besides repeating some of the policy documents mentioned above, this source touches upon
domains that are related to cybersecurity, thus underlining the importance of understanding the emerging
threat landscape. Of particular interest are the developments in the area of cyber defence, being one of
the most dynamic ones in the current and forthcoming Commission activities.
`
1.2 Target audience

The information in this report has mainly strategic and tactical relevance of approximately one year. It is
directed at executives, security architects and security managers. Nonetheless, the information provided
is also of use to non-experts. For all these target groups, ENISA has developed a web application that will
facilitate the use of the ETL information.
`
Looking at the details provided by this report and the ETL in general, one can distinguish between the
following information types and target groups:

• The first part of the document, found in chapter 2, is a description of the current state-of-play in
  cyberthreat intelligence (CTI). It reflects discussions held in 2018 with the ENISA Threat
  Landscape Stakeholder Group (ETL SG) and within the ENISA event on Cyberthreat Intelligence in the
  EU (CTI EU). This information targets security professionals or scholars interested in open/emerging
  issues of CTI.

• The top cyberthreats may find a wider group of potential stakeholders who are interested in
  understanding the threat landscape in general or in deepening their understanding of particular
  threats and their aspects. Hence, decision makers, security architects, risk managers and auditors clearly
  belong to the target group. Scholars and end-users who wish to be informed about the whereabouts
  of various cyberthreats may find this material useful. Finally, ETL 2018 can be a useful tool for
  professionals of any speciality who are interested in understanding the state-of-play in the area of
  cyberthreats.
`
Besides the information on cyberthreats, ETL 2018 offers an overview of the entire cybersecurity
threat “ecosystem”, by covering the relationships of various objects, such as threat agents, trends and
mitigation controls. These interconnections make up the context of cyberthreats and can be used in
various other activities, such as any kind of security assessment, identification of protection needs or
categorization of assets.

Together with ETL 2018, interested readers may find a series of publications analysing cyberthreats based
on contemporary incidents. These reports are published as Cybersecurity Infonotes, issued on a regular
basis.
`

https://ec.europa.eu/digital-single-market/en/cyber-security, accessed November 2018.
https://www.consilium.europa.eu/en/press/press-releases/2018/11/19/cyber-defence-council-updates-policy-framework/, accessed November 2018.
https://www.cpni.gov.uk/documents/publications/2015/23-march-2015-mwr_threat_intelligence_whitepaper-2015.pdf?epslanguage=en-gb, accessed December 2017.
https://www.enisa.europa.eu/publications/info-notes#c5=2008&c5=2018&c5=false&c2=infonote_publication_date&reversed=on&b_start=0, accessed November 2018.

`
1.3 Structure of the document
`
`The structure of ETL 2018 is as follows:
`
`Chapter 2 “Cyberthreat Intelligence and ETL” provides an overview of recent developments in cyberthreat
`intelligence, positions the ETL and summarizes some cyberthreat intelligence issues that are seen as
`emerging.
`
`Chapter 3 “Top Cyberthreats” is the heart of the ENISA Threat Landscape. It provides the results of the
`yearly threat assessment for the top 15 cyberthreats.
`
`Chapter 4 “Threat Agents” is an overview of threat agents with short profiles and references to
`developments that have been observed for every threat agent group, in the reporting period.
`
`Chapter 5 “Attack Vectors” provides an overview of important attack vectors that have led to the most
`important incidents in 2018.
`
Chapter 6 “Conclusions” concludes this year’s ETL report. Synthesizing a generic view from the assessed
cyberthreats, it provides some policy, business and research recommendations.
`

2. Cyberthreat Intelligence and ETL

2.1 Cyberthreat Intelligence: State of Play

In 2018, Cyberthreat Intelligence (CTI) has continued improving with regard to good practices, tools,
training courses and standards. These developments are the response to an increasing demand for
contextualized and actionable information about threats. Just as in 2017, large organisations continue to
be the main customer base for CTI. It is worth mentioning that CTI has matured in concert with other
related cybersecurity disciplines, such as Security Operation Centres (SOC), threat hunting and Security
Information and Event Management (SIEM). Nevertheless, CTI experts worry about the differences
between the cycles of cybersecurity related processes. In particular, syncing CTI with Incident Management,
Vulnerability Management and Risk Management seems to be a necessity in order to keep the focus on
incidents that matter for the protection of the respective “crown jewels”.

Though higher maturity levels are gradually implemented in large organisations, experts argue about the
appropriateness of CTI in terms of a positive contribution to the enhancement of the level of defence.
The main concerns here are the increasingly technical nature of CTI, the variability between CTI and other
cybersecurity management disciplines in the organisation (e.g. Risk Management) and the potential
diversification of objectives among them. The shortage of CTI skills aggravates these deficiencies. The
immense interest of experts in CTI trainings is a clear indicator of the market need for CTI trainings.
Moreover, the adequacy of CTI for small and medium organisations is a valid concern among CTI experts.

Through the analysis of CTI publications, but also through a series of consultations with experts, ENISA
has identified the following topics as a summary of the current CTI state of play.
`
Some positive CTI developments:

• Pretty good information collection of publicly available CTI: information collection engines and tools
  exist, comprising comprehensive collections, in some cases grouped according to various threat/attack
  types.

• Good information sharing, especially for low confidentiality incidents/threats: there are already either
  ad-hoc or established CTI information sharing networks. Loosely coupled individuals and user
  groups establish repositories with CTI information for the most common threats.
`

https://www.enisa.europa.eu/events/2018-cti-eu-event, accessed November 2018.
https://www.darkreading.com/vulnerabilities---threats/5-reasons-why-threat-intelligence-doesnt-work/a/d-id/1333188?print=yes, accessed November 2018.
https://www.sans.org/reading-room/whitepapers/analyst/membership/38285, accessed November 2018.
https://nis-summer-school.enisa.europa.eu/, accessed November 2018.
https://www.researchgate.net/publication/323704364_ODNI_COMMON_CYBER_THREAT_FRAMEWORK_A_NEW_MODEL_IMPROVES_UNDERSTANDING_AND_COMMUNICATION,