M86 report proves water is wet
No disrespect toward M86 Security intended. I've used a lot of their research in the past and they are always a pleasure to work with. But the latest report they sent me represents a big problem I'm finding with these documents lately: They tell us nothing new. Therefore, they are not helpful.
These reports remind me of rock bands who put out three greatest hits albums where the artwork is different but the songs are always the same.
M86's latest takeaways read like the last 10 reports I've seen from 10 different vendors:
Key findings by the M86 Security Labs for the second half of 2011:
Critical national infrastructure is targeted: As targeted attacks become more sophisticated, cybercriminals are pursuing a wider range of organizations, including commercial, national critical infrastructure and military targets. Confirmed attacks in 2011 include RSA, Lockheed Martin and the Asia-Pacific Economic Cooperation (APEC). Dutch company DigiNotar, for example, detected an intrusion that resulted in the fraudulent issuance of hundreds of digital certificates for a number of domains, including Google, Yahoo, Facebook, the CIA, the British MI6 and the Israeli Mossad.
Stolen digital certificates are increasingly used in successful targeted attacks: Stealing or faking digital certificates has become an important component of a targeted attack. Digital certificates are used to confirm and assure a user that the downloaded application truly is from the trusted vendor. With the stolen certificates cybercriminals can distribute malware and sign it with a legitimate company certification, thus tricking users to confidently download the application.
The Blackhole exploit kit dominates the exploit kits market: In late 2011, Blackhole established itself as the most successful exploit kit. Its authors increased its update frequency and added new ways to evade detection, such as checking the software version on the client machine before attempting to exploit it.
The volume of malicious spam escalated in 2011: Though overall spam volume decreased as of December 2011, the proportion of malicious spam rose in the second half of the year from less than 1 percent to 5 percent, with a spike in malicious attachments occurring in August and September. As noted previously, there was a shift from malicious attachments to the use of embedded links to infected content later in the year.
Social media is a haven for fraudulent posts and scams: It is now mainstream practice for spammers to use bogus social media notifications to dupe users into clicking on infected links. Perhaps even more troubling is the success with which cybercriminals capitalize on user trust and familiarity to make Facebook, for example, a conduit for spam and malware propagation. Many of these campaigns are spread virally by enticing users to share posts for "rewards" or "gift cards" with their friends.
You can read the full report here and be your own judge.
So why pick on one vendor's report? Simple: It's the most recent one sent to me.
I think M86 outlines the threat landscape quite accurately. But since there's nothing new here, I find myself asking: "So what?"
With that kind of attitude, the least I can do is offer some specific ideas on how to make this a more useful exercise.
A couple of thoughts to start with:
--Instead of reports that offer a laundry list of the different threats, maybe we're better off with more documents that zero in on one specific problem area? For example, one report all about malicious spam or social media risks, with more emphasis on the things we can do to improve the situation. True, reports like that already exist. But more of those are better than more of these hodgepodge reports.
--Instead of reports that tell us what the bad guys are doing, why not -- since we already know what they're doing -- focus reports on the newest techniques for fighting back? Just dive right in on the latest tools and procedures that security practitioners are successfully concocting in the trenches? There are plenty of reports about tools and defenses that are based on what vendors A, B and C are selling. It's time to hear from the practitioners who aren't selling anything, but are laboring away like Scotty in "Star Trek," concocting ways to save his ship on the fly.
Some food for thought, anyway.