Follow the Money, Follow the Crime

Posted on 14-Sep-2014





Cyber crime is growing in both frequency and sophistication. We all know it is out there, but do we know what to look for? Do we know how to combat it? Arm yourself with the latest updates from the X-Force report on the security risks and trends seen today, and with the solutions from Trusteer, an IBM company, that help you stay one step ahead of cybercriminals. View the full on-demand webcast:


2013 Mid-Year X-Force Trend & Risk Report

Follow the Money, Follow the Crime

19 March 2014

IBM Security Systems, 2014 IBM Corporation

Agenda

IBM X-Force Threat Intelligence Quarterly, 1Q 2014
Michael Hamelin, Lead X-Force Security Architect, CTO Office, IBM Security Systems

Protecting Enterprise Endpoints against Advanced Malware with Trusteer Apex
Dana Tamir, Director of Enterprise Security, Trusteer, an IBM Company

Connect with IBM Security

Questions?

IBM X-Force Threat Intelligence Quarterly, 1Q 2014
Michael Hamelin, Lead X-Force Security Architect, CTO Office, IBM Security Systems

X-Force is the foundation for advanced security and threat research across the IBM Security Framework

Notes: Advanced Security and Threat Research, which includes the X-Force team, is the foundation for many of the pillars in the security product portfolio. As the team tasked with staying on top of the latest threats and vulnerabilities, the information it provides is a critical aspect of providing protection to the other parts of the framework.

At IBM, the world is our security lab

6,000+ IBM researchers, developers, and subject matter experts focused on security
3,000+ IBM security patents
Security Operations Centers; Security Research and Development Labs; Institute for Advanced Security branches

Notes: With more than 6,000 researchers, developers and subject matter experts engaged in security initiatives, IBM operates one of the world's broadest enterprise security research, development and delivery organizations. This powerful combination of expertise is made up of the award-winning X-Force research and development team, with one of the largest vulnerability databases in the industry, and includes nine security operations centers, nine IBM Research centers, 14 software security development labs and the IBM Institute for Advanced Security with chapters in the United States, Europe and the Asia Pacific region.

Security Operations Centers: Atlanta, Georgia; Boulder, Colorado; Brussels, Belgium; Tokyo, Japan; Brisbane, Australia; Hortolandia, Brazil; Bangalore, India; Wroclaw, Poland. (Slide revision note: remove Detroit, Michigan and Toronto, Canada; add Riyadh, Saudi Arabia and Heredia, Costa Rica.)

Security Research Centers: Yorktown Heights, NY; Atlanta, GA; Almaden, CA; Ottawa, Canada; Zurich, CH; Kassel, DE; Herzliya, IL; Haifa, IL; New Delhi, IN; Tokyo, JP

Security Development Labs: Littleton, MA; Raleigh, NC; Atlanta, GA; Austin, TX; Costa Mesa, CA; Fredericton, Canada; Toronto, CAN; Ottawa, CAN; Belfast, NIR; Delft, NL; Pune, IN; Bangalore, IN; Taipei, TW; Singapore, SG; Gold Coast, AU

Note: IBM patent search performed by Paul Landsberg, IBM IP Office

Collaborative IBM teams monitor and analyze the changing threat landscape

Coverage: 20,000+ devices under contract; 3,700+ managed clients worldwide; 15B+ events managed per day; 133 monitored countries (MSS); 1,000+ security-related patents

Depth: 17B analyzed web pages and images; 40M spam and phishing attacks; 76K documented vulnerabilities; billions of intrusion attempts daily; millions of unique malware samples

Notes: IBM X-Force has a long-standing history as one of the best-known commercial security research and development groups in the world. It can leverage security expertise across IBM to better understand what is happening in security, and it has numerous intelligence sources: a database of more than 76K security vulnerabilities monitored every day, a global web crawler, and international spam collectors. It works closely with the IBM Managed Security Services group, who monitor over 15B security events every day from nearly 4,000 security clients in over 133 countries. All of this is done to stay ahead of continuing threats for our customers.

Our global web crawler is probably the world's third largest, behind Google and Bing. It crawls the web, and we have analyzed and classified over 17B web pages. X-Force is particularly interested in files, images, or pages that contain malicious links or content. The team in Kassel, Germany, who builds our web crawler, also developed an anti-spam product. We have spam traps around the world and receive large amounts of spam so that we can analyze and understand the different types and preemptively block that spam. Our work covers four key areas: research, engines, content delivery, and industry and customer deliverables such as this X-Force report, blogs, articles, presentations and speaking engagements.

Attackers optimize and refine target selection

Notes: Attackers are optimizing their operations around many key initiatives, which include a path of least resistance to reach the largest number of potential targets for the minimal amount of exploit effort. For example, attackers are optimizing various points of weak entry:

- the exploitation of trust via social media;
- coordinated operations leaking user data, as well as exploiting weak entry points into global brands such as foreign local-language or franchise sites;
- mobile malware on Android devices as that market expands;
- takeover of central strategic targets to access and exploit a broader base of end users;
- diversion and distraction techniques that throw security administrators off the path while targets are breached under cover;
- cross-platform 0-days, which were an optimization story as well.

More than half a billion records of personally identifiable information (PII) were leaked in 2013

Notes: 2012 was a record year for reported data breaches and security incidents, with a 40 percent increase in total volume over 2011. In the first half of 2013, security incidents had already surpassed the total number reported in 2011 and were on track to surpass 2012. This year kicked off with a number of high-profile, sophisticated attacks on major websites, media, and tech companies.

What is the impact of a data breach, and where are customers most affected?

Notes: Figure 3 illustrates the possible financial impact of a data breach in terms of fines, loss of intellectual property, loss of customer trust, loss of capital, etc., that an organization of any size might face. Additionally, of the sampling of security incidents reported by X-Force in 2013, in terms of the country where the attack target was located, more than three quarters continue to occur in the United States. This could be because many websites are operated from the United States, or possibly because it is more common for U.S. companies and websites to disclose publicly.

Weaponized content focused on end-user apps

Notes: Attackers use spear-phishing messages to draw users to websites that contain hidden malicious Java applets (exploit sites). Once the user accesses the exploit site, the hidden Java applet exploits vulnerabilities to cause a chain of events that ends with the delivery of malware to the user's machine, without the user's awareness. Fifty percent (50%) of the exploits observed by X-Force malware research (Trusteer) in December 2013 targeted Java vulnerabilities, indicating that Java is a high-risk application and a top target, exposing organizations to attacks.

Attackers use exploit kits to deliver payloads

Blackhole Exploit Kit: most popular in 2013; creator arrested in October.
Styx Exploit Kit: rising in popularity; successful in exploiting IE and Firefox on Windows.

Effectively targeting end users

Watering hole: the attacker injects malware on a special-interest website; vulnerable niche users are exploited.
Malvertising: the attacker injects malware on an ad network; the malicious ad is embedded on legitimate websites; vulnerable users are exploited.

Web app vulnerabilities: the dominant threat

Production applications: developed in-house; acquired; off-the-shelf commercial apps. Applications in development: in-house development; outsourced development.

Notes (MH): maybe hint that we still didn't reach 10K vulnerabilities in a year, even though we modified the CVE number scheme to handle it; just thinking of interesting things to talk about.

The declines in vulnerabilities demonstrated at the end of 2013 in both XSS and SQL injection, shown in Figure 11, could indicate that developers are doing a better job at writing secure web applications, or possibly that traditional targets like content management systems (CMSs) and plug-ins are maturing as older vulnerabilities have been patched. As noted previously, XSS and SQL injection exploitation continue to be observed in high numbers, indicating there are still legacy systems or other unpatched web applications that remain vulnerable. This is expected, considering there are many thousands of blogs and other websites run by individuals who may not have the skills or awareness to update to later versions of their platform or framework.

Vulnerabilities designed to gain additional or unauthorized access

Exploitation: gain access. XSS typically attacks web apps.

Notes: The most prevalent consequence of vulnerability exploitation was "Gain Access", at 26% of all vulnerabilities reported in 2013. Cross-site scripting was the second most prevalent consequence, at 18%, and typically involves attacks against web applications.

Declines in key reporting: web app vulns

Could indicate: a better job at writing secure web applications; CMS systems and plug-ins maturing as older vulns are patched.
Attacks continue: XSS and SQLi exploitation still observed in high numbers.

Notes: Vulnerabilities in key reporting areas such as web application, cross-site scripting, and SQL injection all demonstrated downward trends in 2013. Overall, web application vulnerabilities accounted for 33 percent of those publicly reported, down from 43 percent in 2012. The possible reasons for the decline, and the continued exploitation of legacy and unpatched web applications, are as described under the previous slide.

Declines in key reporting: true exploits

Two categories tracked: proof-of-concept code; fully functional programs capable of attacks are "true exploits".
Continue to decrease: lowest levels we've seen in the past 5 years.

Notes: X-Force catalogs two categories of exploit: exploit and true exploit. Simple snippets with proof-of-concept code are counted as exploits, while fully functional programs capable of standalone attacks are categorized separately as true exploits. Publicly available and disclosed true exploits have continued to decrease over the past five years, to the lowest levels we've seen since 2006. At the end of 2012 we reported that total true exploits were still down overall, and at the end of 2013 we see this trend continue.

Protecting Enterprise Endpoints against Advanced Malware with Trusteer Apex
Dana Tamir, Director of Enterprise Security, Trusteer, an IBM Company

About Trusteer

APTs and targeted attacks

The tool of choice: exploits and advanced malware. The entry point: vulnerable user endpoints. The means: exploits, drive-by download, advanced malware, compromised credentials.

Vulnerability disclosures leveled out in 2013, but attackers have plenty of older, unpatched systems to exploit. 60% of the exploits target vulnerabilities that have been publicly known for over 12 months.

Notes: MH already talked about this. Unpatched vulnerabilities are a big problem. Did you know that 60% of exploits target 1-2-year-old vulnerabilities?

Do you patch applications? (Source: Ponemon)

The threat lifecycle

Exploit chain, then data exfiltration. The two places to break it: exploit chain disruption and data exfiltration prevention.

Controlling strategic chokepoints to break the threat lifecycle

Attack progression, with the number of types at each stage and the control traditionally applied there:

- Weaponized content: endless (IPS, sandbox)
- Unpatched and zero-day vulnerabilities: many (patching)
- Ways to deliver and infect: hundreds
- Malicious files: endless (AV, whitelisting)
- Ways to establish communication channels: hundreds
- Destinations: endless (C&C traffic detection)
- Malicious behavior: many (HIPS)

The first six stages make up the exploit chain; malicious behavior leads to data exfiltration. The slide marks two strategic chokepoints, the stages where the number of types is bounded ("many") rather than endless.

Trusteer Apex: 3 security layers

A few words about Java

A powerful yet dangerous application. Did you know that Java is installed on ~85% of desktop computers? (Google Analytics)

Combined with a presence in every enterprise, this makes Java the top target for exploits: explosive growth of Java vulnerabilities.

Notes: Java is a widely deployed, high-risk application that exposes organizations to advanced attacks. The number of Java vulnerabilities has continued to rise over the years, and 2013 was no exception. The number of reported Java vulnerabilities jumped significantly between 2012 and 2013, more than tripling.

Most successful Java exploits are applicative, exploiting vulnerabilities related to the Java security manager and bypassing native OS-level protections.

Applicative exploits: difficult to defend against; gain unrestricted privileges; bypass native OS-level protections.
Native exploits: buffer overflow; illegal memory use; use-after-free.

Notes: Java applicative exploits are more difficult to defend against because they allow the applet to gain unrestricted privileges, which makes malicious activities seem legitimate at the OS level. This means that, unlike native exploits, Java applicative exploits completely bypass native OS-level protections. Plus, Java applicative exploits don't generate buffer overflows, and hence are not prevented by methods such as DEP, ASLR, SEHOP and ot...
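The web application slides earlier in the deck (XSS and SQL injection still exploited in high numbers on unpatched, individually run sites) name the two bugs without showing what they look like in code. The following is an added example, not from the report or the webcast, written in Python against an in-memory SQLite table of constructed sample rows; the table, the rows and the function names are assumptions made for illustration. It places the string-built query and the unescaped HTML template beside their fixed forms so the same payloads can be run against both.

```python
import html
import sqlite3

# Constructed sample data (not taken from the report): a tiny "comments" table of
# the kind a small blog or CMS install keeps. The second body is an XSS probe.
SAMPLE_ROWS = [
    (1, "alice", "Nice post!"),
    (2, "bob", "<script>alert(1)</script>"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def comments_by_author_vulnerable(conn, author):
    """SQL injection: the request parameter is spliced into the query text, so a
    value such as  ' OR '1'='1  changes the WHERE clause instead of being matched."""
    sql = f"SELECT id, author, body FROM comments WHERE author = '{author}'"
    return conn.execute(sql).fetchall()


def comments_by_author_fixed(conn, author):
    """Parameterized query: the value travels separately from the SQL text, so the
    same payload is only ever compared against the author column as a string."""
    sql = "SELECT id, author, body FROM comments WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


def render_vulnerable(rows):
    """Stored XSS: comment bodies are interpolated into HTML unescaped, so a stored
    <script> tag is emitted verbatim and runs in every reader's browser."""
    return "".join(f"<li>{author}: {body}</li>" for _, author, body in rows)


def render_fixed(rows):
    """Output encoding: html.escape turns <, >, &, " and ' into entities, so the
    stored probe is displayed as text rather than parsed as markup."""
    return "".join(
        f"<li>{html.escape(author)}: {html.escape(body)}</li>"
        for _, author, body in rows
    )


if __name__ == "__main__":
    db = make_db()
    # Classic tautology payload and a comment-terminator payload (constructed).
    for payload in ("' OR '1'='1", "bob' --"):
        print(repr(payload))
        print("  vulnerable:", comments_by_author_vulnerable(db, payload))
        print("  fixed:     ", comments_by_author_fixed(db, payload))
    bob = comments_by_author_fixed(db, "bob")
    print("unescaped:", render_vulnerable(bob))
    print("escaped:  ", render_fixed(bob))
```

Run as a script it prints the tautology payload returning every row from the vulnerable lookup and nothing from the parameterized one, then the same stored comment rendered once as live markup and once as inert text. The fix in each case is the same shape: keep data out of the syntax channel (query text, HTML) rather than trying to filter the payloads.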