2H 2013 Financial Institution Threat Report

By Grace Zeng, Security Researcher, SilverSky Labs and Andrew Jaquith, CTO and SVP Cloud Strategy, SilverSky

SilverSky, 440 Wheelers Farm Road, Suite 202, Milford CT 06461, silversky.com. © 2013 SilverSky



White Paper

Corporate Headquarters SilverSky 440 Wheelers Farm Road Suite 202 Milford CT 06461 © 2013 SilverSky. The trademarks used herein are either trademarks of SilverSky, or trademarks of their respective owners.

800.234.2175 silversky.com

SilverSky provides cloud-based security services for 1,800 banks, credit unions and other financial institutions. Our banking and credit union customers’ assets exceed $580 billion. The financial services industry is one of the most security-conscious vertical markets. It is also one of the most targeted. As a service to our financial institution customers, SilverSky Labs issues its Financial Services Threat Report twice a year. Unlike nearly every other security vendor “threat report,” SilverSky’s report does not simply analyze the threats. That is, we do not enumerate the vast and frightening amounts of malware, spam, botnets or any number of other hypothetical worries in the hope of inducing panicked purchases of flavor-of-the-month security products. SilverSky does something much more difficult and, we think, more interesting. We also analyze outcomes: whether and how often our customers were compromised. To our knowledge, SilverSky is the only security vendor that reports this way.

A note on SilverSky’s methods: SilverSky’s primary method of detecting security incidents is based on good old-fashioned signals intelligence. SilverSky does not manage the security of customer endpoints such as desktop PCs or servers. Instead, our managed security service works at the network level, collecting raw device and security events from thousands of managed perimeter UTMs and other security devices. These events are correlated at high speed to detect when customer endpoints exhibit suspicious behaviors, attempt to communicate with command and control networks, or appear to be under attack. When our SIEM determines that an event is “interesting,” it is forwarded to a SilverSky analyst for review. Each incident is evaluated and rated. If the incident appears to be a likely or confirmed compromise, it is escalated to the customer.

In the second half of 2013, SilverSky processed 90 billion raw events, documented 1.9 million security alerts and investigated 70,000 potential incidents. Among the 925 financial institutions under study, we reported 1,556 likely and confirmed compromises across 390 organizations. Threats were categorized into low-, medium- and high-severity incidents. The majority of recorded incidents were information-gathering or reconnaissance-related activities (low-severity), and a small number of incidents were likely or confirmed system compromises (medium- and high-severity). This threat report is entirely focused on these medium- and high-severity incidents.

Statistics Overview

Monthly Trend

Figure 1: Incidents Reverted to the Mean During Holidays.

In the second half of last year, we observed a dramatic (but temporary) drop in incidents. As shown in Figure 1, the number of threats facing financial institutions decreased from July to September, then reverted to the mean in December. One factor with an important impact was the arrest of the BlackHole exploit kit creator. This had a fairly immediate and positive effect on our customers, as the arrest led to the kit’s extinction in October 2013. As always, when you take one threat actor out of the system, another springs up to take its place. We see today that the number of incidents has trended back to historical highs, partly because of the newly emerged CryptoLocker ransomware and widespread ZmEu scans, which we look at in more depth later in the report.

Figure 2: Number of Affected Organizations Decreased Slightly in 2H 2013

Figure 2 represents the frequency with which our financial institution customers experienced security incidents. The horizontal axis indicates the number of incidents that affected a group of customers and the vertical axis represents the percent of customers that met that threshold. Notably, 42 percent of our financial institution customers had at least one security incident, which is down from 47 percent in 1H 2013. About four percent of institutions had more than 10 incidents. A credit union experienced the most – 42 incidents in total.

Incident Distribution


Table 1: Most Compromised Institutions by Type & Size

Table 1 displays a new analysis that we’ve introduced into our half-yearly threat report: a breakdown of the most compromised institutions by type, size (see Table 2 for the classification) and number of incidents. We noticed that six out of the top 10 most compromised institutions were credit unions, which is certainly an interesting trend that we’re keeping a close eye on going forward.

One of the ways we like to compare incident trends is to break down small, medium and large financial institutions. Overall, a smaller percentage of institutions were compromised in 2H 2013 than in 1H 2013, which we attribute to the fact that customers have been actively blocking access to unrated/unclassified web domains. From a period-over-period standpoint, small institutions actually fared a little better percentage-wise than medium or large institutions. Only 34 percent of these small institutions had at least one incident in the second half of 2013, compared to 51 percent two years ago. We’ve also seen a (not quite as precipitous but still large) drop in the percentages of compromised medium and large institutions.


Figure 3: Affected Institutions Down, but Compromises Continue

Table 2: Average Number of Incidents by Size of Institution


Looking at the average number of incidents per institution, these numbers have stayed almost exactly the same. Despite the percentage of compromised institutions decreasing, if you are being compromised on a regular basis, you will likely continue to be compromised at the same rate as before. We also want to note that attacks per small institution increased, likely because smaller organizations have smaller staffs, fewer resources and less expertise. It could also be true that these smaller institutions are targeted and used as “testing grounds” for attacks on some of the larger institutions.

Sources of Threats

Figure 4: Threat Sources Becoming More Concentrated

SilverSky is not in the business of “naming and shaming” particular countries. We do not make any claims about which countries are more dangerous in terms of “attacks.” That said, looking at the distribution of threats from an IP source standpoint can help customers understand, in a very broad-brush way, where threats are coming from. The source IP addresses for threats tend to be associated with particular countries’ address spaces. With that caveat in mind, we found that source IP addresses for the threats we observed came from 40 different countries in 2H 2013, down from 49 in 1H 2013.

Table 3: Simpson Index of Diversity for Threat Origin

Down from 54 percent in 2H 2012 to 48 percent in 2H 2013, the U.S. still accounted for the most threat sources in our study. We believe one explanation for the decrease is that our financial institution customers have been blocking more traffic from non-U.S.-based IP addresses; many of these customers do not have international customers. As a way of estimating concentration of the attack space, we measured the diversity of threat sources using the Simpson Index of Diversity, where 1.0 means highly diverse and 0.0 means completely concentrated with one source. You can see in Figure 4 that this metric decreased from 0.30 in 1H 2013 to 0.17 in 2H 2013. The message here is that threat sources are becoming a little more concentrated and less diverse.

Threat Highlights

In the second half of 2013, attackers continued to evolve their methods. Exploit kits remained attackers’ main weapons – many of these kits revolve around enticing victims to visit malware-laden websites through the usual methods, notably spam emails. Oftentimes, these kits are marketed and sold with support to botnet operators – they are essentially franchise operations. Exploit kit competition is also heating up. One of the historically most popular exploit kits, BlackHole, has given way to newer kits, leading to a splintering of the malware supply chain.

Trend Highlight: CryptoLocker

A key threat affecting more of our customers in 2H 2013 was CryptoLocker. This piece of ransomware surfaced in September 2013 and has rapidly become more prevalent. It typically spreads via spam emails containing malicious attachments. CryptoLocker uses a public key to encrypt files on local disks, network shares and USB devices. The corresponding private key is stored on a command & control (C&C) server and is under the attackers’ control. Victims must pay the attacker with cyber-currency, such as Bitcoin or MoneyPak, to retrieve the private key to decrypt files – typically a few hundred dollars. Note that SilverSky has SIEM correlations in place to detect customer traffic to CryptoLocker C&C domains and IP addresses.

Trend Highlight: More Attackers, More Tools

Due to the increased number of threats in the wild, defenders need to think about defending a larger array of attack vectors and types than ever before. The availability of attack tools has made the threat landscape chaotic. As an example, late last year we saw a politically motivated — and none-too-bright — attacker encouraging denial of service (DoS) attacks on Healthcare.gov. This person also distributed automated tools to let others participate in the attacks. It’s safe to say that we’ve reached the point where unskilled, politically motivated attackers feel free to distribute point-and-click DoS attack tools in public forums. To us, that signifies that the threat and malware supply chain has become truly diversified, with all of the negatives that implies. Adding to our concern is that anonymized currencies are increasingly effective in greasing the wheels of criminal cyber-commerce, making it much harder to “follow the money.”

Table 4: Simpson Index of Diversity for the Top Ten Threats

Among the top ten threats from 2H 2013, we identified a high number of ZmEu vulnerability scan activities, especially in November and December, which places ZmEu in Table 4 as the top threat for the six-month period we analyzed. ZmEu has by far become the most prevalent threat we observed.


Although not all of these potential incidents led to compromises, we reported them to customers as a precaution, warning that their phpMyAdmin (an open source web interface for MySQL administration, written in PHP) could have been vulnerable. ZmEu vulnerability scans jumped from four percent of incidents in the first half of the year to 30 percent of incidents in the second half of 2013.
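As an added example of the kind of network-level correlation described above (not SilverSky's own SIEM rules), this Python script flags ZmEu-style phpMyAdmin probing in web server access logs and rates it higher when a phpMyAdmin path actually answered. It assumes the scanner announces itself with a "ZmEu" User-Agent and walks common phpMyAdmin paths; the log lines, IPs and path list are constructed for the example.

```python
"""Flag ZmEu-style phpMyAdmin probing in web server access logs.

Added example, not SilverSky's own detection logic. Assumptions (labelled):
the scanner sets a "ZmEu" User-Agent and probes well-known phpMyAdmin
paths; the sample log lines below are constructed, not from the report.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths a phpMyAdmin probe typically walks (assumed set for the example).
PMA_PATH_RE = re.compile(r'/(?:phpmyadmin|pma|mysql|myadmin)[^ ]*', re.IGNORECASE)
PROBE_THRESHOLD = 3   # distinct admin paths from one IP before we alert


def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_zmeu_probe(rec):
    """True when a request looks like a ZmEu / phpMyAdmin scan."""
    if "zmeu" in rec["ua"].lower():
        return True
    return PMA_PATH_RE.search(rec["path"]) is not None


def detect(lines):
    """Return {ip: {"hits", "paths", "ua_match", "served"}} for IPs that cross
    the probe threshold or announce themselves as ZmEu. "served" is True if any
    probe got a 2xx, which deserves a higher severity: a phpMyAdmin instance
    actually answered, so the ingress point the report warns about exists."""
    per_ip = defaultdict(lambda: {"hits": 0, "paths": set(), "ua_match": False, "served": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_zmeu_probe(rec):
            continue
        s = per_ip[rec["ip"]]
        s["hits"] += 1
        s["paths"].add(rec["path"].lower())
        s["ua_match"] |= "zmeu" in rec["ua"].lower()
        s["served"] |= rec["status"].startswith("2")
    return {ip: s for ip, s in per_ip.items()
            if s["ua_match"] or len(s["paths"]) >= PROBE_THRESHOLD}


# Constructed sample: one scanner (203.0.113.7) and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2013:03:14:01 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 213 "-" "ZmEu"
203.0.113.7 - - [12/Nov/2013:03:14:01 -0500] "GET /pma/ HTTP/1.1" 404 213 "-" "ZmEu"
203.0.113.7 - - [12/Nov/2013:03:14:02 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 200 1043 "-" "ZmEu"
198.51.100.9 - - [12/Nov/2013:03:15:10 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2013:03:15:12 -0500] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, s in detect(SAMPLE_LOG).items():
        sev = "HIGH" if s["served"] else "MEDIUM"
        print(f"{sev}: {ip} probed {len(s['paths'])} admin paths ({s['hits']} requests)")
```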

The Blackhole exploit kit has fallen from the number one spot to number nine, a dramatic drop from 11 percent to one percent, following the arrest of its co-creator. Darkleech dropped from 10 percent to four percent, and CryptoLocker, while still relatively small, rose from nearly zero to two percent.

As with source IP address concentration, we calculated the Simpson Index of Diversity score for this set of threats to understand threat concentration. The Simpson score for threats decreased from 0.88 in 1H 2013 to 0.59 in 2H 2013. This means that threats were more concentrated in the second half of the year than in the first six months. Also of note, six out of the top 10 threats are new compared to a year ago (2H 2012). This underscores the increased velocity in the malware environment.
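The Simpson Index of Diversity used for threat origin (Table 3) and for the top ten threats (Table 4) can be computed from incident counts as follows. This is an added example, not SilverSky's code; it assumes the report uses the standard Gini-Simpson form D = 1 - sum(p_i^2), and all counts are constructed.

```python
"""Simpson Index of Diversity for threat concentration.

Added example, not code from SilverSky or the report. It assumes the
report's index is the standard Gini-Simpson form D = 1 - sum(p_i^2), where
p_i is the share of incidents attributed to source i (D = 1.0 is highly
diverse, D = 0.0 is a single source). All counts below are constructed.
"""
from collections import Counter


def simpson_diversity(counts):
    """D = 1 - sum(p_i^2) over a {source: count} mapping."""
    total = sum(counts.values())
    if total <= 0:
        raise ValueError("need at least one observation")
    return 1.0 - sum((n / total) ** 2 for n in counts.values())


def effective_sources(counts):
    """Inverse Simpson: how many equally active sources would give the same D.
    This is the intuitive reading of "concentration" (fewer = more concentrated)."""
    return 1.0 / (1.0 - simpson_diversity(counts))


def diversity_from_events(source_per_event):
    """Aggregate one source label per incident (e.g. country of the source IP,
    or threat name) and compute D on the resulting counts."""
    return simpson_diversity(Counter(source_per_event))


def concentration_trend(previous, current, tol=0.02):
    """Describe the period-over-period move in D the way the report reads it."""
    delta = current - previous
    if delta < -tol:
        return "more concentrated"
    if delta > tol:
        return "more diverse"
    return "roughly unchanged"


# Constructed per-country incident counts for two half-year periods.
PERIOD_A = {"US": 50, "CN": 20, "RU": 15, "BR": 10, "DE": 5}
PERIOD_B = {"US": 70, "CN": 15, "RU": 10, "BR": 5}

if __name__ == "__main__":
    d_a, d_b = simpson_diversity(PERIOD_A), simpson_diversity(PERIOD_B)
    print(f"D: {d_a:.2f} -> {d_b:.2f} ({concentration_trend(d_a, d_b)})")
    print(f"effective sources: {effective_sources(PERIOD_A):.1f} -> "
          f"{effective_sources(PERIOD_B):.1f}")
```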

Figure 5: Threats are Rapidly Changing

Figure 5 depicts how rapidly the top 10 threats are changing over time. Stretching back four periods to our first threat report in 1H 2012, you will see that only four of today’s top 10 even existed in the beginning of 2012. There is a lot of flux among these threats. For example, Darkleech came out of nowhere in 1H 2013, as did ZmEu. The Blackhole Exploit Kit remained steady for three periods of our analysis, but dropped in the last six months.


Defending Against Threats

By tirelessly safeguarding our customers’ most important information, SilverSky enables growth-minded leaders to pursue their business ambitions without security worry. Our 60 security engineers and Security Operations Center analysts track hundreds of botnets, exploit kits and malware indicators on a daily basis. We offer four layers of defense to protect our financial customers, which have been key to some of the decreases we’ve outlined in this report from the second half of 2013. These include:

Network-based AV: equipped with fine-grained signatures to keep clients from downloading or executing malicious code during their web browsing

Web security filters: block access to known malicious and suspicious domains

SIEM correlations: use complex regular expressions to identify offending IP addresses, domains and file names

We will shortly unveil a new, fourth layer of protection: SilverSky’s Targeted Attack Protection (TAP) service, which detects zero-day threats in email, will arrive later this quarter. TAP was born out of the observation that many attacks originate from highly customized phishing emails sent to customers.

We believe that SilverSky’s network security services were part of the reason why a smaller number of financial institutions experienced incidents in 2H 2013. Customers are also blocking web traffic to unrated/unclassified domains following our recommendations, which has greatly reduced the number of infections coming from malicious websites.

If you’re seeking to protect endpoint PCs from compromise, and let’s face it – that’s where the bulk of these compromises occur (more than 90 percent are oriented at PCs) – you need to:

Use multi-layered defenses: This includes but is not limited to firewalls, anti-virus and targeted attack prevention for email.

Safeguard PCs and observe best practices: This is not so much a technical fix as a behavioral one: never open suspect email attachments or follow links, don’t respond to emails asking for financial information and disable and/or uninstall unused services.

Keep software current, especially OS, browser and AV: Patch the OS, of course, but also and more importantly, third-party browser plugins. These are things that are increasingly targeted.

Block Flash and ads in browser: If you must use Flash or Java, turn on auto-update.

For Servers and Networks, we have a few key recommendations. You should:

Consider using server host intrusion detection systems (HIDS): These are especially applicable to servers where application binaries are largely static such as webservers and transactional systems. It is a good idea to use HIDS along with application whitelisting technologies.

Enforce very strong production server passwords: Brute-forcing admin or root passwords is a popular way in, so using very strong, randomized passwords (16 or 32 characters, however many you can stand) helps prevent compromises of hosts inside the firewall. Multi-factor authentication is also a good practice. Also, something we recommend and do internally at SilverSky is changing default admin account names so it is not “Admin” or “Administrator.”

Remove unnecessary server components: You can reduce servers’ attack surfaces by cutting down the components that you deploy, and by removing unnecessary applications and services. For example, the ZmEu attack specifically targets vulnerabilities in phpMyAdmin, a MySQL administration tool. For lightweight admin tasks, phpMyAdmin is not necessary – there are more secure alternatives. If you remove it, you remove the ingress point for potential compromises.

Don’t just trust, verify: Don’t let things just drift. Scan all of your endpoints regularly to ensure that they remain patched and configured so that they are in a known security state.

And for Management, we recommend that you:

Invest in a highly skilled, highly trained security event detection and response staff. We think it’s a great idea to have balance in your security program. Investing your entire budget in prevention technologies won’t help if you cannot detect incidents as they happen, or respond after they have occurred. Companies lacking budget or expertise across all three of these areas (prevention, detection and response) should consider outsourcing.

Set expectations with management. A 100% prevention-focused program won’t succeed in the modern age. Today’s CISOs will increasingly be judged by the degree to which they can reduce the likelihood of the worst attacks, and by the skill with which they respond to incidents that do occur.