The Evolution of Cyber Attacks
DESCRIPTION
The cyber criminal community has evolved from pranksters, lone wolves, and organized gangs to nation-states and hacktivist groups whose primary results have been increased costs and lost productivity. As enterprises and governments connect literally everything to the Internet, the size of their attack surface has grown, opening more opportunities for cyber criminals. Many of their current exploits are going unnoticed.
TRANSCRIPT
THE EVOLUTION OF CYBER ATTACKS
As enterprises and governments connect literally everything to the Internet, the size of their attack surface has grown, opening more opportunities for cyber criminals. Many of their current exploits are going unnoticed.
[Figure: timeline of security technologies against the evolving attack landscape. Vertical axis: Awareness, Visibility, Detection (+) versus Ability to Respond (–). Technologies plotted: Keys & Certificates, IAM, IDS, Firewall, A/V, VPN, DLP, IPS, MDM. Years: 1997, 2004, 2007, 2010, 2013. Attack eras: Viruses & Worms; For-Profit Malware; APTs; Key & Certificate-Based Attacks.]
• Code Signing Certificates
• SSH Key Theft
• Server Key Theft
• Weak Crypto Exploits
The Evolving Cyberattack Landscape
The cyber criminal community has evolved from pranksters, lone wolves, and organized gangs to nation-states and hacktivist groups whose primary results have been increased costs and lost productivity.
DAMAGE LEVEL: DISRUPTION
VIRUSES, WORMS & DDoS
CIH COMPUTER VIRUS, 1998
The virus infected over 60 million computers worldwide, causing an estimated one billion dollars in damage. Its author, Taiwanese university student Chen Ing-hau, claimed to have created the virus to challenge the bold claims of the antivirus community.
DISTRIBUTED DENIAL OF SERVICE, 1998
The first distributed-denial-of-service (DDoS) attacks ever recorded targeted the Mexican government and the Pentagon.
SLAMMER WORM, 2003
This worm drove a DDoS against multiple Internet hosts and dramatically slowed Internet traffic. Based on proof-of-concept code demonstrated at Black Hat by David Litchfield, the worm infected 75,000 victims in the first 10 minutes of its release by exploiting a vulnerability, generating random IP addresses and sending itself out to them.
DAMAGE LEVEL: CYBERCRIME
FOR-PROFIT MALWARE
MYDOOM, 2004
Mydoom spread via spam. It harvested email addresses from infected machines to proliferate further, then installed a backdoor on victims' machines so they could be used for further purposes, such as acting as remote proxies for DDoS as part of a botnet.
FAKEWARE/SCAMWARE, 2005
A pop-up message warns users that their machines may be infected and that they should download and install a fake antivirus or anti-spyware product. The warning is a hoax designed to fool the user into installing malicious code.
DAMAGE LEVEL: CYBER ESPIONAGE
APTs
ZEUS TROJAN, 2007
This is one of the first examples of an attack that takes advantage of the technologies used to ensure trusted digital communications.
This Trojan steals banking information using man-in-the-browser keystroke logging and form-grabbing to capture credentials. Zeus stole information from the U.S. Department of Transportation and is now believed to have infected over 74,000 websites, including BankOfAmerica.com, NASA.gov, ABC.com and Amazon.com.
CONFICKER, 2008
Targeting the Microsoft Windows operating system, Conficker used flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and it has been unusually difficult to counter because of its combined use of many advanced malware techniques.
Conficker infected millions of government, business and home computers in over 200 countries. The same year, MD5 was shown to be exploitable.
DAMAGE LEVEL: WORLD WITHOUT TRUST
Code Signing Certificates, SSH Key Theft, Server Key Theft & Weak Crypto Exploits
STUXNET, 2010
Discovered in June 2010, this malware – reported to have been created by the United States and Israel to attack Iran's nuclear facilities – was the first cyber attack recognized as having been made possible by compromised digital certificates.
Stuxnet combined unprecedented sophistication, zero-day exploits and a network of insiders to install itself on the Windows systems used to manage industrial control systems. It remained undetected on the network for months, using a compromised digital certificate to validate itself. Its payload left behind a trail of physical destruction.
DIGINOTAR, 2011
This attack on a Certificate Authority (CA) marked a significant point in the history of cyber attacks. For the first time, a trust technology provider, the CA itself, forced its customers, including a national government, to warn the world that they could not be trusted.
The attack took complete control of all eight of the company's certificate-issuing servers. Whether the attacker also issued rogue certificates that have not yet been identified remains unconfirmed. What is known is that 300,000 Gmail accounts were attacked. The attack also proved that a cyber debacle could ruin a business: the CA itself was forced out of business by the incident.
FLAME, 2012
Designed to spread from one infected computer to other machines on the same network using a rogue certificate, Flame allowed attackers to take control of what noted cyber-war expert Richard Stiennon once referred to as the "Holy Grail" of all potential cyber weapons – the Microsoft update server. When infected computers requested updates, Flame intercepted the request and, instead of the update, delivered a malicious executable signed with a rogue but technically valid Microsoft certificate. While Microsoft closed the door on Flame in its systems by issuing a patch, Flame essentially gave cyber criminals the blueprint for similar attacks.
In 2012, the number of malware samples signed with stolen certificates grew 10x.
[Figure repeated: the timeline of security technologies (Keys & Certificates, IAM, IDS, Firewall, A/V, VPN, DLP, IPS, MDM) plotted by Awareness, Visibility, Detection (+) versus Ability to Respond (–), with Keys & Certificates marked as the WEAK LINK.]
Few are looking at the real problem:
600% = year-over-year growth in compromised digital certificates in 2013
TURKTRUST, 2013
The CA issued two SSL intermediate certificates that could be used to issue certificates for any domain. One of them was used to issue an SSL certificate that was put into use for google.com. Google discovered the unauthorized certificate in January 2013 and noted that it came from an intermediate CA whose authority derived from a TURKTRUST certificate. No foul play was suspected at TURKTRUST, and the damage has yet to be fully assessed.
In February, over 800 different trojans designed to steal keys and certificates were launched.
BIT9 HACK, 2013
Hackers compromised this security provider's network and digitally signed malware using Bit9's own code-signing keys, which made it impossible for customers using its cyber defense technologies to know whether they were downloading legitimate files or malware. The extent of the damage may never be fully known, but the company claims to provide white-listing services for 30 Fortune 100 firms, almost one-third of the largest companies in the world.
APT1, 2013
In what has been the most shocking and bold cyber attack revelation to date, Mandiant revealed in its APT1 report that nation-backed, China-based hackers had used self-signed digital certificates to implant malware into hundreds of U.S. companies over a period of several years. As part of the ground-breaking revelation, Mandiant stated that 100 percent of the APTs used compromised keys and certificates.
SNOWDEN, 2013
The Snowden compromise was based not so much on malicious code as on the blind trust organizations place in keys and certificates, and it highlighted the lack of control and visibility into these cryptographic assets, which give insiders unfettered access to highly sensitive systems. Snowden used fabricated digital keys to elevate his privileges and gain access to sensitive information.
100% of over 2,300 Global 2000 organizations surveyed acknowledged having had attacks on keys and certificates in the last 2 years.
Keys & Certificates are under attack
They are the perfect target and recipe for success
Today's Cyber Criminal Attack Vector of Choice: Cryptographic Keys and Certificates
LOW VISIBILITY: Little awareness or detection capability
WIDE REACH: More than 17,000 in every organization
TRUSTED STATE: Attackers are granted privileged status
POOR RESPONSE: No tools for responding to attacks
Download the full report: A Historical Overview of the Evolving Cyber Attack Landscape
venafi.com/EvolvingCyberattacks