Advanced Security and Threat Research, which includes the X-Force team, is the foundation for many of the pillars in the security product portfolio. As the team tasked with staying on top of the latest threats and vulnerabilities, the information it provides is a critical aspect of providing protection to the other parts of the framework. The rest of this deck will talk to the specific capabilities of this team, as well as some specific integration points between the X-Force research and the products to which they add value.
IBM X-Force has a long standing history as one of the best known commercial security research and development groups in the world Can leverage security expertise across IBM to better understand what is happening in security Have numerous intelligence sources: database of more than 73k security vulnerability – monitored every day Global web crawler International spam collectors Work closely with IBM managed security services group who monitor over 15B security events every day from nearly 4,000 security clients in over 133 countries All of this is done to stay ahead of continuing threats for our customers Our global web crawler is probably the worlds third largest behind Google and Bing. It crawls the web, and we have analyzed and classified over 17B web pages. XForce is particularly interested in files, images, or pages that contain malicious links or content. The team in Kassel Germany who builds our web crawler also developed an anti spam product We have spam traps around the world, receive large amounts of spam so that we can analyze and understand the different types so that we can preemptively block that spam Our work covers 4 key areas: Research Engines Content Deliver Industry/Customer deliverables – such as this X-Force report, blogs, articles, presentations and speaking engagements
Attackers are optimizing their operations around many key initiatives which include a path of least resistance to reach the largest number of potential targets for the minimal amount of exploit effort. For example, attackers are optimizing various points of weak entry: The exploitation of trust via social media. Coordinated operations leaking user data as well as exploiting weak entry points into global brands such as foreign local language or franchise sites. Mobile malware with Android devices as the market expands. Take over of central strategic targets to access and exploit a broader base of end users. Diversion and distraction techniques which throw security administrators off path, while breaching targets under the cover. Cross-platform 0days were an optimization story as well
Examples that demonstrate diminished trust: Enterprises who trust the correct security procedures and policies are implemented on their networks but are shown differently by high breach activity that continues. Users who trust that a company is protecting their personal data. Enterprises that “want to trust” the growing wave of infrastructure that is social media and mobile as it expands the fluidity of our lives. Network and security admins who trust that “old attack methods and historic vulnerabilities” are not as important as other more current issues. Software developers and technical, security-savvy people who visit a trusted site not thinking that they have to protect themselves from drive-by-downloads.
What we are attempting to demonstrate in this graphic are the types of “Operational Sophistication” that is being utilized in many of these recent breaches and security incidents. It doesn’t mean there is not technical sophistication, because there can be ,but we see are attackers organizing strongly to create return on their development investments – getting, if you will – “the biggest bang for the buck!” They often look first for the path of least resistance. Some examples seen are: - attackers are organized and well funded (maintenance of botnets and ability to evolve techniques) - attackers are using social media and other public info to target key individuals (persons of interest) - spear phishing still a common point of entry to get a foothold - They are using "watering hole" techniques where they are scoping out where potential targets might congregate (like putting a Java vuln on the Mobile Dev site that resulted in infection of Apple and Facebook developers) - other "tried and true" techniques like XSS to target individuals and SQLi to breach web servers - using layered approach - for example... vulnerable CMS systems easily taken over to install malware/bots which are then used to DDoS other targets
2012 was a record year for reported data breaches and security incidents, with a 40 percent increase in total volume over 2011.1 In the first half of 2013, security incidents have already surpassed the total number reported in 2011 and are on track to surpass 2012. This year kicked off with a number of high profile sophisticated attacks on major websites, media, and tech companies
Based on the incidents we have covered, SQL Injection (SQLi) remains the most common breach paradigm. We have not been surprised by this as SQLi is the most direct way to gain access to records in the database. In terms of return on exploit, SQLi is an effective attack of opportunity, where automated scripts can scan wide ranges of potential targets that run common web application software with known SQLi vulnerabilities. Several of the incidents displayed in the graphic were the result of unpatched or vulnerable web forums or other widely used third party products.
High volume distributed denial-of-service (DDoS) attacks against prominent targets persisted from 2012 into the first half of this year. The banking industry has been heavily attacked, causing downtime and business interruptions for online banking customers. Spamhaus,17 a non-profit organization dedicated to tracking spam abuse, was hit with what some consider to be the largest DDoS attack in the world, with traffic rates reported as high as 300 Gbps. These high bandwidth DDoS attacks escalated last year and continue to present a challenge in terms of successful attack mitigation. DDoS incidents also continue to provide an excellent distraction technique where the true motivation is to breach systems under the cover of the DDoS attack. Targeting the DNS provider is another example of the pattern of attacking a centralized strategic target to reach a larger group of potential victims.
A relatively recent attack type—and newly debuting on our charts this time—is the watering hole attack. Attackers have successfully breached several high tech companies by injecting browser exploits on websites frequently visited by targeted employees. These exploits lead to trojan malware installation. This same type of attack has also been used this year to target government employees. Watering hole attacks are good examples of operational sophistication because they reach a large number of select targets by compromising a single centralized location. In contrast, with spear phishing for example, an attacker has to individually connect with a larger group of people and only a small percentage might be successfully compromised. Often these attacks are successful because there is enough traffic from target organizations, and by nature they break through a certain layer of trust between the target and what the target believes is a legitimate and safe website.
Companies often have local language websites representing their brand, but these sites are not always secured with the same standard as the sites at the home office. Such was the case with several well-known brands that suffered damage to their reputation as well as legal implications for leaking large amounts of customer data. These types of leaks affected the food, consumer electronics, automotive, and entertainment industries in particular.
In the breaches tracked by IBM X-Force and in terms of the country where the attack target was located, the United States is the country with the most disclosed breaches by a large margin. This could be based on the fact that many websites are operated from the United States, or possibly that it is more common that U.S. companies and websites are disclosing publicly.
Because attackers have learned to monetize social media vulnerabilities, a black market has cropped up to trade compromised and fabricated accounts on social media sites Criminals are selling accounts on social networking sites, some belonging to actual people whose credentials were compromised, others fabricated and designed to be credible through realistic profiles and a web of connections. As a minimum function their use is to inflate page ‘likes’ or falsify reviews; though more insidious uses include hiding one's identity to conduct criminal activities – the online equivalent of a fake ID, but with testimonial friends, adding to the deception.
Social media exploits affect more than individuals; they can negatively impact enterprise brand reputation and cause financial losses IBM X-Force expects to see these newer applications of social engineering become more sophisticated as attackers create complex internetworks of identities while refining the art of deceiving victims. Users must adopt a mindset of guilty until proven innocent when it comes to social media and companies should engender suspicion to protect users and assets. Technology advancements and controls are available, best practices continue to be refined and taught, but ultimately the trust the user believes they have, may circumvent anything security practitioners put into place. Technology controls are in place, but are often either not enabled or are circumvented by the user’s extended network. The only effective defense is education and to engender suspicion
Obad was spread primarily through short message service (SMS) spam, and gained attention in June 2013 when it was dubbed “The most sophisticated Android Trojan.” We have seen the core functionality of Obad—such as information stealing and premium SMS sending—in other Android malware before, but the features that made it stand out include: Spreading through Bluetooth Device administration Anti-analysis techniques and code obfuscation X-Force believes this release is significant in that it reveals how malware authors are now investing more effort into creating increasingly resilient and dangerous Android malware.
In the past few years, there has been an explosive growth in Android devices and malware authors are turning their attention in that area of growth. As the number of users who own and operate Android devices is rapidly expanding, so too have malware authors increased their effort to take advantage of this larger market. Within the report, we discuss two types of Android malware that entered the stage in 2013 – Obad and Chuli. We also discuss some of the security enhancements and steps that could help thwart malware. When email opened, it (Chuli) displays a message about the conference. In the background, Chuli sets up hooks into Android’s SMS service so that it can intercept incoming SMS messages and send them to a remote Command and Control (C&C) server. It also sends the user’s SMS history, call history, contacts, and geolocation to the C&C server. Chuli is a very targeted attack and is only intended for specific individuals, thus the risk of infection to the common user is low. The existence of this malware indicates that Android users are increasingly becoming viable targets for these types of sophisticated attacks. Of course, in this case, the sophistication is related to the organization and intent of the attack—the raw technology in Chuli is not particularly novel. 2013 witnessed the release of a Trojan named Obad, which is notable for some new and technically sophisticated features. X-Force believes this release is significant in that it reveals how malware authors are now investing more effort into creating increasingly resilient and dangerous Android malware. Obad was spread primarily through SMS spam, and gained attention in June 2013 when it was dubbed “The most sophisticated Android Trojan.” We have seen the core functionality of Obad – such as information stealing and premium SMS sending – in other Android malware before, but the features that made it stand out include: spreading through Bluetooth, device administration, anti-analysis techniques and code obfuscation.
Older mobile devices are even more vulnerable as only 6% of Android devices are running the latest version of the platform which has the security enhancements needed to combat these threats. For the rest of 2013, X-Force expects to see the number of Android malware apps continuing to rise. We also anticipate that the degree of sophistication for this malware will eventually rival those found in desktop malware. There could be more improvements to combat malware in future versions of Android, but we believe that OS fragmentation (older versions that are being used as much as newer ones) will remain a problem.
In the first half of 2013, we entered just over 4,100 new publicly reported security vulnerabilities. If this trend continues throughout the rest of the year, the total projected vulnerabilities would approach 8200 total vulnerabilities, virtually the same number we saw in 2012.
Although vulnerabilities affecting mobile applications and operating systems represent a relatively small percentage of total disclosures (projected at just over four percent in 2013), we have seen the total number of disclosures increase significantly since 2009 when mobile vulnerabilities represented less than one percent of total disclosures. After a substantial jump in 2009, the number decreased slightly from 2010 to 2011 before another substantial jump in 2012. Many of the vulnerabilities affecting mobile platforms originate in components that are used in both mobile and desktop software. The remaining vulnerabilities are specific to mobile applications and represent a large portion of the increase in disclosures seen in 2012 and 2013. One significant development of note regarding mobile vulnerabilities in 2013 has to do with the number of public exploits available. In 2013, fewer than 30 percent of all mobile disclosures had public exploits or proof-of-concept code available. In comparison, only nine percent of mobile vulnerabilities disclosed between 2009 and 2012 had public exploits. Most of these exploits are targeted specifically towards mobile applications and are primarily disclosed on popular public exploit repositories.
Another example of how attackers are increasing their return on exploit is in the way they are targeting cross platform services to reach a maximum number of potential targets. It is worth noting that almost 80 % of the zero-day vulnerabilities covered by IBM X-Force in the first half of 2013, were vulnerable on Microsoft Windows and Apple Mac OSX. Nearly half were also vulnerable on some Linux distributions. This cross-platform reach emphasizes the operational sophistication which has been utilized for widespread exploitation.
Java The first was made in the Java 7u10 release which was the addition of a feature to easily disable Java in a browser. The second important change was made in the Java 7u11 release which was the change of the default security settings level to “High” which means that the user is prompted before running unsigned Java applications in the browser. This latter change makes it less attractive for attackers to use Java exploits because of the added effort to create exploit. Adobe Flash Adobe noted that since the introduction of the Reader sandbox in 2010, the most common delivery method for Flash Player zero-day attacks had been Office documents. In addition to the first two Flash zero-day attacks discussed earlier, a notable example of this is the RSA breach in 2011 in which attackers embedded a Flash zero-day exploit in an Excel document. IE September 2013: Water hole attack in Japan – CVE-2013-3893, effecting all versions of IE and exploit code readily available. In June, Microsoft reported and patched a zero-day vulnerability (CVE-2013-1331) in Microsoft Office. Microsoft describes the initial attacks as extremely targeted. This is why not much was known about the attack before the Microsoft advisory was published. The vulnerability affected the latest version of Office for Mac (Office 2011) but only affected an older version of Office in Windows (Office 2003).
As cyber-attacks intensify, monitoring the numerous vulnerability disclosures every day becomes daunting. Within IBM X-Force, we track publicly issued vulnerabilities through a triage process to identify which ones are most likely to be used by an attack, and then determine which ones require deeper research. By performing this review, we recognize that all vulnerabilities are characterized by two factors; the exploit “potential reward” that entices the attacker and the “exploit effort to achieve” that deters the attacker from further development. The exploit-probability matrix is devised by charting the “exploit reward” and “exploit effort to achieve” along the axes. By assigning vulnerabilities to the appropriate quadrant, it becomes clear which are favored by attackers. As illustrated in the exploit-probability matrix, easy exploitation with high potential reward – aka target impact, is still the sweet spot for the most prevalent attacks.
Web Application vulnerabilities, which have been on the rise in recent years, are down slightly in 2013. More than half of all web application vulnerabilities are cross-site scripting.
Most of these fall into the category of third party add-ons or plug-ins for Content Management Systems. Content Management System (CMS) programs are some of the most widely deployed software on the World Wide Web because of their ease of use, utility, and simplicity to maintain and administer. Attackers like to target these systems to find vulnerabilities and flaws that they can exploit. Because CMS applications and their plugins are web enabled, they can often be targeted with automated scanning tools to identify web application vulnerabilities. In addition to automation, attackers will also manually review CMS applications and plugins.
The most prevalent consequence of vulnerability exploitation for the 1st half of 2013 was “gain access” at 28 percent of all vulnerabilities reported. In most cases, gaining access to a system or application provides the attacker complete control over the affected system, which allows them to steal data, manipulate the system, or launch other attacks from that system.
The top three campaigns observed, enticing users to click on bad links and attachments in emails, are Internet payment companies, social networks, and internal scanners or fax devices. Together these three focus areas account for more than 55 percent of all scam and phishing incidents.
In countries where malware is distributed, we see the United States dominates the scene by hosting more than 42 percent of all malicious links. The geography with the second highest concentration of malicious links is Germany, with nearly 10 percent.
The country with the largest number of C&C servers in the month of June 2013 with nearly one-third of all C&C Servers is the United States. • The country with the second highest number of C&C servers is Russia with nearly 10 percent. • Germany, South Korea, China, and United Kingdom are close together, hosting between 7.0 and 4.2 percent of the C&C Servers
IBM X-Force continues to see operationally sophisticated attacks as the primary point of entry. Social Media Insights: We expect to see applications of psychological manipulation become more sophisticated as attackers create complex internetworks of identities while refining the art of deceiving victims. Technology controls are in place, but are often either not enabled or are circumvented by the user's extended network. The only effective defense is education and to engender suspicion. Mobile Device Malware Insights: X-Force recommends Android users check to see if a firmware update is available and consider upgrading. CISOs should also review their bring your own device (BYOD) security policies and their risk assessment of which devices and device profiles are allowed access. Poisoning the Watering Hole Insights: Website administrators can help lower the risk of your website being compromised from a watering hole attack by: hardening your servers, ensuring currency of software and web applications, and hardening client machines used to log into servers. Distraction and Diversion Insights: As the scope and frequency of data breaches continue in an upward trajectory, a return to basic security fundamentals is essential. Throughout the IBM X-Force 2013 Mid-Year Trend and Risk Report we look at many facets of secure computing from both the IT and network administrative perspective, as well as for end users. While technical mitigation is a necessity, conditioning users throughout the enterprise to view security as a mindset—not an exception—can go a long way toward reducing these incidents. Old Techniques, New Success Insights: Some of these gaps could be prevented by maintaining a consistent, high level of patching on both endpoints and servers. Keeping software and operating systems at the most current versions is another preventative measure. And even best practice security policy enforcement, such as enforcing the use of strong passwords, using different passwords for different accounts, and enabling two-factor authentication can help.
Mandatory Thank You Slide (available in English only).
DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013