THE EVOLVING
THREAT LANDSCAPE
FUTURE IT THREATS
• CYBER WEAPONS will be tailor-made for specific cases. Cyber criminals will increasingly use simpler tools to destroy data at a required time.
• MULTIPLE ATTACKS ON GOVERNMENT institutions and businesses will be carried out all over the world. Hacktivism may also be used to conceal other types of attacks.
• MALWARE will be uploaded to official app stores. Mobile espionage will become widespread, including stealing data from mobile phones and tracking people using their phones.
• ATTACKS ON ONLINE BANKING SYSTEMS will become one of the most widespread methods of stealing money from users.
• THE NUMBER OF TARGETED ATTACKS will continue to grow. Cybercriminals will start using new infection methods. The range of targeted businesses under threat will expand.
• CYBER CRIMINALS will write mobile malware increasingly attacking Google Android.
MALWARE TODAY
• 90%: Traditional cybercrime
• 9.9%: Targeted threats to organizations
• 0.1%: True cyber weapons
EVOLUTION OF MALWARE WAVES WE HAVE TO DEAL WITH
• 1994: 1 new virus every hour
• 2006: 1 new virus every minute
• 2011: 1 new virus every second
• 2013: 200,000 new samples every day
WAYS OF MALWARE SPREADING
• Exploit kits
• Email
• Social networks
• USB
WAYS OF MALWARE SPREADING. WEB
Exploit kits, social networks
Kaspersky Lab discovered almost 1.6 billion web attacks in 2012.
ATTACKS IN 2012
• 4.4 million attacks per day
• 182.000 attacks per hour
• 3.000 attacks per minute
• 50 attacks per second
TARGET: MOBILE - WHY?
Your device contains a lot of ‘interesting’ things:
• incoming and outgoing SMS messages
• work emails
• business contacts
• personal photos
• GPS coordinates
• online banking credentials
• various installed apps
• calendar
MOBILE MALWARE SAMPLE COLLECTION
[Chart: number of unique samples, axis from 0 to 120000. Source: Kaspersky Lab, August 2013]
MOBILE MALWARE
Mobile malware written for specific platforms:
• Android: 93.4%
• Other platforms shown: Symbian, WinCE, J2ME (3.7%, 2.3%, 0.6%)
230 new Android malware every day
ADVANCED PERSISTENT THREATS (APT)

Gauss
Classification: Espionage Program
Detection Time: July 2012
Active Since: Aug / Sep 2011
Facts:
• Sophisticated toolkit for cyber espionage
• Implemented by creators of the Flame platform
• Modules perform a variety of functions

Flame
Classification: Espionage Program
Detection Time: May 2012
Active Since: 2008
Facts:
• Complex set of operations
• Downloads extra modules to victim computers
• 20 extension modules detected
• Sophisticated toolkit

Duqu
Classification: Espionage Program
Detection Time: September 2011
Active Since: August 2007
Facts:
• Destroys all traces of activity
• Core module never detected
• No modifications discovered since Feb 2012

miniFlame
Classification: Espionage Program
Detection Time: October 2012
Active Since: October 2012
Facts:
• Miniature fully-fledged spyware module
• Used for highly targeted attacks against select victims
• Stand-alone malware or as a plug-in for Flame

Wiper
Classification: Destroyer
Detection Time: Never Detected
Active Since: April 2012
Facts:
• Destroyed dozens of database and computer systems
• Majority of targets were organizations in Iran’s oil industry
• Malware still unknown to this day
NUMBER OF VICTIMS
(known number of incidents / additional number of incidents, approximate)
• Stuxnet: over 100K / over 300K
• Gauss: 2,500 / 10K
• Flame: 700 / 5-6K
• Duqu: 20 / 50-60
• miniFlame: 10-20 / 50-60
Source: Kaspersky Lab statistics
A NEW ADVANCED PERSISTENT THREAT (APT) - ICEFOG
Classification: Espionage
Detection Time: June 2013
Active Since: 2011
Targets: governmental, military, industrial institutions
Geography: Japan and South Korea
Special features: human operator, manual attacks
How does APT work?
• Spear phishing delivers exploits into the system.
• The exploits infect the system through vulnerabilities in popular applications.
• Cybercriminals then interact with Icefog to control your system and steal data.
EVOLUTION OF KL TECHNOLOGIES
TRUE ENDPOINT PROTECTION PLATFORM
• We are growing organically based on internal innovation development.
• Our products are created from a single code base, meaning our technologies integrate seamlessly with each other.
TECHNOLOGY LEADERSHIP IS OUR KEY DIFFERENTIATOR
• Our products finish within the top 3 positions of independent tests more often than those of any other vendor.
• Our world-renowned technologies have received a huge number of awards and certifications from independent testing laboratories.
Nikolay Grebennikov
Chief Technology Officer
Kaspersky Lab
[Chart: score of TOP 3 places (0% to 100%) against number of independent tests/reviews (0 to 80). Kaspersky Lab: 1st places – 27, participation in 79 tests/reviews, TOP 3 = 80%. Other vendors plotted: Bitdefender, Sophos, G-Data, Symantec, F-Secure, McAfee, Trend Micro, Avira, Avast, BullGuard, AVG, PC Tools, Eset, Webroot, GFI, Microsoft, Panda]
KASPERSKY LAB PROVIDES BEST IN THE INDUSTRY PROTECTION*
In 2012 Kaspersky Lab endpoint products participated in 79 independent tests and reviews. Our products took 1st place 27 times and finished in the TOP3 63 times (80% of all tests).
Notes:
• According to summary results of independent tests in 2012 for corporate, consumer and mobile products
• Summary includes tests conducted by the following independent test labs and magazines:
• Test labs: AV-Test, AV-Comparatives, VB100, PC Security Labs, Matousec, Anti-Malware.ru, Dennis Technology Labs
• Magazines: CHIP Online, PC Advisor, PC Magazine, TopTenREVIEWS, CNET, PCWorld, ComputerBild, PC-Welt
• The size of the bubble is the number of 1st places
© 1997 – 2013 Kaspersky Lab ZAO. All Rights Reserved.
EPP MARKET LEADER
• 2013. A Leader. Magic Quadrant for Endpoint Protection Platform*
• A leader in the Forrester Wave for Endpoint Security. The Forrester Wave™: Endpoint Security, Q1 2013**
• Leader in IDC MarketScape***
* Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research
publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including
any warranties of merchantability or fitness for a particular purpose.
** The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call
on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is
based on best available resources. Opinions reflect judgment at the time and are subject to change.
*** IDC's Go-to-Market Services (GMS) offers webrights and reprints of IDC research to support your marketing initiatives. GMS can also help you to leverage IDC's globally respected brand by delivering custom
content and multimedia deliverables which are drawn from research and analysis independently conducted and published by IDC analysts. Learn more here or contact us at gms@idc.com
MINIMIZING YOUR RISK OF INFECTION
Block known exploits
Taking advantage of existing technologies can dramatically reduce the risk of being attacked.
• Block exploits before they reach your system: APTs can exploit vulnerabilities in widely used applications. AEP spots and analyzes suspicious application behavior, blocking suspect applications from downloading unsafe code.
• Apply patches promptly: Patch Management monitors, downloads, schedules and applies OS and 3rd party application patches. All vulnerabilities are patched automatically.
• Fight known vulnerabilities: Vulnerability Assessment tracks and deletes known software vulnerabilities in OS and 3rd party applications, referencing the vast Kaspersky Security Network database.
Defend your system against zero-day vulnerabilities
A new weak spot with no patch available yet from the vendor? You need a strong defensive approach.
• Make isolation your defense: A Default Deny approach using Whitelisting means that only trusted applications can run, isolating your systems so cybercriminals can’t reach your system to install remote software.
Technologies: PATCH MANAGEMENT, VULNERABILITY ASSESSMENT, AUTOMATIC EXPLOIT PREVENTION (AEP), WHITELIST SECURITY APPROACH
KASPERSKY ENDPOINT SECURITY FOR BUSINESS: PROGRESSIVE, FEATURE-RICH TIERS
Tiers: TOTAL, ADVANCE, SELECT, CORE
Features shown:
• Licence Management, Network Admission (NAC), Software Installation
• Collaboration, Mail, Internet Gateway
• System Provisioning, Patch Management, Vulnerability Scan
• Mobile Endpoint Security, Mobile Device Management (MDM)
• File Server Security
• Application Control, Device Control, Web Control
• Anti-malware + Firewall
Kaspersky Security Centre
Endpoint Management Infrastructure
Cloud Enabled via the Kaspersky Security Network (KSN)
The Evolving Threat Landscape
THANK YOU

More Related Content

More from Kaspersky

Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...
Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...
Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...Kaspersky
 
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...Kaspersky
 
Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021
Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021
Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021Kaspersky
 
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...Kaspersky
 
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...Kaspersky
 
Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...
Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...
Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...Kaspersky
 
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтраИгорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтраKaspersky
 
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...Kaspersky
 
Марина Сорокина. Криптография для промышленных систем
Марина Сорокина. Криптография для промышленных системМарина Сорокина. Криптография для промышленных систем
Марина Сорокина. Криптография для промышленных системKaspersky
 
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...Kaspersky
 
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...Kaspersky
 
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...Kaspersky
 
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...Kaspersky
 
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугрозОлег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугрозKaspersky
 
Василий Шауро. Развитие кибербезопасности АСУТП ​в условиях цифровизации пред...
Василий Шауро. Развитие кибербезопасности АСУТП ​в условиях цифровизации пред...Василий Шауро. Развитие кибербезопасности АСУТП ​в условиях цифровизации пред...
Василий Шауро. Развитие кибербезопасности АСУТП ​в условиях цифровизации пред...Kaspersky
 
Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...
Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...
Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...Kaspersky
 
Сергей Радошкевич. Кибербезопасность в судоходной деятельности организаций. О...
Сергей Радошкевич. Кибербезопасность в судоходной деятельности организаций. О...Сергей Радошкевич. Кибербезопасность в судоходной деятельности организаций. О...
Сергей Радошкевич. Кибербезопасность в судоходной деятельности организаций. О...Kaspersky
 
Максим Никандров. Мультишина 10G цифровой ​подстанции — потенциальные ​пробле...
Максим Никандров. Мультишина 10G цифровой ​подстанции — потенциальные ​пробле...Максим Никандров. Мультишина 10G цифровой ​подстанции — потенциальные ​пробле...
Максим Никандров. Мультишина 10G цифровой ​подстанции — потенциальные ​пробле...Kaspersky
 
Александр Гутин. Процессоры Baikal — платформа безопасных отечественных ИТ-ре...
Александр Гутин. Процессоры Baikal — платформа безопасных отечественных ИТ-ре...Александр Гутин. Процессоры Baikal — платформа безопасных отечественных ИТ-ре...
Александр Гутин. Процессоры Baikal — платформа безопасных отечественных ИТ-ре...Kaspersky
 
Константин Трушкин. Использование платформы Эльбрус в информационно-защищённы...
Константин Трушкин. Использование платформы Эльбрус в информационно-защищённы...Константин Трушкин. Использование платформы Эльбрус в информационно-защищённы...
Константин Трушкин. Использование платформы Эльбрус в информационно-защищённы...Kaspersky
 

More from Kaspersky (20)

Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...
Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...
Вениамин Левцов. Cтратегия трансформации решений Лаборатории Касперского для ...
 
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
Джан Демирел (Турция). Текущий статус регулирования промышленной кибербезопас...
 
Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021
Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021
Мария Гарнаева. Целевые атаки на промышленные компании в 2020/2021
 
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
Дмитрий Правиков. Концепция информационной безопасности «роя» киберфизических...
 
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
Андрей Суворов, Максим Карпухин. Сенсация под микроскопом. Вивисекция первого...
 
Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...
Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...
Глеб Дьяконов. ИИ-видеоаналитика как инструмент корпоративного риск-менеджмен...
 
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтраИгорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
Игорь Рыжов. Проекты по защите АСУ ТП вчера, сегодня, завтра
 
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
Александр Карпенко. Уровни зрелости АСУ ТП как объектов защиты и подходы к ун...
 
Марина Сорокина. Криптография для промышленных систем
Марина Сорокина. Криптография для промышленных системМарина Сорокина. Криптография для промышленных систем
Марина Сорокина. Криптография для промышленных систем
 
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
Александр Лифанов. Платформа граничных вычислений Siemens Industrial Edge: пе...
 
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
Александр Волошин. Киберполигон "Цифровая энергетика". Исследования и разрабо...
 
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
Евгений Дружинин. Как не сломать: что важно учесть перед, в ходе и после реал...
 
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
Алексей Иванов. Реализация проектов АСУ ТП электрических подстанций ​в соотве...
 
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугрозОлег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
Олег Шакиров. Дипломатия и защита критической инфраструктуры от киберугроз
 
Василий Шауро. Развитие кибербезопасности АСУТП ​в условиях цифровизации пред...
Василий Шауро. Развитие кибербезопасности АСУТП ​в условиях цифровизации пред...Василий Шауро. Развитие кибербезопасности АСУТП ​в условиях цифровизации пред...
Василий Шауро. Развитие кибербезопасности АСУТП ​в условиях цифровизации пред...
 
Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...
Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...
Константин Родин. Обеспечение доверенной среды удаленной работы в рамках ​про...
 
Сергей Радошкевич. Кибербезопасность в судоходной деятельности организаций. О...
Сергей Радошкевич. Кибербезопасность в судоходной деятельности организаций. О...Сергей Радошкевич. Кибербезопасность в судоходной деятельности организаций. О...
Сергей Радошкевич. Кибербезопасность в судоходной деятельности организаций. О...
 
Максим Никандров. Мультишина 10G цифровой ​подстанции — потенциальные ​пробле...
Максим Никандров. Мультишина 10G цифровой ​подстанции — потенциальные ​пробле...Максим Никандров. Мультишина 10G цифровой ​подстанции — потенциальные ​пробле...
Максим Никандров. Мультишина 10G цифровой ​подстанции — потенциальные ​пробле...
 
Александр Гутин. Процессоры Baikal — платформа безопасных отечественных ИТ-ре...
Александр Гутин. Процессоры Baikal — платформа безопасных отечественных ИТ-ре...Александр Гутин. Процессоры Baikal — платформа безопасных отечественных ИТ-ре...
Александр Гутин. Процессоры Baikal — платформа безопасных отечественных ИТ-ре...
 
Константин Трушкин. Использование платформы Эльбрус в информационно-защищённы...
Константин Трушкин. Использование платформы Эльбрус в информационно-защищённы...Константин Трушкин. Использование платформы Эльбрус в информационно-защищённы...
Константин Трушкин. Использование платформы Эльбрус в информационно-защищённы...
 

Recently uploaded

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

The Evolving Threat Landscape

  • 2. FUTURE IT THREATS The Evolving Threat Landscape2 CYBER WEAPONS will be tailor-made for specific cases. Cyber criminals will increasingly use simpler tools to destroy data at a required time MULTIPLE ATTACKS ON GOVERNMENT institutions and businesses will be carried out all over the world. Hacktivism may also be used to conceal other types of attacks MALWARE will be uploaded to official app stores. Mobile espionage will become widespread including stealing data from mobile phones and tracking people using their phones ATTACKS ON ONLINE BANKING SYSTEMS will become one of the most widespread methods of stealing money from users THE NUMBER OF TARGETED ATTACKS will continue to grow. Cybercriminals will start using new infection methods. The range of targeted businesses under threat will expand CYBER CRIMINALS will write mobile malware increasingly attacking Google Android
  • 3. MALWARE TODAY. Shares shown: 0.1%, 9.9%, 90%. Categories shown: Traditional cybercrime; Targeted threats to organizations; True cyber weapons.
  • 4. EVOLUTION OF MALWARE WAVES WE HAVE TO DEAL WITH: 1 new virus every hour (1994); 1 new virus every minute (2006); 1 new virus every second (2011); 200,000 new samples every day (2013).
  • 5. WAYS OF MALWARE SPREADING: Exploit kits; Email; Social networks; USB.
  • 6. WAYS OF MALWARE SPREADING. WEB: Exploit kits; Social networks. Kaspersky Lab discovered almost 1.6 billion web attacks in 2012. ATTACKS IN 2012: 4.4 million attacks per day; 182.000 attacks per hour; 3.000 attacks per minute; 50 attacks per second.
  • 7. TARGET: MOBILE - WHY? Your device contains a lot of ‘interesting’ things: incoming and outgoing SMS messages; work emails; business contacts; personal photos; GPS coordinates; online banking credentials; various installed apps; calendar.
  • 8. MOBILE MALWARE SAMPLE COLLECTION. [Chart: number of unique samples, axis from 0 to 120000.] Source: Kaspersky Lab, August 2013.
  • 9. MOBILE MALWARE. Mobile malware written for specific platforms: 93.4% Android; the remaining shares are 3.7%, 2.3% and 0.6%, across Symbian, WinCE and J2ME. 230 new Android malware every day.
  • 10. ADVANCED PERSISTENT THREATS (APT)
      Gauss. Classification: Espionage Program. Detection time: July 2012. Active since: Aug / Sep 2011. Facts: sophisticated toolkit for cyber espionage; implemented by creators of the Flame platform; modules perform a variety of functions.
      Flame. Classification: Espionage Program. Detection time: May 2012. Active since: 2008. Facts: complex set of operations; downloads extra modules to victim computers; 20 extension modules detected; sophisticated toolkit.
      Duqu. Classification: Espionage Program. Detection time: September 2011. Active since: August 2007. Facts: destroys all traces of activity; core module never detected; no modifications discovered since Feb 2012.
      miniFlame. Classification: Espionage Program. Detection time: October 2012. Active since: October 2012. Facts: miniature fully-fledged spyware module; used for highly targeted attacks against select victims; stand-alone malware or as a plug-in for Flame.
      Wiper. Classification: Destroyer. Detection time: Never Detected. Active since: April 2012. Facts: destroyed dozens of database and computer systems; majority of targets were organizations in Iran’s oil industry; malware still unknown to this day.
  • 11. NUMBER OF VICTIMS (known number of incidents / additional number of incidents, approximate): Stuxnet: over 100K / over 300K. Gauss: 2,500 / 10K. Flame: 700 / 5-6K. Duqu: 20 / 50-60. miniFlame: 10-20 / 50-60. Source: Kaspersky Lab statistics.
  • 12. The Evolving Threat Landscape12
  • 13. A NEW ADVANCED PERSISTENT THREAT (APT) - ICEFOG. Classification: Espionage. Detection time: June 2013. Active since: 2011. Targets: governmental, military, industrial institutions. Geography: Japan and South Korea. Special features: human operator, manual attacks. How does APT work? Spear phishing delivers exploits into the system. The exploits infect the system through vulnerabilities in popular applications. Cybercriminals then interact with Icefog to control your system and steal data.
  • 14. EVOLUTION OF KL TECHNOLOGIES: TRUE ENDPOINT PROTECTION PLATFORM. We are growing organically based on internal innovation development. Our products are created from a single code base, meaning our technologies integrate seamlessly with each other.
  • 15. TECHNOLOGY LEADERSHIP IS OUR KEY DIFFERENTIATOR. Our products finish within the top 3 positions of independent tests more often than any other vendors. Our world-renowned technologies have received a huge number of awards and certification from independent testing laboratories. (Nikolay Grebennikov, Chief Technology Officer, Kaspersky Lab)
  • 16. KASPERSKY LAB PROVIDES BEST IN THE INDUSTRY PROTECTION*. In 2012 Kaspersky Lab endpoint products participated in 79 independent tests and reviews. Our products won 1st place 27 times and finished in the TOP3 63 times (80% of all tests). [Chart: score of TOP3 places (0% to 100%) against number of independent tests/reviews (0 to 80); the size of the bubble is the number of 1st places. Vendors plotted: Kaspersky Lab (1st places: 27; participation in 79 tests/reviews; TOP 3 = 80%), Bitdefender, Sophos, G-Data, Symantec, F-Secure, McAfee, Trend Micro, Avira, Avast, BullGuard, AVG, PC Tools, Eset, Webroot, GFI, Microsoft, Panda.] Notes: • According to summary result of independent tests in 2012 for corporate, consumer and mobile products • Summary includes tests conducted by the following independent test labs and magazines: • Test labs: AV-Test, AV-Comparatives, VB100, PC Security Labs, Matousec, Anti-Malware.ru, Dennis Technology Labs • Magazines: CHIP Online, PC Advisor, PC Magazine, TopTenREVIEWS, CNET, PCWorld, ComputerBild, PC-Welt. © 1997 – 2013 Kaspersky Lab ZAO. All Rights Reserved. Industry-leading Antivirus Software.
  • 17. EPP MARKET LEADER 2013. A Leader: Magic Quadrant for Endpoint Protection Platform*. A leader in the Forrester Wave for Endpoint Security: The Forrester Wave™: Endpoint Security, Q1 2013**. Leader in IDC MarketScape***.
      * Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
      ** The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
      *** IDC's Go-to-Market Services (GMS) offers webrights and reprints of IDC research to support your marketing initiatives. GMS can also help you to leverage IDC's globally respected brand by delivering custom content and multimedia deliverables which are drawn from research and analysis independently conducted and published by IDC analysts. Learn more here or contact us at gms@idc.com
  • 18. MINIMIZING YOUR RISK OF INFECTION
      Block known exploits. Taking advantage of existing technologies can dramatically reduce the risk of being attacked.
      AUTOMATIC EXPLOIT PREVENTION (AEP): Block exploits before they reach your system. APTs can exploit vulnerabilities in widely used applications. AEP spots and analyzes suspicious application behavior, blocking suspect applications from downloading unsafe code.
      PATCH MANAGEMENT: Apply patches promptly. Patch Management monitors, downloads, schedules and applies OS and 3rd party application patches. All vulnerabilities are patched automatically.
      VULNERABILITY ASSESSMENT: Fight known vulnerabilities. Vulnerability Assessment tracks and deletes known software vulnerabilities in OS and 3rd party applications, referencing the vast Kaspersky Security Network database.
      Defend your system against zero-day vulnerabilities. A new weak spot with no patch available yet from the vendor? You need a strong defensive approach.
      WHITELIST SECURITY APPROACH: Make isolation your defense. A Default Deny approach using Whitelisting means that only trusted applications can run, isolating your systems so cybercriminals can’t reach your system to install remote software.
  • 19. KASPERSKY ENDPOINT SECURITY FOR BUSINESS: PROGRESSIVE, FEATURE-RICH TIERS. Tiers: TOTAL, ADVANCE, SELECT, CORE. Components shown: Licence Management, Network Admission (NAC), Software Installation, System Provisioning, Patch Management, Vulnerability Scan, Collaboration, Mail, Internet Gateway, Mobile Endpoint Security, Mobile Device Management (MDM), File Server Security, Application Control, Device Control, Web Control, Anti-malware + Firewall. Also labelled: Kaspersky Security Centre; Endpoint, Management, Infrastructure. Cloud enabled via the Kaspersky Security Network (KSN).

Editor's Notes

  1. This presentation outlines the evolving IT Threat Landscape and the technologies available to help IT professionals manage the threats to their organisation.
  2. It is more than 25 years since the first PC viruses appeared. Over time, the nature of the threat has changed significantly. The threats businesses face today are more complex than ever before. The connectivity provided by the Internet means that attacks can be launched on victims’ computers very quickly, as widely or as selectively as malware authors, and the criminal underground that sponsors them, require.
  3. Until around 2003, viruses and other types of malware were largely isolated acts of computer vandalism: anti-social self-expression using hi-tech means. Most viruses confined themselves to infecting other disks or programs. After 2003, the threat landscape changed. Much of today’s malware is purpose-built to hijack computers to make money illegally. As a result, the threats businesses now face have become significantly more complex. We are beginning to see an increase in targeted threats to organisations, and the damage they cause is more likely to be financial, not just ‘IT downtime’.
  4. In the last 19 years the number and complexity of malware incidents has increased exponentially – from only one new virus every hour in 1994. In 2013 Kaspersky Lab sees more than 200,000 new malware samples every day.
  5. Exploit kits: Cybercriminals look for insecure web sites and hide their code in one of the web pages: when someone views that page, malware may be transferred automatically, and invisibly, to their computer along with the rest of the content that was requested. The cybercriminals inject a malicious script into the web page; this either installs malware on the victim’s computer or, more typically, takes the form of an IFRAME re-direct to a site controlled by the cybercriminals. The victim becomes infected if there’s an insecure, unpatched application on their computer.
     Social networks: Some social networks have a user-base the size of a large country, thus providing a ready-made pool of potential victims. Cybercriminals use social networks in different ways. First, they use hacked accounts to distribute messages that contain links to malicious code. Second, they develop fake apps that harvest the victim’s personal data (this can then be sold to other cybercriminals) or install malware (for example fake anti-virus programs). Third, they create fake accounts that gather ‘friends’, collect personal information and sell it on to advertisers. Cybercriminals cash in on the fact that people in social networks are pre-disposed to over-share information and to trust people they know.
     Email: Around three per cent of e-mails contain malware, in the form of attachments or links. E-mail is also used in targeted attacks, as a way of getting an initial foothold in the target organization(s). In this case, the e-mail is sent to a specific person in an organization, in the hope that they will run the attachment or click the link and begin the process by which the attackers gain access to the system. This approach is known as spear-phishing.
     USB / Removable Media: Physical storage devices provide an ideal way for malware to spread. USB keys, for example, have been used to extend the penetration of malware within an organization, following the initial infection. They have also been used to help malware to ‘hop’ between an untrusted computer connected to the Internet and a trusted network. Often malware uses vulnerabilities in the way that USB keys are handled (for example, the use of autorun and LNK vulnerabilities) to launch code automatically when the device is inserted into a computer.
  6. By far the most common way for malware to spread is via the web, using exploit kits and social networks. The number of web attacks detected in 2012 totals almost 1.6 billion.
  7. Cybercriminals are now turning their attention more and more to mobile devices, and the reason is clear. Our mobile devices now carry the same amount of data as our PCs once did, and the ubiquitous nature of mobility means that the number of mobile devices now exceeds the number of PCs.
  8. Mobile malware has exploded in the last 18 months. The lion’s share of it targets Android-based devices: more than 90 per cent is aimed at this operating system. This operating system ‘ticks all the boxes’ for cybercriminals: it’s widely used, it’s easy to develop for, and those using the system are able to download programs (including malicious programs) from wherever they choose. For this reason, there is unlikely to be any slow-down in development of malicious apps for Android. To date, most malware has been designed to get access to the device. In the future, we are likely to see the use of vulnerabilities that target the operating system and, based on this, the development of ‘drive-by downloads’. There is also a high probability that the first mass worm for Android will appear, capable of spreading itself via text messages and sending out links to itself at some online app store. We’re also likely to see more mobile botnets, of the sort created using the RootSmart backdoor in Q1 2012. By contrast, iOS is a closed, restricted file system, allowing the download and use of apps from just a single source, i.e. the App Store. This means a lower security risk: in order to distribute code, would-be malware writers would have to find some way of 'sneaking' code into the App Store. The appearance of the ‘Find and Call’ app earlier this year has shown that it’s possible for undesirable apps to slip through the net. But it’s likely that, for the time being at least, Android will remain the chief focus of cybercriminals. The key significance of the ‘Find and Call’ app lies in the issues of privacy, data leakage and the potential damage to a person’s reputation: this app was designed to upload someone’s phone book to a remote server and use it to send SMS spam.
  9. Before 2012, there were only two instances of cyber weapons being used: Stuxnet and Duqu. Stuxnet pioneered the use of highly-sophisticated malware for targeted attacks on key production facilities.
     Duqu: This malicious spyware program was detected in September 2011 and brought to public attention in October 2011. Kaspersky’s experts managed to gain access to a number of Duqu’s C&C servers and collect a substantial amount of information about the program’s architecture and its evolution. It was convincingly demonstrated that Duqu was a development of the Tilded platform, on the basis of which another high-profile malicious program, Stuxnet, had also been developed. By late 2011, Duqu ceased to exist “in the wild”. However, in late February 2012 Symantec’s experts discovered a new version of a driver in Iran, similar to the one used in Duqu but created on 23 February, 2012. The core module was never detected; no further modifications of Duqu have been discovered since then.
     Flame: Flame is a very sophisticated toolkit for conducting attacks, far more complex than Duqu. It is a backdoor Trojan which also possesses some of the characteristics of worms; the latter enable it to propagate via local networks or removable storage drives following instructions from its master. After infecting the host system, Flame starts to execute a complex set of operations, which can include analyzing the network traffic, taking screenshots, recording voice communications, keystroke logging etc. All this data is available to its operators via Flame C&C servers.
     Gauss: Gauss is a sophisticated toolkit for conducting cyber espionage, implemented by the same group that created the malicious Flame platform. The toolkit has a modular structure and supports remote deployment of a new payload that is implemented in the form of extra modules.
     Wiper: This “mystical” Trojan greatly disturbed Iran in late April 2012: it emerged basically from nowhere and destroyed a large number of databases in dozens of organizations. The country’s largest oil depot was especially hard hit: its operation was halted for several days after data on oil contracts was destroyed. Wiper’s creators did their best to destroy all the data that could be used to analyze the incidents. For this reason, practically no traces of the malicious program’s activity were left after Wiper was activated.
     miniFlame: In early June 2012, we discovered a small yet interesting module created on the Flame platform. This malicious program, dubbed miniFlame, is a miniature fully-fledged spyware module designed to steal information and gain access to an infected system. miniFlame/SPE is a tool for carrying out targeted attacks with pinpoint accuracy.
     For more information go to: http://www.securelist.com/en/analysis/204792257/Kaspersky_Security_Bulletin_2012_Cyber_Weapons
  10. The "Red October" Campaign - An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies. Red October is a targeted attack campaign that has been going on for at least five years. It has infected hundreds of victims around the world in eight main categories: Government; Diplomatic / embassies; Research institutions; Trade and commerce; Nuclear / energy research; Oil and gas companies; Aerospace; Military. It is quite possible there are other targeted sectors which haven't been discovered yet or have been attacked in the past. The campaign was discovered in October 2012. The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information gathering scope is quite wide. During the past five years, the attackers collected information from hundreds of high profile victims, although it's unknown how the information was used. It is possible that the information was sold on the black market, or used directly. Kaspersky Lab, in collaboration with international organizations, Law Enforcement, Computer Emergency Response Teams (CERTs) and other IT security companies, is continuing its investigation of Operation Red October by providing technical expertise and resources for remediation and mitigation procedures. For more information go to: http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies
  11. Industry-leading protection. Across the world, the outstanding effectiveness of Kaspersky’s anti-malware technologies is widely recognized. This superior, intelligent protection against emerging and increasingly sophisticated threats is delivered by “out of the box” best practices, backed by relentless antimalware expertise. Kaspersky Lab has summed up its comparative testing results for 2012. Throughout the year, the company's corporate, consumer and mobile security solutions participated in over 70 different tests and studies by international research labs. As well as assessing the antivirus component, the independent experts paid particular attention to the various technologies available in Kaspersky Lab’s products, including the company’s very latest developments: Automatic Exploit Prevention, Safe Money and Whitelisting. The results were truly outstanding: the company’s solutions claimed first place in 30 tests and on another 19 occasions received prestigious awards from the experts. This testifies to the high quality of Kaspersky Lab’s security solutions and the company's readiness to confront the most complex IT threats facing users. us ongoing programs, all help confirm Kaspersky antimalware as the industry leader.
  12. The enterprise endpoint protection platform (EPP) market is a composite market primarily made up of collections of products. These include: anti-malware; anti-spyware; personal firewalls; host-based intrusion prevention; port and device control; full-disk and file encryption, also known as mobile data protection; endpoint data loss prevention (DLP); vulnerability assessment; application control; mobile device management (MDM). These products and features are typically centrally managed and ideally integrated by shared policies. DLP, MDM and vulnerability assessment are also evaluated in their own Magic Quadrant or MarketScope analyses. Longer term, portions of these markets will get subsumed by the EPP market, as the personal firewall, host intrusion prevention, device control and anti-spyware markets have in the past. EPP suites are a logical place for convergence of these functions. Indeed, 53% of organizations in a recent Gartner survey already use a single vendor for several of these functions, or are actively consolidating products. In particular, mobile data protection is the leading complement to EPP, and purchasing decisions regarding the two products are increasingly made together. For most organizations, selecting a mobile data protection system from their incumbent EPP vendors will meet their requirements.
  13. Kaspersky Endpoint Security for Business: award-winning anti-malware with centralized deployment, management and reporting. Kaspersky has built powerful enterprise-class features into the progressive tiers of our offerings, but we’ve made the technology uncomplicated and simple enough for any sized business.
     Core: The Kaspersky Endpoint Security for Business ‘Core’ tier is centrally managed by the Kaspersky Security Center and is assisted by the cloud-based Kaspersky Security Network. Key Features of Core: Powerful Endpoint Anti-Malware - Kaspersky’s scanning engines operate at multiple levels in the operating system, rooting out malware. Cloud-Assisted Protection - With the cloud-based Kaspersky Security Network, users are protected in real time against new threats. Centralized Management - Administrators can remove existing antivirus software, configure and deploy Kaspersky, and perform reporting, all from the same console.
     Select: Kaspersky’s ‘Select’ tier includes mobile device deployment and protection via Mobile Device Management (MDM) and mobile anti-malware. Endpoint control tools (web, device and application) help your organization enforce IT policy, keeping the essential elements of your IT environment secure. Key Features of Select: Powerful Endpoint Anti-Malware - Kaspersky’s ‘best of breed’ scanning engine operates at multiple levels in the operating system, rooting out malware. The cloud-based Kaspersky Security Network (KSN) protects users in real time against new threats. Flexible, Granular Control Tools - A cloud-based, categorized database of safe and unsafe applications and websites helps the administrator to set and enforce policies for applications and web surfing, while granular controls ensure that only specific devices can plug in to machines on the network. Efficient Mobile Deployment and Security for Smartphones and Tablets - Agent-based mobile security is available for Android™, BlackBerry®, Symbian and Windows® Mobile devices. Mobile device policies and software can be securely deployed over the air to these and to iOS devices through Kaspersky MDM. Vulnerability Scanner - Tuned to flag hardware and software vulnerabilities which could be exposed to an attack.
     Advanced: Kaspersky’s Advanced tier delivers the protection and management solution your organization needs to enforce IT policy, keep users free from malware, prevent data loss, and enhance IT efficiency. One Management Console - From one ‘single pane of glass’, the administrator can view and manage the entire security scene: virtual machines, physical and mobile devices alike. One Security Platform - Kaspersky Lab developed our console, security modules and tools in-house rather than acquiring them from other companies. This means the same programmers working from the same codebase have developed technologies that talk together and work together. The result is stability, integrated policies, useful reporting and intuitive tools. One Cost - All tools are from one vendor, delivered in one installation, so you don’t have to go through a new budgeting and justification process to bring your security risks in line with your business objectives.
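
A site owner can check their own pages for the injected IFRAME re-direct described in note 5. The following is an added example, not part of the original presentation: a Python audit that lists off-site iframes and scripts in a page and marks hidden iframes as high severity. The host names, the allowlist and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: line 6 carries the kind of hidden off-site IFRAME
# that note 5 describes. All host names are placeholders.
SAMPLE_PAGE = """\
<html><body>
<h1>Widgets</h1>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="//redirect.example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

# Inline styles that make an element invisible or 0/1 pixel in size.
# The lookbehind keeps "line-height:1" and "max-width:0" from matching.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)


def is_hidden(attrs):
    """True if the tag attributes make the element invisible to a visitor."""
    for dim in ("width", "height"):
        if attrs.get(dim, "").strip() in ("0", "1"):
            return True
    if "hidden" in attrs:
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


class InjectionAuditor(HTMLParser):
    """Collects iframes and scripts whose src points outside the site."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _offsite_host(self, url):
        try:
            host = (urlparse(url.strip()).hostname or "").lower()
        except ValueError:
            return "unparseable"          # malformed URL: surface it for review
        if not host:                      # relative URL, stays on this site
            return None
        if host == self.site_host or host.endswith("." + self.site_host):
            return None
        return None if host in self.allowed_hosts else host

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = self._offsite_host(a.get("src", ""))
        if host is None:
            return
        hidden = tag == "iframe" and is_hidden(a)
        self.findings.append({
            "line": self.getpos()[0], "tag": tag, "host": host,
            "hidden": hidden, "severity": "high" if hidden else "review",
        })


def audit_page(html, site_host, allowed_hosts=()):
    """Return one finding per off-site iframe or script, in page order."""
    auditor = InjectionAuditor(site_host, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE, "shop.example.com", {"cdn.example.net"}):
        print(f)
```

Run against each published page after deployment and compare the findings with the hosts the site is known to embed; a hidden iframe to an unknown host is the case to investigate first.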