The 2013 Internet Security Threat Report highlights an increase in targeted attacks, particularly through spear phishing and emerging watering hole tactics, with manufacturing and finance sectors being the most affected. Cybercriminals leveraged vulnerabilities in web applications, while spam rates continued to decline due to ongoing botnet takedowns, though phishing and malware threats persisted. The report emphasizes the need for comprehensive security measures, routine vulnerability assessments, and employee awareness training to mitigate these threats.

1. ISTR 2013 Overview

2. TARGETED ATTACKS
Internet Security Threat Report 2013 :: Volume 18 2

3. Targeted Attacks
in 2012
Internet Security Threat Report 2013 :: Volume 18 3

4. Targeted Attacks by Industry
Manufacturing 24%
Finance, Insurance & Real Estate 19%
Services – Non-Traditional 17%
Government 12%
Energy/Utilities 10%
Services – Professional 8%
Wholesale 2%
Retail 2%
Aerospace 2%
Transportation,
1%
Communications, Electric, Gas
0% 5% 10% 15% 20% 25% 30%
Manufacturing moved to top position in 2012
But all industries are targeted
Internet Security Threat Report 2013 :: Volume 18 4

5. Targeted Attacks by Company Size
50% 2,501+ 50% 1 to 2,500
Employees 9% 1,501 to 2,500
2,501+
2% 1,001 to 1,500
3% 501 to 1,000
5% 251 to 500
50%
31% 31% 1 to 250
growth
since
2011
Greatest growth in 2012 is at companies with <250 employees
Internet Security Threat Report 2013 :: Volume 18 5

6. Targeted Attacks by Job Function
30% R&D
27%
Sales
25% 24%
20% C-Level
17% Shared
Mailbox
15% Senior
13%
12%
10%
Recruitment
Media
5% 4%
3% PA
1%
0%
Attacks may start with the ultimate target, but often look opportunistically for any
entry into a company
Internet Security Threat Report 2013 :: Volume 18 6

7. Spear Phishing Watering Hole Attack
Send an email to a person Infect a website and lie
of interest in wait for them
Targeted Attacks predominantly start as spear phishing attacks
In 2012, Watering Hole Attacks emerged (popularized by the Elderwood Gang)
Internet Security Threat Report 2013 :: Volume 18 7

8. Effectiveness of Watering Hole Attacks
Watering Hole Infected 500 All Within
Attack in 2012 Companies 24 Hours
Watering Hole attacks are targeted at specific groups
Can capture a large number of victims in a very short time
Internet Security Threat Report 2013 :: Volume 18 8

9. Recent Example of Watering Hole Attack
In 2013 this type of attack will become widely used
Several high profile companies fell victim to just such an attack
Internet Security Threat Report 2013 :: Volume 18 9

10. Watering Hole Targeted iOS Developers
In 2013 this type of attack will become widely used
Several high profile companies fell victim to just such an attack
Internet Security Threat Report 2013 :: Volume 18 10

11. Thwarting Targeted Attacks
• Human Intelligence regarding active and anticipated attack campaigns, targeted
Security Intelligence attacks, and emerging threats
• Use full capabilities of monitoring solutions to provide full visibility into security
Holistic Security Monitoring posture and events across the entire enterprise footprint
Removable Media Device
• Restrict removable devices and functions to prevent malware infection
Control
Email & Web Gateway Filtering • Scan and monitor inbound/outbound email and web traffic and block accordingly
• Discover data spills of confidential information that are targeted by attackers
Data Loss Prevention • Detect and prevent exfiltration of confidential information that are targeted by
attackers
Encryption • Create and enforce security policies so all confidential information is encrypted
Incident Preparedness & • Ensure formal Incident Response capabilities are in place and fully tested
• Conduct periodic penetration tests and red-team exercises to evaluate defense
Response and response capabilities from the perspective of an attacker
Internet Security Threat Report 2013 :: Volume 18 11

12. SPAM TRENDS
Internet Security Threat Report 2013 :: Volume 18 12

13. Spam Decline
79%
January 2011 Global Spam Rates 2011-2012 69%
90% October 2012
80%
70%
60%
50%
40%
30%
20%
10%
0%
Jan- Apr Jul Oct Jan- Apr Jul Oct
11 12
Spam has declined for second year in a row (as % of email)
Botnet takedowns continue to have an affect
Internet Security Threat Report 2013 :: Volume 18 13

14. Pharmaceutical Spam Decline
Pharmaceutical Spam Rates 2011-2012
70%
60%
50%
40%
30%
20%
10%
0%
Jan- Apr Jul Oct Jan- Apr Jul Oct
11 12
Internet Security Threat Report 2013 :: Volume 18 14

15. The Risk of Spam Continues
1 in 414 1 in 283
Emails are a phishing attack Emails are a malware attack
of all email is spam
Internet Security Threat Report 2013 :: Volume 18 15

16. Thwarting Spam-borne Attacks: Defense
• Human Intelligence regarding active and anticipated attack campaigns, targeted
Security Intelligence attacks, and emerging threats
Email & Web Gateway Filtering • Scan and monitor inbound/outbound email and web traffic and block accordingly
• Detect and block new and unknown threats based on global reputation
Advanced Reputation Security and ranking
• Use more than just AV – use full functionality of endpoint protection including
Layered Endpoint Protection heuristics, reputation-based, behavior-based and other technologies
• Restrict removable devices and turn off auto-run to prevent malware infection
Holistic Network Monitoring • Monitor globally for network intrusions, propagation attempts and other
suspicious traffic patterns, including using reputation-based technologies
& Layered Defenses • Network protection is more than just blacklisting
• Ensure employees become the first line of defense against socially engineered
Security Awareness Training attacks, such as phishing, spear phishing, and other types of attacks
Internet Security Threat Report 2013 :: Volume 18 16

17. VULNERABILITIES
Internet Security Threat Report 2013 :: Volume 18 17

18. Zero-Day Vulnerabilities
16
14 15
14 14
12 13 Total Volume
12
Stuxnet
10
Elderwood
8 9
8
6
2
4
4 4
3
2
0
2006 2007 2008 2009 2010 2011 2012
One group can significantly affect yearly numbers
Elderwood Gang drove the rise in zero-day vulnerabilities
Internet Security Threat Report 2013 :: Volume 18 18

19. All Vulnerabilities
7,000
6,000 6,253
5,562
5,000 5,291
4,842 4,989
4,644 4,814
4,000
3,000
2,000
1,000
0
2006 2007 2008 2009 2010 2011 2012
No significant rise or fall in discovery of new vulnerabilities in last 6 years
Internet Security Threat Report 2013 :: Volume 18 19

20. 30% Increase
in web attacks blocked…
247,350
190,370
2011 2012
Internet Security Threat Report 2013 :: Volume 18 20

21. Our Websites are Being Used Against Us
53%
61% of legitimate websites have
unpatched vulnerabilities
of web sites serving
malware are legitimate sites
25%
have critical vulnerabilities
unpatched
Internet Security Threat Report 2013 :: Volume 18 21

22. Our Websites are Being Used Against Us
In 2012,
one threat infected more than
1 million websites
Its payload was FakeAV
The next time it’s likely to be ransomware
Internet Security Threat Report 2013 :: Volume 18 22

23. Internet Security Threat Report 2013 :: Volume 18 23

24. Internet Security Threat Report 2013 :: Volume 18 24

25. Ransomware
Number of criminal gangs Estimated amount extorted
involved in this cybercrime from victims in 2012
Average number of attacks seen from
one threat in 18 day period
Internet Security Threat Report 2013 :: Volume 18 25

26. Protecting Against Vulnerabilities: Defense
Vulnerability • Routine, frequent vulnerability assessments and penetrations tests to identify
vulnerabilities in applications, systems, and mobile devices
Management Program • Formal process for addressing identified vulnerabilities
Configuration & Patch • Ensure all operating system and application patches are evaluated and deployed in
a timely manner
Management Program • Ensure adherence to formal, secure configuration standards
• Leverage application virtualization technologies to reduce risk when legacy web
Application Virtualization browsers and older versions of 3rd party applications like JAVA or Adobe Reader
must be used for compatibility reasons
Advanced Reputation Security • Detect and block new and unknown threats based on global reputation and ranking
• Use more than just AV – use full functionality of endpoint protection including
Layered Endpoint Protection heuristics, reputation-based, behavior-based and other technologies
• Restrict removable devices and turn off auto-run to prevent malware infection
• Monitor globally for network intrusions, propagation attempts and other
Layered Network Protection suspicious traffic patterns, including using reputation-based technologies
• Network protection is more than just blacklisting
Internet Security Threat Report 2013 :: Volume 18 26

27. MOBILE TRENDS
Internet Security Threat Report 2013 :: Volume 18 27

28. Android Malware Growth
200 5,000
180 4,500
160 4,000
140 3,500
120 3,000
100 2,500
80 2,000
60 1,500
40 1,000
20 500
0 0
Jan Apr Jul Oct Jan Apr Jul Oct
'11 '12
Cumulative Android Families 2011-2012
Cumulative Android Variants 2011-2012
Internet Security Threat Report 2013 :: Volume 18 28

29. Vulnerabilities & Mobile Malware
Platform Vulnerabilities Device Type # of Threats
Apple iOS 387 Apple iOS Malware 1
Android 13 Android Malware 103
Blackberry 13 Symbian Malware 3
Windows Mobile 2 Windows Malware 1
Today there is no significant link between mobile OS
vulnerabilities and exploitation by malware
In the future that may change
Internet Security Threat Report 2013 :: Volume 18 29

30. What Does Mobile Malware Do?
Mobile Threats by Type
Steal Information 32%
Traditional Threats 25%
Track User 15%
Send Content 13%
Adware/Annoyance 8%
Reconfigure device 8%
0% 5% 10% 15% 20% 25% 30% 35%
Internet Security Threat Report 2013 :: Volume 18 30

31. Information Stealing Malware
Android.Sumzand
1. User received email with link to
download app
2. Steals contact information
3. Harvested email addressed used
to spam threat to others
Internet Security Threat Report 2013 :: Volume 18 31

32. Mitigating Mobile Threats
• Remotely wipe devices in case of theft or loss
Device Management • Update devices with applications as needed without physical access
• Get visibility and control of devices, users and applications
• Guard mobile device against malware and spam
Device Security • Prevent the device from becoming a vulnerability
• Enforce compliance across organization, including security standards & passwords
• Identify confidential data on mobile devices and use technologies to prevent
future exposure
Content Security • Protect data from moving between applications
• Encrypt mobile devices to prevent lost devices from turning into lost
confidential data
• Provide strong authentication and authorization for access to enterprise
Identity and Access applications and resources
• Ensure safe access to enterprise resources from right devices with right postures
Mobile Application • Use application management capabilities to protect sensitive data in BYOD
scenarios or where full MDM capabilities are undesirable
Management
Internet Security Threat Report 2013 :: Volume 18 32

33. MAC MALWARE
Internet Security Threat Report 2013 :: Volume 18 33

34. Mac Malware Trend
10 new Mac families
of malware in 2012
6
4
3 3
1
2007 2008 2009 2010 2011 2012
Internet Security Threat Report 2013 :: Volume 18 34

35. Mac Malware
Only 2.5%
of threats found on
Macs are Mac
malware
Internet Security Threat Report 2013 :: Volume 18 35

36. Flashback
But in 2012
1 Mac Threat
infected 600,000
machines
Internet Security Threat Report 2013 :: Volume 18 36

37. Thwarting Mac Attacks: Defense
Layered Endpoint Protection • Use robust endpoint protection on your Macs – they are not immune to malware
• Monitor globally for network intrusions, propagation attempts and other
Layered Network Protection suspicious traffic patterns, including using reputation-based technologies
• Network protection is more than just blacklisting
• Ensure employees become the first line of defense against socially engineered
Security Awareness Training attacks, such as phishing, spear phishing, and other types of attacks
Configuration & Patch • Ensure all operating system and application patches are evaluated and deployed in
a timely manner
Management Program • Ensure adherence to formal, secure configuration standards
Internet Security Threat Report 2013 :: Volume 18 37

38. Stay Informed
symantec.com/threatreport
Security Response
Website
Twitter.com/threatintel
Internet Security Threat Report 2013 :: Volume 18 38

39. Thank you!
INSERT PRESENTER INFORMATION HERE
Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be trademarks of their respective owners. 04/13 21284433
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,
are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Internet Security Threat Report 2013 :: Volume 18 39