IBM X-Force Threat Intelligence Index
April 2017
Limor Kessem, Executive Security Advisor
Michelle Alvarez, Threat Research, IBM Security
2 IBM Security
Key Trends from 2016
• Unprecedented leaks of comprehensive data sets
• Tried and true methods stock the successful attacker’s arsenal
• The average security client experienced fewer attacks
• The continued need for focus on security fundamentals
An unprecedented amount of records and unstructured data leaked around the globe in 2016
• 2014: 1,000,000,000 records breached, while CISOs cite increasing risks from external threats
• 2015: Healthcare mega-breaches set the trend for high value targets of sensitive information
• 2016: Larger than life breaches as over four billion records and entire digital footprints of many companies were exposed
Source: IBM X-Force Threat Intelligence Index - 2017
In addition to PII, much larger caches of unstructured data were also exposed in 2016.
Despite a slight rise in security events for monitored security clients in 2016, average attacks were down.
2016 Monitored Security Client Statistics:
• Security events: 54M, up 3%
• Attacks: 1,019, down 12%
• Incidents: 93, down 48%
Notable Attack Vectors
Spam email volume grew fourfold, with nearly half of spam containing malicious attachments.
Record vulnerability disclosures topped 10,000, with new discoveries up across all classes of software.
The top attack vectors for monitored security clients used malicious input data, like SQLi or CMDi, or system data structure manipulation.
Industry Trends
Information and communications led the pack in most successfully breached companies.
Financial Services
• The Financial Services sector moved from the 3rd most-attacked industry in 2015 to the most-attacked industry in 2016.
• SQLi and OS CMDi attacks accounted for almost half of all FSS attacks.
• The large portion of Inadvertent Actors may mean this industry has a greater susceptibility to phishing attacks.
Insider vs outsiders: malicious insider 5%, inadvertent actor 53%, outsiders 42%.
To learn more, check out the “Focusing on financial institutions” paper from IBM X-Force.
Information & Communications
• Information and Communications jumped to the 2nd most-attacked industry in 2016.
• The number one mechanism of attack in this industry was “Manipulate Data Structures”, such as buffer overflow conditions.
• After injection attacks, the third most common attack class was the “Indicator” category, largely due to attempted connections from Tor exit nodes, which could be attackers disguising their originating location.
• The overwhelming attacks from Outsiders are indicative of the data-rich targets in this industry, which comprised 23% of the breaches but over 80% of the total records exposed in 2016.
Insider vs outsiders: malicious insider 1%, inadvertent actor 3%, outsiders 96%.
To learn more, check out the “Indicators of Compromise” paper from IBM X-Force.
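The defender-side check behind that “Indicator” category, as an added example that is not part of the deck or IBM's tooling: connection log lines are matched against a list of known Tor exit-node addresses and the hits are tallied per source. The exit-node addresses, the log lines and their "timestamp action src dst port" format are all constructed for this demo; in practice the list would come from the Tor Project's published exit-address data and the log format from your firewall.

```python
"""Flag connection attempts whose source address is a known Tor exit node.

Added example, not IBM's code. Exit-node list, log lines and the log
format are constructed for the demo; a real list would be pulled from the
Tor Project's published exit-address data.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample exit-node list (documentation-range addresses, not real relays).
TOR_EXIT_NODES = [
    "198.51.100.7",
    "203.0.113.42",
    "192.0.2.200",
]

# Constructed log lines in a hypothetical "timestamp action src dst port" format.
SAMPLE_LOG = """\
2016-11-03T08:12:01Z ALLOW 198.51.100.7 10.0.5.20 443
2016-11-03T08:12:05Z ALLOW 10.0.9.14 10.0.5.20 443
2016-11-03T08:13:40Z DENY 203.0.113.42 10.0.5.21 22
2016-11-03T08:14:02Z ALLOW 198.51.100.7 10.0.5.20 443
2016-11-03T08:15:55Z ALLOW 192.0.2.200 10.0.5.22 8080
malformed line that should be skipped
2016-11-03T08:16:10Z ALLOW 10.0.9.15 10.0.5.20 443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None if the line does not
    match the format or its source address is not a valid IP address."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = str(ipaddress.ip_address(m.group("src")))  # normalises the address text
    except ValueError:
        return None
    return {"ts": m.group("ts"), "action": m.group("action"),
            "src": src, "dst": m.group("dst"), "port": int(m.group("port"))}


def load_exit_nodes(entries):
    """Normalise exit-node address strings into a set, dropping invalid entries
    so one bad line in a downloaded list does not break the whole check."""
    nodes = set()
    for entry in entries:
        try:
            nodes.add(str(ipaddress.ip_address(entry.strip())))
        except ValueError:
            continue
    return nodes


def find_tor_connections(log_text, exit_nodes):
    """Return (hits, per_source): hits are the parsed events whose source is a
    known exit node; per_source counts those hits by source address."""
    nodes = load_exit_nodes(exit_nodes)
    hits = [ev for ev in map(parse_line, log_text.splitlines())
            if ev is not None and ev["src"] in nodes]
    return hits, Counter(ev["src"] for ev in hits)


def summarize(log_text, exit_nodes):
    """Compact summary for a report: total hits, how many were allowed through,
    and the per-source counts."""
    hits, per_source = find_tor_connections(log_text, exit_nodes)
    allowed = sum(1 for ev in hits if ev["action"] == "ALLOW")
    return {"total": len(hits), "allowed": allowed, "sources": dict(per_source)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, TOR_EXIT_NODES))
```

Allowed hits are the ones worth triaging first; denied ones still show which assets are being probed through Tor.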
Manufacturing
• Manufacturing kept its position among the most attacked industries as the 3rd most-attacked industry in 2016.
• SQL Injection accounted for 71% of the attacks on monitored security manufacturing clients.
• The overwhelming attacks from Outsiders in Manufacturing stem from perceptions that many systems within the sector are weak by design as a result of a failure to be held to compliance standards.
Insider vs outsiders: malicious insider 4%, inadvertent actor 5%, outsiders 91%.
To learn more, check out the “Cyber spies target manufacturers” paper from IBM X-Force.
Retail
• Retail rose to the 4th most-attacked industry in 2016.
• SQLi and CMDi, which accounted for 50% of the attacks, are used to target the large amount of financial records and other PII such as credit card and Social Security numbers.
• The overwhelming attacks from Outsiders in Retail stem from the data-rich troves of PII owned by companies in these industries.
Insider vs outsiders: malicious insider 2%, inadvertent actor 7%, outsiders 91%.
To learn more, check out the “Security Trends in Retail” paper from IBM X-Force.
Healthcare
• Healthcare dropped to the 5th most-attacked industry in 2016.
• SQLi and CMDi, which accounted for almost half of the attacks, are used to target the large amount of personal health records.
• The large portion of attacks from Inadvertent Actors can be attributed to situations when a desktop client is compromised via malicious email attachments, clickjacking, phishing or vulnerable computer services that have been attacked from another internal networked system.
Insider vs outsiders: malicious insider 25%, inadvertent actor 46%, outsiders 29%.
To learn more, check out the “Security Trends in Healthcare” paper from IBM X-Force.
Cybercrime Trends
Globally, cybercriminals pursued targets with proven returns in 2016 while exploring new geographies.
Most prevalent financial malware families, global, 2016: Zeus 28%, Neverquest 17%, Gozi 16%, Dridex 11%, Ramnit 9%, GozNym 7%, Tinba 6%, Gootkit 3%, Qadars 2%, Rovnix 1%.
Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017
Attackers are engaging more methodical distribution methods for malware campaigns
• Less mass-blasting of spam
• Use of lower-end opportunistic malware like ransomware, IoT bots, and keyloggers
• Employing anti-security features to avoid detection
• Creating minimal campaigns in a single country with smaller target lists of companies
Cybercriminals are sharpening their focus on business accounts
• Organized gangs lean toward business targets because they can steal more money at a time than with consumer accounts.
• Gangs are also more likely to have the necessary resources at their disposal to steal larger amounts of money, such as:
  – Fraudsters with reconnaissance experience to plan out the scenario.
  – Funding to hire professional criminal call centers to support the fraud process and manipulate the victim.
  – Straw companies and straw men to funnel, cash out, and launder millions in stolen funds.
Chart: portion of business account targets for Dridex, GozNym and TrickBot (values shown: 50%, 52%, 42%).
Commercial malware is making a comeback
• Android overlay malware replaced banking Trojans as the “banking malware” commodity in open and semi-open forums on the cybercrime underground.
• Ransomware and ransomware-as-a-service offerings are low-cost money makers for gangs that wish to make a minimal up-front investment.
• New malware variants built on the Zeus v2 source code, leaked in 2011, kept Zeus at the top of the list of prolific malware.
• A new developer arose in an attempt to sell the brand new banking Trojan NukeBot in the underground.
Figure: Ransom32, a Ransomware as a Service offering
In 2016, cybercriminals mimicked traditional organized crime by diversifying illicit profit sources.
• The Dridex banking Trojan partnered with Locky ransomware.
• The ransomware dropper Nymaim had a Gozi banking Trojan module embedded, creating a new two-headed beast: GozNym.
Asia continued to attract organized cybercrime groups in 2016
Japan
• The scarcity of attack tools in its complex language kept Japan isolated until late 2015, when the Shifu Trojan emerged, laying the foundation for further attacks.
• Most active financial malware in Japan, per attack volume, includes:
1. Gozi
2. URLZone
3. Rovnix
4. Shifu
Australia / New Zealand
• Australia ranked 4th in 2016 among countries most targeted by banking Trojan attacks, following the UK, the US and Canada.
• Most active financial malware in AUS/NZ includes:
1. Ramnit
2. Gozi
3. Dridex
4. TrickBot
In North America, the US remained a top target and Canada became a bigger target in 2016, while
Chart: Gozi and Ramnit activity in Canada, 2016 (monthly, Jan to Dec)
Most prevalent financial malware families, US, 2016: Gozi 21%, GozNym 20%, Neverquest 17%, Zeus varieties 9%, Dridex 9%, Tinba 8%, GootKit 7%, Kronos 6%, Ramnit 2%, URLZone 1%, TrickBot 1%.
In Europe, the UK and Germany remained at the top of the target list for cybercriminals
Most prevalent financial malware families, UK, 2016: Neverquest 46%, Kronos 16%, GootKit 8%, Tinba 8%, Gozi 5%, Dridex 4%, Zeus 3%, Ramnit 3%, URLZone 2%, Shifu 2%, GozNym 1%, others 2%.
Germany saw the emergence of two sophisticated gangs operating GozNym and Trickbot. Both emerged in Germany shortly after their global debut.
Growing sophistication changed the malware landscape in Brazil
October of 2016 saw a notably sophisticated twist on the old phishing attack kit: live, interactive phishing attacks.
1. The attack takes place over a web session between attacker and victim, on a website that mimics the look and feel of the original bank’s site.
2. The attacker uses Ajax-powered screens to switch up the messages victims see, asking for critical identification and transaction authorization elements.
3. The flow of events is controlled from a web-based admin interface, where the attacker automates the screens shown to the victim, also allowing personalization.
Other key trends:
• Zeus moved into Brazil in time for a large international sporting event in the summer.
• New malcode was discovered in the wild, including a proper AV-disabling loader in driver form.
• New cryptographic ransomware variants targeted businesses, including hospitals.
Many of the incidents we’ve seen could be avoided with a focus on security basics
• Instrument your environment with effective detection.
• Keep up with threat intelligence.
• Maintain a current and accurate asset inventory.
• Maintain identity governance to audit and enforce access rules & permissions.
• Have a patching solution that covers your entire infrastructure.
• Create and practice a broad incident response plan.
• Implement mitigating controls.
THANK YOU
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

More Related Content

What's hot

Cybercriminals and security attacks
Cybercriminals and security attacksCybercriminals and security attacks
Cybercriminals and security attacksGFI Software
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6seadeloitte
 
August 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber AttackerAugust 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber Attackerseadeloitte
 
Breach level index_report_2017_gemalto
Breach level index_report_2017_gemaltoBreach level index_report_2017_gemalto
Breach level index_report_2017_gemaltoJonas Mercier
 
June 2017 - Your Biggest Risk Could Be You
June 2017 - Your Biggest Risk Could Be YouJune 2017 - Your Biggest Risk Could Be You
June 2017 - Your Biggest Risk Could Be Youseadeloitte
 
IBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence IndexIBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence IndexAndreanne Clarke
 
Beza belayneh information_warfare_brief
Beza belayneh information_warfare_briefBeza belayneh information_warfare_brief
Beza belayneh information_warfare_briefBeza Belayneh
 
Whitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_enWhitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_enBankir_Ru
 
September 2019 part 9
September 2019 part 9September 2019 part 9
September 2019 part 9seadeloitte
 
6 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 20196 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 2019BluePayProcessing
 
2017 october supplementary_reading
2017 october supplementary_reading2017 october supplementary_reading
2017 october supplementary_readingseadeloitte
 
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Kim Jensen
 
Istr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecIstr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecSoluciona Facil
 
The Web Hacking Incidents Database Annual
The Web Hacking Incidents Database AnnualThe Web Hacking Incidents Database Annual
The Web Hacking Incidents Database Annualguest376352
 
Kaspersky lab financial_cyberthreats_in_2017
Kaspersky lab financial_cyberthreats_in_2017Kaspersky lab financial_cyberthreats_in_2017
Kaspersky lab financial_cyberthreats_in_2017malvvv
 
Ce hv8 module 13 hacking web applications
Ce hv8 module 13 hacking web applications Ce hv8 module 13 hacking web applications
Ce hv8 module 13 hacking web applications Mehrdad Jingoism
 
Cyber Security for Energy & Utilities Special Editorial Edition
Cyber Security for Energy & Utilities Special Editorial Edition Cyber Security for Energy & Utilities Special Editorial Edition
Cyber Security for Energy & Utilities Special Editorial Edition Mohamed N. El-Guindy
 
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017SurfWatch Labs
 
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...Symantec
 

What's hot (20)

Cybercriminals and security attacks
Cybercriminals and security attacksCybercriminals and security attacks
Cybercriminals and security attacks
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
 
August 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber AttackerAugust 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber Attacker
 
Breach level index_report_2017_gemalto
Breach level index_report_2017_gemaltoBreach level index_report_2017_gemalto
Breach level index_report_2017_gemalto
 
June 2017 - Your Biggest Risk Could Be You
June 2017 - Your Biggest Risk Could Be YouJune 2017 - Your Biggest Risk Could Be You
June 2017 - Your Biggest Risk Could Be You
 
IBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence IndexIBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence Index
 
Beza belayneh information_warfare_brief
Beza belayneh information_warfare_briefBeza belayneh information_warfare_brief
Beza belayneh information_warfare_brief
 
Whitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_enWhitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_en
 
September 2019 part 9
September 2019 part 9September 2019 part 9
September 2019 part 9
 
6 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 20196 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 2019
 
2017 october supplementary_reading
2017 october supplementary_reading2017 october supplementary_reading
2017 october supplementary_reading
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutions
 
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009
 
Istr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantecIstr number 23 internet security threat repor 2018 symantec
Istr number 23 internet security threat repor 2018 symantec
 
The Web Hacking Incidents Database Annual
The Web Hacking Incidents Database AnnualThe Web Hacking Incidents Database Annual
The Web Hacking Incidents Database Annual
 
Kaspersky lab financial_cyberthreats_in_2017
Kaspersky lab financial_cyberthreats_in_2017Kaspersky lab financial_cyberthreats_in_2017
Kaspersky lab financial_cyberthreats_in_2017
 
Ce hv8 module 13 hacking web applications
Ce hv8 module 13 hacking web applications Ce hv8 module 13 hacking web applications
Ce hv8 module 13 hacking web applications
 
Cyber Security for Energy & Utilities Special Editorial Edition
Cyber Security for Energy & Utilities Special Editorial Edition Cyber Security for Energy & Utilities Special Editorial Edition
Cyber Security for Energy & Utilities Special Editorial Edition
 
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
 
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
 

Similar to Supersized Security Threats – Can You Stop 2016 from Repeating?

IBM X-Force Threat Intelligence
IBM X-Force Threat Intelligence IBM X-Force Threat Intelligence
IBM X-Force Threat Intelligence Rod Delwar
 
Security Trends in the Retail Industry
Security Trends in the Retail IndustrySecurity Trends in the Retail Industry
Security Trends in the Retail IndustryIBM Security
 
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...Invincea, Inc.
 
Key Findings from the 2015 IBM Cyber Security Intelligence Index
Key Findings from the 2015 IBM Cyber Security Intelligence IndexKey Findings from the 2015 IBM Cyber Security Intelligence Index
Key Findings from the 2015 IBM Cyber Security Intelligence IndexIBM Security
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security VulnerabilitiesSiemplify
 
The State of Data Security
The State of Data SecurityThe State of Data Security
The State of Data SecurityRazor Technology
 
Forrester no more chewy centers- the zero trust model
Forrester   no more chewy centers- the zero trust modelForrester   no more chewy centers- the zero trust model
Forrester no more chewy centers- the zero trust modelCristian Garcia G.
 
Cyber Security Planning 101
Cyber Security Planning 101Cyber Security Planning 101
Cyber Security Planning 101Welch LLP
 
proofpoint-blindspots-visibility-white-paper
proofpoint-blindspots-visibility-white-paperproofpoint-blindspots-visibility-white-paper
proofpoint-blindspots-visibility-white-paperKen Spencer Brown
 
5 Cybersecurity threats in Public Sector
5 Cybersecurity threats in Public Sector5 Cybersecurity threats in Public Sector
5 Cybersecurity threats in Public SectorSeqrite
 
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018Panda Security
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSRandall Chase
 
Strategies to Combat New, Innovative Cyber Threats - 2017
Strategies to Combat New, Innovative Cyber Threats - 2017Strategies to Combat New, Innovative Cyber Threats - 2017
Strategies to Combat New, Innovative Cyber Threats - 2017PaladionNetworks01
 
The IBM X-Force 2016 Cyber Security Intelligence Index
The IBM X-Force 2016 Cyber Security Intelligence IndexThe IBM X-Force 2016 Cyber Security Intelligence Index
The IBM X-Force 2016 Cyber Security Intelligence IndexKanishka Ramyar
 
Insider threats
Insider threatsInsider threats
Insider threatsizoologic
 
Dell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookDell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookMargarete McGrath
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSantiago Cavanna
 
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidAECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidPhil Agcaoili
 

Similar to Supersized Security Threats – Can You Stop 2016 from Repeating? (20)

IBM X-Force Threat Intelligence
IBM X-Force Threat Intelligence IBM X-Force Threat Intelligence
IBM X-Force Threat Intelligence
 
Security Trends in the Retail Industry
Security Trends in the Retail IndustrySecurity Trends in the Retail Industry
Security Trends in the Retail Industry
 
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
 
Key Findings from the 2015 IBM Cyber Security Intelligence Index
Key Findings from the 2015 IBM Cyber Security Intelligence IndexKey Findings from the 2015 IBM Cyber Security Intelligence Index
Key Findings from the 2015 IBM Cyber Security Intelligence Index
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security Vulnerabilities
 
The State of Data Security
The State of Data SecurityThe State of Data Security
The State of Data Security
 
Forrester no more chewy centers- the zero trust model
Forrester   no more chewy centers- the zero trust modelForrester   no more chewy centers- the zero trust model
Forrester no more chewy centers- the zero trust model
 
Cyber Security Planning 101
Cyber Security Planning 101Cyber Security Planning 101
Cyber Security Planning 101
 
proofpoint-blindspots-visibility-white-paper
proofpoint-blindspots-visibility-white-paperproofpoint-blindspots-visibility-white-paper
proofpoint-blindspots-visibility-white-paper
 
5 Cybersecurity threats in Public Sector
5 Cybersecurity threats in Public Sector5 Cybersecurity threats in Public Sector
5 Cybersecurity threats in Public Sector
 
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
 
Estado del ransomware en 2020
Estado del ransomware en 2020Estado del ransomware en 2020
Estado del ransomware en 2020
 
Strategies to Combat New, Innovative Cyber Threats - 2017
Strategies to Combat New, Innovative Cyber Threats - 2017Strategies to Combat New, Innovative Cyber Threats - 2017
Strategies to Combat New, Innovative Cyber Threats - 2017
 
The IBM X-Force 2016 Cyber Security Intelligence Index
The IBM X-Force 2016 Cyber Security Intelligence IndexThe IBM X-Force 2016 Cyber Security Intelligence Index
The IBM X-Force 2016 Cyber Security Intelligence Index
 
Insider threats
Insider threatsInsider threats
Insider threats
 
Dell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbookDell Technologies Cyber Security playbook
Dell Technologies Cyber Security playbook
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago Cavanna
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomCritical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the Boardroom
 
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidAECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Supersized Security Threats – Can You Stop 2016 from Repeating?

  • 1. IBM X-Force Threat Intelligence Index Limor Kessem April 2017 Executive Security Advisor Michelle Alvarez Threat Research, IBM Security
  • 2. 2 IBM Security Key Trends from 2016 Unprecedented leaks of comprehensive data sets Tried and true methods stock the successful attacker’s arsenal The average security client experienced fewer attacks The continued need for focus on security fundamentals
  • 3. 3 IBM Security An unprecedented amount of records and unstructured data leaked around the globe in 2016 2014 1,000,000,000 records breached, while CISOs cite increasing risks from external threats 2015 Healthcare mega-breaches set the trend for high value targets of sensitive information Source: IBM X-Force Threat Intelligence Index - 2017 2016 Larger than life breaches as over four billion records and entire digital footprints of many companies were exposed
  • 4. 4 IBM Security Source: IBM X-Force Threat Intelligence Index - 2017 In addition to PII, much larger caches of unstructured data were also exposed in 2016.
  • 5. 5 IBM Security Despite a slight rise in security events for monitored security clients in 2016, average attacks were down. 54M Security events up 3% Attacks down 12% 1,019 Incidents down 48% 93 2016 Monitored Security Client Statistics Source: IBM X-Force Threat Intelligence Index - 2017
  • 7. 7 IBM Security Spam email volume grew fourfold, with nearly half of spam containing malicious attachments Source: IBM X-Force Threat Intelligence Index - 2017
  • 8. 8 IBM Security Record vulnerabilities disclosures topped 10,000, with new discoveries up across all classes of software. Source: IBM X-Force Threat Intelligence Index - 2017
  • 9. 9 IBM Security The top attack vectors for monitored security clients used malicious input data, like SQLi or CMDi, or system data structure manipulation. Source: IBM X-Force Threat Intelligence Index - 2017
  • 11. 11 IBM Security Information and communications led the pack in most successfully breached companies Source: IBM X-Force Threat Intelligence Index - 2017
  • 12. 12 IBM Security Financial Services • Financial Services sector moved from the 3rd most-attacked industry in 2015 to the most-attacked industry in 2016. • SQLi and OS CMDi attacks accounted for almost half of all FSS attacks. • The large portion of Inadvertent Actors may mean this industry has a greater susceptibility to phishing attacks. Malicious Insider, 5% Inadvertent Actor, 53% Outsiders, 42% Insider vs Outsiders To learn more, check out the “Focusing on financial institutions” paper from IBM X-Force. Source: IBM X-Force Threat Intelligence Index - 2017
  • 13. 13 IBM Security Information & Communications • Information and Communications jumped to the 2nd most-attacked industry in 2016. • The number one mechanism of attack in this industry was “Manipulate Data Structures”, like buffer overflow conditions. • After Injection attacks, the third most common attack class was the “Indicator” category, largely due to attempted connections from Tor exit nodes, which could be attackers disguising their originating location. • The overwhelming attacks from Outsiders are indicative of the data-rich targets in this industry, and comprised 23% of the breaches, but over 80% of the total records exposed in 2016. Malicious Insider, 1% Inadvertent Actor, 3% Outsiders, 96% Insider vs Outsiders To learn more, check out the “Indicators of Compromise” paper from IBM X-Force. Source: IBM X-Force Threat Intelligence Index - 2017
  • 14. 14 IBM Security Manufacturing • Manufacturing kept its position among the most attacked industries as the 3rd most-attacked industry in 2016. • SQL Injection accounted for 71% of the attacks on monitored security manufacturing clients. • The overwhelming attacks from Outsiders in Manufacturing stem from perceptions that many systems within the sector are weak by design as a result of a failure to be held to compliance standards. Malicious Insider, 4% Inadvertent Actor, 5% Outsiders, 91% Insider vs Outsiders To learn more, check out the “Cyber spies target manufacturers” paper from IBM X-Force. Source: IBM X-Force Threat Intelligence Index - 2017
  • 15. 15 IBM Security Retail • Retail rose to the 4th most-attacked industry in 2016. • SQLi and CMDi, which accounted for 50% of the attacks, are used to target the large amount of financial records and other PII such as credit card and Social Security numbers. • The overwhelming attacks from Outsiders in Retail stem from the data-rich troves of PII owned by companies in this industry. Malicious Insider, 2% Inadvertent Actor, 7% Outsiders, 91% Insider vs Outsiders To learn more, check out the “Security Trends in Retail” paper from IBM X-Force. Source: IBM X-Force Threat Intelligence Index - 2017
  • 16. 16 IBM Security Healthcare • Healthcare dropped to the 5th most-attacked industry in 2016. • SQLi and CMDi, which accounted for almost half of the attacks, are used to target the large amount of personal health records. • The large portion of attacks from Inadvertent Actors can be attributed to situations when a desktop client is compromised via malicious email attachments, clickjacking, phishing or vulnerable computer services that have been attacked from another internal networked system. Malicious Insider, 25% Inadvertent Actor, 46% Outsiders, 29% Insider vs Outsiders To learn more, check out the “Security Trends in Healthcare” paper from IBM X-Force. Source: IBM X-Force Threat Intelligence Index - 2017
  • 18. 18 IBM Security Globally, cybercriminals pursued targets with proven returns in 2016 while exploring new geographies. Zeus, 28% Neverquest, 17% Gozi, 16% Dridex, 11% Ramnit, 9% GozNym, 7% Tinba, 6% Gootkit, 3% Qadars, 2% Rovnix, 1% Most prevalent financial malware families Global, 2016 Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017
  • 19. 19 IBM Security Attackers are engaging more methodical distribution methods for malware campaigns • Less mass-blasting of spam • Use of lower-end opportunistic malware like ransomware, IoT bots, and keyloggers • Employ anti-security features to avoid detection • Create minimal campaigns in a single country with a smaller target lists of companies
  • 20. 20 IBM Security Cybercriminals are sharpening their focus on business accounts • Organized gangs lean toward business targets because they can steal more money at a time than with consumer accounts • Gangs are also more likely to have necessary resources at their disposal to steal larger amounts of money, such as: - Fraudsters with reconnaissance experience to plan out the scenario. - Funding to hire professional criminal call centers to support the fraud process and manipulate the victim. - Straw companies and straw men to funnel, cash out, and launder millions in stolen funds. 50% 52% 42% Dridex GozNym TrickBot Portion of Business Account Targets Source: IBM X-Force Threat Intelligence Index - 2017
  • 21. 21 IBM Security Commercial malware is making a comeback • Android overlay malware replaced banking Trojans as the “banking malware” commodity in open and semi-open forums on the cybercrime underground. • Ransomware and ransomware-as-a-service offerings are low-cost money makers for gangs that wish to make a minimal up-front investment. • New malware variants built on the Zeus v2 source code, leaked in 2011, kept Zeus at the top of the list of prolific malware. • A new developer arose in an attempt to sell brand new banking Trojan NukeBot in the underground. Ransom32, a Ransomware as a Service offering
  • 22. 22 IBM Security In 2016, cybercriminals mimicked traditional organized crime by diversifying illicit profit sources. • Dridex banking Trojan partnered with Locky ransomware. • Ransomware dropper Nymaim had a Gozi banking Trojan module embedded, creating a new two-headed beast: GozNym.
  • 23. 23 IBM Security Asia continued to attract organized cybercrime groups in 2016 Japan • The scarcity of attack tools in its complex language kept Japan isolated until late 2015 when the Shifu Trojan emerged, laying the foundation for further attacks. • Most active financial malware in Japan, per attack volume, includes: 1. Gozi 2. URLZone 3. Rovnix 4. Shifu Australia / New Zealand • Australia ranks 4th in 2016 among countries most targeted by banking Trojan attacks, following the UK, the US and Canada. • Most active financial malware in AUS/NZ includes: 1. Ramnit 2. Gozi 3. Dridex 4. TrickBot Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017
  • 24. 24 IBM Security In North America, the US remained a top target and Canada became a bigger target in 2016, while Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017 [Chart: Gozi and Ramnit Activity in Canada - 2016, monthly attack volume Jan-Dec, series: Gozi, Ramnit] Gozi, 21% GozNym, 20% Neverquest, 17% Zeus varieties, 9% Dridex, 9% Tinba, 8% GootKit, 7% Kronos, 6% Ramnit, 2% URLZone, 1% TrickBot, 1% Most prevalent financial malware families US, 2016
  • 25. 25 IBM Security In Europe, the UK and Germany remained at the top of the target list for cybercriminals Neverquest, 46% Kronos, 16% GootKit, 8% Tinba, 8% Gozi, 5% Dridex, 4% Zeus, 3% Ramnit, 3% URLZone, 2% Shifu, 2% GozNym, 1% Others, 2% Most prevalent financial malware families UK, 2016 Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017 Germany saw the emergence of two sophisticated gangs operating GozNym and Trickbot. Both emerged in Germany shortly after their global debut.
  • 26. 26 IBM Security Growing sophistication changed the malware landscape in Brazil October of 2016 saw a notably sophisticated twist on the old phishing attack kit: live, interactive phishing attacks 1. The attack takes place over a web session between attacker and victim, on a website that mimics the look and feel of the original bank’s site. 2. The attacker uses Ajax-powered screens to switch up the messages victims see, asking for critical identification and transaction authorization elements. 3. The flow of events is controlled from a web-based admin interface, where the attacker automates the screens shown to the victim, also allowing personalization. Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017 Zeus moved into Brazil in time for a large international sporting event in the summer New malcode discovered in the wild, including a proper AV-disabling loader in driver form New cryptographic ransomware variants targeted businesses, including hospitals Other key trends:
  • 27. 27 IBM Security Many of the incidents we’ve seen could be avoided with a focus on security basics Instrument your environment with effective detection. Keep up with threat intelligence. Maintain a current and accurate asset inventory. Maintain identity governance to audit and enforce access rules & permissions. Have a patching solution that covers your entire infrastructure. Create and practice a broad incident response plan. Implement mitigating controls.
  • 28. ibm.com/security securityintelligence.com xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. 
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. FOLLOW US ON: THANK YOU

Editor's Notes

  1. “Unprecedented leaks”: From a single leak of 1.4 billion records to gigabytes worth of a company’s entire digital footprint, the amount of leaked structured and unstructured data continues to expand around the globe “Tried and true”: Classic attack vectors like SQL injection and O/S command injection, the re-packaging of malware code, and even old school attacks like spam with malicious attachments continue to be used to target and wreak havoc on networks and data. “Fewer attacks don’t mean less danger”: If our average IBM monitored security client is any example, companies are experiencing fewer attacks (a 12% decrease for our monitored clients compared to 2015). HOWEVER, the reduction in attacks could mean attackers are relying more and more on proven attacks, thus requiring fewer attempts.
  2. Notes on 2016: 2016 saw world-changing leaks affecting the political landscape of multiple countries. The year 2016 was somewhat unusual, however, as several “historical hacks” from breaches occurring in earlier years surfaced publicly, with revelations that billions of previously unreleased records were being sold on the Dark Web. Large amounts of unstructured data like company emails and intellectual property were leaked, resulting in the exposure of gigabytes worth of data. New and troubling attack vectors led to high-volume hijacks resulting in extensive DDoS campaigns and weaponized IoT devices.
  3. In 2016, there were many notable examples of leaks involving hundreds of gigabytes of email archives, documents, intellectual property and source code, exposing companies’ complete digital footprints to the public
  4. In our monitored client environments, IBM® X-Force® saw that the average client organization experienced more than 54 million security events in 2016—only three percent more events than 2015. At the same time, client organizations monitored by X-Force experienced an average 12 percent decrease in attacks in 2016 compared to 2015 (1,019 attacks in 2016 compared to 1,157 attacks in 2015). Most notably, the average monitored client was found to have experienced 93 security incidents in 2016, down 48 percent from the 178 discovered in 2015.
  5. Among malicious attachments to spam, ransomware accounted for the vast majority—85 percent. Ransomware continues to be one of the most profitable forms of malware in terms of effort versus earnings. While these attacks were already established and profitable, the February 2016 case of a California hospital that paid a ransom of 40 Bitcoins (approximately USD17,000 at the time) to unlock encrypted files foreshadowed a renewed campaign of similar attacks against the healthcare industry in several countries. Given that disruptions of hospital operations can be both financially damaging and literally matters of life and death—exacerbated by outdated security processes and infrastructure—the healthcare sector became a lucrative worldwide target throughout the year.
  6. The X-Force vulnerability database has been tracking public disclosures of software vulnerabilities since 1997. In 2016, the 20th year of documenting these threats, X-Force recorded the highest single-year number in its history: 10,197 vulnerabilities. Web application vulnerability disclosures made up 22 percent of the total vulnerability disclosures in 2016. A large majority of those were cross-site scripting and SQLi vulnerabilities, which could be leveraged by attackers to target vulnerable systems.
  7. To assist in analyzing and describing threats to its monitored security clients, X-Force has grouped 2016 observed attack types according to the standard set by the MITRE Corporation’s CAPEC effort. This system, as described by MITRE, “organizes attack patterns hierarchically based on mechanisms that are frequently employed in exploiting a vulnerability.” The only exception is the “Indicator” category, which describes conditions and context of threats and attack patterns. According to the X-Force analysis of 2016 data, the number one attack vector targeting X-Force-monitored clients, at 42%, was using malicious input data to attempt to control or disrupt the target system. Command injection, which includes operating system command injection (OS CMDi) and SQLi, belongs in this category. OS CMDi is also known as “shell command injection,” for which the now infamous and widely prevalent Shellshock vulnerability is named. Shellshock activity surged across all industries before its two-year anniversary in September 2016 and made up just over one-third of all attacks targeting healthcare in 2016. In a publicly reported breach during the summer of 2016, a SQLi attack using the software vBulletin was used to steal millions of user records from gaming forums and other sites with large user bases. Even though a patch had been issued earlier, there were still many sites running older or unpatched versions, and it is often easy for attackers to scan the web for potential targets running this software. Manipulate data structures The number two attack vector, accounting for 32% of attacks, was the attempt to gain unauthorized access through the manipulation of system data structures. As CAPEC states, “Often, vulnerabilities [such as buffer overflow vulnerabilities], and therefore exploitability of these data structures, exist due to ambiguity and assumption in their design and prescribed handling.”
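The note above names SQLi and OS command injection as the top attack vector; both succeed for the same reason, attacker-supplied text being pasted into something that is later parsed (a SQL statement, a shell command line). The following is an added example, not code from the IBM X-Force report or from any product it describes. It puts the vulnerable construction beside the hardened one for each case, using an in-memory SQLite table and an `echo` command (both constructed for the demonstration), and shows the input-validation step that belongs in front of any command that takes user data. `HOSTNAME_RE` and `build_ping_argv` are assumptions of this example.

```python
import re
import sqlite3
import subprocess


def make_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_email_unsafe(conn, username):
    # Vulnerable: the value is pasted into the SQL text, so a quote inside it
    # ends the literal and the rest of the input is parsed as SQL.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    # Hardened: a bound parameter travels to the engine separately from the
    # statement text, so it is always compared as data, never parsed as SQL.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def echo_unsafe(text):
    # Vulnerable: shell=True hands the assembled string to /bin/sh, which
    # interprets metacharacters such as ; | $( ) in the user-supplied part.
    proc = subprocess.run("echo " + text, shell=True, capture_output=True, text=True)
    return proc.stdout


def echo_safe(text):
    # Hardened: an argv list with no shell makes the whole text one argument;
    # metacharacters reach the program as literal characters.
    proc = subprocess.run(["echo", text], shell=False, capture_output=True, text=True)
    return proc.stdout


# Allow-list for a hostname argument (assumption of this example): must start
# with an alphanumeric so the value cannot be mistaken for a command option.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_ping_argv(host):
    """Validate against the allow-list, then build (but do not run) an argv list."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("hostname contains characters outside the allow-list")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"           # the classic textbook SQLi input
    print("unsafe:", lookup_email_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_email_safe(db, probe))     # no user has that name
    cmd_probe = "hello; echo INJECTED"
    print("unsafe:", repr(echo_unsafe(cmd_probe)))    # second command ran
    print("safe:  ", repr(echo_safe(cmd_probe)))      # printed literally
    print(build_ping_argv("host.example"))
```

The parameterized query and the argv list are the fix; the allow-list is defence in depth for the cases where a value must eventually reach a shell or another interpreter. The `echo` calls assume a POSIX system with `/bin/sh`.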
  8. Breaking out publicly disclosed security events in 2016, X-Force sees that the industries experiencing the highest number of incidents and reported records breached were information and communication and government. It is worth noting, however, that the healthcare industry dropped out of the top five position, but continued to be beleaguered by a high number of incidents, although attackers focused on smaller targets resulting in a lower number of leaked records.
  9. According to figures compiled by IBM Managed Security Services, the financial services sector moved from the third most-attacked industry in 2015 (behind healthcare and manufacturing) to the first most-attacked in 2016, due primarily to a large rise in SQLi and OS CMDi attacks. In this year, these attacks alone were responsible for almost half of all attacks among the financial sector of IBM Managed Security Services customers. SQLi and OS CMDi are perhaps the most popular attack vectors within this sector because successful exploitation of these vulnerabilities provides attackers with the ability to read, modify and destroy sensitive data. And there’s a large amount of PII contained within the databases of financial institutions. In 2016, there was a notable rise in publicly reported Society for Worldwide Interbank Financial Telecommunication (SWIFT) attacks against the messaging system used by thousands of banks and companies to move money around the world. The result was that millions of US dollars were stolen and illegally transferred from various global banks using custom malware and SQLi attacks. In 2017, SQLi and OS CMDi are positioned to continue to be the primary methods of attacking data stores. The biggest risk to Financial Services is via the 3rd parties with which they engage, who may not have the same budgets or rigor for security defenses; these partners are frequently within the Information & Communications segment, who hold notable positions in both the most breached and most attacked industry list.
  10. The information and communications technology sector moved up into the top five attacked sectors, taking second place among monitored industries in 2016. IBM-monitored security client data shows the number one mechanism of attack in this industry was “Manipulate Data Structures.” Buffer overflow conditions, which fall under this attack category, were exploited in many of these attacks, which accounted for 51 percent of all attacks seen in this sector. SQLi and OS CMDi were the second most frequent attack types detected in this sector during 2016, accounting for 30 percent of the total attacks, confirming X-Force predictions that these attacks would not wane anytime in the near future. Ranking as the third most prevalent attack type targeting the information and communications technology sector was the “Indicator” category, which was due largely to attempted connections from Tor software exit nodes. Tor (an abbreviation of the original project name, “The Onion Router”) is designed to allow full anonymity to the end user. Although not all traffic coming from the Tor network is indicative of an attack, by using a Tor client, a cybercriminal can disguise the attack’s originating network location and its path to the target, making identification virtually impossible.
  11. In 2016, SQLi accounted for the majority of all attacks—more than 71%—in manufacturing. This industry is a tempting target, as many systems within the sector are perceived to be weak by design as a result of a failure to be held to compliance standards. The second most popular attack mechanism in manufacturing was “Abuse Existing Functionality,” which accounted for about 7% of all attacks detected. Many of these attacks involved flooding a target system with a large number of requests, to create a state of denial of service. “Collect and Analyze Information” was in position number three at 6%.
  12. The retail industry remains at risk from any threat that targets credit card or gift card data. Retailers maintain an extremely large amount of financial records and other personal information such as credit card and Social Security numbers, and SQLi and CMDi attacks are often used to steal this information. These attacks accounted for 50 percent of all attacks against the industry in 2016. Buffer manipulation and brute force attacks took second and third place during 2016, and collectively represent 28% of the total attacks on retailers. One notable publicly disclosed breach against a retailer occurred late in the year, when attackers targeted accounts at a UK food delivery service by brute forcing logins with authentication details gleaned from other public data breaches. Customers who reused passwords discovered that unauthorized food purchases had been made via their hijacked accounts.
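The food-delivery case above is credential replay: a list of username/password pairs from an unrelated breach is tried against another site, one or two attempts per account, so per-account lockout thresholds never trip. What does stand out is one source address failing against many different accounts in a short window, and the login that then succeeds from the same address. The detection logic below is an added example, not code from the IBM X-Force report or from any monitored product; the log format and every line in `SAMPLE_LOG` are constructed for the demonstration, and the thresholds are assumptions to be tuned to real traffic.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in a made-up web-app auth log format (not a real product's):
#   <ISO timestamp> login result=<ok|fail> user=<account> ip=<source>
SAMPLE_LOG = """\
2016-11-20T10:00:01 login result=fail user=ann ip=203.0.113.9
2016-11-20T10:00:03 login result=fail user=bob ip=203.0.113.9
2016-11-20T10:00:04 login result=fail user=carol ip=203.0.113.9
2016-11-20T10:00:06 login result=fail user=dave ip=203.0.113.9
2016-11-20T10:00:07 login result=fail user=erin ip=203.0.113.9
2016-11-20T10:00:09 login result=ok user=frank ip=203.0.113.9
2016-11-20T10:00:10 login result=fail user=admin ip=198.51.100.7
2016-11-20T10:00:11 login result=fail user=admin ip=198.51.100.7
2016-11-20T10:00:12 login result=fail user=admin ip=198.51.100.7
2016-11-20T10:00:13 login result=fail user=admin ip=198.51.100.7
2016-11-20T10:00:14 login result=fail user=admin ip=198.51.100.7
2016-11-20T10:00:15 login result=fail user=admin ip=198.51.100.7
2016-11-20T10:00:20 login result=fail user=gail ip=192.0.2.5
2016-11-20T10:00:25 login result=ok user=gail ip=192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) login result=(ok|fail) user=(\S+) ip=(\S+)$")


@dataclass
class Event:
    ts: datetime
    result: str
    user: str
    ip: str


def parse_events(text):
    """Parse log text into Event objects, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line should not stop the whole pipeline
        ts, result, user, ip = m.groups()
        events.append(Event(datetime.fromisoformat(ts), result, user, ip))
    return events


def detect_login_abuse(events, window=timedelta(minutes=5), threshold=5):
    """Return {ip: alert} for sources whose failed logins within `window` reach `threshold`.

    kind is "credential_stuffing" when those failures spread over >= threshold distinct
    accounts (replayed breach credentials: few tries per account, many accounts) and
    "brute_force" when a single account absorbs >= threshold failures. successes_after
    lists accounts that then logged in successfully from the same source, which is the
    part worth triaging first: those are the likely account takeovers.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if e.result == "fail"]
        start = 0
        for end in range(len(fails)):          # sliding window over failures only
            while fails[end].ts - fails[start].ts > window:
                start += 1
            win = fails[start:end + 1]
            if len(win) < threshold:
                continue
            per_account = Counter(e.user for e in win)
            if len(per_account) >= threshold:
                kind = "credential_stuffing"
            elif max(per_account.values()) >= threshold:
                kind = "brute_force"
            else:
                continue
            first_fail = win[0].ts
            successes = sorted({e.user for e in evs if e.result == "ok" and e.ts >= first_fail})
            alerts[ip] = {"kind": kind, "failures": len(win),
                          "accounts": len(per_account), "successes_after": successes}
            break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_login_abuse(parse_events(SAMPLE_LOG)).items():
        print(ip, alert)
```

In the sample, `203.0.113.9` fails five different accounts in six seconds and then logs in as `frank`, which is the stuffing pattern with a probable takeover; `198.51.100.7` hammers `admin` alone; `192.0.2.5` is a user who mistyped once and is left alone. Run against real logs, the per-source view should be paired with the per-account lockout the site already has, since stuffing is designed to stay under the latter.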
  13. SQLi and OS CMDi attacks represented the majority of attacks within healthcare in 2016, at a combined 48%. Healthcare records are always a top prize for cybercriminals and, as X-Force has seen in the retail industry, are widely for sale on the Dark Web. Attack methods categorized as “Manipulate Data Structures” account for the second most popular attack type within the industry and “Manipulate System Resources” is third. These attacks focus on known vulnerabilities within an application, which, when successful, can lead to full system compromise. The category “Image File Attacks,” in which malicious code is hidden within a variety of image file types, was the third most prevalent type of attempted attacks seen in healthcare, at 28%. Brute force attacks, which are part of a CAPEC mechanism of attack named “Employ Probabilistic Techniques,” used against authentication mechanisms, round out the top attacks in position four, at 6%. The fifth ranked sector, healthcare, also has a greater percentage (71%) of insiders (inadvertent at 46% and malicious at 25%) versus outsiders (29%). It can be useful to think of inadvertent actors as compromised systems carrying out attacks without the user being aware of it, as is the case with the “Subvert Access Control” attack type. This often happens when a desktop client is compromised via malicious email attachments, clickjacking, phishing or vulnerable computer services that have been attacked from another internal networked system.
  14. In the global panorama of financial cybercrime, one year might bring little change, with the same types of malware continuing to target the same geographies, while the next can be very active. That was certainly the case in 2016, with some countries seeing a marked rise in the attention of cybercriminals.
  15. Spreading malware via mass spam blasts can draw unwanted attention and detection by security solutions. As a result, attackers are using more detection evasion techniques, like anti-security/anti-sandbox checks, and running minimal campaigns.
  16. Cyber gangs sharpen their focus on business accounts to reap more reward for the effort; the Dridex malware target list is at least 50% business banking services.
  17. Attackers are taking advantage of ready-made toolkits for malware-as-a-service, Android overlay malware, and new variants built on the Zeus v2 source code.
  18. Cybercriminals are branching out, as in the case of the Dridex crime gang expanding in ransomware using Locky. Online banking fraud facilitated by Dridex is one of the most sophisticated malware operations in the cybercrime arena, and not only is ransomware technically inferior, operating ransomware demands much less knowledge and skill, which has attracted lower-level criminals to it in the past decade. But there is a connection now between them, and it appears that Locky adds a new profit source to the Dridex gang. In virtually no time, the evidently well-funded joint GozNym gang abandoned the ransomware business, for the most part, and began launching financial fraud attacks on banks in the US. GozNym then expanded its attack scope into Europe, launching redirection attacks on Polish, English and German banks. Before long, its aggressive debut garnered GozNym some attention from law enforcement and saw some of its operators arrested and indicted before the end of 2016.
  19. Two of the most prominent threats relevant to Asian countries are Dridex and TrickBot, both of which are operated by organized cyber gangs. Singapore is especially heavily targeted, but it’s not the only country where these Trojans seek to attack; X-Force research analysis of configuration data shows that most malware families have targets in other parts of Asia such as Indonesia, India and Malaysia. Singapore and the United Arab Emirates are growing in popularity as cybercrime targets. UAE Another geography increasingly present on Trojan configurations is the United Arab Emirates (UAE). X-Force data shows that organized gangs like the Dridex and the TrickBot crews are including more UAE banks on their target lists, as did Dyre before them. This is notable because the UAE resembles Singapore in a sense: it is a global center of business, and its population is considered to have above average wealth. Also, businesses and individuals in the region tend to operate in both English and their local languages, allowing malware operators to employ their existing English-language attack tools.
  20. Most attacks in Brazil are the work of local criminals using tools adapted into the Portuguese language and sold on Brazilian forums and social networking pages. In the past, the malware employed by Brazilian cybercriminals has tended to operate at lower sophistication levels than most malware made in Eastern Europe, but on that front 2016 saw a shift toward greater technical savvy. The shift gained momentum towards year’s end, bringing the Brazilian threat landscape more closely into line with other parts of the world. Behind it are local criminals increasingly collaborating with Russian-speaking cybercrime actors to buy and market malware or plan more effective attacks.