GLOBAL THREAT INTELLIGENCE REPORT EXECUTIVE SUMMARY

Transcription

1 GLOBAL THREAT INTELLIGENCE REPORT EXECUTIVE SUMMARY Executive Summary ii

2 Caption: Attacks b % of events 6% 8% 2% 10% 12% 4% THE CHANGING NATURE OF SECURITY Digital businesses are difficult to launch and run even without the challenge of security. And yet, digital business strategies are also being used by hackers to systematically go after lucrative targets. Using complex and distributed systems of talent, knowledge and analytics, just like the best of the corporate or startup leaders, hackers have made the prospect of data sharing risky for both customers and companies. But, by the same token, a secure environment enables extraordinary new innovations in digital business. Security is not optional when people are engaging in data diplomacy, where firms pass data between each other in order to create exponential jumps in value (as detailed in NTT i 3 s Digital Business Transformation book). In this year's Global Threat Intelligence Report, you'll find out about the latest exploits, targeted industries and overall trends in security. Read the full report at nttgroupsecurity.com 2 Executive Summary 2

3 GEOGRAPHIC AND VERTICAL MARKET TRENDS NTT Group provides insight into the different threats we have observed against our clients by geographic location and alignment with specific business sectors. Executive Summary 3

4 ATTACKS BY SECTOR, 2014 Finance Business & Professional Retail Manufacturing Healthcare Technology Education Government Pharmaceuticals Insurance Transport and distribution Gaming Media Hospitality, leisure & entertainment Non-profit Other 0% 2% 4% 6% 8% 10% 12% 14% 16% 18% % of events Finance continues to represent the number one targeted sector with 18% of all detected attacks. The long-term trend of targeted attacks against the finance sector continues. Most incident response engagements supporting the finance sector in 2014 were directly related to wire fraud, phishing and spear-phishing attacks. Attacks against business & professional 56% of attacks against the NTT global services moved from 9% to 15%. Risks Caption: Attacks client by sector, base originated Finance from is IP number addresses one. are inherited through business-tobusiness relationships. The likely represents a 7% increase from 49% within the United States. This implication is that this sector is generally identified in 2013 data. Attackers often softer, but high value targets for attackers. leverage systems close to their intended targets, bypassing geo-filtering defense tactics. The United States is also a highly networked country and there is no shortage of resources for attackers to use. Executive Summary 4

5 VULNERABILITIES, ATTACKS AND EXPLOITATION This year s vulnerability data and analysis of exploit kits provided additional validation of last year s findings and also brought into view the impact which exploit kits can have against organizations. NTT s observations also continue to raise concerns about the effectiveness of patch management solutions in 2014, 76% of identified vulnerabilities throughout all systems in the enterprise were found to be more than 2 years old, and almost 9% of them were over 10 years old. Executive Summary 5

6 WEB APPLICATION ATTACK TYPE, 2014 Injection Other Insecure Direct Object Ref Authentication & Access Control XSS Security Mis-Config Sensitive Data Exposure Session Management Un-validated Redirects & Forwards CSRF 0% 5% 11% 17% 22% 28% 26% of observed web application attacks Caption: in In , were injection injection-based, attacks leads up web from application 9% in attack types. These attacks often allow exfiltration of data or remote command execution, and will be a significant concern for the foreseeable future. MALWARE BY SECTOR, 2014 Education Healthcare Executive Summary 6

7 NEW VULNERABILITIES ANNUALLY Caption: The number of new vulnerabilities annually is almost unmanagable. Over 80% of vulnerabilities in 2014 exploit The number of Adobe Flash kits were less than two years old. Exploit kit vulnerabilities identified in 2014 developers are focusing on usability and was the highest ever, and marked effectiveness of their kits to ensure a steady increase since successful compromise of targeted systems. Keeping content and capabilities of exploit kits fresh is a key factor which supports cybercrime as a business. Executive Summary 7

8 DDOS BY TYPE NTP Amplification Multi-vector TCP SYN SSDP Amplification DNS Amplification Other 0% 7% 14% 21% 28% 35% Network Time Protocol (NTP) amplification attacks contributed to 32% of all DDoS attacks observed by NTT Group in The simplicity of launching these types of attacks and the availability of DDoS tools to support them were key contributors. DDoS amplification attacks using User Datagram Protocol (UDP) accounted for 63% of all DDoS attacks observed by NTT Group. In addition to the NTP amplification attacks observed, other UDP based attacks (SSDP and DNS) accounted for almost two-thirds of all attacks. Executive Summary 8

9 THE IMPORTANCE OF INCIDENT RESPONSE An organization s ability to identify attacks is not always equal to their ability to respond to an attack. Detailed findings are provided throughout the GTIR with specific recommendations and case studies to illustrate some of the challenges faced by organizations today. Executive Summary 9

10 NTT Group observes incident response efforts in three core areas: malware, DDoS and breach investigations. Although it appears some organizations are realizing the importance of managing incident response capabilities themselves, and are able to handle everyday operational responses in-house, many still need thirdparty expertise when it comes to more complex security events. Incident response engagements involving malware threats increased 9% compared to 2013, from 43% to 52%. With the increased capabilities of exploit kits, NTT Group experienced a steady increase of incident response support for malware threats. A majority of this was in response to mass distributed malware. NTT Group client requests for DDoS attack response support sharply decreased from 31% of all support events in 2013 to 18% in As technology capabilities become more widely available and affordable, and education about DDoS mitigation becomes more widespread, NTT Group has observed a decline in external support required for DDoS attacks. Although there was significant focus on NTP and SSDP DDoS attacks in 2014, mitigation controls are often able to successfully mitigate these threats, resulting in fewer incident response support events in this area. Basic controls are still not implemented in all cases. 74% of organizations do not have formal incident response plans. Proper network segregation, malware prevention controls, patch management, monitoring, and incident response planning could have prevented or mitigated a significant portion of incidents NTT Group saw in These foundational controls are even absent in many large organizations. Executive Summary 10

11 Case Study: Spear Phishing Attack Organization saves over 80% by successful mitigation. In this case study, NTT Group describes in detail how a spear phishing attack cost an organization over $25,000 in legal and investigation costs, but could have cost $127,000 or much more. COST OF EVENTS - SPEAR PHISHING ITEM The actual cost of investigation, remediation and professional incident support as described COST $15,400 Actual cost of legal and public relations support $8,775 Potential loss due to wire transfers $127,530 Wire transfers recovered -$126,630 Total actual cost directly related to the event $25,075 Cost of event: Spear phishing. Executive Summary 11

12 Case Study: Web Application-based DDoS Attack. Due to rapid detection and response efforts an organization was able to successfully address DDoS attacks, resulting in significant reduction of reputation and monetary losses. Proactive DDoS services saves organization reputation and significant financial impact. TIMELINE OF EVENTS DATE EVENT DAY 1 Possible application DDoS attack detected Incident escalated to NTT Group Client Team verified no operational issues causing delays leading to indication of an attack Logs requested from the client s Internet Service Provider (ISP) ishing. Detailed analysis reveals an attacker maliciously using a WordPress feature as a focus of the attack Mitigation steps identified and signature is created, tested and deployed Client fully mitigates the attack Escalation of sanitized details related to the attack traffic is transmitted to DoS prevention vendor Total elapsed time for this incident: 5.5 hours Elapsed time once logs were received from ISP: 1.5 hours DAY 7 Vendor deploys new official signature Executive Summary 12 COST OF INCIDENT

13 ABOUT NTT GROUP SECURITY 7 research and development centers 16 security operation centers (SOCs) worldwide NTT GROUP COMPANIES OPERATE GLOBALLY, WITH COMMON OBJECTIVES, EACH HAVING SPECIFIC REGIONAL STRENGTHS. 1,300 security and compliance experts 6,898 clients worldwide With the support of NTT Innovation Institute, Inc (NTT i 3 ), NTT Group operating companies are collaborating and integrating to leverage the global reach and scale of NTT s ICT and R&D capabilities, and the security intelligence and analysis capabilities of each of the global operating companies. This report was developed using NTT s Global Threat Intelligence attack data from the NTT Group companies including Solutionary, NTT Com Security, Dimension Data, NTT DATA, NTT R&D and NTT i 3. The key findings in the 2015 Global Threat Intelligence Report are a result of the analysis of approximately six billion worldwide verified attacks over the course of The data for this report were collected from sixteen Security Operations Centers (SOC) and seven R&D centers, and supported by thousands of NTT security specialists, professionals and researchers from around the world. Executive Summary 13

14 Solutionary, an NTT Group security company (NYSE: NTT), is the next generation managed security services provider (MSSP), focused on delivering managed security services and global threat intelligence. Comprehensive Solutionary security monitoring and security device management services protect traditional and virtual IT infrastructures, cloud environments and mobile data. Our clients are able to optimize current security programs, make informed security decisions, achieve regulatory compliance and reduce costs. The patented, cloud-based ActiveGuard MSSP platform uses multiple detection technologies and advanced analytics to protect against advanced threats. Solutionary Security Engineering Research Team (SERT) researches the global threat landscape, providing actionable threat intelligence, enhanced threat detection and mitigating controls. Experienced, certified Solutionary security experts act as an extension of clients internal teams, providing industry-leading client service to global enterprise and mid-market clients in a wide range of industries, including financial services, health care, retail and government. Services are delivered 24/7 through multiple state-of-the-art Security Operations Centers (SOCs). See how Solutionary can enhance security, improve efficiency and ease compliance. Contact an authorized Solutionary partner or Solutionary directly at , them at info@solutionary.com, or visit NTT Com Security, an NTT Group security company (NYSE: NTT), is in the business of information security and risk management. By choosing our WideAngle consulting, managed security and technology services, our clients are free to focus on business opportunities while we focus on managing risk. The breadth of our Governance, Risk and Compliance (GRC) engagements, innovative managed security services and pragmatic technology implementations, means we can share a unique perspective with our clients helping them to prioritize projects and drive standards. We want to give the right objective advice every time. Our global approach is designed to drive out cost and complexity recognizing the growing value of information security and risk management as a differentiator in high-performing businesses. Innovative and independent, NTT Com Security has offices spanning the Americas, Europe and APAC (Asia Pacific) and is part of the NTT Communications Group, owned by NTT (Nippon Telegraph and Telephone Corporation), one of the largest telecommunications companies in the world. To learn more about NTT Com Security and our unique WideAngle services WE CAN Develop and communicate strategy: We analyze the market and competitive landscape, and apply these insights to ensure that you select the most appropriate technologies. Perform security process engineering: We ensure that the correct processes and procedures are put in place, so that you derive maximum benefit from the investments you make and the market opportunities that you ve identified. Optimize security investment: We take ownership of the deployment, integration, and customization of various security technologies. Manage security operations: We professionally manage your security environment on an ongoing basis, using global best practices. Meet your specific needs: We provide services through a hybrid model of client-driven and providerdriven tools, delivered remotely, onpremise, or via the cloud. Executive Summary 14

15 for information security and risk management, please speak to your account representative or visit for regional contact information. Dimension Data, an NTT Group company (NYSE: NTT), is a USD 6.7 billion ICT solutions and services provider with over 25,000 employees and with operations in 58 countries. Our security business delivers broad technical and integration expertise across a variety of IT disciplines, including networking, security, communications, data centers, and end-user computing. We service over 6,000 security clients across all industry sectors, including financial services, telecommunications, health care, manufacturing, government, and education. Our real-time security information and event management architecture is based on an enterprise-wide risk management solution that enables our Security Operations Centre (SOC) analysts to centrally manage attacks, threats, and exposures by correlating security information from multiple security technology controls. This solution enables them to eliminate clutter such as false positives, while quickly identifying the real security threats to help them respond effectively and efficiently. Our team of certified security experts, located in SOCs, brings unmatched cybersecurity experience to augment the knowledge base of our clients IT organizations. We provide peace of mind with skilled technicians ready to help clients respond to, and mitigate, all cybersecurity threats. Our certifications include ISO9001, ISO/IEC 27001:2013, ASD Protected Gateway, PCI DSS, and ASIO T4. For more information, please contact your nearest Dimension Data office or visit NTT DATA, an NTT Group security company (NYSE: NTT), is a leading IT services provider and global innovation partner with 75,000 professionals based in over 40 countries. NTT DATA emphasizes long-term commitment and combines global reach and local intimacy to provide premier professional services, including consulting, application services, business process and IT outsourcing, and cloud-based solutions. We re part of NTT Group, one of the world s largest technology services companies, generating more than $112 billion in annual revenues, and partner to 80% of the Fortune Global 100. Visit to learn how our consultants, projects, managed services, and outsourcing engagements deliver value for a range of businesses and government agencies. NTT Innovation Institute, Inc. (NTT i 3 ) is the Silicon Valley-based innovation and applied research and development center of NTT Group. Our institute works closely with NTT operating companies and their clients around the world to develop market-driven, clientfocused solutions and services. NTT i 3 builds on the vast intellectual capital base of NTT Group, which invests more than $2.5 billion a year in R&D. Our world-class scientists and engineers partner with prominent technology companies and start-ups to deliver marketleading solutions which span strategy, business applications, data and infrastructure on a global scale. To learn more about NTT i 3, please visit us at 15 Executive Summary 15

16 ABOUT NTT GROUP SECURITY NTT innovations are delivered through operating companies around the globe. Executive Summary 16

17 THEMES OF GTIR End users are now the perimeter for organizations and they need to be treated that way Most organizations are not adequately prepared to handle major incidents in their environment. Proper threat intelligence must be considered a foundational element of an organization s security strategy. Executive Summary 17

18 For years, the security industry has been largely focused on Advanced Persistent Threats (APTs), and for good reason. Advanced threats are after organizations most valuable data and assets and even the most sophisticated security vendors struggle to detect advanced attacks in progress. However, the data gathered by NTT Group in 2014 demonstrates that APTs aren t the only type of attack that we need to be concerned about, and many organizations are still vulnerable to less advanced attacks that pose a serious risk. If an attacker can successfully exploit an old vulnerability or succeed with a social engineering attack, advanced techniques can be used to maintain the attack once an organization has been compromised. As a result of these observations, the 2015 Global threat Intelligence Report (GTIR) focuses on techniques used in less advanced attacks, and how organizations can effectively defend against and respond to those attacks by attending to the most current security paradigms and data. Read the full report at nttgroupsecurity.com 18 Executive Summary 18

19 2015 NTT Innovation Institute 1 LLC. NTT Group Security organizations ( NTT Group Security ) including NTT Innovation Institute 1 LLC, Dimension Data, NTT Com Security, NTT Data, Solutionary or the original creator of the material owns the copyrights. Additional copyright and legal information available at 19 Executive Summary 19