The Cyber-threat Landscape in 1H 2010

Transcription

1 The Cyber-threat Landscape in 1H 2010 Dr. Jean Paul Ballerini WW IBM Security Solutions Sales Enablement, X-Force Expert

2 Agenda IBM s Threat Management R&D: X-Force Mid-Year Report 2

3 IBM X-Force Research and Development The mission is to: Research and evaluate threat and protection issues Develop new technology for tomorrow s security challenges Deliver security protection for today s security problems Educate the media and user communities 3

4 IBM Security Applied Research Teams IBM researches and monitors latest threat trends with IBM X-Force Provides Specific Analysis of: Vulnerabilities and exploits Malicious/Unwanted websites Spam and phishing Most comprehensive vulnerability database in the world Entries date back to the 1990 s Malware Other emerging trends IBM builds technology for tomorrow with IBM Research Homomorphic Encryption: Query a search engine without telling the engine what you are looking for! The mission of the IBM X-Force research and development team is to: Research and evaluate threat and protection issues Develop new technology for tomorrow s security challenges Deliver security protection for today s security problems Educate the media and user communities IBM is dedicated to cybersecurity advancement Enterprise Security Architecture: Working with clients worldwide to implement the new architecture based on six security zones of control High Tech Risk Analytics: Pre-fraud detectors with low false positive rates at a speed of times the scale of today's model Security Research Source: IBM X-Force Database, Institute Focus Engage in public-private collaboration Address and mitigate cybersecurity challenges Provide a forum for clients to better understand how recent IBM Research advances can help 4

5 IBM X-Force web intelligence lifecycle Deep Crawl of Known Malicious Websites Analyze New Exploit Techniques Provide New Protection Guidance Develop Protection Deliver Updates Classify MSS Links Find Related Websites (Deep Crawl) Search for Malware Find New Malicious Websites Block All Malicious Domains Apply Updates Monitor Browsing of: - Million of End-users - Thousands of Customers - Hundreds of Countries Block Malicious Links Send Links to X-Force 5

6 Information Sources lists Vendor disclosures Blacknets Greynets Honeynets Whiro Crawler Information Sharing ISACS, CERTs, Industry Organizations Research Partnerships Conferences Online 6

7 Protocol Analysis Module is the Engine Behind our Products Virtual Patch Client-Side Application Protection Web Application Protection Threat Detection & Prevention Data Security Application Control What It Does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach Why Important: At the end of 2009, 52% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability. What It Does: Protects end users against attacks targeting applications used everyday such as Microsoft Office, Adobe PDF, Multimedia files and Web browsers. Why Important: At the end of 2009, vulnerabilities, which affect personal computers, represent the second-largest category of vulnerability disclosures and represent about a fifth of all vulnerability disclosures. What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP fileincludes, CSRF (Crosssite request forgery). Why Important: Expands security capabilities to meet both compliance requirements and threat evolution. What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability. Why Important: Eliminates need of constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities. What It Does: Monitors and identifies unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist. Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy. What It Does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling. Why Important: Enforces network application and service access based on corporate policy and governance. 7

8 Security Effectiveness Top Vulnerabilities of 1st Half 2010 Top 14 Vulnerabilities 437 Average days Ahead of the Threat 5 Vulnerabilities Ahead of the Threat 2 Protection released post announcement 7 same day coverage 8

9 Our Intelligence is spread Worldwide 8 Security Operations Centers 7 Security Research Centers Monitored Countries 20,000+ managed devices Billion Events per day Zurich, CH Toronto, CA Brussels, BE Alamden, US Boulder, US TJ Watson, US Detroit, US Tokyo, JP Tokyo, JP Atlanta, US Haifa,IL Atlanta, US Sao Paulo, Brazil New Delhi, IN Brisbane, AU 9

10 World s largest URL filter list Topicality Crawlers collect image and text data from the Internet 24 hours a day on 365 days, which adds up to 200 million pages each month Every day, customers receive updates, equaling some 150,000 changes Quality Largest URL database meets practically every filtering requirement by means of indexed URLs in 68 categories Quantity World's largest URL filter list contains 170 million sites World's largest database with 10 billion evaluated web pages and images 10

11 Spam database Topicality World wide distributed SpamCollectors collect spam 24 hours a day on 365 days -> up to 1.6 mio. unique spams per day Update cycle for costumer: 12 times daily Quality Approx. 45 mio. hot and relevant spam signatures in the database > % spam recognition < 0.01 % overblocking Quantity Additional methods for an efficient spam recognition (Bayes Filter, URL Checker, Meta Heuristics, FlowControl, Structure Analysis, Phishing detection, ) 11

12 Agenda IBM s Threat Management R&D: X-Force Mid-Year Report 12

13 Summary Attacks Continue Across all Security Domains Reported vulnerabilities are at an all time high, up 36%, due to significant increases in public exploit releases and efforts by software vendors to identify and mitigate security vulnerabilities. More than 55% of all vulnerabilities disclosed are Web application vulnerabilities. 55% of all vulnerabilities disclosed had no vendor-supplied patches available at the end of the 1 st half of PDF attack activity continue to dominate the threat landscape. More than that, April 2010 had the most significant spike in PDF attack activity. Event activity for this month was almost 37% higher than the average for the first half of The Zeus botnet toolkit continues to wreak havoc on organizations. Early 2010 saw the release of an updated version of the Zeus botnet kit, dubbed Zeus 2.0. Anonymous proxy websites continue to increase in volume, quadrupling since Advanced persistent threats are groups of attackers that target and successfully penetrate well defended networks. Attackers are continuing to find new ways to hide or mask their malicious traffic to evade security technologies, i.e. Javascript obfuscation. 35% of virtualization vulnerabilities impact the hypervisor. 7.2% of the Internet is considered socially unacceptable, unwanted, or flat out malicious. Brazil, the U.S., and India account for more than one fourth of worldwide spam. Majority of spam (more than 90%) is still classified as URL spam spam messages that include URLs that a person clicks to view the spam contents. Amount of URL spam using well-known and trusted domain names continue to increase. The top spam domains have moved from China (.cn) to Russia (.ru). More than two thirds (66.8%) of all financial phishing targets are located in North America, the remaining 32% are in Europe. 13

14 Vulnerability Disclosures at an All-Time High Vulnerability disclosures up 36%. Web applications continue to be the largest category of disclosure. Increase in vulnerability disclosures due to significant increases in public exploit releases and to efforts by several vendors to identify and mitigate security vulnerabilities. The most critical two vulnerabilities disclosed in the first half of 2010 were remote code execution vulnerabilities in Java Web Start and Microsoft Windows Help and Support Center Both were publicly disclosed before patches were available from the respective vendors 14

15 Exploit Effort vs. Potential Reward Economics continue to play heavily into the exploitation probability of a vulnerability Web Browser, Document Reader and Office document vulnerabilities are very profitable and easily executable 15

16 Attacker Motivation is to Gain Access and Manipulate Data Gain access remains the primary consequence of vulnerability exploitation. Up to 52% as compared to 50% in Data Manipulation on the rise. Up to 21% Bypass Security and Denial of Service remain similar to previous years. Questions to Ask: Are you confident that an attacker can not gain access to your system? Is your private data secure? 16

17 Web App Vulnerabilities Continue to Dominate 55% of all vulnerabilities are Web application vulnerabilities. Cross-Site Scripting & SQL injection vulnerabilities continue to dominate. 88% of web application vulnerabilities affect plug-ins and not the base platform 17

18 Client-Side Vulnerabilities: Web Browser and Document Vulnerabilities Continue to Impact End Users Web browsers and their plug-ins continue to be the largest category of client-side vulnerabilities. Already in the first half of 2010, we see that document readers and editors, as well as multimedia applications, have almost surpassed 2009 year-end totals. 18

19 Vulnerabilities in Document Readers: 1st Half of 2010 Numbers Represent Almost Half of Full Year 2009 Totals Portable Document Format (PDF) continue to surpass Office Format documents in the 1st half of

20 PDF Exploitation is HOT! PDF attacks continue to increase as attackers trick users in new ways. The most significant jump in activity occurred in April which can be attributed to the large surge of malicious spam in circulation. Three of the top 5 most popular exploits affect PDF documents. ActiveX dropped off the top 5 exploit list and has been replaced by an older Java vulnerability. 20

21 Bad Web Content Tries to Evade Filters 7.2% of the Internet contains unwanted content such as pornographic or criminal Web sites. Anonymous proxies, which hide a target URL from a Web filter, have steadily increased to more than quadruple in number since

22 Suspicious Web Pages and Files are on the Rise The level of obfuscation found in Web exploits continues to rise. Attackers continue to find new ways to disguise their malicious traffic via JavaScript and PDF obfuscation. Obfuscation is a technique used by software developers and attackers alike to hide or mask the code used to develop their applications. Exploit toolkit packages continue to favor malicious Adobe Flash and PDF, along with Java files. 22

23 Zeus Botnet Activity Increases Zeus botnet toolkit continues to wreak havoc on organizations. Release of an updated version of the Zeus botnet kit, dubbed Zeus 2.0. Major new features included in this version provide updated functionality to attackers. Zeus botnet operators usually infect new PC s by either mass ing malicious documents to victims, or directing them to a malicious website. Zeus myths explained: Zeus is not a single botnet Zeus is not a virus or worm Zeus does not use vulnerabilities and exploits to install itself Zeus itself is a backdoor or Trojan 23

24 Zeus Crimeware Service Hosting for costs $50 for 3 months. This includes the following: # Fully set up ZeuS Trojan with configured FUD binary. # Log all information via internet explorer # Log all FTP connections # Steal banking data # Steal credit cards # Phish US, UK and RU banks # Host file override # All other ZeuS Trojan features # Fully set up MalKit with stats viewer inter graded. # 10 IE 4/5/6/7 exploits # 2 Firefox exploits # 1 Opera exploit We also host normal ZeuS clients for $10/month. This includes a fully set up zeus panel/configured binary 24

25 Competition for Zeus SpyEye is set to become more popular Bots have the ability to remove Zeus Includes extra features Keylogger, network sniffer 25

26 Websites Hosting Bad Links Professional bad Web sites like pornography, gambling, or illegal drugs Web sites have seen increases in links to malware links in the 1st half of Blogs and bulletin boards have also seen increases in malware links. 26

27 Spam Continues to Change to Avoid Detection Over 90% of spam is classified as URL spam. Spammers continue to use trusted domains and legitimate links in spam messages to avoid anti-spam technologies. Top spam domains moved from.cn (China) to.ru (Russia) Brazil, the U.S., and India account for about one forth of worldwide spam 27

28 Spam Volume and Average Size Increases Spam volume reached an all time high in June Since mid-march of 2010, the average size of spam doubled without any changes in the percentage of imagebased spam. The average spam byte size continued to increase until the beginning of June, reaching an average size of nearly 10 KB. 28

29 Phishing Attacks Decline Again Contrary to the 2nd half of 2009, phishing volume has declined back to levels seen in the 1st half of Brazil remains the top sender in terms of phishing volume, while India is in second place, and South Korea holds third place. Russia fell from rank 3 to rank 10. Germany is new to the top 10 and Turkey disappeared. Top subject subject lines represent more than 36% of all phishing s. 29

30 Phishing Targets Financial & Credit Card Industries 49.1% of phishing is targeted at the financial industry vs. 60.9% in Over two-thirds (66.8%) of all financial phishing targets are located in North America vs. 95% in % of financial phishing targets are located in Europe 27.9% of phishing s were targeted at credit cards. 30

31 Phishing Tools Commercial phishing kits make it easy for a novice to start in the business 31

32 Virtualization Security Increasingly a Focus 35% of server class vulnerabilities affect the hypervisor Virtualization Vulnerability Disclosures expected to fall in 2010 Number of disclosures peaked in 2008 at 100, fell by 12 percent to 88 in 2009, and appears on track to fall slightly further in 2010 (39 virtualization vulnerabilities were disclosed in the first half of 2010). This trend suggests that virtualization vendors have been paying more attention to security since 2008 and/or security researchers have focused their efforts on easier targets. Questions to Ask: Are you virtual environments secure? What solutions do you have in place to protect the hypervisor? IBM Security Offerings: IBM Security Virtual Server Protection for VmWare 32

33 For More IBM X-Force Security Leadership X-Force Trend Reports The IBM X-Force Trend & Risk Reports provide statistical information about all aspects of threats that affect Internet security,. Find out more at X-Force Security Alerts and Advisories Only IBM X-Force can deliver preemptive security due to our unwavering commitment to research and development and 24/7 global attack monitoring. Find out more at X-Force Blogs and Feeds For a real-time update of Alerts, Advisories, and other security issues, subscribe to the X-Force RSS feeds. You can subscribe to the X-Force alerts and advisories feed at or the Frequency X Blog at 33

34 Dr. Jean Paul Ballerini IBM Security Solutions