Cyber Security Trend - Annual Review 2013



- Better response to cyber attacks and triaging gray events -

Executive summary
Threats of the Internet - web network
  Attacks from the Internet
  Corporate system status
  Overseas website general status
  Realistic measures against threats on web networks
Threats of the Internet - web applications
  Attacks from the Internet
  Corporate system status
  Trends and measures in the development phase
  Measures by web application firewalls (WAF)
Threats to endpoints
  Drive-by download attacks
  Detected malware attached to e-mails
  Measures against attacks on endpoints
Threats to users
  Attacks on vulnerabilities of users
  Security measures against threats to users
  Security awareness and its importance - the first line of defense
Aftermath of targeted attack measures
  Most serious issue in organizations
  Security specialist deployment
Epilogue

Executive summary

Threats to web systems

- Need for defense-in-depth to cover patch application delays -

The duration between public disclosure of vulnerabilities in platform products and attacks on them is becoming shorter. Attacks on the vulnerability in PHP were observed only 6 days after the disclosure in 2012. Measures against vulnerabilities are, in general, the application of patches; however, completing them within such a short period can be difficult, since a certain level of verification by the development and operation sections is required before application. Active deployment of defense-in-depth strategies such as introducing a WAF is increasingly important to protect unpatched systems from attacks that exploit vulnerabilities.

- 30% of web applications are still in danger -

Our security assessment found high-risk vulnerabilities in 30% of web applications. This number has not changed over 5 years, which suggests that security measures are not sufficiently implemented in the development phase. It is therefore desirable to take preventive measures such as establishing design and development guidelines that prevent vulnerabilities from being created, undergoing security assessment, and implementing a WAF as part of a defense-in-depth strategy.

Threats to overseas websites

- Need for inventory and measures since 40% of websites are left unmanaged -

Our Website Group Inventory Service revealed that 40% of websites are not appropriately managed; for example, high-risk vulnerabilities are left unattended. In particular, we were twice as likely to succeed in logging into management services such as SSH/FTP on overseas websites as on Japanese websites. Cyber attacks on a corporate website are likely to spread to the organization's overseas websites; therefore, the organization may not be able to afford to leave their management to local personnel. Firstly, they should take inventory to understand the current status, and then improve the management level to the point where the websites can be integrated into the centralized infrastructure.

Threats from targeted attacks

- Awareness is the first line of defense -

Establishing information security policies and rules and calling for attention have no effect unless employees' awareness is developed. Organizations must encourage employees to develop an awareness of security. Hands-on training such as targeted e-mail training is effective in developing awareness. Making employees aware of risks and available protection methods through such activities forms the first line of defense to maintain the organization's security level.

- Check the entry and endpoint to beat increasingly sophisticated malware distribution methods -

Attacks that infect endpoints with malware still continue vigorously, and malware distribution methods are becoming sophisticated. Thorough implementation of three-layered protection, namely "ingress protection to prevent malware from reaching users", "endpoint protection to prevent infection", and "egress protection to prevent infected devices from communicating with the outside", is effective. However, it is necessary to review whether the applied measures are working, since these measures were introduced only in the last few years.

Aftermath of targeted attack measures

- Need for a triage system for gray events and incident response -

Due to advances in measures against targeted attacks, security products tend to detect gray events in addition to obvious attacks. When a gray event is detected, it needs to be determined whether it is a real attack or a false positive; however, this is difficult since it requires high-level security know-how, and specialists with such know-how are in short supply. Therefore, a triage system is required to determine how to process these gray events quickly according to clearly set priorities. However, misjudgment in triage may directly lead to delay in response, and may cause the damage to spread. Organizations should first establish an incident response system that provides a reliable triage function. However, the triage system may not work with internal resources alone; organizations can also consider deploying external resources such as security specialists to make the triage function work effectively and efficiently.

Research outline

This report analyzes data which NRI Secure collected in the 2012 fiscal year (April 1, 2012 to March 31, 2013) through the following security services. Older data is also used in some places in order to analyze the trend over past years.

Managed security services

- FNC (1) Secure Internet Connection Service
An outsourcing service providing the security measures required for safe connection between customers' internal networks and the Internet, such as gateways, proxy servers, and remote access. This report summarizes logs from URL filtering servers for 28 companies, virus check servers for 45 companies, and spam filtering servers for 22 companies, which are part of the gateway servers under management of the FNC Secure Internet Connection Service.

- FNC Secure Web-Net Management Service
An outsourcing service providing security measures to protect customers' websites from threats of illegal external access. It monitors security devices such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and web application firewalls (WAF) 24 hours a day, 365 days a year. This report summarizes logs from 142 firewalls, 42 IDSes/IPSes, and WAFs for 664 websites under management of the FNC Secure Web-Net Management Service.

Security assessment service

- Platform Assessment
A service which inspects security holes and the configuration status of system infrastructure such as servers and network devices from outside (the Internet) or inside the LAN, and provides an assessment of the risks of detected flaws based on our own criteria. This report summarizes 130 systems on which we carried out the assessment in

- Web Application Assessment
A service which detects hidden security flaws in web applications with consideration of the web application implementation, development languages, and platforms, and reports an assessment of the risks of detected flaws based on our own criteria. This report summarizes 531 systems on which we carried out the assessment in

- Website Group Inventory Service
A service which uses our proprietary algorithm to search for public websites related to a given organization, and carries out simple security checks on the discovered sites to determine the overall security level of the website group. This report summarizes 2,759 sites (1,493 domestic sites and 1,266 overseas sites) on which we carried out the simple security checks in

- Targeted Attack Simulation
A service which checks and reports employees' responses to targeted e-mails by sending targeted e-mails with fake malware attached to employees of the customer's organization and monitoring whether the employees open the attached file. This report summarizes the results from 166,319 e-mails sent from December 2011 to March

* NRI Secure presented a proposal of specific measures along with the assessment results to organizations whose systems contained security flaws, and strongly recommended that they apply the measures immediately. As a result, we assume that most of these websites have applied the appropriate measures and are now secure.

(1) Firewall Network Center. Our service brand which provides a secure boundary, mainly to the Internet.

1. Threats of the Internet - web network

1.1. Attacks from the Internet

Analysis of threats in blocked communications

The FNC Secure Internet Connection Service and FNC Secure Web-Net Management Service monitor access from the Internet to the internal network and website, and log rogue attempts blocked by the firewall. Among those blocked by the firewall between April 2012 and March 2013, Table 1 lists the 15 services which were most frequently targeted, and Figure 1 shows the numbers of attempts.

Table 1: Top 15 services targeted by attacks blocked by firewalls

Figure 1: Number of blocked attempts to top 15 services

Figure 1 shows that blocked attacks were generally concentrated on widely used Internet services such as HTTP/HTTPS, DNS, and SMTP in
Meanwhile, access to Windows services such as TCP,UDP/137 (NetBIOS name service), TCP/445 (SMB Windows file sharing), TCP/1433 (Microsoft SQL Server), and TCP/3389 (RDP) kept certain levels. These trends seem unchanged over the years, although slight fluctuations may occur in the Top 15 services depending on the vulnerabilities discovered and the popular attacking methods in a given year.

Figure 2: Monthly history of attacks on TCP,UDP/53 blocked by firewalls

Figure 2 shows the monthly history of access attempts targeting TCP,UDP/53 (DNS). This shows that access to TCP,UDP/53 (DNS) increased significantly from October 2012. DDoS (Distributed Denial-of-Service) attacks on the non-profit organization Spamhaus Project Ltd., which publishes an IP address based blacklist as part of spam countermeasures, and on the content distribution network (CDN) provider CloudFlare, Inc., which supported Spamhaus Project, attracted attention in March 2013. Their websites were brought to their knees by attacks that flooded networks with tens to hundreds of Gbps of traffic over several days. There are also reports, on public mailing lists for network operators, of DDoS attacks targeting American ISPs. It is known that these DDoS attacks used a method called DNS reflector attacks. Although we cannot determine whether the access to TCP,UDP/53 in this case consisted of DNS reflector attack attempts, the attackers may have been sending DNS queries to search for DNS servers that can be used for Internet attacks, or to attack these sites directly, since access to TCP,UDP/53 increased in the second half of
Figure 3 shows the origin of these access attempts based on the senders' IP addresses. 98% of senders' IP addresses are in China; this suggests the attackers or the targets were in China.

Figure 3: Countries of senders to TCP,UDP/53 (DNS) blocked by firewalls
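The three views the report derives from firewall deny logs (most-targeted services as in Table 1, the monthly history of one port as in Figure 2, and sender country share as in Figure 3) can be reproduced with a short script. The following is an added example and not NRI Secure's tooling; the log line format is a constructed syslog-like one, and the prefix-to-country table is a constructed stand-in for a real GeoIP database.

```python
"""Summarise firewall deny logs: top targeted services, per-month history
for one port, and sender-country share. Added example; constructed data."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of firewall deny records (not real traffic).
SAMPLE_LOG = """\
2012-09-03T10:12:01 DENY proto=TCP src=203.0.113.10 dst=198.51.100.5 dport=80
2012-09-03T10:12:05 DENY proto=UDP src=203.0.113.10 dst=198.51.100.5 dport=53
2012-10-14T02:00:07 DENY proto=UDP src=192.0.2.77 dst=198.51.100.8 dport=53
2012-10-14T02:00:09 DENY proto=UDP src=192.0.2.78 dst=198.51.100.8 dport=53
2012-10-15T11:30:00 DENY proto=TCP src=192.0.2.79 dst=198.51.100.9 dport=3389
2012-11-01T09:45:13 DENY proto=UDP src=192.0.2.80 dst=198.51.100.8 dport=53
2012-11-02T09:45:13 DENY proto=TCP src=198.18.0.4 dst=198.51.100.9 dport=3389
2012-11-02T09:45:14 DENY proto=TCP src=198.18.0.4 dst=198.51.100.9 dport=445
"""

# Constructed prefix -> country table standing in for a GeoIP lookup (assumption).
PREFIX_COUNTRY = {"192.0.2.": "CN", "203.0.113.": "US", "198.18.0.": "KR"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) DENY proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=[\d.]+ dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield one dict per DENY line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            rec["dport"] = int(rec["dport"])
            yield rec


def top_services(text, n=15):
    """Most-targeted (protocol, port) pairs, the Table 1 / Figure 1 view."""
    return Counter((r["proto"], r["dport"]) for r in parse_log(text)).most_common(n)


def monthly_history(text, port):
    """Blocked attempts per month for one destination port, the Figure 2 view."""
    hist = defaultdict(int)
    for r in parse_log(text):
        if r["dport"] == port:
            hist[r["ts"].strftime("%Y-%m")] += 1
    return dict(sorted(hist.items()))


def country_of(ip):
    for prefix, cc in PREFIX_COUNTRY.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def origin_share(text, port):
    """Percentage of blocked attempts to `port` by sender country, the Figure 3 view."""
    counts = Counter(country_of(r["src"]) for r in parse_log(text) if r["dport"] == port)
    total = sum(counts.values())
    return {cc: round(100 * k / total) for cc, k in counts.items()} if total else {}


if __name__ == "__main__":
    print(top_services(SAMPLE_LOG, 5))
    print(monthly_history(SAMPLE_LOG, 53))
    print(origin_share(SAMPLE_LOG, 53))
```

On real data the same functions run over months of exports; a sudden jump in `monthly_history` for a port that is normally flat is the signal the report reads out of Figure 2, and `origin_share` is only as good as the GeoIP source behind `country_of`.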

[Column] DNS reflector attacks

DNS reflector attacks exploit the mechanism of DNS servers to cause network bandwidth starvation and service disruption. They are classic attacks with a long history. They are also called DNS amplification attacks, since they amplify traffic by using DNS servers. DNS reflector attacks send DNS queries with forged sender IP addresses, as shown in Figure 4; they take advantage of the fact that it is easy to forge the sender IP address in UDP packets. Countermeasures include BCP38, which prevents sender address forgery and blocks such queries to DNS servers at the ISP level, and other anti-DDoS solutions at the ISP level. Although previously open resolvers (cache DNS servers that accept queries from any sender address) were mainly targeted, attacks on authoritative DNS servers have also been reported recently.

Figure 4: DNS reflector attack
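From the resolver operator's side, the two things worth checking in query logs are whether the server is answering recursive queries from outside the networks it is meant to serve (the "open resolver" condition in the column) and whether any single client address is receiving far more response bytes than it sends, which is what a spoofed victim address looks like in the log. The following is an added example, not code from the report; the log format is a constructed simplified one (timestamp, client, name, type, RD flag, request bytes, response bytes), and the allowed network and thresholds are assumptions to adjust per site.

```python
"""Flag open-resolver use and reflection/amplification candidates in DNS
query logs. Added example with a constructed log format and constructed data."""
import ipaddress
from collections import defaultdict

# Networks this resolver is meant to serve (assumption; set per site).
ALLOWED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log lines (not real traffic):
# <timestamp> <client> <qname> <qtype> <rd|nord> <request bytes> <response bytes>
SAMPLE_LOG = """\
2013-03-20T01:00:00 10.0.5.7 www.example.com A rd 45 61
2013-03-20T01:00:00 198.51.100.9 isc.org ANY rd 38 3223
2013-03-20T01:00:00 198.51.100.9 isc.org ANY rd 38 3223
2013-03-20T01:00:01 198.51.100.9 isc.org ANY rd 38 3223
2013-03-20T01:00:01 198.51.100.9 isc.org ANY rd 38 3223
2013-03-20T01:00:01 10.0.5.8 mail.example.com MX rd 48 90
2013-03-20T01:00:02 203.0.113.4 example.net A rd 39 55
"""


def parse(text):
    for line in text.splitlines():
        ts, client, qname, qtype, rd, req, resp = line.split()
        yield {"ts": ts, "client": ipaddress.ip_address(client), "qname": qname,
               "qtype": qtype, "recursive": rd == "rd",
               "req": int(req), "resp": int(resp)}


def is_open_resolver_use(rec):
    """A recursive query served to a client outside ALLOWED_CLIENTS means the
    resolver is open to the Internet and usable as a reflector."""
    return rec["recursive"] and not any(rec["client"] in n for n in ALLOWED_CLIENTS)


def reflection_candidates(text, min_queries=3, min_ratio=10.0):
    """Group by client address. A client that triggers many answers that are
    much larger than its queries is most likely a spoofed victim address:
    the responses are going to it, not to whoever sent the queries."""
    per_client = defaultdict(lambda: {"n": 0, "req": 0, "resp": 0, "any": 0})
    for rec in parse(text):
        s = per_client[rec["client"]]
        s["n"] += 1
        s["req"] += rec["req"]
        s["resp"] += rec["resp"]
        s["any"] += int(rec["qtype"] == "ANY")
    out = []
    for client, s in per_client.items():
        ratio = s["resp"] / s["req"]
        if s["n"] >= min_queries and ratio >= min_ratio:
            out.append({"client": str(client), "queries": s["n"],
                        "amplification": round(ratio, 1), "any_queries": s["any"]})
    return out


def open_resolver_clients(text):
    """Distinct outside addresses that were given recursion."""
    return sorted({str(r["client"]) for r in parse(text) if is_open_resolver_use(r)})


if __name__ == "__main__":
    print(open_resolver_clients(SAMPLE_LOG))
    print(reflection_candidates(SAMPLE_LOG))
```

A non-empty `open_resolver_clients` result is the configuration problem to fix first (restrict recursion to your own networks); `reflection_candidates` is the operational signal to pair with response rate limiting while that is done. Note that the flagged address is the victim, not the attacker, so it is not a candidate for blocking at the source.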

Among Windows services, we focus on the Remote Desktop Protocol (hereinafter RDP), in which a number of high-risk vulnerabilities were disclosed in
RDP is used to operate the Windows desktop environment remotely. Figure 5 shows the monthly history of blocked access from April 2011 to March 2013.

Figure 5: Monthly history of attacks on TCP/3389 blocked by firewalls

We mentioned in our report last year that blocked access to TCP/3389, the port used by RDP, had increased since the disclosure of high-risk vulnerabilities in RDP in
The attacks increased further in 2012, and a high level of access attempts still continues now. RDP may be targeted by malicious third parties since high-risk vulnerabilities in it were disclosed one after another in 2012, in addition to those disclosed in
Many of those disclosed in 2012 were vulnerabilities that allow third parties to execute arbitrary code remotely under specific conditions, and may allow them to take control of the attacked computer itself. On the other hand, the Morto worm may be partly responsible for the large number of blocked accesses to TCP/3389. The Morto worm spreads through indiscriminate access to TCP/3389, and infected terminals generate a large volume of traffic addressed to TCP/3389. The Morto worm has been observed since August 2011, and a variant emerged in July 2012. The emergence of a variant nearly a year later suggests the worm's continuing widespread activity.

Figure 6: Origin countries of attacks on TCP/3389 blocked by firewalls

Figure 6 summarizes the countries of origin of access to TCP/3389 based on the senders' IP addresses. 50% to 60% of access came from China, the U.S.A., and South Korea throughout the year, and the rest from 187 countries or areas. This may suggest that attempts are made from a wide range of countries and areas, and also that the Morto worm is still spreading.

Attacks on new vulnerabilities

As in 2011, many vulnerabilities were found in web-associated platforms and frameworks in
Many system administrators had to take emergency action, especially for the vulnerabilities found in Struts, PHP, and Ruby on Rails (RoR) listed in Table 2, because of the large number of users and the potential risk that the attacked device would allow the attacker to execute arbitrary code remotely. Figure 7 shows attacks on these vulnerabilities detected by the FNC Secure Web-Net Management Service.

Table 2: Attacks on platform vulnerabilities disclosed in 2012

Figure 7: History of detected attacks on platform vulnerabilities

With regard to the vulnerabilities in Struts (CVE and CVE ) and PHP (CVE ), scans checking for the existence of the vulnerabilities and attacks were detected only several days after the vulnerability disclosure, and attacks continued for several months. On the other hand, attacks on the RoR vulnerability (CVE ) were not detected for 2 months after the vulnerability disclosure. However, this may be because only a small number of websites among the customers of our FNC Secure Web-Net Management Service used RoR, since there was a report of attacks on this vulnerability within several days. We observed the first attack on the RoR vulnerability in March 2013, and also saw an increase in attacks on Struts vulnerabilities at the same time. This was due to concentrated attacks on a certain system. This suggests the same attacker or the same group of attackers persistently attacking vulnerabilities not only in RoR but also in other platforms and frameworks including Struts, because the senders' IP addresses were also generally the same.

Attacks on known vulnerabilities

The DoS vulnerability (CVE ) in Apache HTTP Server (hereinafter Apache) disclosed in late August 2011 was a typical emergency case, since a large number of web servers were affected and attack code called Apache Killer was publicized quickly. This vulnerability allowed DoS attacks due to the web server's handling of HTTP requests, leaving the web server unable to provide web services. Figure 8 shows the monthly history of attacks by Apache Killer detected by IDSes/IPSes and WAFs provided by the FNC Secure Web-Net Management Service.

Figure 8: History of detected Apache Killer attacks

The number detected increased in January 2013 and stayed large in February and March. The reason attacks on vulnerabilities continue even long after disclosure is that malicious third parties know there are still many unguarded websites on the Internet. Apache Killer was reported to be one of the attacking methods in the DDoS attack on websites by the hacktivist group Anonymous reported in

This section summarized the trends in attacks from the Internet on web networks. It should be noted that the duration between vulnerability disclosure and attacks is becoming shorter. This means patches should be applied immediately after release if your vulnerability measures rely entirely on the patch application approach. You need to speed up patch application, or find another means to prevent attacks. Known vulnerabilities are harmless as long as patches have been correctly applied. However, there might be systems that were overlooked because their priorities were low. Also, there might be systems that were under development at the time of the vulnerability disclosure and on which measures were not applied. It is necessary to make sure that measures are applied on every system, since attacks on known vulnerabilities are seen continuously.

It is desirable to be continuously aware of the trend of observed attacks in addition to being aware of vulnerabilities. DDoS attacks such as DNS reflector attacks, and worms, have been around for a long time and tend to surge now and then at irregular intervals. You also need to be alert to information such as hacktivists' warnings. It is desirable to obtain such information through security-related news sites or mailing lists, and to be on alert as necessary. You can also obtain such information from security service providers.

1.2. Corporate system status

This section examines how measures are implemented in web networks in corporate systems, based on the results of our Platform Assessment Service. The Platform Assessment Service consists of remote assessment, which is carried out via the Internet through the firewall, and on-site assessment, which assesses the system from inside the firewall. Their aims are to assess resistance against attacks from external networks such as the Internet, and against attacks from internal networks initiated by malicious insiders or by third parties who have taken over servers. Systems are classified into one of the following three groups according to the risk level determined by the assessment.

"Danger": Systems which can be successfully attacked at any moment.
"Warning": Systems which can be successfully attacked under certain conditions.
"Safety": Systems which do not have any of the above flaws.

Figure 9: Platform assessment results via firewalls, annual comparison

Figure 9 shows the results of remote assessment over the past 5 years. The sudden increase in the number of sites in "Danger" in 2011 was due to the DoS vulnerability (CVE ) in Apache described in section 1.1. Assessment in 2012 found that many systems were still unguarded. This exposes the actual status of organizations that are finding it difficult to apply measures against all high-risk vulnerabilities, although this may be the result of concerns such as the criticality of the given systems, the difficulty and cost of patch application, and the systems' lifecycle.

Figure 10: Measure application status in 22 systems where CVE was detected (number of IPs)

Figure 10 shows how measures were applied on the 22 systems (A to V) where this vulnerability was detected. It indicates the number of patched and unpatched Apache instances among public web servers. This shows that some servers are patched; however, the measure has not been applied to all web servers. Apart from this vulnerability, only 2% of systems were in "Danger" in 2012, and high-risk vulnerabilities in platforms other than web servers were few and far between. Many of the systems in "Warning" had application server management consoles and remote maintenance services (SSH, etc.) accessible from the Internet. Although these were implemented with authentication functions, the system could be illegally controlled once the attacker is authenticated using a dictionary attack on the ID and password.

Figure 11: Platform assessment results inside firewalls, annual comparison

Figure 11 shows the results of on-site assessment over the past 5 years. The number of systems in "Danger" decreased in 2010; however, it increased again in 2011 due to the DoS vulnerability in Apache, as it did in the remote assessment. Apart from this vulnerability, 40% of systems were in "Danger". These included many systems running old versions of platform products with known vulnerabilities. Many systems in organizations were being left with high-risk vulnerabilities. This indicates that corporate systems are relying heavily on their firewalls to protect themselves against attacks via the Internet. This trend remains unchanged. There are two issues with depending on firewalls as the security measure. Firstly, they cannot prevent attacks by insiders and by third parties who have taken control of servers. Secondly, they cannot prevent attacks that take advantage of communications permitted through the firewall.

Figure 12: Attacks exploiting vulnerabilities in web application frameworks

Figure 12 shows an example of an attack that cannot be blocked by firewalls, since the attacker penetrates the firewall by taking advantage of vulnerabilities in the application server. The vulnerabilities in Struts discussed in section 1.1 are of the same nature. Information leakage incidents taking advantage of vulnerabilities in Struts have also occurred in Japan. Applying measures to servers that are considered to be protected by firewalls may seem too much of a burden; however, measures should be applied thoroughly against such high-risk vulnerabilities.

This section summarized the status of measures applied in corporate systems (web networks). We have learnt that measures against high-risk vulnerabilities are not applied to every system, even long after disclosure. In section 1.1 we explained the necessity of applying measures thoroughly, since attacks on known vulnerabilities are carried out continuously; however, this is not adhered to enough. Efforts should be made to apply measures thoroughly; for example, the security management department should take the initiative in reviewing the current status, promoting security measures, and applying overall defense-in-depth measures such as WAFs.

1.3. Overseas website general status

In order to manage the security status of websites, you need to know how many associated websites your company has, where they are, and who is responsible for them. However, identifying a company's own websites completely has become difficult due to the globalization of organizations and the trend toward system outsourcing. As a solution to such cases, we offer the Website Group Inventory Service, which takes inventory of domestic and overseas websites and carries out simple security checks on them. Figure 13 shows the locations of websites of Japanese organizations we checked in 2012, based on their IP addresses. The map indicates that the websites of Japanese organizations are dispersed over many countries.

Figure 13: Locations of overseas sites of Japanese global enterprises

The simple security checks included in this service collect information in the same way a malicious third party might. Figure 14 shows the analyzed result for those websites that may be attacked. Please note that websites in overseas locations are categorized as overseas sites, even though the location of a website does not necessarily correspond to the whereabouts of its target users.

Figure 14: Detected issues that may be attacked

Figure 14 shows that 41% of websites had some issue that can be attacked, regardless of whether they were in Japan or overseas. The likelihood of detecting issues is comparatively higher in overseas sites than in domestic sites. The following cases were often seen in sites where the simple security checks found risks.

Banner information contained a product version with high-risk vulnerabilities
We obtained product versions from the banner information included in the response to access to a public port, and checked whether the version contained any known high-risk vulnerabilities (that allow remote execution of arbitrary code or remote DoS attacks) and whether the attacking method is publicized. Such sites are more likely to be targeted by malicious third parties.

Login attempt to the maintenance service was successful
We checked whether ports used for remote operations were open, and were able to make ID/password login attempts. Although attackers must log in to use the service, they may still successfully log in using a dictionary attack on IDs and passwords.

Figure 15: Login attempts to maintenance services could be made (%)

The difference between domestic and overseas sites was significant for "Login attempts to maintenance services could be made", as shown in Figure 15. This is probably due to site configuration. Many websites in Japan are located on-premises; therefore, maintenance access routes are normally provided separately from the Internet through which services are provided. This means the maintenance service is not made accessible from the Internet in most cases. On the other hand, overseas sites are often implemented using web hosting services, including cloud services, rather than being installed on-premises; therefore, servers are normally maintained via the Internet. However, the issue is the lack of appropriate access control, not the fact that maintenance work is carried out via the Internet. It is necessary to prevent login attempts by malicious third parties through measures such as restricting source IP addresses and implementing public key authentication.

This section examined the domestic and overseas website management status from the results of the Website Group Inventory Service. Although it is assumed that important websites are purposely managed and have measures applied using suitable means such as security assessment, the statistics suggest the same care is not taken for the rest, and vulnerabilities are still left undealt with. Security measures for websites should be controlled by frameworks such as guidelines and workflows in the organization. However, in many cases such frameworks are not present, or are not being practiced even if they are present. Attackers target vulnerable systems. Organizations should carry out an inventory of all websites and check their security levels; this will also help them to review priorities for security measures. For systems that are difficult to manage properly for various reasons, different approaches are required, such as centralizing infrastructure or integrating the operational structure.
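The two controls the section names for an Internet-reachable maintenance service, source address restriction and public key authentication, can be checked mechanically when the service is OpenSSH. The following is an added example, not part of the report or of any NRI Secure service: it reads an `sshd_config`, applies OpenSSH's documented defaults for keys that are absent, and reports the weaknesses discussed above (password logins, root login, no source restriction). The two configurations are constructed; the admin network `192.0.2.0/24` is a placeholder.

```python
"""Audit sshd_config for the maintenance-access weaknesses named in the
report. Added example with two constructed configurations."""

# Constructed example: a hosted server left close to defaults.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed example: key-only login, no root, only from the admin network.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers ops@192.0.2.0/24
Match Address 192.0.2.0/24
    PasswordAuthentication no
"""

# Values OpenSSH applies when the keyword is absent (per sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "permitrootlogin": "prohibit-password"}


def parse_sshd_config(text):
    """Return (global settings, list of Match criteria). Keywords inside a
    Match block apply only conditionally, so they are not merged into the
    global view; the Match criteria themselves are kept for the audit."""
    settings, matches, in_match = dict(DEFAULTS), [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            matches.append(value)
            in_match = True
            continue
        if in_match:
            continue
        if key == "allowusers":
            settings.setdefault("allowusers", []).extend(value.split())
        else:
            settings[key] = value.lower()
    return settings, matches


def audit(text):
    """List of findings; an empty list means none of the checked weaknesses."""
    s, matches = parse_sshd_config(text)
    findings = []
    if s["passwordauthentication"] == "yes":
        findings.append("password authentication enabled: exposed to dictionary attacks")
    if s["permitrootlogin"] == "yes":
        findings.append("root login permitted")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public key authentication disabled")
    # Source restriction: either a `Match Address` block or AllowUsers entries
    # of the form user@host (host may be a CIDR). A firewall allow-list in
    # front of the port is the complementary control and is not visible here.
    restricted = any(m.lower().startswith("address") for m in matches) or \
        any("@" in u for u in s.get("allowusers", []))
    if not restricted:
        findings.append("no source address restriction (Match Address or AllowUsers user@host)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

The audit reads only the global section on purpose: a `PasswordAuthentication no` that lives under `Match Address` protects just that address range, and the global value is what every other source sees.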

1.4. Realistic measures against threats on web networks

We have described the status of, and required measures for, corporate systems (web networks) in sections 1.1 to 1.3. It is important to establish appropriate control over websites that are not properly managed, and patches should be applied swiftly and thoroughly to vulnerabilities. However, the importance of such measures has always been perceived, yet measures are not thoroughly applied. This may suggest that many organizations do not know how to approach the problem despite being aware of the necessity, or that organizations are finding the tasks difficult and achieving little. Organizations must understand that there is a limit to what they can do on their own, and seek means to reduce risks. When it is difficult to deal with on their own, the organization can consider outsourcing part of, or the whole, task. Outsourcing seems to be considered undesirable in general because it is a capital outflow. However, costs are still incurred for in-house solutions, and costs are even higher if a security incident occurs due to insufficient measures. This section describes best practice for corporate security measures, and how to take advantage of outsourcing effectively.

Corporate security measures

Organizations must establish a system to respond to attacks on vulnerabilities. Decision making and actions will vary if the tasks are left to individual departments and branches. A corporate-wide system is required in which vulnerability risks are analyzed by the security management department and a top-down management style is taken for truly high-risk vulnerabilities. In order to do so, the security management department must know their sites. Then they should establish appropriate control, such as centralizing infrastructure and integrating operational structures.

Truly high-risk vulnerabilities are ones that can be exploited easily by malicious third parties and whose exploitation can result in significant damage to the organization. Vulnerabilities which can be attacked easily are those in public service infrastructure such as web servers and web application servers; in other words, vulnerabilities that cannot be protected by firewalls, that can be attacked remotely, and whose attack code is publicly available. Security management must establish the means to distinguish them. The use of CVSS may be one possible method. In addition, as described in section 1.1, we observed attacks on vulnerabilities within only several days after the disclosure of high-risk vulnerabilities. While patch application is the basic measure for vulnerabilities, it is in general difficult to complete within such a short period; therefore, it is necessary to actively deploy the defense-in-depth approach using security devices at the same time. A WAF in particular is capable of blocking attacks on platform vulnerabilities simply by applying the latest signatures supplied by the manufacturer. Although enabling a WAF's new signatures carries the possibility of false positives, some products allow enabling signature detection only, without blocking the packets. Enabling the latest signatures provides a temporary solution by blocking or detecting attacks while the organization completes the genuine solution of applying patches.

Effective outsourcing

Outsourcing the whole system to a provider of fully managed services can be a solution when it is difficult to establish an appropriate management system with in-house resources. The latest trend is to deploy hosting services such as inexpensive cloud services; however, many such inexpensive services are self-managed, which means the users are expected to apply security measures themselves. Another option can be to seek advice from experts on how to distinguish truly high-risk vulnerabilities for the security management department. Decisions based on consideration of the seriousness and the attack status can cause delays in response and allow the damage to spread if a wrong decision is made. You can make well-informed and accurate decisions by taking advice from experts who are connected to worldwide organizations such as CSIRTs (Computer Security Incident Response Teams).
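The section's definition of a "truly high-risk" vulnerability (reachable from the Internet rather than shielded by the firewall, attackable remotely, public attack code) together with its suggestion of CVSS can be turned into a repeatable ranking. The following is an added example, not a method from the report or NRI Secure: it computes a CVSS v2 base score (the CVSS version in use in 2013) from a base vector using the published v2 formula, then sorts an inventory by those criteria. The vulnerability IDs, vectors and exposure facts are constructed placeholders, not real CVEs, and the 7.0 score floor is an assumption.

```python
"""Rank vulnerabilities by the 'truly high-risk' criteria: Internet-exposed,
remote (AV:N), public exploit, high CVSS v2 base score. Added example."""

# CVSS v2 base metric weights (from the CVSS v2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_vector(vec):
    """'AV:N/AC:L/Au:N/C:C/I:C/A:C' -> {'AV': 'N', 'AC': 'L', ...}"""
    metrics = dict(part.split(":") for part in vec.split("/"))
    for k in ("AV", "AC", "Au", "C", "I", "A"):
        if k not in metrics:
            raise ValueError("missing metric " + k)
    return metrics


def cvss2_base(vec):
    """CVSS v2 base score, rounded to one decimal as the specification does."""
    m = parse_vector(vec)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = 0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f, 1)


def triage(vulns, score_floor=7.0):
    """Return the inventory sorted by priority, with 'score' and 'tier' added.

    tier 1 (truly high-risk): Internet-exposed + remote + public exploit +
           score >= score_floor -> patch now, WAF signature in the meantime
    tier 2: high score and exposed or remote, but no public exploit yet
    tier 3: everything else, handled in the normal patch cycle
    """
    ranked = []
    for v in vulns:
        m = parse_vector(v["cvss2"])
        score = cvss2_base(v["cvss2"])
        remote = m["AV"] == "N"
        if v["internet_exposed"] and remote and v["exploit_public"] and score >= score_floor:
            tier = 1
        elif score >= score_floor and (v["internet_exposed"] or remote):
            tier = 2
        else:
            tier = 3
        ranked.append(dict(v, score=score, tier=tier))
    return sorted(ranked, key=lambda r: (r["tier"], -r["score"]))


# Constructed inventory (placeholder IDs and facts; not real CVEs).
SAMPLE_VULNS = [
    {"id": "VULN-A", "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
     "internet_exposed": True, "exploit_public": True},     # framework RCE, public web server
    {"id": "VULN-B", "cvss2": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
     "internet_exposed": True, "exploit_public": True},     # remote DoS, tool published
    {"id": "VULN-C", "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
     "internet_exposed": False, "exploit_public": False},   # same RCE, intranet-only host
    {"id": "VULN-D", "cvss2": "AV:L/AC:M/Au:S/C:P/I:N/A:N",
     "internet_exposed": False, "exploit_public": True},    # local information leak
]

if __name__ == "__main__":
    for r in triage(SAMPLE_VULNS):
        print(r["tier"], r["id"], r["score"])
```

The point of the tiers is the one the section makes: the same vector scores 10.0 for VULN-A and VULN-C, but only the Internet-exposed instance with public attack code is the emergency, and that is the one that also gets the interim WAF signature while the patch is verified.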

2. Threats of the Internet - web applications

2.1. Attacks from the Internet

Attacks on web applications

Attacks on web applications are never ending, and we often hear reports of web content falsification incidents. While measures on web applications were progressively applied with the help of IPA, the media reported that several million people's private information was stolen from a members' website. WAFs managed by the FNC Secure Web-Net Management Service continuously detect numerous attacks on web applications, as they did in the previous year (Figure 16).

Figure 16: Monthly history of detected attacks on web application vulnerabilities

The most common attacks on web applications in 2012 were SQL injection. SQL injection exploits flaws in application implementation to operate the backend database illegally and steal or falsify data. Our WAFs detected a large number of SQL injection attacks within a short period, and they had the same pattern as the communication pattern generated by a specific attack tool. This suggests the attacks came from bots. We also continuously observed attacks such as cross-site scripting, cross-site request forgery (CSRF), and remote file inclusion (RFI); however, their numbers are hardly comparable to SQL injection. Attackers seemed to focus on SQL injection probably because its reward is greater if the attack succeeds. Figure 17 shows the daily history in September 2012, when the attacks surged.

Figure 17: Daily history of detected SQL injection attacks in September 2012

It peaked on September 18, but only 2 addresses were used by the attackers. Both were IP addresses of South Korean ISPs. These IP addresses were persistently attacking the target site, hence the surge on September 18. It is said that attacks from China increase in September due to anti-Japanese sentiment, because it is the month of the railway explosion which was the origin of the Manchurian Incident. There were reports of increased numbers of attacks in September 2012 and our FNC Secure Web-Net Management Service confirmed an increasing trend; however, there was no other case as extreme as the above-mentioned SQL injection attacks from South Korea.

Attacks on vulnerabilities in off-the-shelf web applications

A large number of off-the-shelf web applications are available nowadays, from open source to commercial products. Deploying part of or the whole application is becoming more common than developing the required web application from scratch. On the other hand, they are increasingly targeted by attackers. We will examine the trend of attacks on vulnerabilities in off-the-shelf web applications using the example of WordPress, a blog/CMS platform. WordPress is used as the platform to run websites by numerous organizations. Many vulnerabilities were found in WordPress in 2012, and reports about attacked websites followed because they continued to use the software without upgrading the version. The most common attacks exploiting vulnerabilities in WordPress were remote file inclusion (RFI) attempts on timthumb.php, according to statistics from our FNC Secure Web-Net Management Service. timthumb.php is a library for resizing images that is used in WordPress themes and plug-ins, and its vulnerability was disclosed in August 2011. Figure 18 shows the number of attacks on timthumb.php in WordPress detected by IDSes/IPSes and WAFs at multiple websites.

Figure 18: Attacks on the timthumb.php vulnerability in WordPress

The detected number was low in the first half of 2012; however, it increased in October and continued to be high until March. Although the vulnerability was disclosed in August 2011 and was not new, attacks increased almost a year later. The WordPress blog platform of a major overseas news agency was attacked in August 2012 and false news articles were posted. This high-profile incident may have triggered a boom in attacking WordPress.

This section summarized the trend in attacks on web applications. It is important to maintain security when developing and operating web applications since numerous attacks such as SQL injection have been detected.

2.2. Corporate system status

Risks in web applications

This section examines how measures are implemented on corporate websites based on the results of our Web Application Assessment Service. Similarly to the Platform Assessment, our Web Application Assessment categorizes websites into 3 groups according to their risk levels.

"Danger": Websites where important information can be illegally accessed.
"Warning": Websites with possible information leakage risks, although important information could not be accessed.
"Safety": Websites which have none of the above flaws.

Figure 19 shows the websites we have assessed in the past 5 years by each of the above categories. In the 2012 results, 33% of websites were in "Danger", 30% were in "Warning", and 37% were in "Safety".

Figure 19: Risk levels of websites over five years

Websites in "Safety" have been gradually increasing over the years. However, websites in "Danger" have always been found at a certain level without decreasing. This may suggest that security lessons learnt in the past were not applied efficiently, but instead issues were dealt with individually. High-level security is generally required in financial systems, where security breaches directly lead to financial damage. Also, awareness of information security is deemed to be relatively high in financial organizations since they are given a compulsory motivation to promote security measures through FSA inspections and BOJ inspections [2]. Figure 20 shows the risk levels in public websites of financial and non-financial organizations. Fewer websites of financial organizations are in "Danger" and more of them are in "Safety" compared to non-financial organizations. This trend has stayed unchanged over the years.

[2] An inspection carried out by the Bank of Japan in accordance with the Bank of Japan Act in order to maintain the stability of the financial system.

Figure 20: Risk levels in financial and non-financial public websites

Next, we will examine the security status of websites where credit card information is handled [3]. Websites which handle credit card information require robust security measures since exploitation of such information will likely cause direct financial damage to users. Figure 21 shows the risk levels of websites which handle credit card information (hereinafter handling sites) and those which do not (hereinafter non-handling sites).

Figure 21: Risk levels of handling and non-handling sites

The risk level comparison shows that the proportions of "Safety" are almost the same among handling sites and non-handling sites. On the other hand, the proportion of "Danger" websites is smaller among handling sites. Handling sites are required to comply with the international security standard PCI DSS [4]. Although it is not yet mandatory for all handling sites, the scope will be expanded to many of them by March. Therefore, clearing houses acting on their behalf and compliant systems such as EC sites are increasing in Japan. The trend in 2012 is considered to reflect the general awareness that compliance may be required of a wider range of currently non-compliant sites in the future. On the other hand, the proportion of "Warning" for handling sites is larger at 45%. This is because the number of security measures for handling credit card information is growing in handling sites.

[3] Websites that hold information such as credit card numbers, names, and expiry dates.
[4] Payment Card Industry Data Security Standard. Security standards developed by five global payment brands for systems which handle credit card information.

Trend in detected typical issues

This section examines the specific risks in detail. The following are the most common "Danger" flaws found in our web application assessment.

Spoofing due to insufficient checks (hereinafter spoofing)
Accessing administrative functions by privilege escalation (hereinafter privilege escalation)
SQL injection

Figure 22 shows the detected cases for the above flaws plus another "Warning" flaw, cross-site scripting, in our web application assessment over the past 5 years.

Figure 22: Detected major flaws over 5 years

There have been only small changes in the detection rates for all issues over 5 years. This may suggest that these issues are built in at a certain rate during development and that measures to eliminate the possibility have not been effectively established.

This section analyzed the trends in the risk levels of flaws detected in corporate web applications and their details. The rate of detecting high-risk flaws has hardly changed in these several years, and the trend in commonly detected flaws has also stayed the same. However, financial systems and other corporate systems which handle credit cards tend to be advanced in security measures due to audits by external organizations and requirements from standards. Undergoing security assessment and rectifying any detected flaws are the norm for these organizations, and system developers are deemed to be aware of it as well. Costs for correction are significant if a flaw is found in a system after release. Organizations should assume that developed web applications are likely to contain high-risk vulnerabilities. Applying preventive measures through security assessment, and only accepting delivery after the necessary corrections, are effective for keeping security risks and costs low.

Trends and measures in the development phase

This section analyzes trends in the development processes of web applications. Development processes can be defined as "Requirements (requirement definition)", "Design", "Implementation (including tests)", "Deployment", and "Operations". Figure 23 shows the processes in which the high-risk flaws found in web application assessment originated over the years.

Figure 23: Processes where high-risk flaws were created over the years

The trend stayed roughly the same, and the majority of flaws were created in the Requirements and Design processes. These flaws are created because the security requirements and perspectives are not clarified enough. "Privilege escalation" and "spoofing" discussed in section 2.2 are flaws from these processes. Establishing design guidelines and a design review system from the security viewpoint are effective measures; however, the statistics over the years indicate that such measures are not thoroughly applied.

Flaws in the implementation process can be difficult to eliminate since they can be overlooked or escape attention even when the developers understand the necessity of measures. "SQL injection" and "cross-site scripting" discussed in section 2.2 are flaws from this process. It is difficult to eliminate human errors in major development projects. However, these flaws can be comprehensively dealt with by using a mechanical approach such as source code assessment tools.

Flaws in the operation process are mainly in the products used by the platform and their configurations. As described in section 1.4, it is important to deal with flaws in this process by establishing a system for applying measures to high-risk vulnerabilities.

All flaws can be detected by security assessment after development; however, flaws created in the requirements and design processes are more difficult and costly to correct. Therefore, it is more cost effective to apply preventive measures thoroughly in the development stage, such as establishing design guidelines and a design review system from the security viewpoint.

Figure 24: Measures in website development processes

This section clarified in which development processes the high-risk flaws were created and examined the trend. Today, the elemental technologies that form web applications are increasingly diverse, such as smartphone and tablet implementations, asynchronous communications such as Ajax and WebSocket, and authentication technologies such as OpenID. New technologies such as HTTP 2.0 are expected to be implemented continuously. It is desirable to take preventive measures in the upstream processes of development through expert reviews in order not to miss any issues in these diversified security aspects.

Measures by web application firewalls (WAF)

The basic measure for vulnerabilities in web applications is correction of the web application itself. However, there are cases where such correction is difficult, especially in operation. We have discussed in chapters 1 and 2 that implementing defense-in-depth strategies with security devices such as WAFs is effective for vulnerabilities in platforms and web applications. This section clarifies the effectiveness of WAFs. Functions of WAFs vary depending on the product. This section examines the network WAFs that are deployed in our FNC Secure Web-Net Management Service.

Figure 25: Effective security measures by WAFs

Figure 25 shows 3 approaches to protect web applications from attacks.

(1) Product signatures (blacklist)
This approach blocks attacks by matching communication patterns against a blacklist that defines attack patterns. It can block attacks on known vulnerabilities of products and wide-ranging attacks using known patterns.

(2) Customised signatures (blacklist)
This approach blocks attacks on unique vulnerabilities in bespoke web applications, and known vulnerabilities that cannot be protected by product signatures, by defining proprietary signatures. Creating and maintaining the signatures requires a high level of expertise.

(3) Input validation (whitelist)
This approach blocks any communication that does not match a whitelist that defines the specifications of input values to web applications. SQL injection and cross-site scripting are vulnerabilities created by insufficient input validation, and insufficient input validation in web applications can be compensated for by a whitelist on the WAF. Ideally all specifications of web applications should be defined in the whitelist on the WAF; however, this causes too much workload. Therefore, the most effective approach is to narrow the target down to the areas where flaws were found in the security assessment when implementing the whitelist.

WAFs are capable of blocking any attack that can be defined in a blacklist or whitelist. In other words, WAFs cannot block attacks that cannot be defined in a blacklist or whitelist as specifications of the web application. Therefore, many cases of spoofing and privilege escalation cannot be blocked by WAFs. Despite such restrictions, WAFs can provide effective protection through customization. You can improve their effectiveness by applying your own signatures and whitelist for bespoke web applications in addition to the product signatures.

This section clarified the effectiveness of WAFs. Although WAFs are not almighty, they can block wide-ranging attacks and definitely improve the security level. Active deployment of WAFs will be an effective measure for improving the security level of neglected systems and for being prepared for attacks on unexpected vulnerabilities.
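As an added illustration (not code from the report or from the service it describes), the following Python models the three approaches with a toy request filter: a product blacklist, a site-specific custom signature, and a per-parameter whitelist for one path. It also shows the caveat above in practice: a well-formed request that is really a privilege escalation passes all three layers. All patterns, paths and sample requests are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Request:
    path: str
    params: Dict[str, str]


# (1) Product signatures: a generic blacklist of well-known attack patterns.
PRODUCT_SIGNATURES = {
    "sqli_tautology": re.compile(r"['\"]\s*or\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I),
    "sqli_union": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "rfi_timthumb": re.compile(r"timthumb\.php", re.I),  # known vulnerable library path
}

# (2) Customised signatures written by the operator for flaws found in this
# particular application: (path pattern, parameter, forbidden value pattern).
# The /download traversal flaw is hypothetical.
CUSTOM_SIGNATURES = {
    "download_traversal": (re.compile(r"^/download$"), "file", re.compile(r"\.\./|\x00")),
}

# (3) Whitelist: the expected format of every parameter on the paths where the
# assessment found flaws. Unknown parameters and non-matching values are blocked.
WHITELIST = {
    "/search": {"q": re.compile(r"^[\w\s\-]{1,64}$"), "page": re.compile(r"^\d{1,3}$")},
}


def inspect(req: Request) -> Optional[str]:
    """Return the rule that blocks the request, or None if the WAF lets it through."""
    haystack = " ".join(f"{k}={v}" for k, v in req.params.items())
    for name, pattern in PRODUCT_SIGNATURES.items():
        if pattern.search(req.path) or pattern.search(haystack):
            return f"product:{name}"
    for name, (path_re, param, value_re) in CUSTOM_SIGNATURES.items():
        if path_re.match(req.path) and value_re.search(req.params.get(param, "")):
            return f"custom:{name}"
    spec = WHITELIST.get(req.path)
    if spec is not None:
        for param, value in req.params.items():
            allowed = spec.get(param)
            if allowed is None or not allowed.match(value):
                return f"whitelist:{req.path}:{param}"
    return None


# Constructed requests: three that each layer is meant to stop, one unexpected
# parameter, one legitimate request, and one privilege-escalation attempt.
SAMPLE_REQUESTS = {
    "sqli": Request("/login", {"user": "admin' OR '1'='1", "pw": "x"}),
    "rfi": Request("/wp-content/themes/t/timthumb.php", {"src": "http://example.invalid/x.php"}),
    "traversal": Request("/download", {"file": "../../etc/passwd"}),
    "bad_param": Request("/search", {"q": "annual review", "sort": "name"}),
    "legit": Request("/search", {"q": "annual review", "page": "2"}),
    # An ordinary logged-in user requesting an administrator's record: every
    # value is well-formed, so no signature or whitelist can flag it. Only the
    # application's own authorization check can.
    "priv_esc": Request("/admin/users", {"id": "42"}),
}


def decisions() -> Dict[str, Optional[str]]:
    """Run every sample request through the filter and collect the verdicts."""
    return {name: inspect(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:10s} -> {verdict or 'pass'}")
```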

[Column] Detecting and blocking account hacking with WAFs

Account hacking using illegally obtained lists of users has become popular.

Figure 26: Account hacking with a list

Figure 26 shows one of the methods to prevent attacks by login attempts like this: monitor failed authentication logs and block the access. Ideally the application should log authentication attempts, and a system should be established to detect the incident in real time and take action. Many applications produce logs, but it is difficult to monitor the logs all the time and block the access. We have been using WAFs to detect such attacks even before this particular attack became popular. The characteristic of this attack is that it generates a large number of login attempts and failed authentication attempts. In particular, it tends to produce a large number of login attempts to non-existent IDs. While the specific signature and detection logic to be implemented on the WAF vary depending on the characteristics of the website, the following hypotheses commonly apply.

Attacks are coming from a small number of IP addresses: detect by observing the number of failed authentication attempts per IP address.
Attacks are coming from a large number of IP addresses: detect by observing the total number of failed authentication attempts regardless of the IP addresses.

While it is difficult to detect this attack accurately, the detection rate can be improved by customizing the WAF according to the characteristics of the website. Since security devices like WAFs can block communications, you can automatically block the access when attacks are detected. Increasing damage caused by this attack has been reported. Some organizations received login attempts continuously over several weeks. Detecting attacks that make large numbers of login attempts, and dealing swiftly with such incidents, are effective for minimizing the damage. It is desirable that web applications implement such functions. However, this attack is happening now and immediate measures are required. Taking the defense-in-depth approach would be effective while waiting for applications to be implemented with the measures.
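The two hypotheses in the column, as an added example (not the service's own signatures): a small detector run over constructed authentication log lines, counting failed logins per source address and regardless of address in a sliding window, and weighting failures against non-existent IDs more heavily since the column notes list-based attacks produce many of them. Log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

# Assumed log line shape (constructed):
#   "<ISO time> <ip> login <ok|fail> user=<id> [reason=<why>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<result>ok|fail) user=(?P<user>\S+)"
    r"(?: reason=(?P<reason>\S+))?$"
)


class LoginFailureDetector:
    """Sliding-window counters over weighted authentication failures."""

    def __init__(self, window_sec: int = 60, per_ip_threshold: int = 5,
                 global_threshold: int = 20, unknown_user_weight: int = 2) -> None:
        self.window = timedelta(seconds=window_sec)
        self.per_ip_threshold = per_ip_threshold
        self.global_threshold = global_threshold
        self.unknown_user_weight = unknown_user_weight
        self.per_ip: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
        self.all_failures: Deque[Tuple[datetime, int]] = deque()
        self.blocked_ips: Set[str] = set()
        self.last_global_alert: Optional[datetime] = None

    def _weight_in_window(self, q: Deque[Tuple[datetime, int]], now: datetime) -> int:
        """Drop entries older than the window, then return the weighted count."""
        while q and now - q[0][0] > self.window:
            q.popleft()
        return sum(w for _, w in q)

    def feed(self, line: str) -> List[str]:
        """Process one log line and return the alerts it raised (possibly none)."""
        m = LINE_RE.match(line)
        if not m:
            return []                                # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        if ip in self.blocked_ips:
            return [f"drop: {ip} is blocked"]        # a WAF would not forward this
        if m["result"] == "ok":
            return []
        weight = self.unknown_user_weight if m["reason"] == "no_such_user" else 1
        alerts: List[str] = []
        self.per_ip[ip].append((ts, weight))
        self.all_failures.append((ts, weight))
        # Hypothesis 1: a few addresses, many failures each -> block that address.
        if self._weight_in_window(self.per_ip[ip], ts) >= self.per_ip_threshold:
            self.blocked_ips.add(ip)
            alerts.append(f"block: {ip} exceeded per-address failure threshold")
        # Hypothesis 2: many addresses, few failures each -> watch the total.
        total = self._weight_in_window(self.all_failures, ts)
        if total >= self.global_threshold and (
            self.last_global_alert is None or ts - self.last_global_alert > self.window
        ):
            self.last_global_alert = ts
            alerts.append(f"alert: {total} weighted failures in window regardless of source")
        return alerts


def run(lines: List[str]) -> Tuple[List[str], Set[str]]:
    """Feed all lines through one detector; return (alerts, blocked addresses)."""
    det = LoginFailureDetector()
    alerts: List[str] = []
    for line in lines:
        alerts.extend(det.feed(line))
    return alerts, det.blocked_ips


def build_sample_log() -> List[str]:
    """Constructed log: one noisy source, one legitimate user, then a distributed run."""
    lines = [
        "2013-03-01T10:00:00 203.0.113.5 login fail user=alice reason=bad_password",
        "2013-03-01T10:00:02 203.0.113.5 login fail user=bob reason=bad_password",
        "2013-03-01T10:00:04 203.0.113.5 login fail user=carol7 reason=no_such_user",
        "2013-03-01T10:00:05 192.0.2.10 login fail user=alice reason=bad_password",
        "2013-03-01T10:00:06 203.0.113.5 login fail user=dave99 reason=no_such_user",
        "2013-03-01T10:00:08 203.0.113.5 login fail user=erin reason=bad_password",
        "2013-03-01T10:00:09 192.0.2.10 login ok user=alice",
    ]
    # Five minutes later: twelve addresses, one failure each against unknown IDs.
    for i in range(12):
        lines.append(
            f"2013-03-01T10:05:{i:02d} 10.0.0.{i + 1} login fail user=u{i} reason=no_such_user"
        )
    return lines


if __name__ == "__main__":
    for alert in run(build_sample_log())[0]:
        print(alert)
```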

3. Threats to endpoints

3.1. Drive-by download attacks

Drive-by download attacks make users access websites that have been compromised by malicious third parties, and infect the users with malware. This method is effective for attackers since they can exploit a number of vulnerabilities at the same time and attack a number of users. We will examine the status.

Detection of malware from drive-by download attacks

Our FNC Secure Web-Net Management Service logs customers' Internet web browsing history using virus check servers. Figure 27 shows the monthly history of malware detected by the virus check servers in 2012 (April 2012 to March 2013). Malware is categorized into Trojan horse, Exploit, Backdoor, and others. A Trojan horse is a program that operates maliciously while the user is unaware. An Exploit is a program or method that attacks vulnerabilities of computers and servers. A Backdoor is software that is used to allow attackers to remotely operate the target device. While Trojan horses occupy the majority of detected malware, Exploits are detected at a certain rate every month. This indicates that attacks on software vulnerabilities are continuously carried out.

Figure 27: Monthly history of malware detected by virus check servers

Let's focus on Trojan horses, the most common category. Figure 28 shows a further breakdown of Trojan horses into iframe/redirector, JavaScript, other scripts, and others, and their monthly detection history. "iframe/redirector" uses inline frame embedding and redirect code written in JavaScript. "JavaScript" indicates other malicious JavaScript code. "other scripts" indicates script code other than JavaScript that is used in Internet Explorer, such as VBScript. Any other malicious code that does not fall into any of these is in "Others".

Figure 28: Monthly history of malware (Trojan horse) detected by virus check servers

"iframe/redirector" was in the majority throughout 2012. Together with "JavaScript", most of the malicious code was written in JavaScript. The number of detected malicious codes used for drive-by download attacks such as "iframe/redirector" increased suddenly in July 2012 and from January 2013 onwards. Drive-by download attacks lead users to malicious sites and make them download or execute malware. The attackers falsify legitimate websites by embedding inline frames with malicious content using JavaScript, or redirect users to malicious sites, to make the user execute code that exploits vulnerabilities in web browsers or plug-ins. "iframe/redirector" inserts inline frame code into HTML using JavaScript, or redirects users to malicious sites, to make users execute malicious content. Attackers can make users download malicious content while the users are unaware because inline frames can be hidden. In recent years the majority of user environments allow JavaScript to be executed since many websites cannot be displayed properly without it, which makes it easier for attackers to lead users to malicious sites.

Next we will focus on Exploits, which exploit vulnerabilities in software. We have categorized Exploit malware by targeted platform (Windows, Java, Flash Player, Adobe Reader/Acrobat, and others) and summarized their detection history in Figure 29.

Figure 29: Monthly history of malware (Exploit) detected by virus check servers

Exploits targeting Windows maintained a certain level throughout the year. Meanwhile, the largest part is taken by Exploits targeting software used as plug-ins for web browsers, such as Java, Adobe Flash Player, and Adobe Reader/Acrobat. In addition to Java, the number of detected Exploits for Flash Player and Adobe Reader/Acrobat increased from December 2012 onwards. This indicates that attackers are increasingly targeting plug-ins that are often enabled in web browsers. Table 3 shows the detected malware that exploited vulnerabilities disclosed in 2012 and the corresponding vulnerability information. It indicates that malware targeted Adobe software, in which many vulnerabilities were found in recent years, and Java-related vulnerabilities in Oracle products, in addition to the Windows platform.

Table 3: Detected malware that exploits specific vulnerabilities

We will have a closer look at attacks on specific vulnerabilities in Windows and Java. The Windows vulnerability (CVE ) disclosed on June 18, 2012 was in Microsoft XML Core Services (MS12-043). An attacker can exploit this vulnerability to execute arbitrary code remotely. Proof-of-concept code (PoC) was released for this vulnerability and was already detected on the day of disclosure. This shows that attackers exploited this vulnerability immediately. The Java vulnerability (CVE ) disclosed on August 30, 2012 (U.S. time) was in the Java Runtime Environment (JRE) by Oracle. An attacker could exploit this vulnerability to execute arbitrary OS commands. Although there are many vulnerabilities in Java, this was a particularly dangerous one, because it could be exploited merely by leading users to a website, and no patch was available at the time of disclosure even though attack code already existed. Malware exploiting this vulnerability was first detected on September 5, only 6 days after the disclosure, and was put to malicious use.

Next we will focus on the top-level domains of detected URLs. From the web browsing logs in 2012 (April 2012 to March 2013) we extracted the top-level domains of URLs where malware was detected, and plotted the number of detections per month in Figure 30.

Figure 30: Monthly history of top-level domains of detected URLs

The number decreased after the peak in July 2012; however, it has been gradually increasing again. More than half of them have been gTLDs such as com, org, net, info, and biz; however, the ccTLD for Japan, jp, has been increasing since January. This means more malware is detected in websites for Japanese users. We also detected 57 other ccTLDs with country codes such as th (Thailand), cn (China), and ru (Russia). This shows that URLs with malicious content are spread over various ccTLDs. It is deemed that web servers in various countries have been used to distribute malicious content such as malware, since it is unlikely that the owners of these domains were doing so deliberately.

Increasingly sophisticated malware distribution methods

As described, drive-by download attacks are an effective method for attackers; however, the attack has to end when the legitimate server administrator finds and removes it. Attackers have recently developed a method to get around this. A number of Japanese websites were compromised by the Darkleech Apache Module, a malicious Apache module used for drive-by download attacks, in mid March 2013. The incident attracted attention from information security organizations [5,6] in Japan and overseas, including NRI Secure, and information was released.

Figure 31: Drive-by download attack using Darkleech Apache Module

In this method, attackers somehow install the Darkleech Apache Module on a website in order to infect users who access the website with malware. Whereas typical drive-by download attacks previously added illegal code to the content file, the new method implants the malicious Apache module on the web server so that it embeds strings in the response to the content request that lead users to the malware-infected site. Finding this attack by monitoring content falsification would have been difficult because this method differs from the previous method, which falsified the content file itself. Attackers also embedded an attack tool called BHEK2 (Blackhole Exploit Kit Version 2) in the malware-infected site to attack vulnerabilities in Java, Flash Player, Adobe Reader/Acrobat, etc. An alert on a vulnerability in the management control panel software Plesk Panel [7] was issued by JPCERT/CC on April 8, 2013, because it was likely that the software was used by attackers to install the Darkleech Apache Module on web servers.

Let's see the detected access to malware-infected sites to which users were led by websites falsified by the Darkleech Apache Module in 2012 (October 2012 to March 2013), from the data on the UTM [8] provided by our FNC Secure Internet Connection Service.

[8] The abbreviation of Unified Threat Management. Devices that are based on firewalls with additional security functions such as anti-virus, intrusion detection, and URL filtering.

Figure 32: Monthly history of detected access to malware-infected sites

Figure 32 shows the monthly history of detected access to malware-infected sites, mainly by corporate users being led there by websites falsified by the Darkleech Apache Module. We can see that websites falsified by the Darkleech Apache Module already existed in October 2012, and the detected cases increased towards March, when damage was spreading in Japan. Most of the detected access was to overseas sites, mainly in the U.S.A. The first detection of a Japanese website was on February 13, 2013. This proves that falsified websites already existed before March 15, 2013, when many falsification incidents of Japanese websites were reported. The reason the damage of this attack spread gradually was probably that it was difficult for website administrators to notice the attack with measures such as content falsification detection and update checks, because this attack does not update content files on the web server. In order to check whether malware has been embedded in the website, you need to actually look around the website and keep watch, and deploy website malware detection products or services. Let us repeat that such an attack method, which can attack all users who browse the website, is very attractive to attackers. We must continue to be on watch.
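As an added example (not from the report or from any vendor product), the following Python shows the kind of check the paragraph calls for: because a malicious server module leaves the content files untouched, file-integrity monitoring sees nothing, so the check compares what the server actually serves with the file it should be serving and flags injected fragments. Both documents and the hidden iframe are constructed placeholders.

```python
import difflib
import re
from typing import List, Tuple

# Constructed: the page as stored on disk, which file-integrity monitoring checks.
ON_DISK = """<html><head><title>News</title></head>
<body><h1>Latest</h1><p>Quarterly results are out.</p>
<script src="/static/site.js"></script></body></html>"""

# Constructed: the same page as actually served, with a fragment added to the
# response by a malicious server module. The file on disk is unchanged.
SERVED = """<html><head><title>News</title></head>
<body><h1>Latest</h1><p>Quarterly results are out.</p>
<script src="/static/site.js"></script>
<iframe src="http://injected.invalid/stats.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

# Patterns typical of drive-by download injections: hidden inline frames,
# scripts pulled from another host, and inline scripts that were not in the file.
SUSPICIOUS = [
    ("hidden_iframe", re.compile(
        r'<iframe[^>]*(?:width="[01]"|height="[01]"|display:\s*none|visibility:\s*hidden)', re.I)),
    ("external_script", re.compile(r'<script[^>]*\bsrc="(?:https?:)?//', re.I)),
    ("inline_script", re.compile(r"<script(?![^>]*\bsrc=)[^>]*>", re.I)),
]


def tokenize(html: str) -> List[str]:
    """Split markup into tags and non-blank text runs, so the diff is tag-aware
    and insensitive to whitespace or line-ending differences."""
    return [t for t in re.findall(r"<[^>]+>|[^<]+", html) if t.strip()]


def injected_tokens(on_disk: str, served: str) -> List[str]:
    """Return the tokens present in the served response but not in the file."""
    a, b = tokenize(on_disk), tokenize(served)
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    extra: List[str] = []
    for op, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if op in ("insert", "replace"):
            extra.extend(b[j1:j2])
    return extra


def check_page(on_disk: str, served: str) -> List[Tuple[str, str]]:
    """Label each injected token that matches a suspicious pattern."""
    findings: List[Tuple[str, str]] = []
    for token in injected_tokens(on_disk, served):
        for label, pattern in SUSPICIOUS:
            if pattern.search(token):
                findings.append((label, token))
                break
    return findings


if __name__ == "__main__":
    for label, token in check_page(ON_DISK, SERVED):
        print(f"{label}: {token}")
```

In practice the served side comes from an external fetch of the live site, since a module like the one described only alters responses on the way out.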

3.2. Detected malware attached to e-mails

E-mail (hereinafter mail) has been around for a long time as a communication tool and is still widely used, mainly on the Internet. However, it also provides easy opportunities to send spam and mails with malware attached. Let's see the detection status of malware attached to incoming mails from April 2012 to March 2013, based on data from the gateway-type virus check servers provided by our FNC Secure Internet Connection Service.

Figure 33: Types of detected malware on Internet mails

Figure 33 shows the types of malware attached to incoming Internet mails in 2011 and 2012. More than half of them were Trojan horse and backdoor types. These types have been around for a long time, and these programs may allow malicious third parties to control the computer if executed. They have been mainly distributed as mail attachments, in the hope that the user will carelessly open the attached file. No major difference is seen between the results from 2011 and 2012. The attacker's ultimate motivation behind sending malware as a mail attachment is to steal information. This is probably the reason why Trojan horses and backdoors that control the computer are so popular.

Measures against attacks on endpoints

This chapter clarified the status of threats to endpoints. The measure against attacks on vulnerabilities is swift patch application, just as we discussed in chapter 1 concerning corporate systems (web networks). However, many organizations experienced difficulty in swift patch application when the notorious Java vulnerability was disclosed in 2012, because of the possible impact on business systems using Java. A defense-in-depth strategy to provide alternative protection is required when the patch cannot be applied. The defense-in-depth strategy can roughly be divided into entrance protection to prevent malware from reaching users, endpoint protection to prevent infection, and exit protection to prevent infected devices from communicating with the outside. Entrance protection can be gateway-type anti-virus, spam filter, and content filter products. Anti-virus software is effective for endpoint protection. Some recent anti-virus software implements functions that detect attack patterns and malware behavior and block the attack, in addition to traditional pattern matching; enabling such functions is effective. Effective exit protection includes firewalls that can identify applications so that you can restrict communications by application. This can block malware from communicating with outside parties.

4. Threats to users

We have discussed threats to systems and measures against them up to now; however, security threats are not limited to systems. "Targeted attacks" aimed at specific organizations have become prevalent in Japan. While there are various types of targeted attacks, the typical targeted mail attack sends mails to employees to infect their terminals with malware. Attackers tempt employees of the targeted organization to open the attachment or click the URL in the mail body to infect the terminal. Once a terminal is infected by malware, the attacker may control the terminal via the Internet and may ultimately steal the organization's confidential information. We saw information leakage incidents caused by targeted mail attacks in Japan last year. It can be said that targeted mail attacks aim to catch users off guard; in other words, they attack vulnerabilities in users. Since the contents of the mails are customized for the targeted organization, system measures such as anti-spam and anti-virus products that rely on pattern matching cannot block them completely. Therefore, security measures for "users" have become important, for example implementing security training to make users aware of targeted attacks and teach them how to deal with them. This chapter describes the threats of targeted mail attacks on users and measures against them.

Attacks on vulnerabilities of users

We started providing the Cyber Attack Simulation Service to check an organization's resistance to cyber attacks. Part of the service is "Targeted Training (Targeted Attack Simulation Service)", which provides mock targeted attacks to our customers in Japan. As shown in Figure 34, the targeted mail attack simulation service sends forged targeted attack mails to employees, monitors whether they open the attachment or click the URL (hereinafter the opening ratio), and reports the summary.

Figure 34: Targeted training

We categorize the credibility of mail contents into 5 levels as shown in Table 4.

Table 4: Credibility levels of targeted mails with malicious intention

Generally level 3 and above are considered targeted mails. The higher the level, the more likely the recipient is to be deceived. A massive number of level 1 mails are transmitted, but most users would delete them without opening nowadays. However, the majority of users may be deceived by level 5 mails unless they can check the mail header information in detail. While a spam filter can mechanically detect and remove mails whose contents are not user-specific, like level 1 and level 2, level 3 onwards will probably slip through.

Recently, more and more users are using social media such as Twitter and Facebook. Many users register on Facebook with their real names and some disclose their employers. In addition, mail addresses assigned to employees by organizations are often based on their names, so some are easily guessable. Therefore, it is not difficult for third parties to collect the employees' accounts of a specific organization to prepare an attack. Once an employee is identified, faking mails equivalent to level 4 or level 5 in Table 4, as if they were written by concerned parties, is possible by combining trivial articles which the employee may have carelessly posted on social media.

How likely are employees to be deceived when they receive targeted mails that look as if they came from concerned parties? Let's see the targeted mail resistance of employees from the data we acquired from our Targeted Attack Simulation Service. Figure 35 shows the opening ratio for each level.

Figure 35: Opening ratio for each level (N=166,319 mails)

The opening ratio of level 3 is lower than that of level 2. This is probably because many organizations carried out the training from the lower level to the higher level, for example "1st training mail at level 2, then 2nd training mail at level 3", in order to strengthen employees' resistance step by step. Figure 36 shows the opening ratio in different industries.

Figure 36: Opening ratio in industries (N=24 companies)

Figure 36 does not show a significant difference between industries. Figures 35 and 36 show that if the attacker can identify the mail addresses of employees of the targeted organization, the attacker can easily send targeted mails with about a 20% chance of success regardless of the industry. The attacker can even raise the success rate to about 40% by taking advantage of public information such as social media.

4.2. Security measures against threats to users

What can we do about targeted mail attacks? As discussed, it is difficult to identify skillfully crafted level 5 attack mails; therefore, there is a limit to users' resistance against targeted mails. However, resistance can be improved by training against mails of level 4 and lower. Figure 37 shows the opening ratio of the 1st training and 2nd training in organizations that deployed our Targeted Attack Simulation Service.

Figure 37: Opening ratio of 1st and 2nd targeted training (N=166,319 mails)

The opening ratio of employees experiencing targeted training for the first time was 21.0%, whereas it was down to 13.3% in the 2nd training. Many employees answered "Although I knew about targeted mails, I never thought it would come to me" in the post-training questionnaire; in other words, they processed the mail without realizing it was a targeted mail attack. Experiencing a mock targeted mail attack in the 1st training and the raised awareness of targeted mail attacks were the main reasons for the lower opening ratio in the 2nd training. This shows that targeted training can improve employees' resistance to targeted mail attacks.

However, this is not all. Targeted training can also improve the overall security level of the organization. We will explain this in the next section.

4.3. Security awareness and its importance - the first line of defense -

The importance of security measures for users is increasing every year, and not only because of the emerging targeted attacks. Nowadays systems are complex masses of various functions, and a certain level of security knowledge is required to use them safely. If security awareness is not present in the user, security holes can be created by user vulnerabilities regardless of the security level of the implemented system. The strength of security is sometimes compared to the strength of a chain; in this case, users may become the weakest link [9] in the organization's security.

Security education built around "knowledge" is unmistakably important. However, the most important issue, which comes even before that, is employees' awareness of security: "security awareness". So, what is security awareness specifically? For example, you can display security warning posters in places in the office where people will notice them, or display security warnings in the PC screen saver. It is effective to raise employees' security awareness first through such approaches, before the security training.

Why is awareness necessary before the training? Think of general employees who are not concerned with the organization's system management and risk management. They have to follow cumbersome procedures to comply with the organization's security policies and rules, and they might wish to do away with them. More than a few employees may consider security unimportant, since complying with such rules produces no direct benefit to them. Research by the German security specialist Avira [10] revealed that only about 40% of employees in various companies answered "It is important to adhere to security policies, and that the entire company stay vigilant", and more than half of them did not think security mattered. Preaching security and rules in this situation would fall on deaf ears for most of them. Employees act based on their own sense of values, such as what is important and what should be prioritized. Organizations cannot convey the importance of security to employees if they see no value in security and prioritize efficiency instead. This is why organizations should change employees' mindset and promote security to a high-priority issue.

How can we effectively change their mindset? Perhaps you can give an example of a real information leakage incident and make them think "What if this incident happened in our company?", capturing their imagination with a real case. However, an explanation that associates "incident" with "organization" often makes employees think "That is the organization's problem, not mine." Therefore, bring the setting closer to them by associating "incident" with "employee" instead of "organization". For example, give them the following case: an employee clicked the URL in a mail he received in the office; his PC was infected with malware without his knowledge, and as a result his company's confidential information leaked out; his casual action caused a sensational scandal. This might make them feel that security can also be their own matter.

The aforementioned targeted training has the effect of associating "incident" with "employee" and making a strong impression that it can happen to them. Let's see how employees' awareness changes through targeted training. The targeted training sends forged mails to users. The mails are designed to appear business related and to attract users' attention. If the employee opens the attached file, "It was training" is displayed. There was a slight concern in advance that the training might not be well received and that some people might be offended by receiving such mails while busy at work. However, 86% of them answered in the post-training questionnaire that the training was useful for raising their security awareness. We received only a few negative answers. This proves the training was a very effective measure for raising awareness. Figure 39 shows the result of the questionnaire.

Figure 39: Result of the questionnaire (N=6,308 employees)

Many employees made comments in the questionnaire such as "I never thought I could be infected with malware just by browsing a site" and "I would not open the attachment on my personal PC, but I thought the office PC was secure." This indicates that they assumed it would be "okay" despite feeling some doubt. This reveals the reality that users who do not quite understand how they can be infected by malware, and who put too much confidence in the organization's security systems, are indeed jeopardizing the organization's first line of defense against security threats. However, we can expect some change in their attitude, since they had an opportunity to reflect on their conduct through the targeted training. Also, many employees commented on changes in their awareness, such as "I used to think such attacks were irrelevant to me" and "I used to open attached files casually, but now I check the subject and body." We, too, felt confident that the targeted training had a certain effect in raising security awareness.

However, awareness does not last long. People get used to it if you repeat the same thing. Therefore, it is said that awareness-raising activities should continue with varied approaches. Many organizations, including government and municipal offices, are carrying out targeted training. It is important that the training be carried out continuously with new elements added. You can also use external services when you have run out of new elements.

"Awareness is the first line of defense" is a quote from "How to Raise Information Security Awareness" [11] by ENISA [12]. Needless to say, security training for employees is important. However, without raising their security awareness, the organization's security policies, information system security, and security rules would not function effectively.

9. "The strength of the chain is in the weakest link." The proverb says a chain is only as strong as its weakest link.
12. ENISA: European Network and Information Security Agency

5. Aftermath of targeted attack measures

We have discussed the trends in 2012 using data acquired from the services we provided to our customers. Finally, we will touch on future perspectives.

In order to combat the targeted attacks vigorously carried out in 2011, organizations promoted measures against targeted attacks in . In our research to compile the "Organizations Information Security Status Investigation 2012" [13], conducted between August and October among system administrators and security administrators in the information system departments of Japanese organizations, we learned that 25% of organizations had already applied some measures against targeted attacks and 23% were considering them. We assume that more organizations have applied the measures since 9 months have passed.

Organizations mainly applied measures against targeted attacks on systems. These were mainly so-called exit protection, such as products to monitor and block outbound communications, and heuristic anti-virus software that does not rely on pattern matching. On the other hand, management measures such as employee training are lagging behind. The comparatively progressive move is some training, such as the aforementioned targeted training; however, about 50% of organizations are not even considering any other measures.

Measures from both the system and management aspects are effective in improving an organization's resistance against targeted attacks, and more organizations will deploy such an approach. However, implementing these measures may cause new issues for organizations, and these issues can potentially become a major concern for organizations' security. As the threats to organizations escalate rapidly, organizations may have to face structural reform to maintain their security level. We will describe the technical background of the issue and the direction of measures in the following section.

5.1. Most serious issue in organizations

Let's focus on the effects of implementing measures on systems against targeted attacks. A large part of the items detectable by monitoring communications as part of exit protection are "gray" communications, and in many cases it is difficult to tell whether a single detected item is an attack or not just by observing it. For example, it is definitely "black" if the detected item is addressed to a known C&C server registered in a blacklist, or to a known attack site such as a malware distribution site. However, numerous communications seem "gray" on their own; for example, a certain session exceeded the transmission threshold to the same global IP address per unit of time, or a certain PC is continuously producing authentication error logs. You need to determine each time whether these "gray" events are actually "white" or "black" to supplement the function of the security product.

The same can be said about heuristic anti-virus software that does not rely on pattern matching. People have realized the limitations of the pattern matching method as an increasing number of new malware appears each year [14]. Creation of pattern files cannot keep up while variants and obfuscated malware keep appearing, using compression technologies, and attackers take measures to avoid pattern matching detection. Meanwhile, false positives are rare in the pattern matching method because it uses a specific part of the malware code in the definition file to identify the malware. On the other hand, false positives may considerably increase in the heuristic method, which uses general characteristics of malware (such as obfuscation and the use of a packer [15]) and the behavior of programs running on the OS.

14. The number of newly detected malware was approximately 8 million 5 years ago (2008), whereas the number quadrupled to 35 million in . en/statistics/malware/
15. A tool to compress, protect, and encrypt executable files.

It seems that the advancement of measures against targeted attacks customized for specific organizations caused security products to catch all likely attacks, resulting in the detection of gray events in addition to black ones. Manually checking detected gray events is an extremely onerous task. Also, in many organizations the events detected by network devices are managed by the person in charge of network devices, events detected by server devices by the person in charge of server devices, and the same applies to PC terminals, so all of them have to process gray events. The workload of system departments in general has probably become heavy (Figure 40). We often hear that some are simply removing the conditions that triggered a false positive each time one occurs in order to reduce the workload. However, simply relaxing detection conditions to stop the alert may reduce the possibility of detecting real attacks. This defeats the whole point of implementing new products.

Figure 40: Increasing alerts by measures against targeted attacks

Let's look at measures in the management aspect. In short, the same effect as the implementation of new measures for systems is appearing in the management aspect. We have already described the effects of targeted training. Now employees with raised awareness of targeted attacks and security query the helpdesk and system management department each time they receive "gray" mails, to see if they are real attacks (Figure 41).

Figure 41: Increased queries after targeted training

We hear from customers who took our targeted training that they now receive more queries about suspicious mails from their employees. It is a good thing that employees' awareness of targeted attacks is raised and they make queries to the helpdesk. The problem, however, is that the helpdesk staff are unable to determine appropriately whether a mail is an attack. There are two reasons. Firstly, they are unable to process the increased number of queries with the existing helpdesk capacity. Another important reason is that high-level security expertise is required to determine whether a "gray" mail is "white" or "black". It is extremely dangerous to open attached files or click URLs in mail bodies without enough security knowledge, and they must not take such an approach. An appropriate environment and security knowledge are required to determine whether a "gray" mail is "white" or "black".

So, what should organizations do if they detect gray events in their systems? The act of detecting gray events and determining white or black is, in general, part of incident response. Incident response is the response to security incidents. All security-related incidents caused by people are its subject, regardless of whether they are intentional or accidental. For example, an information leakage resulting from an employee's unauthorized action is also a subject of incident response, in addition to external intruders and cyber attacks such as PC malware infection. While incident response can be broken into 6 or 7 steps according to the guidelines defining best practice, Figure 42 shows the 3 major steps in incident response.

Figure 42: 3 steps in incident response

The first step is detection. This step detects an event. In addition to system incidents, such as events detected by security products and repeated rebooting of a server, other incidents such as suspicious mails to employees or internal confidential information being posted on a certain bulletin board are all included. This step has had more events to detect in the last 1 or 2 years due to the new measures against targeted attacks in organizations.

The second step is triage. Triage is originally a medical term. It indicates the process of determining the priority of patients' treatment based on the severity of their condition, in order to achieve the best overall result when resources are in short supply. You may have seen colored tags used to indicate patients' priority in medical dramas; that process is triage.

The third step is response. The response is made according to the policy determined in triage. Further investigation may be required in some cases. If the cause and affected scope of the security incident are identified, actions such as removal of the cause and recovery can be taken. Many organizations may have response procedures to some degree as part of their BCP.

This section focuses on triage. In order to distinguish detected events, the triage process needs to determine the following.

(1) Is a response required for the detected event? (First decision)
(2) If "Yes" to the previous question, what should be done? (Second decision)

Misjudgment in the above two questions may directly lead to delays in response and may cause the damage to spread. For example, if a PC is infected with malware and "gray events" are detected, the attacker has more time to attack while the response team does not realize the infection. Early detection of malware may prevent serious damage (such as confidential information leakage) if, as in targeted attacks, the attacker spends some time on spying and further intrusion before actually taking information rather than doing so immediately after the malware infection. However, many targeted attacks were discovered several months to over a year afterwards, as shown in Figure 43. This indicates that making the above two decisions swiftly and accurately is not easy even if gray events can be detected.
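The gray/black distinction from section 5.1 and the two triage decisions above, carried through as an added Python example (not code from the report or from NRI Secure). The blacklist entries, thresholds, hostnames and timestamps are constructed placeholders, and the escalation of a second gray event on the same host within a time window is an assumption of the example, not a rule stated in the report.

```python
# Added illustration of the two triage decisions for "gray" events. All indicator
# values, thresholds, hosts and timestamps are constructed for this example
# (RFC 5737 documentation addresses); none come from the report.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

KNOWN_C2_SERVERS = {"203.0.113.10"}               # constructed blacklist entries
KNOWN_MALWARE_SITES = {"malware-dist.example.net"}
EGRESS_BYTES_PER_MINUTE = 100 * 1024 * 1024       # outbound bytes to one global IP per minute
AUTH_FAILURE_STREAK = 5                           # consecutive failures from one PC
GRAY_CORRELATION_WINDOW = timedelta(hours=1)      # second gray event on a host within this window


@dataclass(frozen=True)
class Event:
    """One detected event, as a network device or server log would report it."""
    ts: datetime
    host: str           # internal PC or server that produced the event
    kind: str           # "egress", "auth_fail" or "auth_ok"
    dst: str = ""       # destination IP or hostname (egress only)
    bytes_out: int = 0  # bytes sent in the session (egress only)


@dataclass(frozen=True)
class TriageResult:
    host: str
    colour: str                        # "black" or "gray"; white events are dropped
    response_required: Optional[bool]  # first decision; None = a human must decide
    action: str                        # second decision


def colour_of(ev: Event, auth_streaks: Dict[str, int]) -> str:
    """Colour one event on its own: 'black' (known bad), 'gray' (ambiguous) or 'white'."""
    if ev.kind == "egress":
        if ev.dst in KNOWN_C2_SERVERS or ev.dst in KNOWN_MALWARE_SITES:
            return "black"  # destination is on the blacklist: definite
        return "gray" if ev.bytes_out > EGRESS_BYTES_PER_MINUTE else "white"
    if ev.kind == "auth_fail":
        auth_streaks[ev.host] += 1
        return "gray" if auth_streaks[ev.host] >= AUTH_FAILURE_STREAK else "white"
    if ev.kind == "auth_ok":
        auth_streaks[ev.host] = 0  # a successful login ends the failure streak
        return "white"
    return "gray"  # an event type the rules do not know needs a human look


def triage(events: List[Event]) -> List[TriageResult]:
    """Apply the first and second triage decisions to events in time order.

    Black: the pre-established procedure applies, so the second decision is easy.
    A lone gray event cannot be decided by rule; it is queued for an analyst rather
    than silenced. A second gray event on the same host within the window is escalated.
    """
    auth_streaks: Dict[str, int] = defaultdict(int)
    gray_seen: Dict[str, List[datetime]] = defaultdict(list)
    results: List[TriageResult] = []
    for ev in sorted(events, key=lambda e: e.ts):
        colour = colour_of(ev, auth_streaks)
        if colour == "white":
            continue
        if colour == "black":
            results.append(TriageResult(ev.host, "black", True,
                           "isolate host; run the established malware incident procedure"))
            continue
        recent = [t for t in gray_seen[ev.host] if ev.ts - t <= GRAY_CORRELATION_WINDOW]
        recent.append(ev.ts)
        gray_seen[ev.host] = recent
        if len(recent) >= 2:
            results.append(TriageResult(ev.host, "gray", True,
                           "escalate to security specialist with correlated events; preserve logs"))
        else:
            results.append(TriageResult(ev.host, "gray", None,
                           "queue for analyst review; do not relax the detection rule"))
    return results


# Constructed sample events: one clean session, one blacklisted destination,
# one large transfer, then a login failure streak followed by a large transfer.
T0 = datetime(2013, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "pc-017", "egress", "198.51.100.5", 2_000_000),
    Event(T0 + timedelta(minutes=1), "pc-017", "egress", "203.0.113.10", 4_000),
    Event(T0 + timedelta(minutes=2), "srv-db1", "egress", "198.51.100.7", 300 * 1024 * 1024),
] + [
    Event(T0 + timedelta(minutes=3, seconds=i), "pc-042", "auth_fail") for i in range(5)
] + [
    Event(T0 + timedelta(minutes=10), "pc-042", "egress", "198.51.100.9", 500 * 1024 * 1024),
]


def run_sample() -> List[TriageResult]:
    """Triage the constructed events; returns four results (1 black, 3 gray)."""
    return triage(SAMPLE_EVENTS)
```

Note that a lone gray event is never discarded: the only outcomes are a rule-based response for black, a queued human decision for a single gray, or escalation for correlated grays, which is the opposite of relaxing the detection condition to silence the alert.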

Figure 43: Duration between targeted attacks and their discovery in Japan (from public information)

The first decision is particularly difficult. The second decision is relatively easy if the procedure is established in advance; for example, what to do if malware is detected by pattern matching anti-virus software. However, setting a procedure may not be possible for the first decision. Incident response often has to deal with unexpected events. You can establish a procedure and simply follow it for expected events; however, the response has to be determined each time for unexpected events. How appropriately decisions and responses can be made for unexpected events in the triage process depends heavily on the experience of the person in charge of incident response. Personnel who have experienced many unexpected events may be found in security specialist organizations that support security incidents in customer organizations; however, it is rare to find such personnel in normal organizations. Difficulties in the triage process of incident response may be the most serious issue in organizations.

5.2. Security specialist deployment

As described in the previous section, more and more organizations will face difficulties in triage as they promote measures against targeted attacks. We believe that this tendency will only grow. We describe the incident response system for organizations in this section.

Let's think of our daily life. What do you do when you have a problem in your life? When you have a problem that threatens the safety of your life and you cannot resolve it on your own, you contact a specialist and ask them to deal with it. You would call the police if you had been burgled, you would call the fire brigade if you had a fire, and you would call an ambulance if you had an accident and were injured. Everyone has known their telephone numbers since their youth. The safety of our lives is maintained by those organizations we can contact when we have problems, and by their availability 24 hours a day, 365 days a year. We believe the same system would be ideal for security incident response in organizations; in other words, establishing a system with a dedicated contact point and dedicated specialists to handle security incidents. No one would disagree with policies such as "maintaining security in organizational activities" and "positioning security as an important issue." If so, the idea of establishing a system to deal with security incidents in order to maintain security in the organization is just as natural as having the police and fire brigade. Best practice for security incidents is establishing a CSIRT (Computer Security Incident Response Team) in the organization. Our aforementioned research for the "Organizations Information Security Status Investigation 2012" found that 6.9% of organizations had implemented a CSIRT and 2.3% were considering one. Although still in the minority, we believe this is one of the security measures that will attract much interest in the future.

CSIRT is the collective name for organizations that deal with security incidents. In addition to dealing with security incidents, CSIRT activities include collecting vulnerability information, applying patches, training employees, and running awareness campaigns to prevent the occurrence of security incidents. Figure 44 shows the services provided by a CSIRT according to CERT/CC [16]. In general, systems that provide part or all of these services and deal with security incidents are called CSIRTs.

Figure 44: Services provided by CSIRT [17]

Although it is ideal to establish a system with all functions, we should concentrate first on establishing an incident response system capable of accurate triage. Triage tasks do not have to be carried out by the organization's internal resources. It is very difficult to implement the system from scratch when you have no personnel with security knowledge. In addition, to deal with security incidents the person in charge must always be aware of the latest trends in threats and attack methods, in addition to having wide-ranging IT knowledge. However, the knowledge required to do so is becoming wider and more complex every year. It is too much of a burden for system operation administrators and helpdesk administrators. It may be a good idea to take advantage of external resources, such as security specialists, for efficient and effective implementation of the system. For example, you can implement a system where the analysis of alerts detected by various security products is outsourced to security specialists, so that you receive their support in the difficult triage process (Figure 45). You can minimize the damage from security incidents through early detection of attacks, with the specialists' support in determining "gray" as "black."

16. Computer Emergency Response Team / Coordination Center. The first CSIRT in the world, established at Carnegie Mellon University.
17. Source: CERT/CC Handbook for Computer Security Incident Response Teams (CSIRTs)

Figure 45: Triage system with external security specialists (when an alert is detected)

Also, you can implement a system where employees report suspicious mails to the helpdesk and only the analysis of "gray" mails is outsourced to security specialists (Figure 46). Once a "gray" mail is determined to be "black", you can prevent the infection from spreading by warning other employees, since similar mails may also be sent to them.

Figure 46: Triage system with external security specialists (when a suspicious mail is received)

Organizations can of course implement a CSIRT with their own resources without using external organizations. The important point to keep in mind is that the goal is not CSIRT implementation. Organizations must promote the measures with the understanding that the goal is to process gray events accurately.

This chapter described new issues that have derived from the advancement of measures against targeted attacks. It is generally said that security risks change as the environment surrounding organizations changes. The wave of targeted attacks on Japanese organizations definitely pushed corporate security measures forward; however, this may be the time for us to review the whole environment in the organization and examine the risks again.

6. Epilogue

In 2012, we saw the materialization of threats that had previously been identified. The DNS reflector attacks and account hacking described in the columns were typical examples of these, and they caused havoc where measures were not applied. Once measures are applied against a specific attack method, another effective attack method becomes popular. Other threats that have been previously identified may materialize again in the future.

On the other hand, we realized the limitations of measures against issues that have already materialized. This does not mean that measures are impossible. The limitation lies in how thoroughly and quickly we can apply measures. The concept of security measures includes the principle of defense-in-depth. The idea behind it is that another layer of defense can provide protection even if a certain protective measure fails to function. We believe now is the time to take the defense-in-depth approach.

Also, this year we realized the effect of the targeted training service on security awareness. Attacks that target users will probably continue along with attacks that target systems. As we have described, we believe that raising security awareness and promoting security to a high-priority issue are effective in maintaining the security level in organizations.

We are determined to continue supporting our customers in building robust security foundations. We hope this report will help you make information security strategies.

- Better response to cyber attacks and triaging gray events -

Writing and data preparation / Supervision / Collaboration
Tomohiro Nakashima, Sukehiro Nishita, Nobuyuki Ito, Kensuke Masaki, Yoichi Shimoyama, Yu Yasutake, Taku Murakami, Tomohiko Suga, Takeshi Asano, Koutaro Kando, Takaaki Kimura, Takehiro Kyoyama, Motoyoshi Takanashi, Yukinori Hashimoto, Kazuya Hiradate
FFRI Inc.

This research is an autonomous endeavor by NRI Secure Technologies, Ltd. in order to promote security measures in corporate and public organizations. NRI, the NRI logo, and NRI Secure Technologies are trademarks or registered trademarks of Nomura Research Institute. Company names, product names, and logos mentioned in this report are trademarks or registered trademarks of their respective owners in Japan and other countries. Source images on the front page and silhouette designs used in this report are in the public domain. The following images were used.

The source data in this research cannot be provided. NRI Secure Technologies, Ltd. holds the copyright of this report. Mention our company name and the name of our research "" when reproducing or quoting part of this report. Also in such a case, please notify us. (Phone: , [email protected])

The following actions are prohibited: modifying part of or all of the data; selling or publishing this report; reproducing or quoting without stating the source. Contents of this report are subject to change without prior notice.



More information

How To Protect A Web Application From Attack From A Trusted Environment

How To Protect A Web Application From Attack From A Trusted Environment Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

Protecting Critical Infrastructure

Protecting Critical Infrastructure Protecting Critical Infrastructure SCADA Network Security Monitoring March 20, 2015 Table of Contents Introduction... 4 SCADA Systems... 4 In This Paper... 4 SCADA Security... 4 Assessing the Security

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

INFORMATION SECURITY REVIEW

INFORMATION SECURITY REVIEW INFORMATION SECURITY REVIEW 14.10.2008 CERT-FI Information Security Review 3/2008 In the summer, information about a vulnerability in the internet domain name service (DNS) was released. If left unpatched,

More information

Client logo placeholder XXX REPORT. Page 1 of 37

Client logo placeholder XXX REPORT. Page 1 of 37 Client logo placeholder XXX REPORT Page 1 of 37 Report Details Title Xxx Penetration Testing Report Version V1.0 Author Tester(s) Approved by Client Classification Confidential Recipient Name Title Company

More information

WEB SECURITY. Oriana Kondakciu 0054118 Software Engineering 4C03 Project

WEB SECURITY. Oriana Kondakciu 0054118 Software Engineering 4C03 Project WEB SECURITY Oriana Kondakciu 0054118 Software Engineering 4C03 Project The Internet is a collection of networks, in which the web servers construct autonomous systems. The data routing infrastructure

More information

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and

More information

Table of Contents. Page 2/13

Table of Contents. Page 2/13 Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

How to complete the Secure Internet Site Declaration (SISD) form

How to complete the Secure Internet Site Declaration (SISD) form 1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,

More information

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda

More information

Web App Security Audit Services

Web App Security Audit Services locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4) Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware

More information

Cyber Essentials. Test Specification

Cyber Essentials. Test Specification Cyber Essentials Test Specification Contents Scope of the Audit...2 Assumptions...3 Success Criteria...3 External systems...4 Required tests...4 Test Details...4 Internal systems...7 Tester pre-requisites...8

More information

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect STOPPING LAYER 7 ATTACKS with F5 ASM Sven Müller Security Solution Architect Agenda Who is targeted How do Layer 7 attacks look like How to protect against Layer 7 attacks Building a security policy Layer

More information

WEB APPLICATION VULNERABILITY STATISTICS (2013)

WEB APPLICATION VULNERABILITY STATISTICS (2013) WEB APPLICATION VULNERABILITY STATISTICS (2013) Page 1 CONTENTS Contents 2 1. Introduction 3 2. Research Methodology 4 3. Summary 5 4. Participant Portrait 6 5. Vulnerability Statistics 7 5.1. The most

More information

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 [email protected] 866-605- 6328 www.redhawksecurity.

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity. Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 [email protected]

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Internet Security and Acceleration Server 2000 with Service Pack 1 Audit. An analysis by Foundstone, Inc.

Internet Security and Acceleration Server 2000 with Service Pack 1 Audit. An analysis by Foundstone, Inc. Internet Security and Acceleration Server 2000 with Service Pack 1 Audit An analysis by Foundstone, Inc. Internet Security and Acceleration Server 2000 with Service Pack 1 Audit This paper presents an

More information

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons Attribution-ShareAlike 4.0 International license. As a provider

More information

Web Security. Discovering, Analyzing and Mitigating Web Security Threats

Web Security. Discovering, Analyzing and Mitigating Web Security Threats Web Security Discovering, Analyzing and Mitigating Web Security Threats Expectations and Outcomes Mitigation strategies from an infrastructure, architecture, and coding perspective Real-world implementations

More information

Fujitsu s Approach to Cloud-related Information Security

Fujitsu s Approach to Cloud-related Information Security Fujitsu s Approach to Cloud-related Information Security Masayuki Okuhara Takuya Suzuki Tetsuo Shiozaki Makoto Hattori Cloud computing opens up a variety of possibilities but at the same time it raises

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000 Network Security Protective and Dependable With the growth of the Internet threats, network security becomes the fundamental concerns of family network and enterprise network. To enhance your business

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Penta Security 3rd Generation Web Application Firewall No Signature Required. www.gasystems.com.au

Penta Security 3rd Generation Web Application Firewall No Signature Required. www.gasystems.com.au Penta Security 3rd Generation Web Application Firewall No Signature Required www.gasystems.com.au 1 1 The Web Presence Demand The Web Still Grows INTERNET USERS 2006 1.2B Internet Users - 18% of 6.5B people

More information

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint?

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Why? Focused on Managed Intrusion Security Superior-Architected Hardened Technology Security

More information

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ

More information

Penetration Testing Report Client: Business Solutions June 15 th 2015

Penetration Testing Report Client: Business Solutions June 15 th 2015 Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: [email protected]

More information

Cisco IPS Tuning Overview

Cisco IPS Tuning Overview Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.

More information

locuz.com Professional Services Security Audit Services

locuz.com Professional Services Security Audit Services locuz.com Professional Services Security Audit Services Today s Security Landscape Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System layer.

More information

IBM Security Strategy

IBM Security Strategy IBM Security Strategy Intelligence, Integration and Expertise Kate Scarcella CISSP Security Tiger Team Executive M.S. Information Security IBM Security Systems IBM Security: Delivering intelligence, integration

More information

Locking down a Hitachi ID Suite server

Locking down a Hitachi ID Suite server Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime

More information

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Guidelines for Website Security and Security Counter Measures for e-e Governance Project and Security Counter Measures for e-e Governance Project Mr. Lalthlamuana PIO, DoICT Background (1/8) Nature of Cyber Space Proliferation of Information Technology Rapid Growth in Internet Increasing Online

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks Enabling Precise Defense against New DDoS Attacks 1 Key Points: DDoS attacks are more prone to targeting the application layer. Traditional attack detection and defensive measures fail to defend against

More information

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks [email protected]

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com Web Application Security Radovan Gibala Senior Field Systems Engineer F5 Networks [email protected] Security s Gaping Hole 64% of the 10 million security incidents tracked targeted port 80. Information Week

More information

Cyber Essentials Questionnaire

Cyber Essentials Questionnaire Cyber Essentials Questionnaire Introduction The Cyber Essentials scheme is recommended for organisations looking for a base level Cyber security test where IT is a business enabler rather than a core deliverable.

More information

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

More information

Enterprise-Grade Security from the Cloud

Enterprise-Grade Security from the Cloud Datasheet Website Security Enterprise-Grade Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed security

More information

PCI Security Scan Procedures. Version 1.0 December 2004

PCI Security Scan Procedures. Version 1.0 December 2004 PCI Security Scan Procedures Version 1.0 December 2004 Disclaimer The Payment Card Industry (PCI) is to be used as a guideline for all entities that store, process, or transmit Visa cardholder data conducting

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

PART D NETWORK SERVICES

PART D NETWORK SERVICES CONTENTS 1 ABOUT THIS PART... 2 2 PUBLIC NETWORK... 2 Internet... 2 3 PRIVATE NETWORK... 3 Global WAN services... 3 4 SECURITY SERVICES... 3 Firewall... 4 Intrusion Prevention (Network)... 5 SSL/IPSEC

More information

Reference Architecture: Enterprise Security For The Cloud

Reference Architecture: Enterprise Security For The Cloud Reference Architecture: Enterprise Security For The Cloud A Rackspace Whitepaper Reference Architecture: Enterprise Security for the Cloud Cover Table of Contents 1. Introduction 2 2. Network and application

More information

Information Security Threat Trends

Information Security Threat Trends Talk @ Microsoft Security Day Sep 2005 Information Security Threat Trends Mr. S.C. Leung 梁 兆 昌 Senior Consultant 高 級 顧 問 CISSP CISA CBCP M@PISA Email: [email protected] 香 港 電 腦 保 安 事 故 協 調 中 心 Introducing

More information

NetDefend Firewall UTM Services

NetDefend Firewall UTM Services NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content Filtering (WCF) for superior

More information

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link)

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link) NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content Filtering

More information

Importance of Web Application Firewall Technology for Protecting Web-based Resources

Importance of Web Application Firewall Technology for Protecting Web-based Resources Importance of Web Application Firewall Technology for Protecting Web-based Resources By Andrew J. Hacker, CISSP, ISSAP Senior Security Analyst, ICSA Labs January 10, 2008 ICSA Labs 1000 Bent Creek Blvd.,

More information

The Hillstone and Trend Micro Joint Solution

The Hillstone and Trend Micro Joint Solution The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry

More information

CYBERTRON NETWORK SOLUTIONS

CYBERTRON NETWORK SOLUTIONS CYBERTRON NETWORK SOLUTIONS CybertTron Certified Ethical Hacker (CT-CEH) CT-CEH a Certification offered by CyberTron @Copyright 2015 CyberTron Network Solutions All Rights Reserved CyberTron Certified

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Load Balancing Security Gateways WHITE PAPER

Load Balancing Security Gateways WHITE PAPER Load Balancing Security Gateways WHITE PAPER Table of Contents Acceleration and Optimization... 4 High Performance DDoS Protection... 4 Web Application Firewall... 5 DNS Application Firewall... 5 SSL Insight...

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Internet Security Protecting Your Business. Hayden Johnston & Rik Perry WYSCOM

Internet Security Protecting Your Business. Hayden Johnston & Rik Perry WYSCOM Internet Security Protecting Your Business Hayden Johnston & Rik Perry WYSCOM Introduction Protecting Your Network Securing Your Information Standards & Best Practices Tools & Options Into The Future Creating

More information

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two

More information

Imperva Cloud WAF. How to Protect Your Website from Hackers. Hackers. *Bots. Legitimate. Your Websites. Scrapers. Comment Spammers

Imperva Cloud WAF. How to Protect Your Website from Hackers. Hackers. *Bots. Legitimate. Your Websites. Scrapers. Comment Spammers How to Protect Your from Hackers Web attacks are the greatest threat facing organizations today. In the last year, Web attacks have brought down businesses of all sizes and resulted in massive-scale data

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Intro to Firewalls. Summary

Intro to Firewalls. Summary Topic 3: Lesson 2 Intro to Firewalls Summary Basic questions What is a firewall? What can a firewall do? What is packet filtering? What is proxying? What is stateful packet filtering? Compare network layer

More information

The Key to Secure Online Financial Transactions

The Key to Secure Online Financial Transactions Transaction Security The Key to Secure Online Financial Transactions Transferring money, shopping, or paying debts online is no longer a novelty. These days, it s just one of many daily occurrences on

More information

About Botnet, and the influence that Botnet gives to broadband ISP

About Botnet, and the influence that Botnet gives to broadband ISP About net, and the influence that net gives to broadband ISP Masaru AKAI BB Technology / SBB-SIRT Agenda Who are we? What is net? About Telecom-ISAC-Japan Analyzing code How does net work? BB Technology

More information

13 Ways Through A Firewall

13 Ways Through A Firewall Industrial Control Systems Joint Working Group 2012 Fall Meeting 13 Ways Through A Firewall Andrew Ginter Director of Industrial Security Waterfall Security Solutions Proprietary Information -- Copyright

More information

Managing Web Security in an Increasingly Challenging Threat Landscape

Managing Web Security in an Increasingly Challenging Threat Landscape Managing Web Security in an Increasingly Challenging Threat Landscape Cybercriminals have increasingly turned their attention to the web, which has become by far the predominant area of attack. Small wonder.

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information