2015 TRUSTWAVE GLOBAL SECURITY REPORT

Transcription

1 2015 TRUSTWAVE GLOBAL SECURITY REPORT Rahul Samant Trustwave Australia

2 WHY DO CYBERCRIMINALS DO WHAT THEY DO? 1,425% Return on Investment (ROI) Estimated ROI for a one-month ransomware campaign Based on Trustwave SpiderLabs research into underground markets One example: $5,900 investment = $84,100 profit Make it difficult and expensive for criminals to target your organization

3 SUMMARY 1 Trustwave Global Security Report Overview 2 Data Compromise Investigations 3 Threat Intelligence & Security Research 4 Security Testing 5 Wrap Up

4 THE 2015 TRUSTWAVE GLOBAL SECURITY REPORT Seventh annual compendium of Trustwave threat intelligence Detailing cybercriminals methods and impact in the previous year 574 compromised locations investigated across 15 countries Billions of events each day across five global SOCs 4 million vulnerability scans Thousands of web app security scans Tens of millions of web transactions Tens of billions of messages Millions of blocked malicious websites Thousands of penetration tests

5 DATA COMPROMISE 1 Who is falling victim? 2 What IT systems are criminals compromising? 3 How are criminals breaking in? 4 What data are criminals targeting? 5 How long does it take to detect a breach? 6 How long does a breach last?

6 GEOGRAPHIC LOCATIONS OF VICTIMS Distribution of investigations by location

7 ENVIRONMENTS COMPROMISED BY REGION Distribution of investigations by type and region

8 COMPROMISES BY INDUSTRY Distribution of investigations by industry

9 ENVIRONMENTS COMPROMISED BY INDUSTRY Distribution of investigations by type and industry

10 FACTORS CONTRIBUTING TO COMPROMISE Distribution of investigations by factors that made the breach possible 28% Weak Remote Access Security 28% 15% 15% 8% 6% Weak Passwords Weak (or Non-Existent) Input Validation Unpatched Vulnerabilities Misconfigurations Malicious Insider

11 TYPES OF DATA TARGETED Distribution of investigations by type of data targeted 49% PII + CHD (E-commerce Transaction Data) 31% Track Data (POS Transaction Data) 12% Financial Credentials 8% Proprietary Data

12 BREACH DETECTION Distribution of investigations by modes of detection 81% of victims did not identify a breach themselves

13 DURATION OF A COMPROMISE Median durations between various compromise milestones 111 Days a breach Days to 86 detect a 7 lasted breach Days to contain a breach

14 THREAT INTELLIGENCE 1 Types of Attacks 2 The Rewards of Cybercrime 3 Celebrity Vulnerabilities 4 Top Host-Based Vulnerabilities 5 Top Exploit Traffic 6 Attacks on Web Applications & Servers 7 Spam Trends 8 Exploit Kits and

15 TARGETED ATTACK SKB Enterprises serves a lot of customers, handles a lot of payment card transactions and probably has a lot of customer data stored somewhere. I m going to figure out how to break in. Target identified first ONLY THEN is the attack considered More effort spent planning and executing Usually targeting larger organizations OPPORTUNISTIC ATTACK I know how to compromise a web server via an Adobe Cold Fusion vulnerability. I m going to scan the Internet to find unpatched servers and see whether I can access some valuable data inject malicious code to infect visitors with malware Exploit and vulnerability identified first Target doesn't matter, just needs to be vulnerable to exploit Low-hanging fruit Smaller organizations usually fall victim

16 ROI CALCULATION FOR RANSOMWARE CAMPAIGN EXPENSES Payload - $3,000 Infection Vector - $500 Traffic Acquisition - $1,800 Daily Encryption - $600 Total Expenses - $5,900 REVENUE Visitors 20,000 RETURN ON INVESTMENT Total Expenses - $5,900 Revenue $90,000 Gross Profit $84,100 ROI 1,425% Infection Rate 10% Payout Rate 0.5% Ransom Amount $300 Length of Campaign 30 days Total Revenue $90,000

17 THE YEAR OF THE CELEBRITY VULNERABILITY Vulnerabilities with memorable names and logos Helped bring awareness of technical security issues to the masses Sometimes not as serious as the media attention suggests Trustwave observations of real-world prevalence and exploits 0.60 percent of vulnerabilities detected were Heartbleed 2.47 percent of exploit traffic targeted POODLE 2.30 percent of exploit traffic targeted Shellshock

18 NETWORK VULNERABILITY SCAN ANALYSIS Top 5 Most Frequently Detected Vulnerabilities 41% Of vulnerabilities detected were SSL vulnerabilities

19 EXPLOIT TRAFFIC DETECTED Top 5 Exploits Observed by Trustwave-managed IDS sensors

20 ATTACKS ON WEB APPLICATIONS AND SERVERS Top Opportunistic Attack Methods Observed by Trustwave

21 SPAM CATEGORIES % OF SPAM INCLUDES MALICIOUS LINKS OR ATTACHMENTS

22 PREVALENT EXPLOIT KITS Exploit kit prevalence based on telemetry from Trustwave Secure Web Gateway TOP EXPLOITED APPLICATIONS Most exploited client-side applications and plug-ins as observed by Trustwave in % RIG 33% Flash 23% Nuclear 29% Internet Explorer 17% Angler 10% Adobe Reader 13% Fiesta 13% Silverlight 9% Magnitude 15% Java ( 63%) 5% Neutrino Copyright 2015 Trustwave Holdings, Copyright Inc Trustwave Holdings, Inc.

23 SECURITY TESTING 1 Web Application Security 2 Mobile Application Security 3 Most Common Penetration Testing Findings 4 Most Common Business Passwords

24 WEB APPLICATION SECURITY 98% Of applications are vulnerable 20 Median flaws per application

25 FREQUENCY OF APPLICATION VULNERABILITY TYPES Top application vulnerabilities identified by Trustwave in 2014, proportioned by type

26 MOBILE APPLICATION VULNERABILITIES Cumulative percentages of mobile application in which Trustwave identified at least one vulnerability of varying severities

27 COMMON PENETRATION TESTING FINDINGS Top Ten Penetration Testing Findings in a Comparative Ranking Authentication bypass SQL injection Logic flaws Unpatched systems Weak administrator password Shared local administrator password Authorization bypass Unencrypted storage of sensitive data Cross-site scripting (XSS), persistent LLMNR Poisoning (a name resolution attack) Application Network Application and Network

28 PASSWORD ANALYSIS Cracked 51 percent of passwords w/in 24 hours & another 37 percent w/in two weeks TOP 10 COMMON KEY WORDS

29 WRAPPING UP

30 FOLLOW-UP QUESTIONS Make it too expensive or difficult for criminals to attack YOU Have you considered all possible attack vectors? Attackers have. Do you know what attackers are targeting? Do you know where those assets reside? Trustwave can help How do you know your security is effective? Don t guess, test Validate your assumptions with penetration testing Trustwave can help

31 WHERE DO WE GO FROM HERE? What you should do with this information Make it more difficult and expensive for attackers to target you Protect users from themselves Don t guess, test Know what to respond to and how to respond

32 GET IN TOUCH WITH TRUSTWAVE

33 THANK YOU