SentinelOne Labs. Advanced Threat Intelligence Report Predictions

Transcription

1 SentinelOne Labs Advanced Threat Intelligence Report 2015 Predictions

2 2014 Rearview More, Better Malware The past 12 months were characterized by the extension of threats that emerged in 2013: more sophisticated, more targeted, and more havoc creating attacks. There are five trends worth mentioning before we jump to our 2015 predictions. Top 10 Attack Techniques 9% 6% 2% 1% 6% 23% DDoS SQLi Unknown Defacement Account Hijacking Targeted Attack 14% 19% DNS Hijacking Malware Unspecified Malware 18% iframe Injection Other POS Point of Sale devices are essentially endpoints with virtually no embedded security. Most run Windows XP and outdated Antivirus software. They were sitting ducks for targeted malware likely developed by a consortium of hacker groups in the former Soviet Union using the same core malware family. While there isn t an immediate silver bullet, these threats will slowly be mitigated and phased out over time. SentinelOne Labs Advanced Threat Intelligence Report: 2015 Predictions Page 2

3 Ransomware These attacks are very lucrative. Since higher infection rates mean more income -- attackers invested in and bolted-on very sophisticated evasion techniques to their core payloads. The advent of bitcoin has transformed ransomware into a stealthy money making machine anyone can use. This trend is here to stay - since there are no effective security measures against it today. Targeted, Advanced Evasion Both Nation States and cyber criminals developed attacks that only execute on a specific machine or set up. Since they behave like a benign application on the way to the target machine these threats are able to evade layers of detection mechanisms. This trend will become more widespread and dangerous in Windows was Still Top Target Although we observed several new attacks targeting Mac OS X, Linux, ios and Android, these were still in very low number and effect. Although some cross platform attacks emerged that were designed to infect Windows and Mac OS X based systems (i.e. WireLurker), they were relatively unsophisticated and not widespread. Windows still is the most dominant attack target, with most dangerous campaigns not focused on the mobile platform yet. Government Code Went Mainstream Our discovery of Government grade malware developed for espionage (we named it Gyges) being bolted-on to ransomware and financial Trojans was very troubling. This code, which has fallen into the hands of cybercrime groups, enables any type of malware to operate in stealth mode and be completely invisible to all security measures. We are following this development closely. Motivation Behind Attacks 13.8% 9.2% Cyber Crime Cyber Espionage Hacktivism Cyber War 17.2% 59% SentinelOne Labs Advanced Threat Intelligence Report: 2015 Predictions Page 3

4 2015 Predictions What s Next OS X, Linux in the Cross Hairs Until now, these two platforms have been relatively neglected by attackers. We predict this is about to change. The massive adoption of Linux in enterprise datacenters and recent uptick in revived variants of Linux malware (i.e. cdorked ) all indicate that this OS will be targeted in the near future. We view the cdorked attacks as a proof of concept designed to test the resilience of Linux and the security products used to defend it. As for Mac OS X, it has experienced a long and slow rise in malware attacks -- if we exclude the enormous Flashback campaign a few years ago. However, the recent emergence of zero day vulnerabilities combined with the platform s increasing enterprise market share, especially among executives, leads us to believe this will change in The biggest cause for concern here is that because these platforms are generally considered safe, there are very few security products available to protect them from advanced attacks. Enterprise Hostage-Ware The runaway success of ransomware campaigns will emboldened attackers to devise new and even more lucrative attacks. We believe ransomware will be used to coordinate a time bomb attack on an enterprise. By simultaneously holding hostage multiple resources within an organization, an attacker could temporarily halt operations. The devastating effects of such an attack on a small enterprise, would force most companies to pay a high price for the release of their systems. One successful attack of this nature will produce many more copycat incidents. SentinelOne Labs Advanced Threat Intelligence Report: 2015 Predictions Page 4

5 Critical Infrastructure Shut Downs There have been a few first spark attacks on critical infrastructure this year, including some that shut down power grids for short periods of time but were not were never publicly disclosed. The dangerous combination of old, unmaintained technologies and a large attack surface make critical infrastructure especially vulnerable to attacks. Nation States are building weaponized capabilities to remotely take control of an adversary s SCADA and other critical infrastructure operational systems. We predict cyber inflicted power outages and irregularities in assembly operations at large manufacturing facilities will result from attacks on SCADA and ICS systems. New Nation State Threats We predict that Russia will continue to use cyber-attacks as a political retaliation tool, as it is believed they did last year in the Home Depot POS attack and numerous attacks on US-based financial institutions. We expect China to continue to carry out brute force cyber-attacks and espionage campaigns, primarily against the US, Japan, other APAC countries and human rights activists. Also, even though their methods are not very stealth and often traceable, law enforcement agencies and governments will not be able to do very much to mitigate Chinese attacks. Primarily because of entangled diplomacy efforts and lack of accountability inside the Chinese regime. We believe a relative new comer to the cyber espionage game, Pakistan, will expand its activities, mostly against India, by outsourcing malware creation and using contractors to build out attacks. Attacks as a Service Will Proliferate While Malware as a Service (MaaS) has existed for several years, we predict Attacks as a Service (AaaS) will emerge in Buyers will no longer need to patch together malware and other individual cybercrime for hire services to carry out a campaign. Instead, they will simply visit a website, select the desired malware platform and capabilities to build a Trojan, choose their target assets (online banking credentials, healthcare records, credit card numbers, etc.), request a specific number of infections, pay with an underground money transfer provider or Bitcoin - and be in business. SentinelOne Labs Advanced Threat Intelligence Report: 2015 Predictions Page 5

6 About SentinelOne SentinelOne is reinventing endpoint security to protect organizations against advanced threats and nation state malware. The company uses predictive execution inspection to detect and protect all devices against targeted zero day threats in real time. SentinelOne was formed by an elite team of cyber security and defense experts from Intel, McAfee, Checkpoint, IBM and the Israel Defense Forces. Contact Us For more information about SentinelOne products and services refer to the contact Sales: General inquiries: Phone: Web site: SentinelOne, USA 2513 E. Charleston Rd Mountain View, CA This document is for informational purposes only. SENTINELONE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.