Top 10 Data Security Threats Plaguing Credit Unions (2H 2013 Threat Report)
Andrew Jaquith, CTO & SVP, Cloud Strategy
Grace Zeng, SilverSky Labs
February 20, 2014
Housekeeping rules
- Everyone's phone is muted, but please feel free to ask questions by typing your question in the right-hand area. We will have a Q&A session at the end of the webinar.
- For technical issues, use the Chat function to send a question to me, SilverSky.
- You will all receive a link to download the presentation materials and a link to view the recording in an email tomorrow.
Agenda
1. Introduction
2. Financial institutions incident trends
3. Threat highlights, second half 2013
4. Recommendations
SilverSky delivers security from the cloud
- What we do: We simplify how our customers secure their information.
- How we do it: We secure our customers' sensitive data, monitor their networks 24x7 for intrusions and manage our customers' email and collaboration applications, all from our cloud.
- Why it matters: We enable growth-minded leaders to pursue their business ambitions without security worry.
The expert cloud provider of information security solutions
By tirelessly safeguarding our customers' most important information, SilverSky enables growth-minded leaders to pursue their business ambitions without security worry.
- Network security services: UTM management, event monitoring and response, advanced event monitoring and response, web app firewall, log management, vulnerability management, brand protection
- Email protection services: Targeted Attack Prevention, email security, email DLP, email encryption, email continuity, email archive, brand protection
- Managed application services: Exchange, Lync, SharePoint, managed BlackBerry, mobile device management
- Consulting and professional services
SilverSky is a recognized security leader
- The combination of strong business and technical value, SLA adherence, plus innovative use of the cloud puts SilverSky solidly in the Leaders category.
- SilverSky's Hosted Exchange offerings have robust security features, and comply with federal and industry rules and regulations.
- SilverSky has strong appeal with companies that have stringent security and regulatory requirements.
About the SilverSky Security Operations Center
- Our experienced team of 60 SOC analysts and engineers helps protect $525 billion in banking and credit union assets.
- Every month on average, SilverSky's Security Operations Center analyzes 15 billion raw events and 325,000 security alerts.
- A majority of the incidents we see are informational or reconnaissance-related. A small number are likely and confirmed compromises (medium- and high-level incidents). All are reported to customers.
SilverSky SIEM correlates events and alerts
[Diagram: SilverSky SIEM]
How SilverSky classifies incidents
- Level 0: Alert forwarded to the SOC from our SIEM. Every alert is analyzed by a human analyst and escalated if necessary.
- Level 1: Informational incident: scanning, reconnaissance or information leak.
- Level 2: Suspected compromise or medium-severity incident.
- Level 3: Verified compromise; considered a high-severity incident.
Levels 2 and 3 together are the "likely and confirmed compromises" counted in this report.
Headlines from the 2nd half of 2013
- More compromises overall, but fewer institutions affected
  - The % of institutions with likely and confirmed compromises decreased
  - A major threat was eliminated in Q4, and our customers implemented more effective web security controls
  - But those who were compromised had the same number of incidents, or more, as before
- Threats more concentrated and fast-moving
  - Decrease in attack sources and types of threats
  - 6 out of the top 10 threats differ from 1 year ago
  - New ransomware and special-purpose threats
Analysis highlights
SilverSky analyzed security incidents based on data from 925 financial institutions for the second half of 2013. We found:
- 1,556 likely and confirmed compromises (up from 1,513 in 1H 2013)
- 390 institutions affected (down from 437)
- 42% of our financial customers experienced at least one incident (down from 47%)
- 48% of attacks came from U.S. IP addresses
- Most common potential compromise: ZmEu vulnerability scan; CryptoLocker rising fast
- Attack source IP addresses and threats more concentrated (a reversal from last year)
Full report at: https://www.silversky.com/blog
Incident funnel for 2H 2013 (ratio to compromises in parentheses):
- 90 billion raw events (58m:1)
- 1.9 million security alerts (1,200:1)
- 72,000 potential incidents (46:1)
- 1,556 compromises (1:1)
The modern threat landscape
- Spam botnets (Storm, Rustock, Cutwail): In 2009, 83.4% of spam originated from botnets [1]. Spam may contain Trojan droppers such as Bredolab.
- Attack botnets (Darkness, BlackEnergy, Stuxnet): Botnets for hire (DDoS), often politically motivated; marketed to attack or disable competitor sites.
- Financial botnets (DarkLeech, Zeus, BlackHole): Steal victims' bank and credit card data. Sold as kits; a franchise model like McDonald's: 1,400 versions controlled by many attackers [3]. The Zeus offshoot Citadel has stolen $500m [3].
- Special-purpose trojans (CryptoLocker, Reveton, Plasma): Ransomware encrypts and holds victim files hostage; more than 500,000 victims and counting [4]. Bitcoin mining bots feed affiliate services such as FeodalCash [5].
Sources: [1] Symantec/MessageLabs; [2] FBI (390 cases); [3] Microsoft; [4] Symantec; [5] Krebs on Security, XyliBox
SilverSky tracks 140+ botnets
- SilverSky uses multiple external lists of known malicious IP addresses and domains, plus internally built lists based on anomalies detected within the customer base
- Lists are updated hourly, daily or in real time to keep up with fast-changing C&C infrastructures
- Other indicators use complex regular expressions to detect patterns in URLs
- Currently tracking 140+ botnets, exploit kits and malware indicators
Incidents reverted to the mean during holidays
[Chart: number of Level 2 and Level 3 incidents per month, January 2012 to December 2013, with the 2H 2013 trend (n=925 financial institutions); labelled points at 299 and 351]
- Incidents dipped in early fall but increased to the highest levels of the year during the holidays
- The arrest of the BlackHole kit creator in October had an immediate positive effect on incidents
- The overall number of compromises is trending back to historical highs, due to CryptoLocker and ZmEu
Compromises decreased slightly in 2H 2013
[Chart: distribution of institutions by number of incidents (1 to 40), y-axis 0% to 50%; labelled values 42%, 12%, 4%, 1%]
Most compromised institutions:
Rank | Institution | Size | Incidents
1 | Credit union | Mid-size | 42
2 | Credit union | Large | 37
3 | Credit union | Small | 28
4 | Bank | Mid-size | 24
5 | Credit union | Small | 20
6 | Credit union | Mid-size | 20
7 | Bank | Small | 18
8 | Credit union | Large | 18
9 | Money transfer | Large | 18
10 | Bank | Large | 17
- 42% of institutions had at least one compromise, down from 47% in 1H 2013
- Attacks more evenly distributed: 3.2% experienced more than 10, up from 1%
- One customer, a mid-sized credit union, had 42 incidents
- 6 of the top 10 most compromised institutions were credit unions
Affected FIs down, but compromises continue
[Chart: number of institutions with incidents and % with at least one incident, by size (Large, Medium, Small), 1H 2012 through 2H 2013; labelled values 69%, 63%, 56%, 55%, 51%, 34%]
Average number of incidents per affected institution, by size ($ assets):
Size | 1H 2013 | 2H 2013
Small (<$250 million) | 3 | 4
Mid-sized (<$1 Bn) | 4 | 4
Large (>$1 Bn) | 6 | 6
- A smaller percentage of institutions of all sizes were compromised
- Customers have been blocking more unrated web domains
- However, for affected institutions, the average number of incidents stayed even
- Attacks on smaller institutions increased slightly
  - Small institutions have smaller staffs, fewer resources and less expertise
  - They serve as testing grounds for attacks on larger institutions
Threat sources becoming more concentrated
Share of attack source IP addresses by country:
Country | 2H 2012 | 1H 2013
United States | 54% | 48%
China | 6% | 12%
Netherlands | 2% | 5%
Germany | 7% | 5%
Russian Federation | 4% | 3%
France | <1% | 3%
United Kingdom | 4% | 3%
Canada | 3% | 3%
Ukraine | 3% | 2%
Romania | <1% | 1%
Total | 86% | 85%
Simpson Index of Diversity (1.0 = highest) | 0.30 | 0.17
- Offending source IP addresses came from 40 countries, up from 49 in 1H 2013
- The % from the top 10 countries decreased, and attacker source countries are more concentrated
- About 48% of known attacks came from the U.S., down from 54%
- Institutions under scrutiny are almost all U.S.-based; non-U.S. IP traffic is often blocked
- Some malware came from legitimate U.S. web sites
Attackers continue to evolve their methods
- Exploit kits are attackers' main weapons. Modern attacks focus on inducing victims to visit malware-laden websites through the usual methods, notably phishing. Infected websites host exploit kits such as DarkLeech and ransomware such as CryptoLocker. These kits are marketed and sold with support to botnet operators; they are essentially franchise operations.
- Exploit kit competition is heating up. Historically popular kits such as BlackHole are giving way to newer, competing kits, leading to a splintering of the malware supply chain.
Threat highlight: CryptoLocker
- CryptoLocker, a piece of ransomware, surfaced in September 2013 and has been on the rise
- Spreads via spam emails containing malicious attachments
- Uses public keys to encrypt files on local disks, network shares and USB devices
- The private key is stored on a C&C server under the attacker's control
- Victims must pay the attacker in a cyber-currency such as Bitcoin or MoneyPak to retrieve the private key and decrypt their files
- SilverSky has correlations to detect customer traffic to CryptoLocker C&C domains and IP addresses
More attackers, more attack tools
- Increased threat diversity means defenders must worry about more threats ("stretch the field"): 42% of SilverSky financial services customers were compromised at least once in the second half of 2013
- Availability of attack tools means the threat environment is becoming more chaotic. Example: a politically motivated attacker encouraging DDoS attacks on healthcare.gov (and distributing tools)
- Anonymized currencies grease the wheels of commerce and make it harder to follow the money
These three trends mean that more attackers have access to more weapons than ever before.
Top 10 threats for the second half of 2013
- Trojans remain the #1 threat category facing financial customers
- ZmEu has become the dominant threat facing customers
- Significant other new threats are CryptoLocker and Pony Loader
- BlackHole has fallen from #1 in 1H 2013 to #9 (following the October 2013 arrest of its co-creator)
- Six out of the top 10 threats are new compared to one year ago (2H 2012)
- Threat environment more concentrated (Simpson score 0.59 versus 0.88 in the first half of 2013)
Share of incidents by threat:
Rank | Threat name | 1H 2013 | 2H 2013
1 | ZmEu Vulnerability Scan | 4% | 30%
2 | Darkleech Exploit Kit | 10% | 4%
3 | Andromeda C&C | 3% | 4%
4 | CryptoLocker | - | 2%
5 | ZeroAccess Rootkit C&C | - | 2%
6 | Pony Loader C&C | - | 2%
7 | TDL4/TDSS C&C | 4% | 1%
8 | Zeus C&C | 2% | 1%
9 | Blackhole Exploit Kit | 11% | 1%
10 | Stabuniq Trojan | 2% | 1%
Total | | 47% | 47%
Simpson Index of Diversity (1.0 = most diverse) | | 0.88 | 0.59
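Both the attacker-country table and the threat table above summarize concentration with a Simpson Index of Diversity. The following is an added example, not SilverSky's code, showing how that index is computed from an incident mix and why a half-year dominated by one scanner (as ZmEu at 30%) scores lower; the incident counts are constructed, not the report's data, which is why the results do not reproduce the 0.88/0.59 figures.

```python
"""Simpson's index of diversity for an incident mix, as used in the SilverSky
threat and attacker-country tables (1.0 = most diverse, 0 = everything in one
category). Added example, not SilverSky's code; the counts are constructed."""

def simpson_diversity(counts):
    """Return 1 - sum(p_i^2), where p_i is the share of each category.

    `counts` maps category -> number of incidents (any share-like weight works).
    0.0 when a single category holds everything; approaches 1.0 as incidents
    spread evenly over many categories.
    """
    total = sum(counts.values())
    if total <= 0:
        raise ValueError("need at least one incident")
    return 1.0 - sum((n / total) ** 2 for n in counts.values())

def top_n_share(counts, n=10):
    """Share of incidents held by the n largest categories (the table's 'Total' row)."""
    total = sum(counts.values())
    return sum(sorted(counts.values(), reverse=True)[:n]) / total

# Constructed incident mixes (hypothetical counts, NOT the report's data): an
# "even" half-year where ten threats share the load equally, and a "concentrated"
# one where a single scanner takes 60% of incidents, as ZmEu dominates 2H 2013.
EVEN_HALF = {f"threat-{i}": 10 for i in range(10)}
CONCENTRATED_HALF = {"ZmEu Vulnerability Scan": 60, "Darkleech Exploit Kit": 8,
                     "Andromeda C&C": 8, "CryptoLocker": 4, "Pony Loader C&C": 4,
                     "other": 16}

if __name__ == "__main__":
    for name, mix in (("even", EVEN_HALF), ("concentrated", CONCENTRATED_HALF)):
        print(f"{name:12s} Simpson={simpson_diversity(mix):.2f} "
              f"top-10 share={top_n_share(mix):.0%}")
```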
Threats are rapidly changing every day
Top 10 threats SilverSky detected in 2H 2013: (1) ZmEu Vulnerability Scan, (2) Darkleech Exploit Kit, (3) Andromeda C&C, (4) CryptoLocker, (5) ZeroAccess Rootkit C&C, (6) Pony Loader C&C, (7) TDL4/TDSS C&C, (8) Zeus C&C, (9) Blackhole Exploit Kit, (10) Stabuniq Trojan.
6 out of these top 10 threats differ from those of 1 year ago.
How SilverSky protects customers
- We follow exploit kits and botnets closely: 60 SilverSky experts tracking more than 140 botnets
- Four layers of defense protect customers:
  - Targeted Attack Prevention (TAP) detects zero-day threats and links in email (launched last week)
  - Network-based AV is equipped with JavaScript/iframe signatures to keep clients from executing code
  - Web security filters block known botnet host domains and suspicious domains
  - Analysts constantly add new correlations in the SIEM to match related IP addresses, domains and file names
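The botnet-tracking slide, the CryptoLocker C&C correlation and the SIEM layer above all describe the same mechanism: outbound traffic matched against IP and domain blocklists plus URL regular expressions, with hits classified on the Level 0-3 scale. The following is an added example of that correlation logic, not SilverSky's code; every indicator and log event in it is a constructed placeholder (TEST-NET addresses, `.example` domains), not real C&C infrastructure.

```python
"""Blocklist-plus-regex correlation like the slides describe: outbound web events
are matched against C&C IP/domain lists and exploit-kit URL patterns, and hits are
raised at the deck's incident levels. Added example; indicators are constructed."""
import re
# Constructed placeholders, NOT real CryptoLocker or exploit-kit infrastructure.
# Real lists are refreshed hourly/daily/in real time from external feeds plus
# internally built lists based on anomalies seen across the customer base.
CC_IPS = {"203.0.113.45"}
CC_DOMAINS = {"cc-placeholder.example", "kit-placeholder.example"}
URL_PATTERNS = [re.compile(r"/[a-z0-9]{8,}\.php\?[a-z]=[0-9a-f]{16,}", re.I)]

def parent_domains(host):
    """Yield host and each parent so a.kit-placeholder.example also matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def match_event(event):
    """Return (level, reason) for one outbound event, or None if clean.
    Level 3 = verified compromise (talked to known C&C infrastructure);
    Level 2 = suspected compromise (URL shaped like a kit landing page)."""
    if event["dst_ip"] in CC_IPS:
        return 3, f"C&C IP {event['dst_ip']}"
    for d in parent_domains(event["host"]):
        if d in CC_DOMAINS:
            return 3, f"C&C domain {d}"
    if any(p.search(event["url"]) for p in URL_PATTERNS):
        return 2, "exploit-kit URL pattern"
    return None

def correlate(events):
    """Group hits by internal source host; keep the highest level per host."""
    incidents = {}
    for ev in events:
        hit = match_event(ev)
        if hit:
            level, reasons = incidents.get(ev["src_ip"], (0, []))
            incidents[ev["src_ip"]] = (max(level, hit[0]), reasons + [hit[1]])
    return incidents

# Constructed proxy-log events (TEST-NET addresses), not captured traffic.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.2.3", "dst_ip": "198.51.100.7", "host": "www.example.com", "url": "/index.html"},
    {"src_ip": "10.1.2.3", "dst_ip": "203.0.113.45", "host": "203.0.113.45", "url": "/"},
    {"src_ip": "10.1.2.9", "dst_ip": "198.51.100.8", "host": "a.kit-placeholder.example", "url": "/"},
    {"src_ip": "10.1.2.20", "dst_ip": "198.51.100.9", "host": "blog.example.org",
     "url": "/x7k2m9pq4a.php?i=0123456789abcdef0123"},
]

if __name__ == "__main__":
    for src, (level, reasons) in correlate(SAMPLE_EVENTS).items():
        print(f"{src}: Level {level}: {'; '.join(reasons)}")
```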
Recommendations: PCs
- Use multi-layered defenses: firewalls, web security, IDS/IPS, anti-virus, SIEM, targeted attack detection for email
- Safeguard PCs and observe best practices:
  - Never open suspect email attachments or follow links
  - Don't respond to emails asking for financial information
  - Disable and/or uninstall unused services
  - Keep software current, especially OS, browser and AV
- Patch, patch, patch! The OS, but also third-party browser plugins
  - Minimum browsers: IE 9, Firefox 16, Chrome 25, Safari 5.1
  - Block Flash and ads in the browser or with web security software
  - When practical, block access to unclassified sites
  - If you must use Flash or Java, turn on auto-update
Recommendations: Servers and network
- Consider server host intrusion detection systems (HIDS)
  - Use for key workloads where application binaries are largely static: web servers and transactional systems
  - Use in combination with application whitelisting technologies
- Enforce very strong production server passwords
  - Brute-forcing admin or root passwords is a popular way in
  - Strong passwords help prevent compromises of hosts inside the firewall; or require multi-factor authentication
  - Change default admin account names as well
- Remove unnecessary server components
  - Example: phpMyAdmin (ZmEu ingress points)
- Don't just trust, verify: scan everything regularly
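ZmEu, the top threat of 2H 2013, shows up in web server logs as probes for phpMyAdmin install paths, which is why the slide calls phpMyAdmin a ZmEu ingress point. The following is an added example, not SilverSky's tooling, of spotting that probing in Apache combined-format access logs and filing it as a Level 1 (scanning) incident, flagging any source whose probe was actually served with HTTP 200; the log lines and the 3-path threshold are constructed assumptions.

```python
"""Spot ZmEu-style phpMyAdmin probing in Apache combined-format access logs and
file it as a Level 1 (scanning/reconnaissance) incident per source address.
Added example, not SilverSky's tooling; the log lines below are constructed."""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# phpMyAdmin install paths the ZmEu scanner probes; "ZmEu" is the scanner's own
# User-Agent string. Matching is case-insensitive.
PMA_PATH_RE = re.compile(r"/(phpmyadmin|pma|myadmin|mysql|dbadmin)\S*", re.I)
SCAN_THRESHOLD = 3   # distinct probe paths from one source before we call it a scan (assumed)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_probe(rec):
    return "zmeu" in rec["ua"].lower() or bool(PMA_PATH_RE.search(rec["path"]))

def detect_scans(lines):
    """Return {src_ip: {"level": 1, "paths": [...], "served": bool}} for sources
    that probed at least SCAN_THRESHOLD distinct paths. 'served' is True if any
    probe got HTTP 200: a phpMyAdmin ingress point exists and needs attention."""
    by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_probe(rec):
            continue
        entry = by_ip.setdefault(rec["ip"], {"paths": set(), "served": False})
        entry["paths"].add(rec["path"])
        entry["served"] |= rec["status"] == "200"
    return {ip: {"level": 1, "paths": sorted(e["paths"]), "served": e["served"]}
            for ip, e in by_ip.items() if len(e["paths"]) >= SCAN_THRESHOLD}

# Constructed log lines (TEST-NET addresses), not captured traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Nov/2013:09:14:01 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 289 "-" "ZmEu"
203.0.113.5 - - [11/Nov/2013:09:14:01 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 289 "-" "ZmEu"
203.0.113.5 - - [11/Nov/2013:09:14:02 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 200 1742 "-" "ZmEu"
198.51.100.9 - - [11/Nov/2013:09:15:10 -0500] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Nov/2013:09:15:11 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, inc in detect_scans(SAMPLE_LOG).items():
        print(f"{ip}: Level {inc['level']} scan, {len(inc['paths'])} probe paths, served={inc['served']}")
```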
Recommendations: Management
- For balance, invest in a highly skilled, highly trained security event detection and response staff. Companies lacking budget or expertise should outsource.
- Set expectations with management: prevention cannot be perfect. You will be judged, in part, on how much you can reduce the likelihood of the worst attacks.
- Create and test your response plan. The measure of your program is how quickly (and effectively) you respond to compromises that occur due to your residual risks.
Thank you for your time
www.silversky.com | 800.234.2175 | info@silversky.com