Threat Landscape. Threat Landscape. Israel 2013

Similar documents
Unknown threats in Sweden. Study publication August 27, 2014

White Paper. Advantage FireEye. Debunking the Myth of Sandbox Security

The Advanced Cyber Attack Landscape

The Ostrich Effect In Search Of A Realistic Model For Cybersecurity

Spear Phishing Attacks Why They are Successful and How to Stop Them

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Anti-exploit tools: The next wave of enterprise security

Defending Against Cyber Attacks with SessionLevel Network Security

Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Breaking the Cyber Attack Lifecycle

CYBER SECURITY THREAT REPORT Q1

Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D.

When attackers have reached this stage, it is not a big issue for them to transfer data out. Spencer Hsieh Trend Micro threat researcher

Comprehensive Advanced Threat Defense

DATA SHEET. What Darktrace Finds

Marble & MobileIron Mobile App Risk Mitigation

Protect Your Business and Customers from Online Fraud

Fighting Advanced Threats

Practical Steps To Securing Process Control Networks

Defending Against Data Beaches: Internal Controls for Cybersecurity

Top Ten Cyber Threats

Advanced Persistent Threats

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Covert Operations: Kill Chain Actions using Security Analytics

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Symantec Advanced Threat Protection: Network

IBM Security re-defines enterprise endpoint protection against advanced malware

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

SPEAR-PHISHING ATTACKS

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Post-Access Cyber Defense

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

Protecting Your Organisation from Targeted Cyber Intrusion

SPEAR PHISHING UNDERSTANDING THE THREAT

Getting real about cyber threats: where are you headed?

Endpoint Threat Detection without the Pain

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions

INDUSTRY OVERVIEW: FINANCIAL

A Case for Managed Security

Fostering Incident Response and Digital Forensics Research

White Paper. Why Next-Generation Firewalls Don t Stop Advanced Malware and Targeted APT Attacks

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

Perspectives on Cybersecurity in Healthcare June 2015

場 次 :C-3 公 司 名 稱 :RSA, The Security Division of EMC 主 題 : 如 何 應 用 網 路 封 包 分 析 對 付 資 安 威 脅 主 講 人 :Jerry.Huang@rsa.com Sr. Technology Consultant GCR

I N T E L L I G E N C E A S S E S S M E N T

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

05 June 2015 A MW TLP: GREEN

Cybersecurity and internal audit. August 15, 2014

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

Streamlining Web and Security

Cybersecurity Awareness. Part 1

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

Basic Security Considerations for and Web Browsing

You ll learn about our roadmap across the Symantec and gateway security offerings.

Zak Khan Director, Advanced Cyber Defence

Cybercrime Security Risks and Challenges Facing Business

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Advanced Persistent Threats

The Hillstone and Trend Micro Joint Solution

Recurrent Patterns Detection Technology. White Paper

Advanced Cyber Threats in State and Local Government

Getting Ahead of Malware

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks

24/7 Visibility into Advanced Malware on Networks and Endpoints

Cyber Security Metrics Dashboards & Analytics

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

Malware & Botnets. Botnets

Practical Threat Intelligence. with Bromium LAVA

Cisco IPS Tuning Overview

Operation Liberpy : Keyloggers and information theft in Latin America

SOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper. Safeguarding data through increased awareness

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?

Common Cyber Threats. Common cyber threats include:

Securing Your Business s Bank Account

FireEye Advanced Threat Report: 2013

Security Analytics for Smart Grid

Advanced Endpoint Protection Overview

Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Unified Security, ATP and more

Transcription:

Threat Landscape Threat Landscape Israel 2013

Document Control Document information Version Title Creation Date Revision Date 1.4 Threat Intelligence / Israel 2013 17 January 2014 27 January 2014 Contact information Name Title Email Alexander Haik Regional Sales Director Israel alexander.haik@fireeye.com Dud Akiva Systems Engineer dudu.akiva@fireeye.com Yogi Chandiramani Director Systems Engineering Europe yogi.chandiramani@fireeye.com

Table of Contents Document Control... 2 Table of Contents... 3 Introduction... 4 Executive Summary... 5 Definitions... 6 Malware Distribution... 7 Introduction... 7 Detection Type Distribution... 8 APT families... 9 Callback Analysis for Israel... 11 Vertical Analysis... 12 Conclusion and Recommendations... 16

Introduction We appreciate the opportunity to provide you with a unique insight into the Threat Landscape in Israel for 2013. For many years, we have been stating that over 95% of businesses unknowingly host compromised PC s within their corporate networks. Israel is no different than any other country. During this assessment, we have identified all types of threat actors: nation state, cyber criminals, activists and amateurs as well. Well- funded threat actors have adjusted their techniques from generic, opportunistic and scattershot to targeted, resilient and evasive. It is my pleasure to present this analysis that provides a comprehensive assessment of the Israeli threat landscape. I am looking forward to discuss this report with you and help you define and execute your cyber security strategy for 2014 and beyond. Best Regards, Alexander Haik, Regional Sales Director, Israel

Executive Summary This FireEye Advanced Threat Report for Israel provides an overview of the advanced persistent threats (APT) targeting computer networks that were discovered by FireEye during 2013 in Israel. This report summarizes 2013 data gleaned from the FireEye Dynamic Threat Intelligence (DTI) cloud of worldwide malware protection platforms. Based on this information and insight, FireEye can report the following: More than 52,000 events were discovered in 2013 in Israel across 20 organizations More than 2,000 end points were probably compromised as they were beaconing or communicating with CnC servers More than 272 variant of malwares were detected in 2013 The number of APT events represented 25% of all events identified or 1.5 APT event per hour in 2013 40 variant of APT were identified in 2013 The Defense/Airlines industry is the most targeted vertical representing on its own over 50% of compromised end points with APT The USA is currently home for more than 50% of callbacks coming from Israel We identified almost 1,000 malicious files focusing on obfuscation techniques to bypass signature based controls Disclaimer: This report only covers computer network attacks that targeted FireEye customers, sharing their metrics with FireEye it is by no means an authoritative source for all APT attacks in Israel and elsewhere in the world. In this dataset, we take reasonable precautions to filter out test network traffic as well as traffic indicative of manual intelligence sharing among our customer base within various closed security communities. We realize that some popular APT TTPs can be reused and repurposed by both cyber- criminals and nation- state threat actors alike. To address this issue, we employ conservative filters and crosschecks to reduce the likelihood of misidentification.

Definitions Advanced Persistent Threat (APT): a distinct set of cyber tools, techniques, and procedures (TTPs) that are employed directly or indirectly by a nation- state or a sophisticated, professional criminal organization for cyber espionage or the long- term subversion of adversary networks. Key qualifying APT characteristics include regular human interaction (i.e. not a scripted, automated attack), and the ability to extract sensitive information, over time, at will. Callback: an unauthorized communication between a compromised victim computer and its attacker s command- and- control (CnC) infrastructure. Remote Access Tool (RAT): software that allows a computer user (for the purposes of this report, an attacker) to control a remote system as though he or she had physical access to that system. RATs offer numerous attractive features such as screen capture, file exfiltration, etc. Typically, an attacker installs the RAT on a target system via some other means such as spear phishing or exploiting a zero- day vulnerability, and the RAT then attempts to keep its existence hidden from the legitimate owner of the system. Security Event: FireEye regularly discovers a wide variety of web, email, and file- based threats, including the opening of a malware attachment, a click on a malicious hyperlink, or the callback of an infected machine to its attacker s command- and- control (CnC) network. Targeted attack: a unique TTP- to- Target pairing. Please note, that APTs usually employ multiple TTPs and manage multiple targeted attacks at the same time. Threat Actor: the nation- state or criminal organization behind an APT. This could be a military unit, an intelligence agency, a contractor organization, or a non- state actor with indirect state sponsorship. Tools, Techniques, and Procedures (TTPs): the characteristics specific to a threat actor in the cyber domain, usually referring to specific malware. As a caveat, it is important to remember that APTs normally employ multiple TTPs, and multiple APTs can also use the same TTPs. This dynamic frequently complicates cyber defense analysis. Vertical: one of FireEye s 20 distinct industry categories: Aerospace, Chemicals, Construction, E- Commerce, Education, Energy, Entertainment, Finance, Government, Healthcare, High- Tech, Insurance, Legal, Manufacturing, Other, Retail, Services, Telecom, Transportation, and Wholesalers. Target: the recipient of an APT attack. In most cases, the low false positive rates inherent in FireEye alerts suggest that the discovered attack was successful.

Malware Distribution Introduction The number of events has grown by a 4x factor between January and December 2013. The number of APT has more than doubled over the year. We identify sporadic spikes and downturns: Ø April/May 2013: Possibly due to an Anonymous campaign (#op- Israel) launched against Israel during April. Alternatively, A Syrian organization launched an attack at Israeli infrastructure as a retaliation for reported Israeli bombing in Syria. Ø September 2013: Jewish New Year holidays which lasted through September and whereby threat actors can take full advantage of festivities to better infiltrate organizations. 8000 7000 6000 # of events 5000 4000 3000 2000 1000 0 APT Other 2013 Figure 1 Malware Trending For the month of December 2013, we identified more than 3 APT events/hour.

Detection Type Distribution The following figure presents the Detection Type distribution based on the malware family. Zero Day Callback 2% Detection Type Distribution APT 25% Virus 48% Backdoor 9% Trojan 10% Figure 2 Detection Type Distribution InfoStealer 4% Malicious.URL 1% Malware.Binary 1% The Virus family leads the chart with 48% of overall number of events identified in 2013. This number is particularly interesting as this family of malware is typically recognized by signature- based technologies. While a virus does not typically steal information, it is designed to replicate itself within the organization causing disruption and nuisance. On the other hand of the spectrum, APT and Remote Access Toolkit represents more than 25% of the distribution. These malware families take complete control of workstations located in organizations and not only steal data but also are very sophisticated by nature. They typically move laterally within the organization by using the compromised workstation as a stepping- stone. Trojan, Backdoor and Infostealer represent almost 23% of the overall distribution. These families of malware have an objective which is to take control of your workstation and typically steal sensitive data. The level of sophistication and commitment is however less than APT. Zero day malware represent 4% of the overall distribution. Those are typically not identified with signature- based tools and therefore bypass the legacy security controls.

APT families The following table presents the most popular APT families identified during this assessment:: Family Description Attributes Gh0stRat Beebus LV Gh0stRAT is a malicious remote administration tool (RAT). Requiring little technical savvy to use, RATs offer unfettered access to compromised machines. They are deceptively simple attackers can point and click their way through the target s network to steal data and intellectual property. But they are often delivered as key component of coordinated attacks that use previously unknown (zero- day) software flaws and clever social engineering. Features common to most Windows- based RATs include key logging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying. FireEye discovered the Trojan.APT.Beebus APT campaign consistently targeting companies in the aerospace and defense industries. The campaign has been in effect for sometime now. This campaign uses both email and drive- by downloads as a means of infecting end users. The threat actor has consistently used attachment names of documents/white papers released by well- known companies. The malicious email attachment exploits some common vulnerabilities in PDF and DOC files. The malware uses a well- documented vulnerability in the Windows OS known as DLL search order hijacking. There is an order in which executables load DLLs on the Windows operating system. This particular malware takes advantage of this vulnerability and drops a DLL called ntshrui.dll in the C:\Windows directory. The first place from where the executable looks to load the DLL is its own directory. By dropping the ntshrui.dll in the directory C:\Windows, the malware achieves persistence More information can be found at: http://www.fireeye.com/blog/technical/targeted- attack/2013/02/operation- beebus.html Backdoor.APT.LV primarily uses websites hosting.exes to propagate. Many of the domains used names referring to the Middle East. The malware was observed talking back to its CnC using a custom protocol over port 80. The malware gathers the information from the compromised machine and sends it to its CnC: Netbios name, User, Date, Locale, Windows OS name. The malware also informs the CnC of its version. Although the

ExtremeRAT PoisonIvy Backdoor.APT.LV collects crucial information pertaining to the user and the compromised machine, upon execution, it also (oddly) opens up a dialog box asking the user to run an executable named "Trojan.exe." This obvious name of a malicious executable suggests this malware is intended for non- native English speakers More information can be found at: http://www.fireeye.com/blog/technical/botnet- activities- research/2012/09/the- story- behind- backdoorlv.html XtremeRAT is a malicious remote administration tool (RAT). Requiring little technical savvy to use, RATs offer unfettered access to compromised machines. They are deceptively simple attackers can point and click their way through the target s network to steal data and intellectual property. But they are often delivered as key component of coordinated attacks that use previously unknown (zero- day) software flaws and clever social engineering. Features common to most Windows- based RATs include key logging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying. Well known APT introduced by the PLA http://www.fireeye.com/blog/technical/cyber- exploits/2013/09/hand- me- downs- exploit- and- infrastructure- reuse- among- apt- campaigns.html Decoy Document Browser Tempering Performs Data theft Exhibits Backdoor Capabilities These APT families are highly sophisticated and motivated. Their business impact is typically very high.

Callback Analysis for Israel The following map highlights the locations of the CnC Servers identified in this threat analysis. All these callbacks originated from Israel. More than 50% of all callbacks from Israeli victims appear to contact 1 st tier CnC nodes based in the USA and 7% of callbacks appear to contact 1 st tier CnC nodes based in China. It is interesting to note that most callback destinations are within western countries, where Israel is regarded more positively. Figure 3 Callback Map

Vertical Analysis Let s first have a look at industry verticals, each of which possesses substantial intellectual property value. Furthermore, these verticals often play a tangible role in cybercrime and national security affairs. The following verticals were analyzed in the assessment. Defense/Airlines: this vertical designs and operates military equipment or operates commercial or defense air transport. Automotive/Transportation: this vertical designs, builds, and operates cars, which have myriad commercial applications. Chemicals: chemistry is the study of matter, and plays a central role in bridging all of the natural sciences, including their relationship to energy. E- Commerce: online web services to sell products to businesses or consumers. Energy: in physics, energy is required for any kind of work, to include starting engines, turning on city lights, or launching a missile. Entertainment/Media/Hospitality: organizations providing information and recreation services. Finance: most financial transactions today are conducted via the Internet, whether between people, businesses, or governments. Manufacturing: Providing facilities to build products for other verticals. Other: some specialized businesses play a niche role in national economies, but are nonetheless targeted by niche- focused APTs. Pharmaceuticals: medicine industry, providing products for healthcare.

The following figure presents malware activity by verticals. Malware Distribution byvertical # events 30000 25000 20000 15000 10000 5000 Services/Consulting/VAR High-Tech Healthcare/Pharmaceuticals Government: Federal Financial Services 0 Energy/Utilities/Petroleum Refining Defense/Airlines Chemicals/Manufacturing/ Mining Figure 4 Malware Distribution per Vertical It is clear that high value verticals are being targeting with High Tech leading the group, closely followed by Health Care/Pharmaceuticals vertical.

APT per Vertical 11% 53% 27% Financial Services Government: Federal Healthcare/Pharmaceuticals High-Tech Defense/Airlines 3% 6% Figure 5 APT distribution per vertical Looking more specifically at APT events, the Defense/Airlines vertical represents on its own more than 50% of compromised end points. The following table presents the APT families identified for the Defense/Airlines vertical: APT Name for Defense/Airlines vertical Check_Command DarkComet MdAdum Mirage Mongall Page Zegost 9002 Beebus Cresy PingBed Taidoor Figure 6 APT name for Defense/Airlines Vertical Government vertical is not spared with about 27% of compromised end points.

The following table presents the APT families identified for the Government vertical: APT Name for Government vertical 1PHP DarkComet FakeMessenger Gh0stRat Kaba Lurid LV Note Protux XtremeRAT Bosee Generic Suroot WMIGhost Figure 7 APT Name for Government vertical

Conclusion and Recommendations The evidence highlighted in this report demonstrates that organizations in Israel are a target for advanced threats. The type of malwares identified is consistent with what we see in other countries and verticals. Attackers are targeting high value organizations in Israel and are making their way in. The high number of APT events suggests a large level of information theft. Our recommendations are the following: 1. Ensure existing security tools are up to date the evidence of Virus family malware can be easily addressed with legacy, signature based tools 2. Implement Advanced Threat Protection systems to ensure high value data is safe guarded 3. Plan and Implement an Incident Response and Management strategy to close existing security gaps 4. Share and collaborate with other entities in terms of emerging cyber threats to optimize your security posture

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information