2015 TRUSTWAVE GLOBAL SECURITY REPORT
Rahul Samant, Trustwave Australia
WHY DO CYBERCRIMINALS DO WHAT THEY DO?
1,425% Return on Investment (ROI): estimated ROI for a one-month ransomware campaign, based on Trustwave SpiderLabs research into underground markets.
One example: $5,900 investment = $84,100 profit.
Make it difficult and expensive for criminals to target your organization.
SUMMARY
1. Trustwave Global Security Report Overview
2. Data Compromise Investigations
3. Threat Intelligence & Security Research
4. Security Testing
5. Wrap Up
THE 2015 TRUSTWAVE GLOBAL SECURITY REPORT
Seventh annual compendium of Trustwave threat intelligence, detailing cybercriminals' methods and impact in the previous year.
Data sources:
- 574 compromised locations investigated across 15 countries
- Billions of events each day across five global SOCs
- 4 million vulnerability scans
- Thousands of web app security scans
- Tens of millions of web transactions
- Tens of billions of email messages
- Millions of blocked malicious websites
- Thousands of penetration tests
DATA COMPROMISE
1. Who is falling victim?
2. What IT systems are criminals compromising?
3. How are criminals breaking in?
4. What data are criminals targeting?
5. How long does it take to detect a breach?
6. How long does a breach last?
GEOGRAPHIC LOCATIONS OF VICTIMS Distribution of investigations by location
ENVIRONMENTS COMPROMISED BY REGION Distribution of investigations by type and region
COMPROMISES BY INDUSTRY
Distribution of investigations by industry (2014 vs. 2013)
ENVIRONMENTS COMPROMISED BY INDUSTRY Distribution of investigations by type and industry
FACTORS CONTRIBUTING TO COMPROMISE
Distribution of investigations by factors that made the breach possible:
- 28% Weak Remote Access Security
- 28% Weak Passwords
- 15% Weak (or Non-Existent) Input Validation
- 15% Unpatched Vulnerabilities
- 8% Misconfigurations
- 6% Malicious Insider
TYPES OF DATA TARGETED
Distribution of investigations by type of data targeted:
- 49% PII + CHD (E-commerce Transaction Data)
- 31% Track Data (POS Transaction Data)
- 12% Financial Credentials
- 8% Proprietary Data
BREACH DETECTION
Distribution of investigations by mode of detection: 81% of victims did not identify the breach themselves.
DURATION OF A COMPROMISE
Median durations between compromise milestones:
- 111 days: how long a breach lasted
- 86 days to detect a breach
- 7 days to contain a breach
THREAT INTELLIGENCE
1. Types of Attacks
2. The Rewards of Cybercrime
3. Celebrity Vulnerabilities
4. Top Host-Based Vulnerabilities
5. Top Exploit Traffic
6. Attacks on Web Applications & Servers
7. Spam Trends
8. Exploit Kits and
TARGETED ATTACK
"SKB Enterprises serves a lot of customers, handles a lot of payment card transactions and probably has a lot of customer data stored somewhere. I'm going to figure out how to break in."
- Target identified first; ONLY THEN is the attack considered
- More effort spent planning and executing
- Usually targeting larger organizations

OPPORTUNISTIC ATTACK
"I know how to compromise a web server via an Adobe ColdFusion vulnerability. I'm going to scan the Internet to find unpatched servers and see whether I can access some valuable data or inject malicious code to infect visitors with malware."
- Exploit and vulnerability identified first
- Target doesn't matter, it just needs to be vulnerable to the exploit
- Low-hanging fruit: smaller organizations usually fall victim
ROI CALCULATION FOR RANSOMWARE CAMPAIGN
EXPENSES
- Payload: $3,000
- Infection Vector: $500
- Traffic Acquisition: $1,800
- Daily Encryption: $600
- Total Expenses: $5,900

REVENUE
- Visitors: 20,000
- Infection Rate: 10%
- Payout Rate: 0.5%
- Ransom Amount: $300
- Length of Campaign: 30 days
- Total Revenue: $90,000
(20,000 visitors per day x 10% infected x 0.5% paying x $300 ransom = $3,000 per day; x 30 days = $90,000)

RETURN ON INVESTMENT
- Total Expenses: $5,900
- Revenue: $90,000
- Gross Profit: $84,100
- ROI: 1,425%
THE YEAR OF THE CELEBRITY VULNERABILITY
- Vulnerabilities with memorable names and logos
- Helped bring awareness of technical security issues to the masses
- Sometimes not as serious as the media attention suggests
Trustwave observations of real-world prevalence and exploits:
- 0.60 percent of vulnerabilities detected were Heartbleed
- 2.47 percent of exploit traffic targeted POODLE
- 2.30 percent of exploit traffic targeted Shellshock
NETWORK VULNERABILITY SCAN ANALYSIS
Top 5 Most Frequently Detected Vulnerabilities: 41% of vulnerabilities detected were SSL vulnerabilities.
EXPLOIT TRAFFIC DETECTED Top 5 Exploits Observed by Trustwave-managed IDS sensors
ATTACKS ON WEB APPLICATIONS AND SERVERS Top Opportunistic Attack Methods Observed by Trustwave
SPAM CATEGORIES (2014 vs. 2013)
6% of spam includes malicious links or attachments.
PREVALENT EXPLOIT KITS
Exploit kit prevalence based on telemetry from Trustwave Secure Web Gateway:
- 25% RIG
- 23% Nuclear
- 17% Angler
- 13% Fiesta
- 9% Magnitude
- 5% Neutrino

TOP EXPLOITED APPLICATIONS
Most exploited client-side applications and plug-ins as observed by Trustwave in 2014:
- 33% Flash
- 29% Internet Explorer
- 10% Adobe Reader
- 13% Silverlight
- 15% Java (down 63%)
Copyright 2015 Trustwave Holdings, Inc.
SECURITY TESTING
1. Web Application Security
2. Mobile Application Security
3. Most Common Penetration Testing Findings
4. Most Common Business Passwords
WEB APPLICATION SECURITY
- 98% of applications are vulnerable
- 20 median flaws per application
FREQUENCY OF APPLICATION VULNERABILITY TYPES
Top application vulnerabilities identified by Trustwave in 2014, proportioned by type (2014 vs. 2013)
MOBILE APPLICATION VULNERABILITIES
Cumulative percentages of mobile applications in which Trustwave identified at least one vulnerability, by severity
COMMON PENETRATION TESTING FINDINGS
Top Ten Penetration Testing Findings in a Comparative Ranking:
1. Authentication bypass
2. SQL injection
3. Logic flaws
4. Unpatched systems
5. Weak administrator password
6. Shared local administrator password
7. Authorization bypass
8. Unencrypted storage of sensitive data
9. Cross-site scripting (XSS), persistent
10. LLMNR poisoning (a name resolution attack)
(Each finding is categorised as Application, Network, or Application and Network.)
PASSWORD ANALYSIS
Cracked 51 percent of passwords within 24 hours and another 37 percent within two weeks.
TOP 10 COMMON KEY WORDS
WRAPPING UP
FOLLOW-UP QUESTIONS
Make it too expensive or difficult for criminals to attack YOU.
- Have you considered all possible attack vectors? Attackers have.
- Do you know what attackers are targeting? Do you know where those assets reside? Trustwave can help.
- How do you know your security is effective? Don't guess, test. Validate your assumptions with penetration testing. Trustwave can help.
WHERE DO WE GO FROM HERE?
What you should do with this information:
- Make it more difficult and expensive for attackers to target you
- Protect users from themselves
- Don't guess, test
- Know what to respond to and how to respond
GET IN TOUCH WITH TRUSTWAVE
www.trustwave.com
@trustwave
infosales@trustwave.com
THANK YOU