© 2015 IBM Corporation IBM X-Force Insights from the 1Q 2015 Threat Intelligence Quarterly Kevin Skapinetz Director of Strategy and Product Marketing April 14, 2015

Post on 20-Mar-2018


TRANSCRIPT

© 2015 IBM Corporation

IBM Security


IBM X-Force Insights from the 1Q 2015 Threat Intelligence Quarterly

Kevin Skapinetz, Director of Strategy and Product Marketing

April 14, 2015


IBM X-Force® Research and Development

Research areas: Vulnerability Protection, IP Reputation, Anti-Spam, Malware Analysis, Web Application Control, URL / Web Filtering, Zero-day Research

The IBM X-Force Mission

Monitor and evaluate the rapidly changing threat landscape

Research new attack techniques and develop protection for tomorrow’s security challenges

Educate our customers and the general public

Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter

Expert analysis and data sharing on the global threat landscape


IBM X-Force monitors and analyzes the changing threat landscape

15B+ events managed per day

270M+ endpoints reporting malware

20,000+ devices under contract

133 monitored countries (MSS)

3,000+ security related patents

96K+ documented vulnerabilities

25B+ analyzed web pages and images

12M+ spam and phishing attacks daily

860K+ malicious IP addresses

Millions of unique malware samples


IBM X-Force nicknamed this year, “The Year of the Breach”

[Bubble chart of breaches by month (Jan through Dec); each bubble is labelled with the victim’s industry: Marketing Services, Online Gaming, Gaming, Central Government, Internet Services, Online Services, IT Security, Banking, Government Consulting, Telecommunications, Entertainment, Consumer Electronics, Agriculture, Apparel, Insurance, Consulting, Defense, National Police, State Police, Police, Financial Market, Heavy Industry]

Attack Type (legend): SQL Injection, URL Tampering, Spear Phishing, 3rd Party Software, DDoS, SecureID, Trojan Software, Undisclosed

Size of circle estimates relative impact of breach in terms of cost to business

Source: IBM X-Force® Research Trend and Risk Report

83% of CISOs say that the challenge posed by external threats has increased in the last three years

Near Daily Leaks of Sensitive Data

40% increase in reported data breaches and incidents

Relentless Use of Multiple Methods

800,000,000+ records were leaked, while the future shows no sign of change

“Insane” Amounts of Records Breached

42% of CISOs claim the risk from external threats increased dramatically from prior years.

Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015 and 2014 IBM Chief Information Security Officer Assessment


The tone of breaches has shifted, revealing disturbing flaws in the fundamentals of both systems and security practices

• End-user password re-use

• Leaving default passwords on admin systems

• Poor challenge questions for password resets

• The same operating systems, open-source libraries and CMS software are prevalent on many websites

• Several of these systems and libraries had vulnerabilities disclosed in 2014

• Sensitive photos stored on a cloud service were leaked due to weak passwords

• Private email communications at a major Hollywood studio were released

Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015


We had our first taste of “designer vulns” in 2014: critical vulnerabilities with clever logos and handles

Heartbleed, CVE-2014-0160 (OpenSSL)

Shellshock, CVE-2014-6271/7169 (Unix Bash shell)

POODLE, CVE-2014-3566/8730 (SSL 3.0 Protocol)

GHOST, CVE-2015-0235 (Linux GNU C Library)


Apache Cordova allows mobile app developers to use HTML5 as a single cross-platform development technology


What can app designers and the industry do to mitigate threats?

Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015

• Be proactive in the measures taken to keep users safe

• Have a process for rapid implementation and deployment of security fixes

• Establish PSIRTs responsible for tracking vulns across in-house products

• Maintain backward-compatibility and streamlined updates within build process

• Mobile app industry should investigate segregation of framework from app code


Let’s talk about malware and motivations


59% of CISOs strongly agree that the sophistication of attackers is outstripping the sophistication of their organization’s defenses

Particularly troubling is the adaptation of malware toolkits from targeting financial institutions to APT-style attacks on a broader range of industries

Source: 2014 IBM Chief Information Security Officer Assessment

• Targets Consumers

• Used for stealing

– Bank account credentials

– Personal information

• Targets Employees

• Used for stealing

– Corporate credentials

– Business information


Financial malware is used against industries beyond traditional targets

Comprehensive Menu of Advanced Capabilities

• Keylogging and screen capturing

• Remote code execution

• Full remote control

Highly Evasive

• Sophisticated evasion techniques used to bypass detection

• Can remain stealthy for lengthy periods of time

Able to be Repurposed

• Communicates with a C&C

• Receives operational instructions via config file

• Config file can be updated with new operational instructions

Already Massively Distributed

• Off the shelf malware, not custom designed

• Uses distribution campaigns

• Millions already infected!


An average of 1 in 500 machines is infected at any point in time

Infection Rates for Massively Distributed APT Malware by Country

Source: IBM Trusteer, SecurityIntelligence.com


The Dyre Wolf campaign, step by step:

1. SPEAR PHISHING: An employee within the targeted organization receives an email with the Upatre malware

2. FIRST STAGE MALWARE EXECUTED: Upon opening the attachment, the Upatre malware is installed

3. SECOND STAGE MALWARE EXECUTED: Upatre establishes communication to the attacker and downloads Dyre

4. VICTIM LOGS INTO TARGETED ACCOUNT: Dyre alters the response from the bank’s website, tricking the victim into calling an illegitimate number (“Problem with your account, call the bank at 1-800-XXXX”)

5. THE PHONE CALL SOCIAL ENGINEERING: To overcome measures by the bank to protect against fraud, the Dyre Wolf operators social-engineer critical information from the victim

6. THE WIRE TRANSFER: Upwards of $1.5 million USD is quickly and efficiently transferred from the victim’s account to several offshore accounts

7. THE DDOS: Immediately after the theft, a high volume DDoS against the victim starts, in order to distract or hinder investigation
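One way a defender can turn the chain above into a detection, as an added example that is not from the IBM deck: a small correlator that flags a host only when the early stages (attachment executed, new outbound connection, executable download, banking login) appear in that order within a time window, so a lone banking login or a lone new connection does not fire. The event types, host names, timestamps and the two-hour window are constructed assumptions for the demonstration.

```python
# Added example (not part of the IBM deck): stage-sequence correlation for the
# Dyre Wolf chain. Each host must progress through the stages in order, and every
# later stage must fall within WINDOW of the chain's first stage.
from datetime import datetime, timedelta

# Assumed stage names, in the order the deck describes them (stages 1-4).
STAGE_ORDER = ("attachment_exec",   # 1. mail attachment run (Upatre dropper)
               "outbound_new_host", # 2. dropper contacts the attacker
               "exe_download",      # 3. second stage (Dyre) pulled down
               "banking_login")     # 4. victim logs into the bank site
WINDOW = timedelta(hours=2)         # assumed correlation window

# Constructed sample telemetry: (timestamp, host, event_type). Not real data.
EVENTS = [
    ("2015-03-02 09:01:00", "ws-117", "attachment_exec"),
    ("2015-03-02 09:01:40", "ws-117", "outbound_new_host"),
    ("2015-03-02 09:02:05", "ws-117", "exe_download"),
    ("2015-03-02 10:15:00", "ws-117", "banking_login"),
    ("2015-03-02 09:30:00", "ws-042", "banking_login"),      # benign: login only
    ("2015-03-02 09:31:00", "ws-042", "outbound_new_host"),  # benign: no dropper first
    ("2015-03-01 08:00:00", "ws-205", "attachment_exec"),    # stages 6 h apart
    ("2015-03-01 14:00:00", "ws-205", "outbound_new_host"),  # outside the window
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(events, order=STAGE_ORDER, window=WINDOW):
    """Return {host: furthest_stage} for hosts that reached at least two ordered stages.

    Events are processed in time order; an event only advances a host when it is
    the next expected stage and lies within `window` of the host's first stage.
    Out-of-order stages are ignored rather than treated as a restart.
    """
    progress = {}  # host -> (index of next expected stage, time of first stage)
    for ts, host, kind in sorted(events, key=lambda e: e[0]):
        t = _parse(ts)
        idx, start = progress.get(host, (0, None))
        if idx < len(order) and kind == order[idx]:
            if idx == 0:
                start = t
            if t - start <= window:
                progress[host] = (idx + 1, start)
    return {h: order[i - 1] for h, (i, _) in progress.items() if i >= 2}


if __name__ == "__main__":
    for host, stage in correlate(EVENTS).items():
        print(f"{host}: chain reached stage '{stage}'")
```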


Dyre infections by the numbers

[Bar chart of Dyre infections by region (y-axis 0 to 2500): North America, Europe, other, Africa, South America, Australia, Asia]


Since traditional security isn’t effective against Mad APTs (massively distributed APT malware), what can you do to mitigate threats from Citadel or Dyre malware?


IBM has built one of the fastest growing enterprise security portfolios

…and we’re innovating

• 70+ new or updated offerings in the last 12 months

• Major releases in every IBM security domain

[Timeline of IBM Security Systems and IBM Security Services, 2002 to 2015]


IBM Security

Integrated capabilities delivered across a comprehensive security framework

X-Force: Monitor and evaluate today’s threats

QRadar: Detect, analyze, and prioritize threats

Trusteer: Reduce fraud and malware

Identity and Access Management: Manage users and their access

Guardium: Discover and harden valuable assets

AppScan: Secure critical business applications

Network Protection, BigFix, MaaS360: Protect infrastructure against attacks


Join the X-Force Exchange Beta – xforce.ibmcloud.com


Connect with IBM X-Force Research & Development

IBM X-Force Threat Intelligence Quarterly and other research reports: http://www.ibm.com/security/xforce

Twitter: @ibmxforce and @ibmsecurity

IBM X-Force Security Insights Blog: www.SecurityIntelligence.com/topics/x-force


www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.