© 2015 IBM Corporation
IBM Security
Slide 1
IBM X-Force Insights from the 1Q 2015
Threat Intelligence Quarterly
Kevin Skapinetz Director of Strategy
and Product Marketing
April 14, 2015
Slide 2
IBM X-Force® Research and Development
Capabilities: Vulnerability Protection, IP Reputation, Anti-Spam, Malware Analysis, Web Application Control, URL / Web Filtering, Zero-day Research
The IBM X-Force Mission
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate our customers and the general public
• Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
Expert analysis and data sharing on the global threat landscape
Slide 3
IBM X-Force monitors and analyzes the changing threat landscape
• 15B+ events managed per day
• 270M+ endpoints reporting malware
• 20,000+ devices under contract
• 133 monitored countries (MSS)
• 3,000+ security related patents
• 96K+ documented vulnerabilities
• 25B+ analyzed web pages and images
• 12M+ spam and phishing attacks daily
• 860K+ malicious IP addresses
• Millions of unique malware samples
Slide 4
IBM X-Force nicknamed this year, “The Year of the Breach”
[Chart: 2014 breaches plotted by month (Jan–Dec); each bubble is labeled with the victim’s industry. Industries shown include Online Gaming, Gaming, Central Government, Defense, National/State Police, IT Security, Banking, Financial Market, Insurance, Consulting, Government Consulting, Internet Services, Online Services, Marketing Services, Telecommunications, Entertainment, Consumer Electronics, Agriculture, Apparel and Heavy Industry.]
Attack Type (legend): SQL Injection, URL Tampering, Spear Phishing, 3rd Party Software, DDoS, SecureID, Trojan Software, Undisclosed
Size of circle estimates relative impact of breach in terms of cost to business
Source: IBM X-Force® Research Trend and Risk Report
Slide 5
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015 and 2014 IBM Chief Information Security Officer Assessment
83% of CISOs say that the challenge posed by external threats has increased in the last three years
Near Daily Leaks of Sensitive Data
40% increase in reported data breaches and incidents
Relentless Use of Multiple Methods
800,000,000+ records were leaked, while the future shows no sign of change
“Insane” Amounts of Records Breached
42% of CISOs claim the risk from external threats increased dramatically from prior years.
Slide 6
The tone of breaches has shifted, revealing disturbing flaws in the fundamentals of both systems and security practices
• End-user password re-use
• Leaving default passwords on admin systems
• Poor challenge questions for password resets
• The same operating systems, open-source libraries and CMS software are prevalent on many websites
• Several of these systems and libraries had vulnerabilities disclosed in 2014
• Sensitive photos stored on a cloud service were leaked due to weak passwords
• Private email communications at a major Hollywood studio were released
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015
Slide 7
Total number of records breached in 2014
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015
Based on pure volume, the number of records breached in was nearly
Slide 8
With strict disclosure laws and higher hosting rates for high-profile websites, the United States continued to be a top target in 2014
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015
Slide 9
Attackers are applying fundamental attack types in creative, new ways
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015
Slide 10
The 2014 vulnerability forecast shifted drastically when an automated tool identified a class of vulns affecting thousands of Android apps
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015
Slide 11
2014 closed with 9,200 new vulns assigned XFIDs, but the total number of vulnerabilities may surge to more than 30,000
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015
Slide 12
We had our first taste of “designer vulns” in 2014: critical vulnerabilities with clever logos and handles
Heartbleed (CVE-2014-0160) – OpenSSL
Shellshock (CVE-2014-6271/7169) – Unix Bash shell
POODLE (CVE-2014-3566/8730) – SSL 3.0 Protocol
GHOST (CVE-2015-0235) – Linux GNU C Library
Slide 13
Apache Cordova allows mobile app developers to use HTML 5 as single cross-platform development technology
Slide 14
At the time of initial disclosure, 91% of Cordova apps were vulnerable
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015
Despite the availability of patches and warnings of sanctions from Google for non-patched apps,
Slide 15
What can app designers and the industry do to mitigate threats?
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015
• Be proactive in the measures taken to keep users safe
• Have a process for rapid implementation and deployment of security fixes
• Establish PSIRTs responsible for tracking vulns across in-house products
• Maintain backward-compatibility and streamlined updates within build process
• Mobile app industry should investigate segregation of framework from app code
Slide 17
59% of CISOs strongly agree that the sophistication of attackers is outstripping the sophistication of their organization’s defenses
Particularly troubling is the adaptation of malware toolkits from targeting financial institutions to APT-style attacks on a broader range of industries
Source: 2014 IBM Chief Information Security Officer Assessment
• Targets Consumers
• Used for stealing
– Bank account credentials
– Personal information
• Targets Employees
• Used for stealing
– Corporate credentials
– Business information
Slide 18
Financial malware is used against industries beyond traditional targets
Comprehensive Menu of Advanced Capabilities
• Keylogging and screen capturing
• Remote code execution
• Full remote control
Highly Evasive
• Sophisticated evasion techniques used to bypass detection
• Can remain stealthy for lengthy periods of time
Able to be Repurposed
• Communicates with a C&C
• Receives operational instructions via config file
• Config file can be updated with new operational instructions
Already Massively Distributed
• Off the shelf malware, not custom designed
• Uses distribution campaigns
• Millions already infected!
Slide 19
Citadel is available for sale on the Russian underground, with new features prioritized by crowdsourcing to target new industries
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015
Slide 20
An average of 1 in 500 machines is infected at any point in time
Infection Rates for Massively Distributed APT Malware by Country
Source: IBM Trusteer, SecurityIntelligence.com
Slide 22
1. SPEAR PHISHING – An employee within the targeted organization receives an email with the Upatre malware
2. FIRST STAGE MALWARE EXECUTED – Upon opening the attachment, the Upatre malware is installed
3. SECOND STAGE MALWARE EXECUTED – Upatre establishes communication to the attacker and downloads Dyre
4. VICTIM LOGS INTO TARGETED ACCOUNT – Dyre alters the response from the bank’s website, tricking the victim into calling an illegitimate number (“Problem with your account, call the bank at 1-800-XXXX”)
5. THE PHONE CALL SOCIAL ENGINEERING – To overcome measures by the bank to protect against fraud, the Dyre Wolf social engineers critical information from the victim
6. THE WIRE TRANSFER – Upwards of $1.5 million USD is quickly and efficiently transferred from the victim’s account to several offshore accounts
7. THE DDOS – Immediately after the theft, a high volume DDoS against the victim starts, in order to distract or hinder investigation
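Added example, not from the deck or from IBM: a small correlator that flags the first three stages of the chain above (mail attachment opened, first-stage executable launched from a user-writable path, then an executable payload downloaded) when they occur on one host inside a short window. The pipe-delimited event format, host names, paths and addresses are all constructed for the example.

```python
"""Correlate endpoint/proxy events into a staged 'attachment -> dropper -> download'
pattern like Upatre fetching Dyre. Event format and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|host|event_type|detail"
SAMPLE_LOG = """\
2015-03-02T09:14:05|WS-117|mail_attachment_opened|invoice_0302.zip
2015-03-02T09:14:31|WS-117|process_start|C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice_0302.exe
2015-03-02T09:15:02|WS-117|http_download|203.0.113.45/stage2.bin content-type=application/octet-stream
2015-03-02T09:16:40|WS-117|process_start|C:\\Users\\jdoe\\AppData\\Roaming\\svchost_upd.exe
2015-03-02T11:02:10|WS-204|mail_attachment_opened|agenda.pdf
2015-03-02T14:30:00|WS-204|http_download|cdn.example.net/update.bin content-type=application/octet-stream
"""

WINDOW = timedelta(minutes=10)          # stages must occur within this span
USER_WRITABLE = ("\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\")  # dropper staging dirs

def parse_events(text):
    """Parse the constructed log into (timestamp, host, event_type, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, etype, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, etype, detail))
    return events

def find_staging_chains(events):
    """Return {host: [attachment_time, exec_time, download_time]} for each host where,
    within WINDOW of a mail attachment being opened, a process started from a
    user-writable directory and an executable payload was then downloaded."""
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        for i, (t0, _, etype, _) in enumerate(evs):
            if etype != "mail_attachment_opened":
                continue
            exec_t = dl_t = None
            for t, _, e2, d2 in evs[i + 1:]:
                if t - t0 > WINDOW:          # outside the window: stop correlating
                    break
                if e2 == "process_start" and exec_t is None and any(p in d2 for p in USER_WRITABLE):
                    exec_t = t               # first stage launched from a staging dir
                elif e2 == "http_download" and exec_t is not None and "octet-stream" in d2:
                    dl_t = t                 # second stage fetched after the dropper ran
                    break
            if exec_t and dl_t:
                hits[host] = [t0, exec_t, dl_t]
                break
    return hits

if __name__ == "__main__":
    for host, times in find_staging_chains(parse_events(SAMPLE_LOG)).items():
        print(f"{host}: possible staged infection chain at {[t.time() for t in times]}")
```

WS-204 opens an attachment but its only download is hours later, so the window rule keeps it out of the alert set; tune WINDOW and the staging-directory list to the telemetry actually available.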
Slide 23
Dyre infections by the numbers
[Bar chart: Dyre infection counts by region (North America, Europe, other, Africa, South America, Australia, Asia); vertical axis 0–2500]
Slide 24
Since traditional security isn’t effective against MAD (massively distributed) APT malware, what can you do to mitigate threats from Citadel or Dyre malware?
Slide 25
IBM has built one of the fastest growing enterprise security portfolios
…and we’re innovating
• 70+ new or updated offerings in the last 12 months
• Major releases in every IBM security domain
[Timeline 2002–2015: IBM Security Systems and IBM Security Services]
Slide 26
IBM Security
Integrated capabilities delivered across a comprehensive security framework
X-Force – Monitor and evaluate today’s threats
QRadar – Detect, analyze, and prioritize threats
Trusteer – Reduce fraud and malware
Identity and Access Management – Manage users and their access
Guardium – Discover and harden valuable assets
AppScan – Secure critical business applications
Network Protection, BigFix, MaaS360 – Protect infrastructure against attacks
Slide 28
Connect with IBM X-Force Research & Development
IBM X-Force Threat Intelligence Quarterly and other research reports: http://www.ibm.com/security/xforce
Twitter: @ibmxforce and @ibmsecurity
IBM X-Force Security Insights Blog: www.SecurityIntelligence.com/topics/x-force
Slide 29
www.ibm.com/security
© Copyright IBM Corporation 2015. All rights reserved.