
Post on 30-Mar-2015


Fiaaz Walji, Sr. Director, Websense Canada

“Shift in attacks = shift in Defense”

• 2012 began with a report from IDC stating “Signature-based tools (anti-virus, firewalls and intrusion prevention) are only effective against 30% – 50% of current security threats”

• Much of this can be attributed to how attacks have evolved to specifically counter those defenses

• Websense® Security Labs™ team produced a report on the key threats and trends

Behind the 2013 Threat Report


Data Collection

Threat Analysis

Expert Interpretation


ThreatSeeker Network

Largest Security Intelligence Network

• Up to 5 billion requests per day

• 900 million global end points

• 400+ million sites per day

• 1 billion pieces of content per day

• 10+ million emails per hour

• 2.5 billion URLs per day

# Viruses undetected by Top 5 AV Engines


Areas Covered in this Report


Victims are Everywhere


Attack Vectors: Web, Email, Social Media, Mobile

Victims are funneled to the Web

[Diagram: Recon, Redirects, Malware, XSS, Dropper Files, CnC, Exploit Kits, Phishing]

© 2012 Websense, Inc. Proprietary and Confidential

Victims are funneled to the Web

CYBER KILL CHAIN: Recon, Lure, Redirect, Exploit Kit, Dropper File, Call Home, Data Theft

Web Threats


Web traffic To FI’s

SOURCE: COMSCORE

Top 5 most popular types of sites compromised


Key Take Away

The web is both an attack vector AND support for other attack vectors.

Social Media Adoption in Canada


Source: Comscore


Social Media Threats

Presidents Family Emails, Photos Apparently Hacked ow.ly/hxY2a

32% of malicious links in social media used shortened web links

8. CANADA

KEY TAKE AWAY

As social media use increased in the workplace, so did the exposure of sensitive information

Mobile Phone Penetration by country

RANK  COUNTRY    # MOBILE PHONES    % OF POPULATION
      WORLD      Over 5.6 billion   80%
1     CHINA      1,020,000,000      75%
2     INDIA      919,170,000        76%
3     USA        327,577,529        103%
4     BRAZIL     250,800,000        130%
5     INDONESIA  250,100,000        105%
6     RUSSIA     224,260,000        154%
35    CANADA     25,543,862         74%

Source: Comscore ; Dec 2011

British Columbia ranks #1 in Canada in smartphone/capita

43% of Canadian smartphone subscribers own a connected device

47% of Canadians with Smartphones would consider using them like credit cards. (CIBC poll by Harris/Decima, Jul 2012)

More Canadians are accessing online banking through their smartphones

SOURCE: COMSCORE


Method of Access

SOURCE: COMSCORE

1 Billion Apps were downloaded in the last week of 2012

Source: Flurry

Mobile Threats

• Social Media: #2 use of Smartphones

• Lost Device

• Malicious URLs

• Exploitable technologies

• App Stores

Mobile Apps

• SMS abused by 82 percent of malicious apps

– SEND_SMS

– RECEIVE_SMS

– READ_SMS

– WRITE_SMS

• 1 in 8: RECEIVE_WAP_PUSH

• 1 in 10: INSTALL_PACKAGES

Malicious "Top 20"  Android Permission Type   Legitimate "Top 20"
1                   INTERNET                  1
2                   READ_PHONE_STATE          3
3                   SEND_SMS                  X
4                   WRITE_EXTERNAL_STORAGE    4
5                   ACCESS_NETWORK_STATE      2
6                   RECEIVE_SMS               X
7                   READ_SMS                  X
8                   RECEIVE_BOOT_COMPLETED    11
9                   CALL_PHONE                17
10                  WAKE_LOCK                 9
11                  ACCESS_COARSE_LOCATION    6
12                  VIBRATE                   8
13                  RECEIVE_WAP_PUSH          X
14                  ACCESS_FINE_LOCATION      7
15                  WRITE_SMS                 X
16                  ACCESS_WIFI_STATE         5
17                  GET_TASKS                 10
18                  SET_WALLPAPER             14
19                  READ_CONTACTS             15
20                  INSTALL_PACKAGES          X

KEY TAKE AWAY

Data stored on and accessed through a mobile device are at risk

minimal control of web, email and social media traffic and access.

Lost devices are also a risk.

Email Threats

• Only 1 in 5 emails were safe and legitimate

Email Breakdown by Content & URLs

Email Breakdown by Content Only

Spam

• 92% of Spam emails contain URLs

• Spam distribution rate: 250,000 per hour

Top 5 Malicious Web Links in Spam Email

1 Potentially Damaging Content: Suspicious sites with little or no useful content.

2 Web and Email Spam: Sites used in unsolicited commercial email.

3 Malicious Websites: Sites containing malicious code.

4 Phishing and Other Frauds: Sites that counterfeit legitimate sites to elicit information.

5 Malicious Embedded iFrame: Sites infected with a malicious iframe.

Phishing

• Increasingly focused on Commercial & Govt

• 69% sent on Mondays & Fridays

• More Targeted

– Regionalized

– Spear phishing on the rise

Top 5 Countries Hosting Phishing

KEY TAKE AWAYS

Email-based threats evolved significantly to circumvent keyword, reputation and other traditional defenses.

Increased spear-phishing.

Cybercriminals added a “time-delay” to some targeted attacks,

>50% of users accessed email from outside the corporate network.

Top 10 Countries Hosting Malware

United States

Russian Federation

Germany

China

Moldova

Czech Republic

United Kingdom

France

Netherlands

Canada

Organizations can no longer dismiss malware threats as solely an English-language or American phenomenon.

Malware

• More aggressive

– 15% connected in first 60 sec.

– 90% requested information

– 50% accessed dropper files

Top 10 Countries Hosting CnC Servers

KEY TAKE AWAY

Today’s malware is more dynamic and agile, adapting to an infected system within minutes.

Half of web-connected malware downloaded additional executables in the first 60s

The remainder proceeded more cautiously—often a calculated response to bypass short-term sandbox defenses

Data Theft

Planned data theft attacks through cyberspace grew last year, targeting high value intellectual property (IP) and using all available vectors

PII value/target remained flat

KEY TAKE AWAY

Remove temptation; mitigate accidental loss through security improvements

address growing SSL/TLS usage, provide an integrated approach to monitoring and controlling both inbound and outbound content

Real World Example: Boston Tragedy

Recon, Lure, Redirect, Exploit Kit, Dropper File, Call Home, Data Theft

• Shocking news lures in email & SEO leading to the web redirect.

• Video page of the drama with a hidden malicious iFrame

• Redkit exploit kit leverages CVE-2013-0422, a known Oracle Java 7 vulnerability.

• Two known bot infection files allowing remote control of infected system.

• Two known botnet families register newly infected systems & open to commands

• Cyber criminals now control infected systems and targeted data

• topical or event-based campaigns, attempts to propagate as widely as possible, rather than being directed at specific individuals or organizations.

topical or event-based campaigns, attempts to

propagate as widely as possible,

rather than being directed

at specific individuals or

organizations.

Conclusion

• Primary attack foundation was the Web

– Threats increased across all vectors

– Attacks grew more: Aggressive ; Dynamic ; Multi-staged ; Multi-vector

• Defenses must adapt:

– Real-time point-of-click ; Inbound & outbound ; Content & Context inspection

• MDM capabilities must be augmented

– defenses to control mobile access ; perform real-time analysis of potentially malicious content across all vectors.

• Email security requires real-time threat analysis

– Must be coordinated with web, mobile and other defenses.

• Malware defenses need to monitor both inbound and outbound

– HTTP and HTTPS traffic to prevent infection and detect CnC communications

Thank You

www.websense.com/2013predictions