Fiaaz Walji, Sr. Director, Websense Canada
“Shift in attacks = shift in Defense”
• 2012 began with a report from IDC stating that “signature-based tools (anti-virus, firewalls and intrusion prevention) are only effective against 30% – 50% of current security threats”
• Much of this can be attributed to how attacks have evolved specifically to counter those defenses
• The Websense® Security Labs™ team produced a report on the key threats and trends
Behind the 2013 Threat Report
Data Collection
Threat Analysis
Expert Interpretation
ThreatSeeker Network
Largest Security Intelligence Network
Up to 5 billion requests per day
900 million global end points
400+ million sites per day
1 billion pieces of content per day
10+ million emails per hour
2.5 billion URLs per day
Chart: # Viruses undetected by Top 5 AV Engines
Areas Covered in this Report
Victims are Everywhere
Attack Vectors (diagram): Social Media, Mobile, Web
Victims are funneled to the Web
Elements shown: Recon, Redirects, XSS, Exploit Kits, Dropper Files, Malware, CnC, Phishing
© 2012 Websense, Inc. Proprietary and Confidential
CYBER KILL CHAIN
Recon → Lure → Redirect → Exploit Kit → Dropper File → Call Home → Data Theft
Victims are funneled to the Web
Web Threats
Chart: Web traffic to financial institutions (FIs)
SOURCE: COMSCORE
Top 5 most popular types of sites compromised
Key Take Away
The web is both an attack vector AND
support for other attack vectors.
Social Media Adoption in Canada
Source: Comscore
Social Media Threats
Example headline carrying a shortened link: “President's Family Emails, Photos Apparently Hacked ow.ly/hxY2a”
32% of malicious links in social media used shortened web links
8. CANADA
KEY TAKE AWAY
As social media use increased in the workplace, so did the exposure of sensitive information.
Mobile Phone Penetration by country
RANK | COUNTRY | # MOBILE PHONES | % OF POPULATION
– | WORLD | Over 5.6 billion | 80%
1 | CHINA | 1,020,000,000 | 75%
2 | INDIA | 919,170,000 | 76%
3 | USA | 327,577,529 | 103%
4 | BRAZIL | 250,800,000 | 130%
5 | INDONESIA | 250,100,000 | 105%
6 | RUSSIA | 224,260,000 | 154%
35 | CANADA | 25,543,862 | 74%
Source: Comscore; Dec 2011
British Columbia ranks #1 in Canada in smartphones per capita
43% of Canadian smartphone subscribers own a connected device
47% of Canadians with smartphones would consider using them like credit cards (CIBC poll by Harris/Decima, Jul 2012)
More Canadians are accessing online banking through their smartphones
SOURCE: COMSCORE
Method of Access
SOURCE: COMSCORE
1 billion apps were downloaded in the last week of 2012
Source: Flurry
Mobile Threats
• Social media: #2 use of smartphones
• Lost devices
• Malicious URLs
• Exploitable technologies
• App stores
Mobile Apps
• SMS abused by 82 percent of malicious apps
  – SEND_SMS
  – RECEIVE_SMS
  – READ_SMS
  – WRITE_SMS
• 1 in 8 malicious apps: RECEIVE_WAP_PUSH
• 1 in 10 malicious apps: INSTALL_PACKAGES
Malicious "Top 20" Android permissions, with each permission's rank in the legitimate "Top 20" (X = not in the legitimate top 20)
Malicious rank | Permission | Legitimate rank
1 | INTERNET | 1
2 | READ_PHONE_STATE | 3
3 | SEND_SMS | X
4 | WRITE_EXTERNAL_STORAGE | 4
5 | ACCESS_NETWORK_STATE | 2
6 | RECEIVE_SMS | X
7 | READ_SMS | X
8 | RECEIVE_BOOT_COMPLETED | 11
9 | CALL_PHONE | 17
10 | WAKE_LOCK | 9
11 | ACCESS_COARSE_LOCATION | 6
12 | VIBRATE | 8
13 | RECEIVE_WAP_PUSH | X
14 | ACCESS_FINE_LOCATION | 7
15 | WRITE_SMS | X
16 | ACCESS_WIFI_STATE | 5
17 | GET_TASKS | 10
18 | SET_WALLPAPER | 14
19 | READ_CONTACTS | 15
20 | INSTALL_PACKAGES | X
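The table above is most useful as a triage rule: the six permissions that rank in the malicious top 20 but never in the legitimate top 20 (SEND_SMS, RECEIVE_SMS, READ_SMS, WRITE_SMS, RECEIVE_WAP_PUSH, INSTALL_PACKAGES) are cheap to check in any APK's manifest. The following is an added example, not code from the Websense report: it parses an AndroidManifest.xml with the Python standard library and reports which of those permissions an app requests. The rank table is transcribed from the slide; the two manifests are constructed for the demo, and treating "malware-only" permissions as a triage signal rather than a verdict is this example's own assumption.

```python
"""Triage an AndroidManifest.xml against the slide's "Top 20" permission ranks.

Added example, not code from the Websense report. The rank table is
transcribed from the slide; the two manifests below are constructed for
the demo; the triage rules are this example's own assumption.
"""
import xml.etree.ElementTree as ET

# permission -> (rank in malicious top 20, rank in legitimate top 20 or None)
PERMISSION_RANKS = {
    "INTERNET": (1, 1),
    "READ_PHONE_STATE": (2, 3),
    "SEND_SMS": (3, None),
    "WRITE_EXTERNAL_STORAGE": (4, 4),
    "ACCESS_NETWORK_STATE": (5, 2),
    "RECEIVE_SMS": (6, None),
    "READ_SMS": (7, None),
    "RECEIVE_BOOT_COMPLETED": (8, 11),
    "CALL_PHONE": (9, 17),
    "WAKE_LOCK": (10, 9),
    "ACCESS_COARSE_LOCATION": (11, 6),
    "VIBRATE": (12, 8),
    "RECEIVE_WAP_PUSH": (13, None),
    "ACCESS_FINE_LOCATION": (14, 7),
    "WRITE_SMS": (15, None),
    "ACCESS_WIFI_STATE": (16, 5),
    "GET_TASKS": (17, 10),
    "SET_WALLPAPER": (18, 14),
    "READ_CONTACTS": (19, 15),
    "INSTALL_PACKAGES": (20, None),
}

# Common enough in malware to rank, but absent from legitimate apps' top 20.
MALWARE_ONLY = {p for p, (_, legit) in PERMISSION_RANKS.items() if legit is None}
SMS_PERMS = {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "WRITE_SMS"}

# Manifest attributes are namespaced: android:name parses as {uri}name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def requested_permissions(manifest_xml):
    """Return the short names of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        full = node.get(ANDROID_NS + "name", "")
        if full:
            perms.add(full.rsplit(".", 1)[-1])  # android.permission.SEND_SMS -> SEND_SMS
    return perms


def triage(manifest_xml):
    """Summarise the permission profile; 'malware_only' is the triage signal."""
    perms = requested_permissions(manifest_xml)
    return {
        "permissions": sorted(perms),
        "malware_only": sorted(perms & MALWARE_ONLY),
        "sms_abuse": bool(perms & SMS_PERMS),      # the 82% pattern on the slide
        "can_self_install": "INSTALL_PACKAGES" in perms,
        "starts_at_boot": "RECEIVE_BOOT_COMPLETED" in perms,
    }


# Constructed manifests for the demo (not real apps).
FLASHLIGHT_SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <application android:label="Flashlight"/>
</manifest>"""

WEATHER_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("flashlight", FLASHLIGHT_SUSPECT), ("weather", WEATHER_BENIGN)):
        result = triage(manifest)
        print(label, result["malware_only"], "sms_abuse=%s" % result["sms_abuse"])
```

A flashlight that wants to send and receive SMS, start at boot and install packages is the profile the slide describes; the weather app's set sits entirely inside the legitimate top 20. Run it over the decoded manifest of any APK (for example the output of apktool) to get the same signal on real input.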
KEY TAKE AWAY
Data stored on and accessed through a mobile device are at risk: there is minimal control of web, email and social media traffic and access.
Lost devices are also a risk.
Email Threats
• Only 1 in 5 emails were safe and legitimate
Charts: Email Breakdown by Content & URLs; Email Breakdown by Content Only
Spam
• 92% of spam emails contain URLs
• Spam distribution rate: 250,000 per hour
Top 5 Malicious Web Link categories in Spam Email
1. Potentially Damaging Content: suspicious sites with little or no useful content.
2. Web and Email Spam: sites used in unsolicited commercial email.
3. Malicious Websites: sites containing malicious code.
4. Phishing and Other Frauds: sites that counterfeit legitimate sites to elicit information.
5. Malicious Embedded iFrame: sites infected with a malicious iframe.
Phishing
• Increasingly focused on commercial & government targets
• 69% sent on Mondays & Fridays
• More targeted
  – Regionalized
  – Spear phishing on the rise
Top 5 Countries Hosting Phishing
KEY TAKE AWAYS
• Email-based threats evolved significantly to circumvent keyword, reputation and other traditional defenses.
• Increased spear-phishing.
• Cybercriminals added a “time-delay” to some targeted attacks.
• >50% of users accessed email from outside the corporate network.
Top 10 Countries Hosting Malware
• United States
• Russian Federation
• Germany
• China
• Moldova
• Czech Republic
• United Kingdom
• France
• Netherlands
• Canada
Organizations can no longer dismiss malware threats as solely an English-language or American phenomenon.
Malware
• More aggressive
  – 15% connected in the first 60 sec.
  – 90% requested information
  – 50% accessed dropper files
Top 10 Countries Hosting CnC Servers
KEY TAKE AWAY
Today's malware is more dynamic and agile, adapting to an infected system within minutes.
Half of web-connected malware downloaded additional executables in the first 60s.
The remainder proceeded more cautiously, often a calculated response to bypass short-term sandbox defenses.
Data Theft
Planned data theft attacks through cyberspace grew last year, targeting high-value intellectual property (IP) and using all available vectors.
PII value/target remained flat.
KEY TAKE AWAY
• Remove temptation; mitigate accidental loss through security improvements
• Address growing SSL/TLS usage
• Provide an integrated approach to monitoring and controlling both inbound and outbound content
Real World Example: Boston Tragedy, mapped to the kill chain
Recon
Lure: shocking news lures in email & SEO leading to the web redirect.
Redirect: video page of the drama with a hidden malicious iFrame.
Exploit Kit: Redkit exploit kit leverages CVE-2013-0422, an Oracle Java 7 known vulnerability.
Dropper File: two known bot infection files allowing remote control of the infected system.
Call Home: two known botnet families register newly infected systems & open them to commands.
Data Theft: cyber criminals now control infected systems and targeted data.
A topical or event-based campaign: it attempts to propagate as widely as possible, rather than being directed at specific individuals or organizations.
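The Redirect stage above hinges on one injected tag: a hidden iframe on an otherwise legitimate video page that silently loads the exploit-kit landing page. The following is an added example, not code from the Websense report or from the Redkit campaign: it parses page HTML with the Python standard library and reports iframes that are visually hidden, noting when they point off-site. The page is constructed, and the hiding heuristics (0 or 1 px size, display:none or visibility:hidden, off-screen positioning) are this example's own assumptions about what a "hidden malicious iFrame" looks like; a third-party src alone is not treated as suspicious because legitimate video embeds are third-party too.

```python
"""Spot hidden <iframe> injections of the kind used at the Redirect stage.

Added example, not code from the Websense report or the Redkit campaign.
The page below is constructed; the heuristics (tiny size, CSS hiding,
off-screen placement, third-party src) are this example's own assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def css_hides(style):
    """True for display:none, visibility:hidden, or placement far off-screen."""
    s = style.replace(" ", "").lower()
    if "display:none" in s or "visibility:hidden" in s:
        return True
    m = re.search(r"(?:left|top):(-\d+)px", s)
    return bool(m) and int(m.group(1)) <= -500


def tiny_dimension(value):
    """width/height of 0 or 1 (px); '100%', '640' or missing is not tiny."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


def hidden_iframes(page_html, page_host):
    """Return [{'src', 'reasons'}] for every iframe that is visually hidden.

    A third-party src is appended as an extra reason, never a trigger on
    its own: legitimate video embeds are third-party as well.
    """
    collector = IframeCollector()
    collector.feed(page_html)
    findings = []
    for f in collector.iframes:
        reasons = []
        if tiny_dimension(f.get("width", "")) or tiny_dimension(f.get("height", "")):
            reasons.append("tiny")
        if css_hides(f.get("style", "")):
            reasons.append("css-hidden")
        if not reasons:
            continue
        src = f.get("src", "")
        host = urlparse(src).hostname or page_host   # relative src stays on-site
        if host != page_host:
            reasons.append("third-party:" + host)
        findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed "video page" (not the real compromised site): one legitimate,
# visible embed plus an injected 1x1 hidden iframe to an exploit-kit landing.
VIDEO_PAGE = """<html><body>
<h1>Video: breaking news from Boston</h1>
<iframe src="https://video.example/embed/abc123" width="640" height="360"></iframe>
<p>Footage from a spectator's phone.</p>
<iframe src="http://evil.example/in.php" width="1" height="1"
        style="visibility: hidden; position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in hidden_iframes(VIDEO_PAGE, "news.example"):
        print(hit["src"], ", ".join(hit["reasons"]))
```

On the constructed page only the 1x1, CSS-hidden iframe to evil.example is reported; the 640x360 video embed is third-party but visible, so it is left alone. The same function works on a page fetched by a crawler or pulled from a proxy log, which is the "point-of-click" position the conclusion below argues for.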
Conclusion
• Primary attack foundation was the Web
  – Threats increased across all vectors
  – Attacks grew more: aggressive; dynamic; multi-staged; multi-vector
• Defenses must adapt:
  – Real-time point-of-click; inbound & outbound; content & context inspection
• MDM capabilities must be augmented
  – Defenses to control mobile access; perform real-time analysis of potentially malicious content across all vectors.
• Email security requires real-time threat analysis
  – Must be coordinated with web, mobile and other defenses.
• Malware defenses need to monitor both inbound and outbound
  – HTTP and HTTPS traffic to prevent infection and detect CnC communications