ht seminar uniten-cyber security threat landscape

CYBER THREAT LANDSCAPE HARIS TAHIR 18 NOVEMBER 2016

Upload: haris-tahir

Post on 12-Apr-2017


Page 2: Ht seminar uniten-cyber security threat landscape

All images used in this presentation are for educational purposes only. All images are either in the public domain and not subject to copyright, or they have been purchased from the relevant websites. Any and all marks used throughout this presentation are trademarks of their respective owners.

ONE: Introduction (setting the right expectations)

TWO: Top Cyber Threats (the current threat landscape)

THREE: Key Trends (Asia Pacific region)

FOUR: Mitigation (for better information security)

Page 3: Ht seminar uniten-cyber security threat landscape

What is Cyber Threat Landscape?

Threat Actor

Attack Vectors

Threat Agents

The Cyber Threat Landscape is a list of threats containing information about threat agents and attack vectors affecting the Information Security assurance and/or objective.

Page 4: Ht seminar uniten-cyber security threat landscape

How many kinds of Threat Landscape?

Region

Group of assets

Sector

Page 5: Ht seminar uniten-cyber security threat landscape

Factors leading to change of threat landscape

[Diagram: relationships between Owners, Security control, Vulnerabilities, Risks, Assets, Threat agents, Attack vectors and Threats. Arrow labels: use, based on, to, increase, that exploit, give rise to, leading to, may be aware of these, impose, wish to abuse and/or damage, reduce, reevaluate, reduced by, wish to minimise.]

Page 6: Ht seminar uniten-cyber security threat landscape

Factors leading to change of threat landscape

[Diagram: the same relationships between Owners, Security control, Vulnerabilities, Risks, Assets, Threat agents, Attack vectors and Threats, with two annotations added: "capabilities change over time" and "introduction of new people, process and technology".]

Page 8: Ht seminar uniten-cyber security threat landscape

# cyber threat landscape 2014 and 2015

Overview and comparison of cyber threat landscape

| Top Threats 2014 Ranking | Top Threats 2015 Ranking | Ranking Status |
|---|---|---|
| Malware | Malware | |
| Web-based attacks | Web-based attacks | |
| Web application attacks | Web application attacks | |
| Botnets | Botnets | |
| Denial of service | Denial of service | |
| Spam | Physical damage/theft/loss | |
| Phishing | Insider threat | |
| Exploit kits | Phishing | |
| Data breaches | Spam | |
| Physical damage/theft/loss | Exploit kits | |
| Insider threat | Data breaches | |
| Cyber espionage | Ransomware | |
| Ransomware | Cyber espionage | |

Legends:

Trends: Declining, Stable, Increasing

Ranking: Going up, Same, Going down

Page 9: Ht seminar uniten-cyber security threat landscape

Top Cyber Threat: malicious software

A 20-year-old malware infection method is still in use (Microsoft Office documents via Visual Basic macros)

Conficker is still in the wild (the 7-year-old worm accounts for 37% of infections)

Malicious URLs are increasing compared to malicious email attachments

Innovation in mobile devices slows down mobile malware

Apple store and app stores remain a main target for “packaging” and spreading of malware

[Chart: Top Countries Infected: 60%, 60%, 58%, 58%, 58%]

[Chart: Top Countries Hosting Malware: 50%, 12%, 8%, 5%, 3%]

Page 10: Ht seminar uniten-cyber security threat landscape

Top Cyber Threat: web based attack

Social networking and social media became important tactics for infection campaigns

90% of bad URLs are used for spam (they change within hours or minutes)

Malicious advertising (malvertising) campaigns use 4000 different names and 500 domains

Top Countries Hosting Malicious URLs: United States 40%, Russia 6%, Portugal 3%, Netherlands 2%

Page 11: Ht seminar uniten-cyber security threat landscape

Top Cyber Threat: web application attack

30-55% of web sites are vulnerable to web application attacks

Lack of transport layer protection, information leakage, XSS, brute force, content sniffing, cross-site request forgery and URL redirection

Top Targeted Countries: United States 80%, Brazil 7%, China 4%, Others 9%

[Chart: Top Web Attacks. Categories: LFI, SQLi, Shellshock. Values: 18%, 28%, 40%]

Page 12: Ht seminar uniten-cyber security threat landscape

Top Cyber Threat: Botnets

Between 20% and 40% of DDoS attacks have a botnet fingerprint

Botnets have reached market maturity in the area of cybercrime-as-a-service (CaaS)

The average lifetime of a botnet is estimated at 38 days, and the average size of a single botnet is 1700 infected servers

Botnet operators favour rogue virtual machines for C2 server infrastructure

US, Ukraine, Russia, The Netherlands, Germany, Turkey, France, UK, Vietnam and Romania

Page 13: Ht seminar uniten-cyber security threat landscape

Top Cyber Threat: Insider Threat

Reduced care, insufficient training, increased work load, inconvenience of security policies, users do not take security seriously

Many companies do not have an insider threat prevention program

Increasing monetization opportunities created by cyber-criminals or cyber-espionage

Ineffective security measures for Bring Your Own Device (BYOD) and open Wi-Fi

Page 15: Ht seminar uniten-cyber security threat landscape

Key trends: Asia Pacific region

Breaches in APAC never make the news headlines

Unprepared to identify and respond to breaches

Detection period too long

Tools exclusively target organizations within APAC

Failed to eradicate

Page 16: Ht seminar uniten-cyber security threat landscape

APAC incident response statistics for 2015

| Characteristic | Quantity (average) |
|---|---|
| Number of days compromise went undiscovered | 520 |
| Number of machines analysed in an organization | 21,584 |
| Number of machines compromised by threat actor | 78 |
| Number of user accounts compromised by threat actor | 10 |
| Number of admin accounts compromised by threat actor | 3 |
| Amount of stolen data | 3.7 GB |

Page 17: Ht seminar uniten-cyber security threat landscape

APAC threat actor main objectives

Email: 40%

Sensitive Docs: 20%

Personally Identifiable Information (PII): 20%

Infrastructure Docs: 20%

Page 18: Ht seminar uniten-cyber security threat landscape

Case study: how did it happen?

Attack lifecycle model with classic attacker techniques

Initial Attack
• Social engineering
• Internet-based attack
• Via service provider

Establish Foothold
• Custom malware
• Command and control
• Web-based backdoor

Internal Recon

Escalate Privileges
• Credential theft
• Password cracking
• “Pass-the-hash”
• Local root/admin exploitation

Complete Missions
• Staging servers
• Data consolidation
• Data theft

Lateral movement
• net use commands
• smbclient commands
• mount commands
• reverse shell access

Maintain Access
• Backdoors
• VPN
• Sleeper malware
• Account abuse
• Service provider

Page 19: Ht seminar uniten-cyber security threat landscape

Case study: social engineering

Reconnaissance

Develop attack vector

Distribution medium

Remote Access

Page 20: Ht seminar uniten-cyber security threat landscape

Case study: reconnaissance

passive recon

4 pdf docs, 66 employee details

haveibeenpwned.com: 109 email addresses used in different sites

208 employee details (mostly email) from online contacts database

105 profiles

780 email addresses from an unprotected site

Search engines, associated forums, websites, social networks etc.

passive recon

Assistant manager HR services

Assistant Vice President

Company secretary

Executive secretary

Human resources dev & training consultant

Legal counsel

Project executive

Senior HR manager

Senior Vice President

Vice President

Clerk

Page 21: Ht seminar uniten-cyber security threat landscape

Case study: develop attack vector

Generic content

| File type | Status |
|---|---|
| EXE | Quarantined/blocked |
| DLL | Quarantined/blocked |
| JavaScript | Quarantined/blocked |
| MSI File | Quarantined/blocked |
| Double extension | Quarantined/blocked |
| CVE-15-1641 doc | Quarantined/blocked |
| PowerShell cmd | Quarantined/blocked |
| Java code | Quarantined/blocked |
| ASP code | Quarantined/blocked |
| Docx (encrypted) | Quarantined/blocked |
| Docx | Quarantined/blocked |
| Phishing link | Quarantined/blocked |

Page 22: Ht seminar uniten-cyber security threat landscape

Case study: develop attack vector

Non-generic content

| File type | Status |
|---|---|
| EXE | Quarantined/blocked |
| DLL | Deleted |
| JavaScript | Quarantined/blocked |
| MSI File | Quarantined/blocked |
| Double extension | Deleted |
| CVE-15-1641 doc | Delivered |
| PowerShell cmd | Delivered |
| Java code | Delivered |
| ASP code | Deleted |
| Docx (encrypted) | Delivered |
| Docx | Delivered |
| Phishing link | Delivered |

Page 23: Ht seminar uniten-cyber security threat landscape

Case study: distribution medium

Email

Packet injection

USB drop

Page 24: Ht seminar uniten-cyber security threat landscape

Case study: distribution medium

Page 25: Ht seminar uniten-cyber security threat landscape

Case study: remote access

Page 27: Ht seminar uniten-cyber security threat landscape

Technology is not enough

Listen to the expert

Bruce Schneier, Security Technologist, Cryptographer and Author

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”

Eric Schmidt, Chairman and CEO, Google

“The Internet is the first thing that humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we have ever had”

Page 28: Ht seminar uniten-cyber security threat landscape

No single unique solution to protect the people

People

Application

Presentation

Session

Transport

Network

Data Link

Physical

Lower Layers

Upper Layers

Most difficult to secure and the weakest link in the security chain

Page 29: Ht seminar uniten-cyber security threat landscape

Security

People

Process Technology

Continuous process, not a static state

Page 30: Ht seminar uniten-cyber security threat landscape

Securing the human: it starts with you

Metric

Long term sustainment

Promoting awareness & change

Compliance focused

Non-existent

Page 31: Ht seminar uniten-cyber security threat landscape

“thank you” “gracias” “terima kasih” “謝謝” “dankie” “je ve remerci” “धन्यवाद”

“Спасибо” “takk skal du ha” “고맙습니다” “hvala ti” “ありがとうございました” HARIS TAHIR

18 NOVEMBER 2016