Post on 19-Aug-2015

Top Security Trends for 2013

Rob Rachwald, Director of Security Strategy, Imperva


© 2012 Imperva, Inc. All rights reserved.

Agenda

+ Trends 2012: A look back
+ Trends 2013: High-level overview
+ Trends 2013: Details on the big 5


Today’s Presenter: Rob Rachwald, Dir. of Security Strategy, Imperva

Research
+ Directs security strategy
+ Works with the Imperva Application Defense Center

Security experience
+ Fortify Software and Coverity
+ Helped secure Intel’s supply chain software
+ Extensive international experience in Japan, China, France, and Australia

Thought leadership
+ Presented at RSA, InfoSec, OWASP, ISACA
+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today

Graduated from University of California, Berkeley


How Did We Do?

+ SSL gets caught in the crossfire
+ HTML5 goes live
+ DDoS moves up the stack
+ Internal collaboration meets its evil twin
+ NoSQL = NoSecurity?
+ The kimono comes off of consumerized IT
+ Anti-social media
+ The rise of the middle man
+ Security (finally) trumps compliance


Trends 2013: Summary

Good News
+ Security will improve for larger, well-funded organizations.
+ Community policing comes to cyber security.


Trends 2013: Summary

Bad News
+ As bigger firms get smarter and more effective, hackers will choose the path of least resistance: small companies.
+ Not surprisingly, hackers will continue to get more sophisticated.


#5: Hacktivism Gets Process Driven


Hacktivism in the Past

Key Problem: Past performance is no guarantee of future returns.


Example


Process Driven: What is it?

In 2012, Hacktivists moved towards awareness campaigns rather than targeted attacks.

Hacktivism awareness means more for less:
+ Arbitrary targets in order to get easy results
+ Automation in all stages of the process
+ More aggressive marketing of Hacktivism campaigns


Example: Team GhostShell

In order to maximize results, Hacktivists now:
1. Target CMS systems with known vulnerabilities and harvest vulnerability databases to collect potential attack vectors
2. For other targets, simply run vulnerability scanners
3. Use Google Dork and error message hunting to locate potential targets within a domain list
4. Use automated injection tools (SQLmap or Havij) to automate the final process of dumping the data
5. Publish the campaign open letters on pastebin.com, and on Facebook and Twitter, to distribute their message


Supporting Evidence

From the TeamGhostShell December hack letter: “ProjectWhiteFox will conclude this year's series of attacks by promoting hacktivism worldwide and drawing attention to the freedom of information on the net.”

It was clear through this group and others that the targets were chosen not by sector or interest, but by the fact that they were vulnerable.


#4: Government Malware Goes Commercial


Military Influence on the Private Sector


The Same Will Hold True in the Cyber World

With Flame and Stuxnet, modern malware has evolved dramatically, which will:

+ Inspire private hackers to follow—Technologies previously attributed to “state sponsored” attacks are going to become commercialized (or commoditized), blurring the difference between Cyber Crime and Cyber War.

+ Increase in compromised insiders—Devices affected by modern malware (APT), representing a “compromised insider” threat, are going to become a more prominent risk factor than malicious insiders.


Malware is Popular in Hacking Communities

2012 Verizon Data Breach Report
• Malware is on the rise: “69% of all data breaches incorporated malware” - a 20% increase over 2011
• Malicious insider incidents declining: “4% of data breaches were conducted by implicated internal employees” - a 13% decrease compared to 2011

Director of National Intelligence
• “Almost half of all computers in the United States have been compromised in some manner and ~60,000 new pieces of malware are identified per day”.


Differences: Commercial vs APT Malware

Commercial
+ Broader target
+ Relies on broader vulnerabilities
+ Purpose is theft

APT
+ Focused
+ Heavily relies on 0-Day
+ Purpose can be theft, espionage or sabotage


Similarities: Commercial vs APT Malware

Similarity #1: Bypass antivirus.

Similarity #2: More sophisticated malware.

+ Some of the modules are larger than 1MB and in some of the instances we tracked the total code size amounted to almost 10MB.

+ We saw version numbers grow substantially over time.

Similarity #3: The command and control structure needs to get bigger and more robust.

+ Managing more, better methods to control the redirection of user traffic to the attacker-controlled server provide improved efficacy and redundancy.

+ Individual operations are able to last a few weeks before being shut down.


The Objective: Compromised Insider

Compromised Insider: A person with no malicious motivation who becomes an unknowing accomplice of third parties who gain access to their device and/or user credentials.


Few Users are Malicious, All Can be Compromised

“Less than 1% of your employees may be malicious insiders, but 100% of your employees have the potential to be compromised insiders.”

Source: http://edocumentsciences.com/defend-against-compromised-insiders


#3: Black Clouds on the Horizon


“Just in Time” Hacking


Some Problems with Hacking Today

Problem #1: Blacklisting by enterprises limits attack duration.

Problem #2: Hackers needed to acquire infrastructure, often illegally, which made matters a bit more complex.


What is it?

We expect to see a growing use of IAAS by attackers for different activities due to:

+ Elasticity: the ability to quickly get hold of a lot of computing resources without too many prerequisites.

+ Cost: the ability to closely tie spending to a specific attack campaign and its potential gain.

+ Resilience: the use of commercial cloud computing platforms reduces the ability of defenders to blacklist attackers and adds much valued latency to the process of server takedown.

Amazon’s EC2 is a good example.


How Does it Work?

1. Steal a credit card

2. Leverage cloud infrastructure for attacks
   • More power
   • Better anonymization

3. Use cloud infrastructure to process bounty
   • Unstructured data or files
   • Data


Examples

+ Fraud and business logic attacks
+ DDoS

Over the past year we have seen a number of attack campaigns in which attackers were deploying attack servers in Amazon EC2 cloud.


#2: Strength in Numbers


A Short History in Community Policing


Strength in Numbers: What is it?

Business and government parties will create collaborative defenses by sharing individual protection data.

+ In order to get the most out of their initial investment in hacking infrastructure, attackers strive to reuse their attack infrastructure against as many targets as possible.

+ When there’s no collaboration between defending parties, each new target has to react to the attack as if it’s new, even though other targets have most likely already experienced the same attack in the past.


The Concept

Use the fact that hackers rely on reusing infrastructure to launch attacks.
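
The collaborative defense described above, as an added Python example that is not part of the original slides: several organizations pool the attack sources they observe, and a replay shows how many attacks each one could have recognized from a peer's earlier report. The organization names, event format and function names are assumptions, and the events are constructed sample data using documentation-range addresses.

```python
from collections import defaultdict

# Constructed sample events: (timestamp, reporting_org, source_ip, attack_type).
# Addresses are taken from the RFC 5737 documentation ranges.
EVENTS = [
    (1, "org-a", "192.0.2.10", "sqli"),
    (2, "org-a", "198.51.100.7", "rfi"),
    (3, "org-b", "192.0.2.10", "sqli"),
    (4, "org-b", "203.0.113.5", "comment-spam"),
    (5, "org-c", "192.0.2.10", "sqli"),
    (6, "org-c", "198.51.100.7", "rfi"),
    (7, "org-c", "203.0.113.99", "sqli"),
]

def build_shared_feed(events, min_orgs=2):
    """Sources reported by at least min_orgs distinct organizations."""
    reporters = defaultdict(set)
    for _, org, src, _ in events:
        reporters[src].add(org)
    return {src for src, orgs in reporters.items() if len(orgs) >= min_orgs}

def replay(events, min_orgs=1):
    """Replay events in time order and mark each one whose source had
    already been reported by at least min_orgs *other* organizations."""
    seen_by = defaultdict(set)
    results = []
    for ts, org, src, _kind in sorted(events):
        others = seen_by[src] - {org}
        results.append((ts, org, src, len(others) >= min_orgs))
        seen_by[src].add(org)
    return results

def coverage(events, min_orgs=1):
    """Per organization: (attacks recognizable from peers, total attacks)."""
    per_org = defaultdict(lambda: [0, 0])
    for _, org, _, known in replay(events, min_orgs):
        per_org[org][0] += known
        per_org[org][1] += 1
    return {org: (hit, total) for org, (hit, total) in per_org.items()}

if __name__ == "__main__":
    print("shared feed:", sorted(build_shared_feed(EVENTS)))
    for org, (hit, total) in sorted(coverage(EVENTS).items()):
        print(f"{org}: {hit}/{total} attacks came from sources a peer had already seen")
```

Raising `min_orgs` trades coverage for confidence: a source must be confirmed by more peers before it counts as known, which lowers the chance of acting on a single organization's false report.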


A Precedent


#1: APT Targets the Little Guy


A Rare Interview


The Details

Highlights the partnership between government, hacking, and industry in China.

Evidence that China is succeeding in its intention to be “the leader in information warfare.”


What is it?

We expect that in 2013 attackers will also extend the practice commonly dubbed as APT to smaller businesses.

+ The industrialization of hacking that successfully automated Web application attacks.

+ Attackers have learned to exploit and profit from compromised Web applications—especially since automation can help uncover poorly protected, smaller companies.

+ Automation and poor protection will help APT hackers target smaller organizations containing valuable information.


Industrialization of Hacking and Automation

[Diagram; labels: Researching Vulnerabilities; Developing Exploits; Growing Botnets; Exploiting Targets; Consuming; Direct Value – i.e. IP, PII, CCN; Command & Control; Malware Distribution; Phishing & Spam; DDoS; Growing Botnets and Exploiting Vulnerabilities; Selecting Targets via Search Engines; Templates & Kits; Centralized Management; Service Model; Roles; Optimization; Automation]


Quantifying Automation


Conclusion


Rebalance the Portfolio


www.imperva.com