Top Security Trends for 2014

DESCRIPTION
Imperva's dedicated research organization, the Application Defense Center (ADC), constantly monitors hackers - and their attack methods - to isolate the most relevant attack campaigns. Based on this research data, the ADC has identified the top trends poised to have the most significant impact on the security landscape in 2014. This presentation outlines the trends that will resonate across the globe in the upcoming year, such as the return of compromised web servers, the rise of cloud platform breaches, and the spread of 3rd party application vulnerabilities.

TRANSCRIPT
© 2013 Imperva, Inc. All rights reserved.
Top Security Trends for 2014
Amichai Shulman, CTO, Imperva
Agenda

§ Introduction
§ 2013 forecast scorecard
§ 2014 security trends
§ Summary and conclusion
§ Q&A
Amichai Shulman – CTO, Imperva

§ Speaker at industry events
  • RSA, Appsec, Info Security UK, Black Hat
§ Lecturer on information security
  • Technion - Israel Institute of Technology
§ Former security consultant to banks and financial services firms
§ Leads the Imperva Application Defense Center (ADC)
  • Discovered over 20 commercial application vulnerabilities
§ Credited by Oracle, MS-SQL, IBM and others

Amichai Shulman, one of InfoWorld's "Top 25 CTOs"
2013 Forecast Scorecard

    Trend                                  Score
  1 Hacktivism gets process driven         C
  2 Government malware goes commercial     B+
  3 Black clouds on the horizon            B+
  4 Community policing                     A
  5 APT targets the little guy             A
#1 - 3rd Party is "No Party"
Known Vulnerabilities: The Known Knowns

§ "There are known knowns; these are things we know that we know…"
  • Donald Rumsfeld, U.S. Secretary of Defense, February 2002
§ 3rd party known vulnerabilities
  • Vulnerable components (e.g., framework libraries) can be identified and exploited (OWASP: https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities)
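A defender's first step against the "known knowns" is an inventory check: compare the components an application actually ships against the advisories published for those components. The Python below is an added example, not part of Imperva's deck or of any Imperva tool. It uses a constructed dependency manifest and a hand-written advisory list; the CVE ids for PHP and phpMyAdmin are the two this deck cites, but the version ranges attached to them here are illustrative, and the Struts entry uses a placeholder id (CVE-2014-1234567) only to exercise the longer sequence numbers the CVE syntax allows from 2014 onward. Real version boundaries must be taken from the vendor or NVD advisory.

```python
import re
from dataclasses import dataclass

# CVE id syntax after the 2014 change: a four-digit year followed by a
# sequence number of four OR MORE digits (the old syntax allowed exactly four).
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_id_is_valid(cve_id: str) -> bool:
    return CVE_ID_RE.fullmatch(cve_id) is not None


def parse_version(text: str) -> tuple:
    """Turn '5.3.2' into (5, 3, 2) so versions compare numerically, not as
    strings (a string compare wrongly rates '3.4.10' below '3.4.3').
    Parsing stops at the first component without a leading digit."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """a < b, padding the shorter tuple with zeros so 3.4.3 == 3.4.3.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


@dataclass(frozen=True)
class Advisory:
    component: str
    cve_id: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)


# Constructed advisory list for the example. The two real ids are the ones the
# deck cites; their version ranges here are illustrative only. The Struts id
# is a PLACEHOLDER, present only to show the post-2014 longer id syntax.
ADVISORIES = [
    Advisory("php", "CVE-2010-3065", "5.2.0", "5.3.3"),
    Advisory("phpmyadmin", "CVE-2011-2505", "3.4.0", "3.4.3.1"),
    Advisory("struts", "CVE-2014-1234567", "2.0.0", "2.3.20"),
]

# Constructed dependency manifest: one "component==version" per line.
SAMPLE_MANIFEST = """\
# constructed example manifest
php==5.3.2
phpmyadmin==3.4.3
struts==2.3.16
openssl==1.0.1e  # no advisory in our list, so it is not reported
"""


def parse_manifest(text: str) -> dict:
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        name, sep, ver = line.partition("==")
        if sep:
            deps[name.strip().lower()] = ver.strip()
    return deps


def find_known_vulnerable(deps: dict, advisories=ADVISORIES) -> list:
    """Return (component, installed_version, cve_id) for every dependency whose
    version falls inside an advisory's [introduced, fixed) range."""
    hits = []
    for adv in advisories:
        if not cve_id_is_valid(adv.cve_id):
            raise ValueError(f"malformed CVE id in advisory: {adv.cve_id}")
        ver = deps.get(adv.component.lower())
        if ver is None:
            continue
        if not version_lt(ver, adv.introduced) and version_lt(ver, adv.fixed):
            hits.append((adv.component, ver, adv.cve_id))
    return hits


if __name__ == "__main__":
    for component, ver, cve in find_known_vulnerable(parse_manifest(SAMPLE_MANIFEST)):
        print(f"{component} {ver}: affected by {cve}")
```

The version comparison is the part that usually goes wrong in home-grown checks: comparing version strings lexically, or treating "3.4.3" and "3.4.3.0" as different, silently hides affected components. The same manifest-versus-advisory loop is what a dependency-checking tool automates; the value is in running it against an inventory that IT operations actually maintains, which the next slides argue is the missing piece.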
Rich Attack Surface

According to Veracode:
  • Up to 70% of internally developed code originates outside of the development team
  • 28% of assessed applications are identified as created by a 3rd party
Security Falls Between the Cracks

§ Application developers
  • Introduce 3rd party code into the system
  • Not responsible for 3rd party code security (or quality)
  • Not responsible for run-time configuration of 3rd party components
§ IT operations
  • Not always aware of 3rd party components
    § Web server type is more visible than a library
  • Reluctant to change configuration settings that might impact application behavior
2014 Forecast: Bigger! Stronger! Faster!

§ Bigger! – More vulnerabilities!
§ Stronger! – As a result of the vulnerabilities' market richness, attackers will create vulnerability "mash-ups," combining several different vulnerabilities together
§ Faster! – Shorter time from a vulnerability's full disclosure to exploits in the wild

Source: http://cdn.thinksteroids.com
Bigger! Disclosure Rate Increases

§ More software + more security researchers + more bounty programs = more vulnerability disclosures
§ The CVE ID enumeration syntax was changed to track more than 10,000 vulnerabilities in a single year, starting in 2014
Stronger! Vulnerabilities "Mash-Up"

§ Take several "cheap" (low CVSS impact score) known vulnerabilities
  • CVE-2010-3065: PHP
    § NIST assigned impact score: 2.9
  • CVE-2011-2505: PHPMyAdmin session modification vulnerability
    § NIST assigned impact score: 4.9
§ To create a shining exploit
  • PHPMyAdmin full server takeover exploit
  • Effective impact score: a perfect 10
§ Read more in Imperva's HII report: http://www.imperva.com/docs/HII_PHP_SuperGlobals_Supersized_Trouble.pdf
Stronger! 1 + 1 = 3
Faster! Vulnerability Weaponization

§ Since a vulnerability has a limited time span, attackers strive for faster vulnerability weaponization
§ We have witnessed weaponization time cut from weeks to days
§ Infrastructure is the key to fast weaponization
  • Exploit code is often publicly available
  • Dormant botnets are ready to launch the attack
  • Command and Control (C2) servers and zombies support
    § Dynamic content
    § Dynamic targets
#2 - Server Based APT Alternative
Web Server Infection is the New Black

§ Goals of infecting corporate workstations
  • Harness computing resources
    § Network bandwidth to be used in DDoS attacks
    § CPU power to mine Bitcoins
  • Use as a bridgehead into the corporate datacenter
§ Both goals are better achieved by targeting web servers
  • More powerful
  • Inherently connected to the corporate datacenter
Traditional Infiltration Attack
Why Start with Web Servers?

§ Easier reconnaissance
  • Detect type and components, discover vulnerabilities
§ Accept inbound communications from the Internet (by definition)
  • Direct attack, no need for "human factor"
  • Remote control becomes easier
  • Attacker identity
§ Land (almost) directly into the data center
  • No need for "lateral movement"
§ Wide outgoing pipe
  • Exfiltration made easier
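The flip side of "accepts inbound by definition" and "wide outgoing pipe" is a warning sign a defender can actually monitor: a web server that starts behaving as a client, initiating connections to external hosts it has no business with, or pushing out far more data than a web server normally sends. The Python below is an added example, not Imperva's code, that runs a simple detection over constructed flow records; the IP addresses, the web-server list, the egress allowlist, the internal address ranges and the 50 MiB threshold are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not from the presentation). One per line:
# "timestamp src_ip src_port dst_ip dst_port bytes_sent_by_src"
SAMPLE_FLOWS = """\
2013-12-01T10:00:01 10.1.1.10 443   203.0.113.5   51234 2048
2013-12-01T10:00:05 10.1.1.10 51321 198.51.100.20 443   120
2013-12-01T10:00:09 10.1.1.10 51322 198.51.100.77 80    85000000
2013-12-01T10:01:00 10.1.1.11 80    203.0.113.9   40001 4096
2013-12-01T10:02:00 10.1.1.11 52000 10.1.2.50     3306  900
2013-12-01T10:03:00 10.1.1.12 53001 198.51.100.77 443   64000000
"""

# Assumptions for the example: which hosts are our web servers, which external
# destinations they are allowed to contact (e.g. a package mirror), and what
# counts as "internal" (so a web server talking to the datacenter DB is normal).
WEB_SERVERS = {"10.1.1.10", "10.1.1.11", "10.1.1.12"}
EGRESS_ALLOWLIST = {"198.51.100.20"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BYTES_THRESHOLD = 50 * 1024 * 1024   # 50 MiB from one server to one host
EPHEMERAL_PORT_MIN = 1024


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records rather than crash the monitor
        ts, src, sport, dst, dport, nbytes = fields
        flows.append({"ts": ts, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_server_initiated_external(flow: dict) -> bool:
    """A web server ANSWERING a client sends from its service port (80/443).
    A connection the server INITIATES uses an ephemeral source port. Only
    server-initiated flows towards non-internal addresses are of interest."""
    if flow["src"] not in WEB_SERVERS:
        return False
    if flow["sport"] < EPHEMERAL_PORT_MIN:
        return False
    return not is_internal(flow["dst"])


def flag_outbound(flows: list) -> list:
    """Aggregate egress per (web server, external host) and return findings as
    (src, dst, total_bytes, reasons), sorted by (src, dst)."""
    egress = defaultdict(int)
    for f in flows:
        if is_server_initiated_external(f) and f["dst"] not in EGRESS_ALLOWLIST:
            egress[(f["src"], f["dst"])] += f["bytes"]

    # Several servers all contacting the same unknown host is its own signal.
    servers_per_dst = defaultdict(set)
    for src, dst in egress:
        servers_per_dst[dst].add(src)

    findings = []
    for (src, dst), total in sorted(egress.items()):
        reasons = ["non-allowlisted-destination"]
        if total >= BYTES_THRESHOLD:
            reasons.append("large-egress")
        if len(servers_per_dst[dst]) > 1:
            reasons.append("shared-destination")
        findings.append((src, dst, total, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, total, reasons in flag_outbound(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}: {total} bytes, {', '.join(reasons)}")
```

On the constructed records the two inbound answers (source port 443/80) and the connection to the internal database are ignored, the allowlisted mirror is ignored, and the two servers pushing tens of megabytes to the same unknown external host are reported. In practice the allowlist and threshold come from a baseline of what the servers do on a normal day; the point of the slide is that such a baseline is cheap to build precisely because a web server's legitimate outbound behaviour is so narrow.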
Means and Opportunity

§ Many code execution / full server takeover vulnerabilities exist
§ Most are easy to weaponize and exploit
§ In 2013, the following environments were vulnerable to such attacks
  • ColdFusion
  • Apache Struts
  • vBulletin (TA)
  • JBoss (TA)
  • PHP

http://blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html
http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html
Warning Signs
2014 Forecast: Server Based APTs

§ We expect more APT operations to happen through server compromise
§ Such attacks have an even smaller footprint than existing APT techniques
  • Initial infection
  • Lateral movement
  • Exfiltration
§ Public disclosure will probably arrive in 2015
#3 - Ad Networks = Added Risk
Reality Check 1

§ Malware infected PCs = potential income
§ Plenty of ways to monetize (KrebsOnSecurity)

Source: http://krebsonsecurity.com
Reality Check 2

§ Infected mobile devices are even more valuable
§ Can do anything a PC does, therefore can be monetized the same way
§ Additionally, can send "premium SMS" – a very effective and direct monetization method

Source: http://thenextweb.com
Black Market Economy 101

§ Infected end points are valuable
§ Therefore, driving traffic to an infecting site is valuable
§ Sample price list for geo-location profiled traffic (per thousand unique visitors; credit: Webroot blog)

Source: http://webrootblog.files.wordpress.com
Malware + Advertising = Malvertising

§ Paying someone to show your content is an already established business practice
§ It's called advertising!
§ And when the content is malicious it's Malvertising
§ Targeted advertising is very efficient
§ And so is targeted malvertising

Source: http://bluebattinghelmet.files.wordpress.com
Malvertising so 2010…

Not!

Source: http://upload.wikimedia.org
The Main Door is (Pretty Much) Locked

§ Vendors closely monitor their app shops for malware
§ Result: attackers cannot directly upload malicious apps
2014 Forecast: Year of Mobile Malvertising

§ Dynamic content to already installed apps does not go through the app shop
§ Supply - mobile app vendors
  • Have many users
  • Do not have a way to monetize on the traffic
  • Eager for advertising revenues
§ Demand – cyber criminals
  • Have malicious content
  • Look for alternative delivery to end users, as the market is blocked
  • Eager for traffic
§ Outcome: Mobile Malvertising
BadNews Ad Network Infected Apps

Source: https://blog.lookout.com
The Ad Market is Very Complex

§ A complex environment is a hotbed for attackers
§ Many opportunities for the attacker to attack
  • Can choose the weakest link
  • Can move to the next target when denied
§ App makers have a vast "deniability region"

Source: http://ad-exchange.fr
#4 - (Finally) Cloud Data Breaches
We are Not in Kansas Anymore, Toto!

§ Demand
  • SaaS and DBaaS are becoming mainstream
  • Not early adopters anymore
  • Less technically oriented organizations
  • Test and pilot deployments become production
  • Dial moves from "nice to have" applications to "mission critical" applications
§ Supply
  • Many new providers
  • Smaller, less experienced organizations
  • Carpe Diem
§ I wanted an app of my own but ended up building a cloud service
Everybody Is Doing It

§ According to Verizon's '2013 State of the Enterprise Cloud Report' (January 2012 – June 2013)
  • The use of cloud-based storage has increased by 90 percent
  • Organizations are now running external-facing and critical business applications in the cloud – production applications now account for 60 percent of cloud usage
Hiding in the Fog

§ Outsourcing data MISTAKEN for outsourcing responsibility
§ Low number of breaches
§ False sense of safety
Ball Waiting for the Player

§ Traditional RDBMS services
  • Used as C&C and dropper infrastructure by cyber criminals
  • Security attitude is not adapted to cloud reality
  • See our "Assessing the Threat Landscape of DBaaS" HII for more details
§ Big Data services
  • Innovative
  • Smaller providers
  • Using innovative technologies with little to no security built-in
  • Widely adopted by the web application startup community, often storing personal information
Warning Signs and Wakeup Calls
2014 Forecast: Cloud Breaches Increase

§ We expect to see a significant increase in cloud service data breaches
  • SaaS
  • DBaaS
§ We expect to see a growing use of DBaaS by attackers. It's a newcomer to our 2013 'Black Cloud on the Horizon' trend
#5 – Commercial Malware for Data Centers
Advanced Threat – State Sponsored

§ Stuxnet
  • Manual intelligence
  • Advanced malware attack
§ Duqu
  • Automatic intelligence
§ Rocra
  • Both
  • See "Red October: The Hunt For the Data"
Growing Criminal Interest
Commercialization of Military Technologies

§ Advanced threat malware capabilities flow into criminal malware
  • Technology – modular code, two tier C&C, include data access and handling code
  • Target – enterprise internals
§ Examples
  • Narilam – destroys business application databases
  • Malware targeting business applications (SAP) spotted
Built-in Database Access

§ Our December 2013 HII shows commercial malware using DBaaS as infrastructure
§ Data store accessing capabilities
  § Mevade – uses an integrated services language based on SQL, called WQL (SQL for Windows Management Interface), to query the target system's database to learn the security settings
  § Shylock – SQLite - Any messages that Skype sends are stored in Skype's main.db file, which is a standard SQLite database. Shylock accesses this database and deletes its messages and file transfers so that the user cannot find them in the history
  § Kuluoz – SQLite to access browser data repositories for sensitive information, such as credentials
§ Database access malware was used in the SK Comms data breach
2014 Forecast: Datacenter is the Goal

§ We are at the tipping point, and in 2014 we will see active automated attacks against enterprise data centers
  • Infection methods are more effective than ever
  • Malware infrastructure is mature and ready
  • Criminal use cases are starting to show up
§ We expect business applications to become a first class target for criminals
  • Easier to manipulate
  • The internal version of "web application attacks"
Summary and Conclusion
Summary

§ Our five trends for 2014
  • 3rd party vulnerability exploit – bigger, stronger, faster
  • Web server compromise – alternative to APT
  • Ad network infections – more targeted, mobile oriented
  • Cloud breaches – sharp rise in actual incidents
  • Commercial malware – criminals are after your data center
§ Attackers focus their attention on getting into the data center – physical or virtual
§ Attackers prefer to use the front door (web servers) but at the same time are constantly improving on the alternatives (malware and infection methods)
Recommendations

§ Protect your front door
  • Web Application Firewalls are not "nice to have"
  • SDLC and patching fail in modern software and threat environments
§ Improve your internal DATA controls
  • Enhance visibility into data access, both structured and unstructured
  • Introduce capabilities to detect abusive access to data center resources
§ Evaluate solutions for your cloud data repositories
  • Perform better due diligence of providers
Bottom Line

§ Balance your security budget to reflect the need for more data protection over end-point and network perimeter protection
Webinar Materials

§ Post-Webinar Discussions
§ Answers to Attendee Questions
§ Webinar Recording Link
§ Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

www.imperva.com