
1 IBM X-Force® 2012 Cyber Security Threat Landscape – Michael Montecillo, IBM Security Services Threat Research and Intelligence Principal, August 2012

2 © 2009 IBM Corporation – Building a smarter planet
IBM X-Force web intelligence lifecycle (lifecycle diagram)
– Develop protection, deliver updates, apply updates
– Monitor browsing of: millions of end-users, thousands of customers, hundreds of countries
– Block malicious links; send links to X-Force
– Deep crawl of known malicious websites; analyze new exploit techniques; provide new protection guidance
– Classify MSS links; find related websites (deep crawl); search for malware; find new malicious websites; block all malicious domains

3 X-Force Research
The mission of the IBM X-Force® research and development team is to:
– Research and evaluate threat and protection issues
– Deliver security protection for today's security problems
– Develop new technology for tomorrow's security challenges
– Educate the media and user communities
X-Force Research: 14B analyzed web pages & images; 40M spam & phishing attacks; 75K documented vulnerabilities; 13B security events daily
Provides specific analysis of: vulnerabilities & exploits; malicious/unwanted websites; spam and phishing; malware; other emerging trends

4 2011: Year of the Security Breach

5 Who is attacking our networks?

6 SQL injection attacks against web servers

7 Shell command injection attacks

8 SSH brute force activity

9 Explosion of phishing-based malware distribution and click fraud

10 Anonymous proxies on the rise
– Approximately 4 times more anonymous proxies than seen 3 years ago
– Some used to hide attacks, others to evade censorship
– Signature detects situations where clients are attempting to access websites through a chain of HTTP proxies
– Could represent legitimate (paranoid) web surfing, or attackers obfuscating the source address of attacks launched against web servers

11 Vulnerability disclosures down in 2011
– Total number of vulnerabilities declined, but it's cyclical: we have witnessed a two-year high-low cycle in vulnerability disclosures since 2006

12 Public exploit disclosures
– Total number of exploit releases down to a number not seen since 2006
– Also down as a percentage of vulnerabilities

13 Better patching

14 Decline in web application vulnerabilities
– In 2011, 41% of security vulnerabilities affected web applications
– Down from 49% in 2010
– Lowest percentage seen since 2005

15 Many major operations have important security blind spots
– IBM scanned 678 websites (Fortune 500 plus 178 popular sites)
– 40% contain client-side JavaScript vulnerabilities
– Third-party code is the primary culprit

16 Mobile OS vulnerabilities & exploits
– Continued interest in mobile vulnerabilities as enterprise users request a bring your own device (BYOD) strategy for the workplace
– Attackers finding these devices represent lucrative new attack opportunities

17 Zeus Crimeware Service (underground advertisement quoted on the slide)
Hosting costs $50 for 3 months. This includes the following:
# Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via Internet Explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer integrated.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit
We also host normal ZeuS clients for $10/month. This includes a fully set up ZeuS panel/configured binary.

18 Mobile OS vulnerabilities & exploits

19 Connect with IBM X-Force research & development
– Follow us at @ibmsecurity and @ibmxforce
– Download X-Force security trend & risk reports: http://www.ibm.com/security/xforce
– Subscribe to the security channel for the latest security videos: www.youtube.com/ibmsecuritysolutions
– Attend in-person events: http://www.ibm.com/events/calendar/
– Subscribe to X-Force alerts at http://iss.net/rss.php or Frequency X at http://blogs.iss.net/rss.php
– Join the Institute for Advanced Security: www.instituteforadvancedsecurity.com

20 Blackhole Crimeware
Blackhole Exploit Kit
– First appeared in August 2007
– Advertised as a system for network testing
– Protects itself with blacklists and integrated antivirus
– Comes in Russian or English
– Currently the most purchased exploit pack
Flexible pricing plan
– Purchase: $1500/annual, $1000/semi-annual, $700/quarterly
– Lease: $50/24 hours, $200/1 week, $300/2 weeks, $400/3 weeks, $500/month
– *$35 domain name change fee if necessary

21 Blackhole Crimeware – Sample
– Discovery: 15 June 2012
– Site: Passionforstudy.com
– Host: hosted-by.krhosting.biz
– ASN: 58182

22 Blackhole Crimeware – Sample (Problems)
– Your AV will not like this.
– This will trigger alerts in your IPS:
  Snort: "Possible Request for Blackhole Exploit Kit Landing Page" and "DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit"
  ISS: Blackhole-exploit-kit-detected
– The several attack vectors

23 Blackhole Crimeware – IPS Alert
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2014725; rev:2;)
What you need to recognize:
– Looking for a URI matching the regular expression pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; that is, /src.php?case= followed by exactly 16 lowercase hex characters at the end of the normalized URI
– Looking for the content "<applet" together with the flowbit isset,et.exploitkitlanding, so the landing-page-received rule fires only on a flow that already requested the landing page
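As an added illustration (not code from the slides or from the Emerging Threats rule set), the following Python reproduces what the two rules check: the landing-page URI regex from the slide, and the flowbit dependency between the landing-page request and the <applet> response on the same flow. The flow identifiers and sample traffic are constructed.

```python
import re

# Regex taken from the slide's pcre, written plainly; Snort's /U modifier is dropped
# because this code receives the decoded URI directly. Note the lowercase hex class and
# the end-of-URI anchor: both are part of the rule as published.
LANDING_URI = re.compile(r"/src\.php\?case=[a-f0-9]{16}$")


def match_landing_uri(uri: str) -> bool:
    """True if the request URI matches the Blackhole landing-page pattern."""
    return LANDING_URI.search(uri) is not None


def scan_flows(events):
    """events: (flow_id, direction, payload) tuples in arrival order.

    direction is 'to_server' (payload is the request URI) or 'to_client'
    (payload is the response body). Returns (flow_id, alert_name) pairs.
    The applet alert is only raised on a flow whose earlier request matched
    the landing-page URI, mirroring the flowbits isset check on the slide.
    """
    landing_seen = set()  # flows where the 'et.exploitkitlanding' flowbit would be set
    alerts = []
    for flow_id, direction, payload in events:
        if direction == "to_server" and match_landing_uri(payload):
            landing_seen.add(flow_id)
            alerts.append((flow_id, "blackhole-landing-page-request"))
        elif direction == "to_client" and "<applet" in payload.lower():
            if flow_id in landing_seen:
                alerts.append((flow_id, "blackhole-landing-page-received-applet"))
    return alerts


# Constructed sample traffic (hypothetical flows, not from the slides).
SAMPLE_EVENTS = [
    ("f1", "to_server", "/src.php?case=0123456789abcdef"),
    ("f1", "to_client", "<html><applet code='x.class'></applet></html>"),
    ("f2", "to_server", "/index.php?page=1"),
    ("f2", "to_client", "<html><applet code='game.class'></applet></html>"),
    ("f3", "to_server", "/src.php?case=0123456789ABCDEF"),
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_EVENTS):
        print(alert)
```

Flow f2 carries a benign applet with no preceding landing-page request, and f3 uses uppercase hex that the published regex does not match, so only f1 produces alerts.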

24 Blackhole Crimeware – Exploits
– CVE-2012-0507 (Java)
– CVE 20120-1423 (Java)
– CVE-2010-0886 (Java)
– CVE-20120-0842 (Java)
– CVE-2010-0840 (Java)
– CVE-2010-1885
– CVE-2010-1423
– CVE-2009-1671 (Java)
– CVE-2009-0927 (Adobe Reader)
– CVE-2008-2992 (Adobe Reader)
– CVE-2007-5659 (Adobe Reader)
– CVE-2006-0003 (IE MDAC)

25 Blackhole Crimeware – A Look at the Attack

26 Blackhole Crimeware – A Look at the Attack

27 Blackhole Crimeware – Exploit Breakdown
Source: http://www.ic3.gov/media/2012/120420.aspx
*It is estimated 60% of Java users have not yet patched CVE-2012-0507
Source: http://www.infosecisland.com/blogview/21118-IC3-Blackhole-Exploit-Kit-123-Released.html

28 The drive-by-download process
Stages shown in the diagram:
– Desktop users browse the Internet
– Web server with embedded iframe
– Malicious iframe host
– Exploit material served
– Web browser targeted
– Downloader installed
– Malware installed and activated

29 Michael Montecillo – mmontec@us.ibm.com – Twitter: @Montejam (FOLLOW ME!)
