Fiaaz Walji, Sr. Director, Websense Canada
Shift in attacks = shift in defense
- Began with a report from IDC stating that signature-based tools (anti-virus, firewalls and intrusion prevention) are only effective against 30%–50% of current security threats
- Much of this can be attributed to how attacks have evolved to specifically counter those defenses
- The Websense® Security Labs team produced a report on the key threats and trends
Behind the 2013 Threat Report
- Data collection
- Threat analysis
- Expert interpretation
ThreatSeeker Network: largest security intelligence network
- Up to 5 billion requests per day
- 900 million global end points
- 400+ million sites per day
- 1 billion pieces of content per day
- 10+ million emails per hour
- 2.5 billion URLs per day
Number of viruses undetected by the top 5 AV engines (chart)
Areas Covered in this Report
Victims are Everywhere
Attack Vectors: social media, mobile, web. Victims are funneled to the web: redirects, malware, recon, XSS, dropper files, CnC, exploit kits, phishing.
Cyber Kill Chain: Recon → Lure → Redirect → Exploit Kit → Dropper File → Call Home → Data Theft. Victims are funneled to the web.
© 2012 Websense, Inc. Proprietary and Confidential
Web Threats
Web traffic to financial institutions (FIs) (chart). Source: comScore
Top 5 most popular types of sites compromised (chart)
Key Take Away: The web is both an attack vector AND support for other attack vectors.
Social Media Adoption in Canada (chart). Source: comScore
Social Media Threats
- Headline: "President's Family Emails, Photos Apparently Hacked" (ow.ly/hxY2a)
- 32% of malicious links in social media used shortened web links
- 8. CANADA
Key Take Away: As social media use increased in the workplace, so did the exposure of sensitive information.
Mobile Phone Penetration by Country (chart)
- British Columbia ranks #1 in Canada in smartphones per capita
- 43% of Canadian smartphone subscribers own a connected device
Source: comScore, Dec 2011
Poll: share of Canadians with smartphones who would consider using them like credit cards (CIBC poll by Harris/Decima, July; the percentage did not survive extraction)
More Canadians are accessing online banking through their smartphones (chart). Source: comScore
Method of Access (chart). Source: comScore
1 billion apps were downloaded in the last week of 2012. Source: Flurry
Mobile Threats
- Social media: #2 use of smartphones
- Lost devices
- Malicious URLs
- Exploitable technologies
- App stores
Mobile Apps
- SMS abused by 82 percent of malicious apps (SEND_SMS, RECEIVE_SMS, READ_SMS, WRITE_SMS)
- 1 in 8 malicious apps: RECEIVE_WAP_PUSH
- 1 in 10 malicious apps: INSTALL_PACKAGES

Android permission types: rank among malicious apps vs. rank among legitimate apps (X = not in the legitimate top 20)
Malicious rank  Permission              Legitimate rank
 1              INTERNET                 1
 2              READ_PHONE_STATE         3
 3              SEND_SMS                 X
 4              WRITE_EXTERNAL_STORAGE   4
 5              ACCESS_NETWORK_STATE     2
 6              RECEIVE_SMS              X
 7              READ_SMS                 X
 8              RECEIVE_BOOT_COMPLETED  11
 9              CALL_PHONE              17
10              WAKE_LOCK                9
11              ACCESS_COARSE_LOCATION   6
12              VIBRATE                  8
13              RECEIVE_WAP_PUSH         X
14              ACCESS_FINE_LOCATION     7
15              WRITE_SMS                X
16              ACCESS_WIFI_STATE        5
17              GET_TASKS               10
18              SET_WALLPAPER           14
19              READ_CONTACTS           15
20              INSTALL_PACKAGES         X
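The permission table above can be turned directly into a triage heuristic: the six permissions that appear in the malicious top 20 but nowhere in the legitimate top 20 are the ones worth flagging first. The following is an added example (not code from the report or from Websense) that parses an AndroidManifest.xml and scores it against that table. The table data comes from the slide; the sample manifest, the scoring and the "review"/"low" verdicts are this example's own assumptions.

```python
"""Added example, not part of the Websense report: triage an Android app's requested
permissions against the report's malicious-vs-legitimate "Top 20" table.
The table data is the report's; the manifest below, the scoring and the verdict
labels are this example's own assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# (permission, rank among legitimate apps or None for "X"), in malicious-rank order, from the report's table
MALICIOUS_TOP20 = [
    ("INTERNET", 1), ("READ_PHONE_STATE", 3), ("SEND_SMS", None),
    ("WRITE_EXTERNAL_STORAGE", 4), ("ACCESS_NETWORK_STATE", 2), ("RECEIVE_SMS", None),
    ("READ_SMS", None), ("RECEIVE_BOOT_COMPLETED", 11), ("CALL_PHONE", 17),
    ("WAKE_LOCK", 9), ("ACCESS_COARSE_LOCATION", 6), ("VIBRATE", 8),
    ("RECEIVE_WAP_PUSH", None), ("ACCESS_FINE_LOCATION", 7), ("WRITE_SMS", None),
    ("ACCESS_WIFI_STATE", 5), ("GET_TASKS", 10), ("SET_WALLPAPER", 14),
    ("READ_CONTACTS", 15), ("INSTALL_PACKAGES", None),
]
# Permissions common among malicious apps but absent from the legitimate top 20
MALICIOUS_ONLY = {perm for perm, legit_rank in MALICIOUS_TOP20 if legit_rank is None}
SMS_PERMS = {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "WRITE_SMS"}


def requested_permissions(manifest_xml):
    """Return the short names of android.permission.* entries declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS, "")
        if name.startswith("android.permission."):
            perms.add(name.rsplit(".", 1)[1])
    return perms


def triage(manifest_xml):
    """Heuristic triage: count requested permissions that only the malicious top 20 contains.
    A non-zero score means 'review', not 'malware'; legitimate messaging apps need SMS too."""
    perms = requested_permissions(manifest_xml)
    hits = perms & MALICIOUS_ONLY
    findings = []
    if perms & SMS_PERMS:
        findings.append("SMS permissions: " + ", ".join(sorted(perms & SMS_PERMS)))
    if "RECEIVE_WAP_PUSH" in perms:
        findings.append("RECEIVE_WAP_PUSH: can intercept WAP push / MMS notifications")
    if "INSTALL_PACKAGES" in perms:
        # A signature|privileged permission that a third-party app cannot be granted,
        # so merely requesting it is a red flag.
        findings.append("INSTALL_PACKAGES: silent install capability requested")
    return {
        "permissions": sorted(perms),
        "score": len(hits),
        "findings": findings,
        "verdict": "review" if hits else "low",
    }


# Constructed manifest for the example (not a real app)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevideoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_WAP_PUSH"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

The score is only a prioritisation aid: a video player asking for SEND_SMS and RECEIVE_WAP_PUSH deserves a look, but an SMS client with the same permissions is doing its job. Runtime behaviour (the premium-rate numbers it texts, the hosts it contacts) settles the question, not the manifest.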
Key Take Away: Data stored on and accessed through a mobile device are at risk, with minimal control over web, email and social media traffic and access. Lost devices are also a risk.
Email Threats
- Only 1 in 5 emails were safe and legitimate
- Charts: threats breakdown by content & URLs; breakdown by content only
Spam
- 92% of spam emails contain URLs
- Spam distribution rate: 250,000 per hour
Top 5 malicious web links in spam
1. Potentially Damaging Content: suspicious sites with little or no useful content
2. Web and Email Spam: sites used in unsolicited commercial email
3. Malicious Websites: sites containing malicious code
4. Phishing and Other Frauds: sites that counterfeit legitimate sites to elicit information
5. Malicious Embedded iFrame: sites infected with a malicious iframe
Phishing
- Increasingly focused on commercial & government targets
- 69% sent on Mondays & Fridays
- More targeted: regionalized; spear phishing on the rise
Top 5 countries hosting phishing (chart)
Key Take Aways
- Email-based threats evolved significantly to circumvent keyword, reputation and other traditional defenses
- Increased spear-phishing
- Cybercriminals added a time-delay to some targeted attacks, so that a linked page has not yet turned malicious when the email is scanned at delivery
- >50% of users accessed email from outside the corporate network
Top 10 countries hosting malware
- United States
- Russian Federation
- Germany
- China
- Moldova
- Czech Republic
- United Kingdom
- France
- Netherlands
- Canada
Organizations can no longer dismiss malware threats as solely an English-language or American phenomenon.
Malware: more aggressive
- 15% connected in the first 60 seconds
- 90% requested information
- 50% accessed dropper files
Top 10 countries hosting CnC servers (chart)
Key Take Away
- Today's malware is more dynamic and agile, adapting to an infected system within minutes
- Half of web-connected malware downloaded additional executables in the first 60 seconds
- The remainder proceeded more cautiously, often a calculated response to bypass short-term sandbox defenses
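The "cautious" half is the operational problem: a sandbox that runs a sample for 60 seconds reports nothing about malware that sleeps for five minutes before calling home. The following added example (not from the report or any Websense tool) classifies a sandbox behaviour timeline against a configurable analysis window and surfaces the long idle gap that a stalling Sleep() leaves behind. The log format and both event logs are constructed for the example.

```python
"""Added example, not from the Websense report: classify a sandbox run's behaviour
timeline as 'aggressive' (network activity inside the analysis window) or
'delayed' (first network activity after the window, the pattern that defeats a
short sandbox run). The log format and both event logs are constructed."""

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def parse_events(log_text):
    """Parse 'seconds kind detail' lines into (t, kind, detail) tuples sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        t, kind, detail = line.split(None, 2)
        events.append((float(t), kind, detail))
    return sorted(events)


def classify(events, window_s=60.0):
    """Summarise what a sandbox with an analysis window of window_s seconds would and would not see."""
    net_times = [t for t, kind, _ in events if kind in ("dns_query", "net_connect")]
    dropped = [d for _, kind, d in events
               if kind == "file_write" and d.lower().endswith(EXECUTABLE_SUFFIXES)]
    first_net = min(net_times) if net_times else None
    # Longest silence between consecutive events: a stalling Sleep() shows up here
    gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
    longest_gap = max(gaps) if gaps else 0.0
    if first_net is None:
        verdict = "no-network"
    elif first_net <= window_s:
        verdict = "aggressive"
    else:
        verdict = "delayed"
    return {
        "verdict": verdict,
        "first_network_s": first_net,
        "dropped_executables": dropped,
        "longest_idle_gap_s": longest_gap,
        "events_seen_in_window": sum(1 for t, _, _ in events if t <= window_s),
        "window_too_short": verdict == "delayed",
    }


# Constructed logs (not real malware traces); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
AGGRESSIVE_LOG = r"""0.4 process_start sample.exe
2.1 dns_query cdn-update.example
2.6 net_connect 203.0.113.7:443
3.5 file_write C:\Users\Public\update.exe
4.0 process_start C:\Users\Public\update.exe
"""

DELAYED_LOG = r"""0.3 process_start sample.exe
0.9 api_call GetTickCount
1.2 api_call Sleep(300000)
301.5 api_call GetTickCount
302.0 dns_query cdn-update.example
302.4 net_connect 198.51.100.23:8080
303.9 file_write C:\Users\Public\svc.exe
"""

if __name__ == "__main__":
    for name, log in (("aggressive", AGGRESSIVE_LOG), ("delayed", DELAYED_LOG)):
        print(name, classify(parse_events(log)))
```

Two practical responses follow from the delayed verdict: lengthen the window (or accelerate the clock the sample sees), and treat a long idle gap that begins with a Sleep() or tick-count check as a finding in its own right rather than as "no activity".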
Data Theft
- Planned data theft attacks through cyberspace grew last year, targeting high-value intellectual property (IP) and using all available vectors
- PII value/target remained flat
Key Take Away
- Remove temptation; mitigate accidental loss through security improvements
- Address growing SSL/TLS usage
- Provide an integrated approach to monitoring and controlling both inbound and outbound content
Real World Example: Boston Tragedy (cyber kill chain)
- Recon: topical, event-based campaign
- Lure: shocking news lures in email & SEO, leading to the web redirect
- Redirect: video page of the drama with a hidden malicious iFrame
- Exploit Kit: Redkit exploit kit leverages a known Oracle Java 7 vulnerability (CVE)
- Dropper File: two known bot infection files allowing remote control of the infected system
- Call Home: two known botnet families register newly infected systems & open them to commands
- Data Theft: cyber criminals now control infected systems and targeted data
Topical or event-based campaigns attempt to propagate as widely as possible, rather than being directed at specific individuals or organizations.
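The Redirect stage above is the one a web proxy or page crawler can catch cheaply: the lure page is a real video page with an iframe the visitor never sees. The following is an added example (not code from the report or from Websense) that scans a page for effectively invisible iframes and records whether they point off-site. The sample page and the size/CSS heuristics are this example's own; an iframe written by obfuscated JavaScript at runtime would need a rendering engine, not a static parse.

```python
"""Added example, not from the Websense report: find hidden <iframe> redirects of the
kind used in the 'Redirect' stage. The page below is constructed; the size and CSS
heuristics are this example's own."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline-CSS tricks that make a frame invisible while it still loads
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag (HTMLParser lowercases names)."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value):
    """'1', '1px', ' 0 ' -> int; anything else -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def suspicious_iframes(page_html, page_url):
    """Return iframes that are effectively invisible, with reasons and whether the src is third-party."""
    page_host = (urlparse(page_url).hostname or "").lower()
    collector = IframeCollector()
    collector.feed(page_html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("size %sx%s" % (w, h))
        if HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("hidden by inline CSS")
        if attrs.get("hidden") is not None:
            reasons.append("hidden attribute")
        if reasons:
            src = attrs.get("src", "")
            src_host = (urlparse(src).hostname or "").lower()
            findings.append({
                "src": src,
                "third_party": bool(src_host) and src_host != page_host,
                "reasons": reasons,
            })
    return findings


# Constructed lure page: a visible video embed plus a 1x1 hidden iframe to a documentation-range IP
SAMPLE_PAGE = """<html><body>
<h1>Breaking: video from the scene</h1>
<iframe src="https://video.example.com/embed/1" width="560" height="315"></iframe>
<iframe src="http://203.0.113.5/in.php" width="1" height="1"
        style="visibility:hidden;position:absolute"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_PAGE, "http://news.example.com/video"):
        print(finding)
```

The visible third-party embed is deliberately not flagged: off-site iframes are normal on news pages, and it is the combination of invisibility with an external (or freshly registered) host that marks the redirect stage.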
Conclusion
- Primary attack foundation was the web
  – Threats increased across all vectors
  – Attacks grew more aggressive, dynamic, multi-staged and multi-vector
- Defenses must adapt
  – Real-time point-of-click analysis; inbound & outbound; content & context inspection
- MDM capabilities must be augmented
  – Defenses to control mobile access; real-time analysis of potentially malicious content across all vectors
- Email security requires real-time threat analysis
  – Must be coordinated with web, mobile and other defenses
- Malware defenses need to monitor both inbound and outbound traffic
  – HTTP and HTTPS, to prevent infection and detect CnC communications
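The "real-time point-of-click" defense in the conclusion is the direct answer to the time-delayed email attacks in the email takeaways: if the link is judged only when the message arrives, a page that turns malicious an hour later walks straight through. The following added example (not code from the report or from any Websense product) shows the mechanism in miniature: links are rewritten at delivery to a signed redirector, and reputation is evaluated again at click time. The gateway URL, the key and the reputation feed are constructed for the example, and the HMAC is there for a reason: a redirector that accepts any target is an open redirect that phishing kits reuse.

```python
"""Added example, not from the Websense report or any Websense product: a minimal
point-of-click link defense. Links are rewritten at delivery to a signed redirector;
at click time the signature is verified and reputation is re-checked, so a page that
was clean at delivery and weaponised later is still blocked. The gateway URL, the key
and the reputation feed are constructed for the example."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

GATEWAY = "https://clicksafe.example.com/r"      # assumed redirector endpoint
SECRET_KEY = b"replace-with-a-managed-secret"     # assumption: held in a secrets manager in practice

# Constructed reputation feed: URL -> seconds after delivery at which it became malicious
TURNS_MALICIOUS_AT = {"http://203.0.113.9/invoice/view.html": 3600}


def reputation(url, now_s):
    """Verdict for url at time now_s (seconds since the email was delivered)."""
    flip = TURNS_MALICIOUS_AT.get(url)
    return "malicious" if flip is not None and now_s >= flip else "clean"


def _sign(url):
    # HMAC over the target stops the redirector from being used as an open redirect
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def rewrite_link(url):
    """Delivery time: replace the original link with a signed gateway link."""
    return GATEWAY + "?" + urlencode({"u": url, "s": _sign(url)})


def resolve_click(gateway_url, now_s):
    """Click time: verify the signature, re-check reputation, then allow or block."""
    query = parse_qs(urlparse(gateway_url).query)
    url, sig = query.get("u", [""])[0], query.get("s", [""])[0]
    if not url or not hmac.compare_digest(sig, _sign(url)):
        return ("reject", "bad or missing signature")
    verdict = reputation(url, now_s)
    return ("block", url) if verdict == "malicious" else ("allow", url)


def scan_and_rewrite(urls, delivered_s=0):
    """Delivery-time pass: drop links already known bad, rewrite the rest for click-time checks."""
    kept = {}
    for url in urls:
        if reputation(url, delivered_s) == "clean":
            kept[url] = rewrite_link(url)
    return kept


if __name__ == "__main__":
    link = "http://203.0.113.9/invoice/view.html"
    rewritten = scan_and_rewrite([link])[link]      # clean at delivery, so it is kept
    print("10 min after delivery:", resolve_click(rewritten, now_s=600))
    print("2 h after delivery:   ", resolve_click(rewritten, now_s=7200))
```

The toy dictionary stands in for the real-time web classification the conclusion calls for; everything else (signing at delivery, verifying and re-scoring at click, refusing unsigned targets) is what a production redirector also has to do, with the added concern that the redirector itself sees every click and must not become a tracking or phishing surface in its own right.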
Thank You