Follow the Money, Follow the Crime
-
date post
14-Sep-2014 -
Category
Technology
-
view
421 -
download
2
description
Transcript of Follow the Money, Follow the Crime
© 2012 IBM Corporation
IBM Security Systems
1© 2013 IBM Corporation
Follow the Money, Follow the Crime
19th March 2014
© 2014 IBM Corporation
IBM Security Systems
Agenda
IBM X-Force Threat Intelligence Quarterly 1Q 2014– Michael Hamelin, Lead X-Force Security Architect
CTO Office, IBM Security Systems
Protecting Enterprise Endpoints against Advanced Malware with Trusteer Apex– Dana Tamir, Director of Enterprise Security
Trusteer, an IBM Company
Connect with IBM Security
Questions?
© 2012 IBM Corporation
IBM Security Systems
3© 2013 IBM Corporation
IBM X-Force Threat Intelligence Quarterly1Q 2014
Michael HamelinLead X-Force Security ArchitectCTO Office, IBM Security Systems
© 2014 IBM Corporation
IBM Security Systems
X-Force is the foundation for advanced security and threat research across the IBM Security Framework
© 2014 IBM Corporation
IBM Security Systems
At IBM, the world is our security lab
v13-016,000+IBM researchers, developers, and subject matter experts focused on security
3,000+IBM securitypatents
Security Operations Centers
Security Research and Development Labs
Institute for Advanced Security Branches
© 2014 IBM Corporation
IBM Security Systems
6
Collaborative IBM teams monitor and analyze the changing threat landscape
Coverage
20,000+ devices under contract
3,700+ managed clients worldwide
15B+ events managed per day
133 monitored countries (MSS)
1,000+ security related patents
Depth
17B analyzed web pages & images
40M spam & phishing attacks
76K documented vulnerabilities
Billions of intrusion attempts daily
Millions of unique malware samples
© 2014 IBM Corporation
IBM Security Systems
7
Attackers optimize and refine target selection
© 2014 IBM Corporation
IBM Security Systems
8
more than
half a billion recordsof personally identifiable information (PII) were leaked in 2013
© 2014 IBM Corporation
IBM Security Systems
9
© 2014 IBM Corporation
IBM Security Systems
10
What is the impact of a data breach
and
Where are customer’s most affected?
© 2014 IBM Corporation
IBM Security Systems
11
Weaponized content focused on end user apps
© 2014 IBM Corporation
IBM Security Systems
12
Attackers use exploit kits to deliver payloads
Blackhole Exploit KitMost popular in 2013Creator arrested in
October
Styx Exploit KitRising in popularitySuccessful in exploiting IE
and Firefox on Windows
© 2014 IBM Corporation
IBM Security Systems
13
Effectively targeting end users
MalvertisingWatering Hole Attacker injects malware
on special interest website Vulnerable niche users
exploited
Attacker injects malwareon ad network
Malicious ad embedded on legitimate websites
Vulnerable users exploited
© 2014 IBM Corporation
IBM Security Systems
14
Production Applications
Developed in house Acquired Off-the-shelf commercial
apps
In-house development Outsourced development
Applications in Development
Web app vulnerabilities: the dominant threat
© 2014 IBM Corporation
IBM Security Systems
15
Vulnerabilities designed to gain additional or unauthorized access
ExploitationGain accessXSS typically attacks web apps
© 2014 IBM Corporation
IBM Security Systems
16
Declines in key reporting – Web App Vulns
Could indicate…Better job at writing secure web applications
CMS systems & plugins maturing as older vulns are patched
Attacks continue…XSS, SQLi exploitation still observed in high numbers
© 2014 IBM Corporation
IBM Security Systems
17
Declines in key reporting – True Exploits
Two Categories trackedProof-of-concept codeFully functional programs capable of attacks are true exploits
Continue to decreaseLowest levels we’ve seen in past 5 years
© 2012 IBM Corporation
IBM Security Systems
18© 2014 IBM Corporation
Protecting Enterprise Endpoints against Advanced Malwarewith Trusteer Apex
Dana TamirDirector of Enterprise Security
Trusteer, an IBM Company
© 2014 IBM Corporation
IBM Security Systems
19
About Trusteer
© 2014 IBM Corporation
IBM Security Systems
20
APTs and Targeted AttacksThe Tool of Choice: Exploits and Advanced Malware
The Entry Point:
–Vulnerable User Endpoints
The Means:
–Exploits, Drive-by Download–Advanced Malware–Compromised Credentials
© 2014 IBM Corporation
IBM Security Systems
21
Vulnerability disclosures leveled out in 2013, but attackers have
plenty of older, unpatched systems to exploit.
60% of the exploits target vulnerabilities that have been publicly known for over 12 months!!!
© 2014 IBM Corporation
IBM Security Systems
22
Do you patch applications?
22
Source: Ponemon
© 2014 IBM Corporation
IBM Security Systems
23
The Threat Lifecycle
Exploit Chain Data Exfiltration
Data Exfiltration Prevention
Exploit Chain Disruption
© 2014 IBM Corporation
IBM Security Systems
24
Controlling Strategic Chokepoints To break the threat lifecycle
# of
Typ
es
Attack Progression
Weaponized Content: Endless
(IPS, Sandbox)
Unpatched and zero-day vulnerabilities:
Many (Patching)
Ways to deliver and
infect:Hundreds
Malicious Files: Endless
(AV, Whitelisting)
Ways to establish communication
channels:Hundreds
Destinations:
Endless(C&C traffic detection)
Strategic Chokepoint
Strategic Chokepoint
Malicious Behavior:
Many(HIPs)
Data exfiltrationExploit Chain
© 2014 IBM Corporation
IBM Security Systems
25
Trusteer Apex: 3 Security Layers
© 2014 IBM Corporation
IBM Security Systems
26
A few words about Java
A powerful yet dangerous application:
Did you know that…
Java is installed on ~85% of the desktop computers.
Google Analytics
© 2014 IBM Corporation
IBM Security Systems
27
… combined with a presence in every enterprise makes Java the
top target for exploits.
explosive growth of Java vulnerabilities…
© 2014 IBM Corporation
IBM Security Systems
28
Most successful Java exploits are applicative, exploiting
vulnerabilities related to the Java security manager and bypassing native OS-level protections.
Applicative exploits Difficult to defend Gain unrestricted privileges Bypass native OS-level protections
Native exploits Buffer Overflow Illegal memory use Use-after-free
© 2014 IBM Corporation
IBM Security Systems
29
Java Execution Should be Monitored and Controlled
Prevent Exploitation of both Native and Applicative Vulnerabilities
Execution of Java code on the endpoint must be restricted–Fine grained control is needed
Oracle’s solution: Allow execution of signed JARs –Not good enough
© 2014 IBM Corporation
IBM Security Systems
30
Connect with IBM Security
Follow us at @ibmsecurity and @ibmxforce
X-Force Security Insights blog at www.SecurityIntelligence.com/x-force
Download IBM X-Force Threat Intelligence Reports http://www.ibm.com/security/xforce/
Trusteer Apex https://www.trusteer.com/products/trusteer-apex
© 2014 IBM Corporation
IBM Security Systems
31
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.