X-Force Research, Results and Observations · • The number of active, automated attacks on web...
X-Force Research, Results
and Observations
Dr. Jean Paul Ballerini
Sr. Technology Solutions Expert, X-Force Expert
IBM Internet Security Systems
Agenda
• Who is X-Force?
• How can you protect?
• Conclusions
The mission of the IBM Internet Security Systems™ X-Force® research and development team is to:
Research and evaluate threat and protection issues
Develop assessment and countermeasure technology
Educate the media and user communities
Vulnerability Highlights
• Overall number of disclosed vulnerabilities increased in comparison to previous years
• 5% increase over the first half of year 2007
Analyze Them All
X-Force analyzed every single vulnerability disclosed.
Web Server Application Vulnerabilities
• Three newcomers to the top ten vendor list were web server application software vendors
• Web server application vulnerabilities account for 54% of all 2008 H1 disclosures and 51% since 2006
Web Server Application Vulnerabilities: SQL Injection
• SQL injection vulnerability disclosures more than doubled in comparison to 2007
• The number of active, automated attacks on web servers was unprecedented
Endpoint Vulnerabilities
• More than 80% of public exploits were released on the same day the vulnerability was disclosed
• The main target of public exploits has shifted from the operating system to the browser
Browser Vulnerabilities
• Memory corruption is the main vulnerability.
• No substantial difference.
Primary Exploit Target: Browser Plug-Ins
• The majority of publicly released exploits are for browser plug-ins
• The top five most exploited browser vulnerabilities all target plug-ins
• Although most active exploitation focuses on older vulnerabilities, newer attack tools have automatic methods to incorporate the most recent exploits
2007 Malcode Highlights
• X-Force collected and analyzed nearly 410,000 new malware samples in 2007, almost a third more than it researched in 2006.
• Trojans represent the largest category of malware in 2007—109,246 varieties account for 26% of all malware.
• The most frequently occurring malware on the Internet was Trojan.Win32.Agent—26,573 varieties in 2007 account for 24% of all Trojans.
• The most common worm in 2007 was Net-Worm.Win32.Allaple with 21,254 varieties. It is a family of polymorphic worms that propagates by exploiting Windows® vulnerabilities instead of using e-mail.
New Year, Same Story
Full Mid-Year Report: http://www-935.ibm.com/services/us/iss/xforce/midyearreport/
Agenda
• Who is X-Force?
• How can you protect?
– X-Force Strategy
• Conclusions
The Ever Growing Danger Zone
ISS Preemptive Protection
Vulnerability Focused Protection
Protection Advances
The Threat Lifecycle
The initial culprits in owning a system can be as innocent as an email from Mom or as malicious as a hacker set to steal valuable information. How do you get “owned” these days?

• Inherent in any computer program are vulnerabilities, or small cracks in the code, that allow things in that were not originally intended.
• A “proof of concept”, or exploit, is created to take advantage of the lowered defenses from the vulnerability.
• Shellcode is then injected to enable remote code execution.
• Shellcode is executed to create a buffer overflow that opens the back door to the system.
• Malcode, such as a trojan or rootkit, is executed to wreak havoc on the system.
X-Force Protection Engines
VPS: The Virus Prevention System (VPS) is a behavioral anti-virus technology that can stop not only new malware variants, but also new malware families. VPS uses pre-execution behavioral analysis to stop malware before it can run and do damage.

PAM: The Protocol Analysis Module (PAM) is the network IPS component in IBM ISS desktop, server, and network products. PAM uses behavioral and vulnerability-centric methods to detect and block network-based exploits affecting more than 7,400 vulnerabilities.

Shellcode Heuristics: This engine uses generic shellcode detection to block shellcode payloads, one of the most prevalent methods of infecting non-binary files like HTML, documents, and images.

BOEP: Buffer Overflow Exploit Prevention (BOEP) blocks execution payloads delivered through buffer overflow exploits, providing 0-day protection for this class of threats.

Cobion: Cobion e-mail and content filtering technology has analyzed over 8.7B URLs and images and 1B unique spam messages. Over 100k web URLs/images and 700k spam messages are analyzed daily.
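The slide describes generic shellcode detection in non-binary files without saying how it is done. The following is an added illustration written for this transcript; it is not IBM ISS/X-Force code and does not reproduce the Shellcode Heuristics engine. It applies three simple heuristics a content filter can run over a file that is supposed to be text (HTML, a document): a long run of raw 0x90 NOP bytes, a `%u9090`-style Unicode-escaped NOP sled inside script text, and an unusually high share of non-printable bytes. All thresholds, function names and the three sample inputs are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Tunable thresholds (constructed for this example, not product settings).
NOP_BYTE = 0x90                 # x86 NOP, the classic sled filler
MIN_SLED_RUN = 32               # raw NOP run length that triggers a block
MAX_NONPRINTABLE_RATIO = 0.10   # text files should be almost all printable
# Eight or more consecutive %u9090 escapes, as seen in script-based sleds.
UNICODE_NOP_RE = re.compile(rb"(?:%u9090){8,}", re.IGNORECASE)


@dataclass
class ScanResult:
    verdict: str                          # "allow" or "block"
    reasons: list = field(default_factory=list)


def longest_byte_run(data: bytes, value: int) -> int:
    """Length of the longest unbroken run of `value` in `data`."""
    longest = run = 0
    for b in data:
        run = run + 1 if b == value else 0
        longest = max(longest, run)
    return longest


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes that are not printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return 1.0 - printable / len(data)


def scan_text_file(data: bytes) -> ScanResult:
    """Generic sled/shellcode heuristics for a file expected to be text."""
    reasons = []
    run = longest_byte_run(data, NOP_BYTE)
    if run >= MIN_SLED_RUN:
        reasons.append(f"raw NOP run of {run} bytes")
    if UNICODE_NOP_RE.search(data):
        reasons.append("%u9090 unicode-encoded NOP sled")
    ratio = nonprintable_ratio(data)
    if ratio > MAX_NONPRINTABLE_RATIO:
        reasons.append(f"non-printable ratio {ratio:.2f} in text file")
    return ScanResult("block" if reasons else "allow", reasons)


# Constructed sample inputs for demonstration.
BENIGN_HTML = b"<html><body><p>Quarterly report</p></body></html>"
UNICODE_SLED_HTML = (
    b'<script>var s = unescape("' + b"%u9090" * 16 + b'");</script>'
)
RAW_SLED_SAMPLE = b"<html>" + bytes([NOP_BYTE]) * 64 + b"</html>"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_HTML),
                         ("unicode-sled", UNICODE_SLED_HTML),
                         ("raw-sled", RAW_SLED_SAMPLE)]:
        result = scan_text_file(sample)
        print(f"{name}: {result.verdict} {result.reasons}")
```

These heuristics are deliberately coarse: they catch the filler that makes an exploit tolerant of address guessing, not the payload itself, and an attacker who varies the sled bytes or encoding will not match them. That is why a deployed engine layers several detectors (behavioral analysis, protocol analysis and exploit-payload blocking, as the slide lists) rather than relying on one signature.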
Agenda
• Who is X-Force?
• How can you protect?
• Conclusions
Conclusions
• Web Applications are the target of vulnerability research.
• The endpoint is the target of exploits.
• Multiple protection technologies give better granularity.
• Defense in depth is still mandatory.
• X-Force research is the way to stay “Ahead of the Threat™”.
X-Force R&D Drives IBM ISS Security Innovation

Research
• Protection Technology Research
• Threat Landscape Forecasting
• Malware Analysis
• Public Vulnerability Analysis
• Original Vulnerability Research

X-Force Protection Engines
• Extensions to existing engines
• New protection engine creation

X-Force XPUs
• Security Content Update Development
• Security Content Update QA

X-Force Intelligence
• X-Force Database
• Feed Monitoring and Collection
• Intelligence Sharing

Technology Solutions
Questions? Thank You
Dr. Jean Paul Ballerini
Sr. Technology Solutions Expert, X-Force Expert
IBM Internet Security Systems