Modern Cyber Threats – how yesterday’s mind set gets in the way of securing tomorrow’s critical infrastructure
Axel Wirth, Healthcare Solutions Architect, Distinguished Systems Engineer
AAMI 2013 Conference – ACCE Clinical Engineering Symposium
A Little History
Changing Threat Landscape
• The goal is to do damage, destroy, influence, reach political goals, or support a conventional attack.
Changing Threat Landscape – revisited
• Highly sophisticated
• Effectively unlimited financial resources
• Well-planned and executed with unprecedented levels of control.
Newest Motivation
Political
Espionage and Sabotage
TARGETED ATTACKS
Internet Security Threat Report 2013 :: Volume 18
Targeted Attacks in 2012
Targeted Attacks by Company Size
Greatest growth in 2012 is at companies with <250 employees
[Chart: targeted attacks by company size, 2012. 2,501+ employees: 50%; 1 to 2,500 employees: 50%, of which 1 to 250 employees: 31% (18% in 2011). The remaining bands (251 to 500, 501 to 1,000, 1,001 to 1,500, 1,501 to 2,500) account for 9%, 5%, 3% and 2% between them.]
Targeted attacks predominantly start as spear phishing attacks.
In 2012, watering hole attacks emerged (popularized by the Elderwood Gang).
Spear Phishing: send an email to a person of interest.
Watering Hole Attack: infect a website and lie in wait for them.
Steps of a Targeted Attack
1. Gather information from public sources (social media, etc.)
2. Target a few strategic persons (not only CEOs!)
3. Create a 0-day and backdoor, or use an existing one
– Send with a malicious document or by another method
4. Extract the desired information -> restart at 1) if needed
– Attacks often run unnoticed for multiple months
[Diagram: 1. Intelligence -> 2. Develop -> 3. Execute -> 4. Extract]
Effectiveness of Watering Hole Attacks
Watering hole attacks are targeted at specific groups and can capture a large number of victims in a very short time.
One watering hole attack in 2012 infected 500 companies, all within 24 hours.
Thwarting Targeted Attacks
Email & Web Gateway Filtering:
• Scan and monitor inbound/outbound email and web traffic and block accordingly
Encryption:
• Create and enforce security policies so all confidential information is encrypted
Removable Media Device Control:
• Restrict removable devices and functions to prevent malware infection
Data Loss Prevention:
• Discover data spills of confidential information that is targeted by attackers
• Detect and prevent exfiltration of confidential information that is targeted by attackers
Security Intelligence:
• Human intelligence regarding active and anticipated attack campaigns, targeted attacks, and emerging threats
Holistic Security Monitoring:
• Use the full capabilities of monitoring solutions to provide full visibility into security posture and events across the entire enterprise footprint
Incident Preparedness & Response:
• Ensure formal incident response capabilities are in place and fully tested
• Conduct periodic penetration tests and red-team exercises to evaluate defense and response capabilities from the perspective of an attacker
SPAM TRENDS
Spam has declined for the second year in a row (as a percentage of email).
Botnet takedowns continue to have an effect.
[Chart: Global Spam Rates 2011-2012, spam as a percentage of email, monthly from January 2011 to October 2012. Spam decline: 79% in January 2011, 69% in October 2012.]
The Risk of Spam Continues
• 1 in 414 emails is a phishing attack
• 1 in 283 emails is a malware attack
• of all email is spam
Thwarting Spam-borne Attacks: Defense
Layered Endpoint Protection:
• Use more than just AV – use the full functionality of endpoint protection, including heuristics, reputation-based, behavior-based and other technologies
• Restrict removable devices and turn off auto-run to prevent malware infection
Security Awareness Training:
• Ensure employees become the first line of defense against socially engineered attacks, such as phishing, spear phishing, and other types of attacks
Advanced Reputation Security:
• Detect and block new and unknown threats based on global reputation and ranking
Holistic Network Monitoring & Layered Defenses:
• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies
• Network protection is more than just blacklisting
Security Intelligence:
• Human intelligence regarding active and anticipated attack campaigns, targeted attacks, and emerging threats
Email & Web Gateway Filtering:
• Scan and monitor inbound/outbound email and web traffic and block accordingly
VULNERABILITIES
One group can significantly affect yearly numbers
The Elderwood Gang drove the rise in zero-day vulnerabilities
[Chart: Zero-Day Vulnerabilities, total volume per year 2006-2012: 2006: 13, 2007: 15, 2008: 9, 2009: 12, 2010: 14, 2011: 8, 2012: 14. The chart highlights the zero-days attributable to Stuxnet (4, in 2010) and to the Elderwood Gang.]
Our Websites are Being Used Against Us
• 61% of web sites serving malware are legitimate sites
• 25% have critical vulnerabilities unpatched
• 53% of legitimate websites have unpatched vulnerabilities
In 2012, one threat infected more than 1 million websites. Its payload was FakeAV.
The next time it’s likely to be ransomware.
http://money.msn.com/health-and-life-insurance/for-ransom-your-medical-records
http://www.nytimes.com/2013/05/13/us/cyberattacks-on-rise-against-us-corporations.html?pagewanted=all&_r=0
http://www.informationweek.com/security/attacks/hackers-hold-australian-medical-records/240144164?printer_friendly=this-page
Ransomware
• Average number of attacks seen from one threat in an 18-day period
• Number of criminal gangs involved in this cybercrime
• Estimated amount extorted from victims in 2012
Protecting Against Vulnerabilities: Defense
Advanced Reputation Security:
• Detect and block new and unknown threats based on global reputation and ranking
Layered Network Protection:
• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies
• Network protection is more than just blacklisting
Application Virtualization:
• Leverage application virtualization technologies to reduce risk when legacy web browsers and older versions of 3rd-party applications like Java or Adobe Reader must be used for compatibility reasons
Layered Endpoint Protection:
• Use more than just AV – use the full functionality of endpoint protection, including heuristics, reputation-based, behavior-based and other technologies
• Restrict removable devices and turn off auto-run to prevent malware infection
Vulnerability Management Program:
• Routine, frequent vulnerability assessments and penetration tests to identify vulnerabilities in applications, systems, and mobile devices
• Formal process for addressing identified vulnerabilities
Configuration & Patch Management Program:
• Ensure all operating system and application patches are evaluated and deployed in a timely manner
• Ensure adherence to formal, secure configuration standards
MOBILE TRENDS
Android Malware Growth
[Chart: Cumulative Android Families 2011-2012 (scale 0 to 200) and Cumulative Android Variants 2011-2012 (scale 0 to 5,000), monthly from January 2011 to October 2012.]
What Does Mobile Malware Do?
Mobile Threats by Type:
• Steal Information: 32%
• Traditional Threats: 25%
• Track User: 15%
• Send Content: 13%
• Adware/Annoyance: 8%
• Reconfigure Device: 8%
Information Stealing Malware
Android.Sumzand
1. User received an email with a link to download the app
2. Steals contact information
3. Harvested email addresses are used to spam the threat to others
Mitigating Mobile Threats
Mobile Application Management:
• Use application management capabilities to protect sensitive data in BYOD scenarios or where full MDM capabilities are undesirable
Content Security:
• Identify confidential data on mobile devices and use technologies to prevent future exposure
• Protect data from moving between applications
• Encrypt mobile devices to prevent lost devices from turning into lost confidential data
Identity and Access:
• Provide strong authentication and authorization for access to enterprise applications and resources
• Ensure safe access to enterprise resources from the right devices with the right postures
Device Management:
• Remotely wipe devices in case of theft or loss
• Update devices with applications as needed without physical access
• Get visibility and control of devices, users and applications
Device Security:
• Guard mobile devices against malware and spam
• Prevent the device from becoming a vulnerability
• Enforce compliance across the organization, including security standards & passwords
MAC MALWARE
Mac Malware Trend
[Chart: new Mac malware families per year, 2007-2012.]
10 new Mac families of malware in 2012
But in 2012, one Mac threat (Flashback) infected 600,000 machines.
Thwarting Mac Attacks: Defense
Security Awareness Training:
• Ensure employees become the first line of defense against socially engineered attacks, such as phishing, spear phishing, and other types of attacks
Layered Network Protection:
• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies
• Network protection is more than just blacklisting
Configuration & Patch Management Program:
• Ensure all operating system and application patches are evaluated and deployed in a timely manner
• Ensure adherence to formal, secure configuration standards
Layered Endpoint Protection:
• Use robust endpoint protection on your Macs – they are not immune to malware
Stay Informed
symantec.com/threatreport
Security Response Website
Twitter.com/threatintel
Thank you!
Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 04/13 21284433
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Axel Wirth
617 999 4035