UK CERT QUARTERLY UPDATE

QUARTERLY REPORT Apr – Jun 2014



Contents

Letter from the Director
Executive Summary
Trends per Sector
What next?
Tracking malicious activity in the UK
Case Study: Heartbleed
Threats
  Gameover ZeuS and Cryptolocker
  Internet Explorer 0-day
Focus-on: Non-CNI incidents
  Defending your infrastructure

CERT-UK was formally launched on 31st March 2014 and is the UK National Computer Emergency Response Team. We work closely with industry, government and academia to enhance UK cyber resilience, and are funded via the National Cyber Security Programme (NCSP).

CERT-UK has four main responsibilities that flow from the UK’s Cyber Security Strategy:

1. National Cyber Security Incident Management.
2. Support to Critical National Infrastructure companies to handle cyber security incidents.
3. Promoting cyber security situational awareness across industry, academia, and the public sector.
4. Providing the single international point of contact for co-ordination and collaboration between national CERTs.

All data in this report applies to April – June 2014.

Report ID: CUK-QRPT-01-14


Letter from the Director

Welcome to CERT-UK’s first Quarterly Report.

In the first 100 days since the formal launch of CERT-UK we have been busy engaging with stakeholders across industry, government and academia, building upon existing and developing new partnerships within the Cyber-security Information Sharing Partnership (CiSP), which now sits within CERT-UK, and dealing with ‘malicious activity’ (as you can see later in the report).

We have also celebrated the first anniversary of the launch of CiSP, which was established in March 2013, and we are proud to say that during July we surpassed our ministerial target of 500 companies joining the platform, 5 months early. This is a fantastic achievement and one that we are all very proud of at CERT-UK. We hope that as member numbers continue to increase so will the consistency and value of the information that is shared with the whole of the CiSP community.

Along with attracting new members to the CiSP platform, we have also increased our capacity in the Fusion Cell, with many industry colleagues interested and lined up to join. Having this wide variety of expertise, drawn from across industry and government, will allow us to push out more information through the CiSP platform as well as providing more products and services, like this Quarterly Report.

As this is the first in a series of reports, we are very keen to get your feedback and hear your thoughts so that we can build upon this start and continue to provide you with content and intelligence that helps you protect and secure your networks.

In this edition we look back at the Heartbleed vulnerability, review what sort of incident activity we have seen over the last quarter (and CERT-UK’s first quarter of course) as well as a threat update on various forms of malware, amongst much more.

Once again, I hope you find this Report useful and if you have any feedback or comments please do email them to us at [email protected].

Chris Gibson
Director, CERT-UK

CERT-UK is enhancing the UK’s Cyber Resilience


Executive Summary

Since CERT-UK launched on 31 March 2014, we have handled a wide variety of incident types, with many different root causes. The types of incident have generally been similar to those we were seeing in the first quarter of 2014, where the vast majority would have been prevented by following the UK Government’s 10 Steps to Cyber Security [1]. For the rest of the incidents, the guidance would have helped to limit the impact across the organisation. It is important to note that the information in this quarterly is based upon the incidents that have been reported to CERT-UK and so does not represent a complete picture of UK cyber health.

Key points from this quarter include:

- The Heartbleed vulnerability highlighted how important it is to have an accurate inventory of software installed on devices – and to keep abreast of vulnerabilities in that software.
- Malware related incidents accounted for over 25% of all incidents handled by CERT-UK.
- Reports to CERT-UK relating to social media account compromises and data loss were very low, presumably because these are normally reported to Law Enforcement and the Information Commissioner's Office (ICO).

CERT-UK’s primary purpose is to support the Critical National Infrastructure (CNI) – yet the majority of incidents handled this quarter are actually related to non-CNI infrastructure [2] (i.e. other infrastructure and systems in the UK). The vast majority of these incidents were ‘abuse’ reports (e.g. relating to phishing websites, networks sending spam emails, etc). Across the rest of the sectors it was a fairly even distribution of incidents, with the public and finance sectors comprising the next largest proportion of incidents reported.

[1] https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility
[2] This is how we currently categorise these incidents and will continue to refine this over time.

[Chart: Incidents by sector. Sectors shown: Academia, Defence, Energy, Financial Services, Govt/wider public sector, Professional Services, Supply chain, Transport, Water, Non-CNI Infrastructure. The percentages are tabulated in the Trends per Sector section.]


Malware continues to be a serious threat to businesses, identified as the root cause in over a quarter of all incidents that CERT-UK dealt with in the period April – June. Most businesses have anti-virus (AV) products deployed, but that alone will not completely protect businesses from adversaries. We continue to see malware evolving in sophistication to include advanced functionality to evade detection by AV products – which the AV vendors will swiftly move to counter in this long game of cat and mouse. Securely configuring end-point devices, whether desktop, laptop, tablet or mobile, can go a long way in preventing malware from compromising your network. The UK Government’s 10 Steps to Cyber Security [3] provides an overview of this and other mitigation steps that can be taken.

The Cyber-security Information Sharing Partnership (CiSP) [4] has continued to grow, building upon its successful first year with membership approaching 500 companies by the end of June. A large amount of outreach work, particularly to trade and membership bodies, has assisted in this effort. The UK Engagement team in CERT-UK is continuously working to enhance our existing relationships, as well as to establish the new relationships needed to achieve our responsibilities derived from the UK’s Cyber Security Strategy. We are always happy to demonstrate CiSP membership to individual companies and, most importantly, CiSP membership has no annual cost. For more information visit our website, https://www.cisp.org.uk

Following its integration into CERT-UK, CiSP has been able to take advantage of access to the CERT-UK incident handlers to provide a more seamless and effective response to customers – and vice versa. By using information on incidents handled by CERT-UK as an intelligence source, we are able to ensure that CiSP members are aware of new attacks as well as trends we may be spotting. In addition they may be given advance notice of operations to take down cyber-crime networks, like OP TOVAR which targeted the Gameover Zeus botnet. Likewise, the ability for incident handlers to have a dedicated communications channel directly with our industry members ensures that information flows freely between Government and industry.

[3] https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility
[4] https://www.cisp.org.uk

[Chart: Malware vs all other incident types. Malware 27%, all other incident types 73%.]

When the Heartbleed vulnerability was publicly disclosed, CiSP provided clear messaging regarding the vulnerability and what mitigation action to take. There was a huge amount of discussion on CiSP, with members contributing to the overall understanding as well as providing real-world views on its impact.

We have received evidence of many customers taking swift and effective action based on information provided, including a large British transport organisation who described the outputs from CiSP as ‘actionable and credible information that we used to support our infrastructure.’

As well as working to establish and enhance our existing UK relationships, the International Engagement team has been working to integrate itself into the international CERT community. High on the priorities list was building trusted CERT-to-CERT relationships – membership of the Forum of Incident Response and Security Teams (FIRST) [5] and of the European Government CERTs (EGC) Group has helped us to accomplish this. These efforts were conducted in parallel with bi-lateral discussions and representation at international conferences on cyber-security. Working to strengthen the international relationships has helped to ensure that CERT-UK is readily able to connect with cyber security experts around the globe, helping us to do our part in keeping the UK safe in cyber space [6].

[5] http://www.first.org/
[6] https://www.gov.uk/government/policies/keeping-the-uk-safe-in-cyberspace


Trends per Sector

As mentioned, this quarter just over half of the incidents handled by CERT-UK have related to non-CNI infrastructure. For the most part this takes the form of abuse reporting, which is reported to CERT-UK by affected parties either in the UK or internationally. CERT-UK will then verify that the reported abuse is occurring within the UK and work with the hosting provider or Internet Service Provider (ISP) to rectify the issue. The rest of the incidents handled are then split fairly evenly, with the Public Sector and the Financial Services slightly ahead in the number of incidents reported.

All of these statistics are derived from information about the number of incidents reported to CERT-UK directly and do not take into account incidents reported or handled through CiSP. Incidents reported via CiSP are handled by the community on CiSP – augmented by the Fusion Cell – allowing originators to solve the incidents themselves. This may help to explain why some of the sector incident counts are so low. As an example, the Defence sector represents a small proportion of the incidents handled directly by CERT-UK, but is well represented on the CiSP environment. This low reporting rate can also be attributed to the growing maturity of that sector. Other sectors such as Retail and Health are currently under-represented on CiSP and we are working to further develop these links and associated situational awareness. To address this, the UK Engagement team is now focussing on engaging with these sectors to improve our knowledge of the issues they are facing.

Incidents by sector, April – June 2014:

  Sector                       Share of incidents
  Academia                      4%
  Defence                       1%
  Energy                        4%
  Financial Services           11%
  Govt/wider public sector     13%
  Professional Services         5%
  Supply chain                  7%
  Transport                     3%
  Water                         1%
  Non-CNI Infrastructure       51%

Non-CNI infrastructure is how CERT-UK currently categorises incidents that are outside of our core mission, the CNI. We will continue to refine this over time.


Incident Types

Malware reports made up the largest proportion of incidents that CERT-UK handled in May and June, and were the third largest in April. A number of these relate to CERT-UK passing information from one of our national, or international, partners to an infected organisation. CERT-UK is then able to provide further advice and guidance to the victim depending on their cyber maturity level. Some organisations are able to handle the incident through existing capabilities, while others decide to bring in a Cyber Incident Response (CIR) [7] certified company to assist them.

Throughout this quarter, Denial of Service (DoS) attacks have maintained a steady but low level of reporting. CERT-UK believes that this indicates a maturing response to this type of threat. DoS attacks have risen in prominence over the last few years, and the mitigation advice relating to them is well established. The low level of incident reports received by CERT-UK could be indicative that businesses are now well prepared to mitigate this attack, and so no longer need to seek assistance if afflicted by a DoS attack. Whether this trend continues through the next quarter remains to be seen.

[7] http://www.cesg.gov.uk/servicecatalogue/service_assurance/CIR/Pages/Finding-a-Service-Provider.aspx

[Chart: Incident types by month, April, May and June. Categories: Vulnerability, Website vulnerability, Attacker infrastructure, Network - compromise of infrastructure, Unsecured infrastructure, Abuse - credentials, Denial of service, Malware, Social media account compromised, Spear phishing, SPAM/Phishing, Data loss. Malware reports made up the largest proportion of incidents in May and June.]

Vulnerability reports accounted for a large amount of the incidents recorded in April, but dropped to a fraction of that amount during May and June. Heartbleed was a primary contributor to the spike in April, as CERT-UK handled incidents associated with, or believed to be associated with, this vulnerability. Website vulnerabilities include reporting of sites vulnerable to, for example, Cross-Site Scripting (XSS) and SQL injection. While reporting to CERT-UK accounted for 7% of the incidents in April, it dropped to 0% for May before recovering slightly in June. It is important that all businesses ensure that their external web-facing presences are securely coded and routinely tested for vulnerabilities. Securely coding sites from the development stages ensures that security is built in, rather than an add-on. Routine tests for site vulnerabilities are important, as they ensure that any third-party plugins used are not lowering the overall security of the site. It is as important to ensure that any website plugins are patched and up-to-date as it is to ensure that the host operating system is patched and up-to-date.

Attacker infrastructure (i.e. the website or IP address is hosting some malicious script that an adversary is using to attack someone else, or perhaps is serving as a controlling node for infected clients) was reasonably consistent this quarter and the majority of reports related to abuse notifications. Compromise of infrastructure showed similar consistency, but these incidents relate to reports of websites hosting phishing webpages – either a legitimate site compromised to host the phishing page, or a site dedicated to phishing activity. Unsecured infrastructure had a low proportion of the incident reports, but was consistent across the quarter; these are incidents where a vulnerability has been detected, but may not have been exploited, such as an open mail relay or insecurely configured Network Time Protocol (NTP) service.

Reports of credential abuse were consistent through May and June, although we handled no incidents related to this in April. Where feasible, CERT-UK aims to ensure that if we receive notification of compromised account information, it is passed to the affected organisation.

The volume of spear-phishing reports peaked in May, before completely disappearing in June. It is not unusual to see spikes in activity coupled with a near absence of reporting following the spear-phishing ‘wave’ as the attacker looks to exploit the successfully compromised recipients further.

Nearly 40% of incidents in April were related to vulnerabilities.


What next?

Based on the information from April – June, over the next quarter (July – September) we would expect to see malware continuing to be the most prevalent threat. Infrastructure and credential abuse are likely to remain high on our activity list.

There are measures businesses can take to prevent (or at least limit) the frequency and impact of these events. One important strategy is to ensure that board or senior executives are aware of, and understand why, cyber security is important to their business. UK Government has resources that can help with this, such as the 10 Steps to Cyber Security [8], Cyberstreetwise.com [9] and the Cyber Essentials scheme [10].

[8] https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility
[9] https://www.cyberstreetwise.com
[10] https://www.gov.uk/government/publications/cyber-essentials-scheme-overview

Tracking malicious activity in the UK

On CiSP, CERT-UK routinely publishes a list of the ‘command and control’ (C2) servers that we see being used by malware. This list is produced by the Fusion Cell and is aggregated from all of our feeds of commercial and non-commercial information. Using a specialist tool, we are able to take in over 250,000 reports of ‘abuse’ information that has been traced to the UK, every day. The ‘abuse’ could be anything from a botnet infected client to an IP address in the UK launching automated scans across the internet.

In addition to using this information to produce a list of C2 servers that businesses can use to identify malicious activity on their networks, CERT-UK provides an automated alerting system for free to CiSP members. As the abuse reports are automatically processed by the system, they are checked against the network information that members have provided to us. This could be in the form of IP addresses, autonomous system numbers (ASN) or domain names. Should the system correlate a report of abuse with a member’s network information, an automatic email alert is sent to the listed point of contact. The email alert contains as much information as we are able to provide, but as a minimum will provide sufficient basic information to start an internal investigation to locate the ‘abuse’. Feedback from members that are using this service has been very positive.

This service should not be used as a replacement for any internal security monitoring and best practice though, as monitoring on your own networks should always provide superior detection. This is an additional free service that CERT-UK offers to CiSP members that we hope provides further assurance that their network defences are working as expected. If the system does not match any abuse to a member’s network information, then no email is sent; however if it does match, members can use the alert to quickly identify whether there is an issue.

CERT-UK processes over 250,000 reports of ‘abuse’ every day.
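The correlation step described above, as an added example written for this edition (it is not CERT-UK's alerting system and makes no claim about how that system is built): members register IP prefixes, ASNs and domain names; each incoming abuse report carries an IP and, where known, an ASN and a domain; a report that touches any registered asset yields one alert addressed to that member's point of contact, and a report that touches nothing yields no alert at all. The Member class, match_report, process_feed, and every address, ASN, domain and mailbox in the sample data are constructed for the example using documentation ranges.

```python
"""Correlate abuse reports with the network details members have registered.

Added example written for this edition, not CERT-UK's alerting system. Member
records hold IP prefixes, ASNs and domain names; every report names an IP and
may carry an ASN and a domain. A report that touches any registered asset
produces one alert for that member's point of contact; reports touching nothing
produce no alert at all. All addresses, ASNs, domains and mailboxes below are
constructed from documentation ranges (RFC 5737 prefixes, RFC 5398 ASNs).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    contact: str                                   # mailbox that receives alerts
    prefixes: list = field(default_factory=list)   # CIDR strings, e.g. "203.0.113.0/24"
    asns: set = field(default_factory=set)         # autonomous system numbers
    domains: set = field(default_factory=set)      # registered domains; subdomains match too


def domain_owned(reported: str, owned: set) -> bool:
    """True when the reported host is one of the owned domains or sits beneath one."""
    host = reported.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned)


def match_report(report: dict, members: list) -> list:
    """Alerts for a single abuse report, one per member whose assets it touches."""
    ip = ipaddress.ip_address(report["ip"])
    alerts = []
    for m in members:
        reasons = []
        if any(ip in ipaddress.ip_network(p) for p in m.prefixes):
            reasons.append(f"ip {ip} is inside a registered prefix")
        if report.get("asn") in m.asns:
            reasons.append(f"asn {report['asn']} is registered to the member")
        if report.get("domain") and domain_owned(report["domain"], m.domains):
            reasons.append(f"domain {report['domain']} is registered to the member")
        if reasons:   # no match on any asset means no email for this member
            alerts.append({"to": m.contact, "member": m.name, "category": report["category"],
                           "observed": report["observed"], "ip": str(ip), "reasons": reasons})
    return alerts


def process_feed(reports: list, members: list) -> list:
    """Run every report through the matcher; the alert list is what would be emailed."""
    alerts = []
    for report in reports:
        alerts.extend(match_report(report, members))
    return alerts


# Constructed member records
MEMBERS = [
    Member("Example Transport Ltd", "soc@example-transport.co.uk",
           prefixes=["203.0.113.0/24"], asns={64496}),
    Member("Example Bank plc", "csirt@example-bank.co.uk",
           asns={64497}, domains={"example-bank.co.uk"}),
]

# Constructed abuse feed: three reports touch member assets, the last touches none
SAMPLE_REPORTS = [
    {"ip": "203.0.113.45", "category": "botnet-infection", "observed": "2014-06-02T08:14Z"},
    {"ip": "198.51.100.7", "asn": 64497, "category": "scanning", "observed": "2014-06-02T09:30Z"},
    {"ip": "192.0.2.99", "domain": "shop.example-bank.co.uk", "category": "phishing-site",
     "observed": "2014-06-02T10:05Z"},
    {"ip": "192.0.2.200", "category": "spam-source", "observed": "2014-06-02T11:00Z"},
]

if __name__ == "__main__":
    for alert in process_feed(SAMPLE_REPORTS, MEMBERS):
        print(f"alert to {alert['to']}: {alert['category']} at {alert['ip']} "
              f"({'; '.join(alert['reasons'])})")
```

Running the module prints three alerts and stays silent on the fourth report, which mirrors the behaviour the report describes: no match, no email. Matching on the domain suffix rather than exact equality is a deliberate choice so that a phishing page on a subdomain still reaches the owner of the parent domain.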


Case Study: Heartbleed

On 7 April a vulnerability disclosure by the OpenSSL team quickly gained worldwide attention in the technical press as well as significant coverage in the mainstream media. What made Heartbleed garner such widespread attention, and was it justified?

OpenSSL is integrated into many different operating systems and software applications. As an open-source software library, OpenSSL is maintained by a worldwide community of volunteers who contribute their time and knowledge to developing and supporting the development of the OpenSSL library.

A small change to the code in December 2011 included an unnoticed bug in the Heartbeat Extension for OpenSSL. The Heartbeat Extension allows “the usage of keep-alive functionality without performing a renegotiation” [11], and is a defined part of the Internet Standards. The bug introduced a buffer over-read vulnerability, which allowed anyone communicating with a vulnerable device to request more information than would otherwise be possible. The extra information returned was discovered to contain information from the device’s memory. If enough requests were made it was possible to reconstruct the memory fragments into their original file. In a typical client-server exchange, as might occur if you did online shopping for example, it would be possible to retrieve files currently held in the server’s memory. This could include personal information such as usernames and passwords – anything that had been communicated to the server was potentially available.
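An added illustration of the over-read just described, written for this edition and not taken from OpenSSL's source: a heartbeat message carries a type byte, a two-byte payload length, the payload and at least 16 bytes of padding (RFC 6520). A responder that trusts the stated length copies that many bytes from wherever the payload sits in memory, so a request whose stated length exceeds the bytes actually sent is answered with whatever lies beyond it. The bounds-checked responder applies the rule the fix enforces: if the stated payload plus the mandatory padding does not fit inside the record that arrived, the request is silently discarded. The "memory" is a constructed bytearray, the "secret" string is constructed stand-in data, and build_heartbeat, respond_unchecked, respond_checked and simulate are names chosen for this example.

```python
"""Heartbeat handling: the unchecked length read beside the bounds-checked version.

Added example written for this edition, not OpenSSL's code. Process memory is a
constructed bytearray so the over-read can be shown without a real TLS stack.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3          # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16        # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload: bytes, claimed_length=None) -> bytes:
    """Encode a heartbeat request; claimed_length lets the caller misstate the size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(memory: bytearray, record_start: int, record_len: int) -> bytes:
    """Trusts the length field and ignores record_len: the defect in miniature."""
    _hb_type, length = struct.unpack_from("!BH", memory, record_start)
    payload_at = record_start + HEADER_LEN
    echoed = bytes(memory[payload_at:payload_at + length])   # may run past the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + echoed


def respond_checked(memory: bytearray, record_start: int, record_len: int):
    """Patched behaviour: stated payload plus padding must fit inside the record."""
    if record_len < HEADER_LEN:
        return None                                  # not even a type and length
    hb_type, length = struct.unpack_from("!BH", memory, record_start)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + length + MIN_PADDING > record_len:
        return None                                  # silently discard, as the fix does
    payload_at = record_start + HEADER_LEN
    echoed = bytes(memory[payload_at:payload_at + length])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + echoed


def simulate(claimed_length=None):
    """Place a request in a constructed memory image next to other data and answer it both ways."""
    # Constructed stand-in for data from other connections that happens to sit after the record
    neighbour = b"session-cookie=abc123; password=hunter2"
    request = build_heartbeat(b"ping", claimed_length)
    memory = bytearray(request + neighbour)
    record_len = len(request)                        # what the TLS layer actually received
    return (respond_unchecked(memory, 0, record_len),
            respond_checked(memory, 0, record_len))


if __name__ == "__main__":
    honest_unchecked, honest_checked = simulate()
    print("honest request, both responders:", honest_unchecked == honest_checked)
    lying_unchecked, lying_checked = simulate(claimed_length=40)
    print("misstated length, unchecked responder leaks neighbouring bytes:",
          b"session-cookie" in lying_unchecked)
    print("misstated length, checked responder answers:", lying_checked)
```

For an honest request the two responders agree; for a request whose stated length is 40 while only 4 bytes of payload were sent, the unchecked responder returns 40 bytes starting at the payload, which run through the padding and into the neighbouring data, while the checked responder returns nothing. The check compares against the record length the transport reported, never against the length the peer claimed, which is the whole point of the fix.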

Heartbleed was discovered independently by two different companies, both of which responsibly disclosed it to the OpenSSL project so they could fix the code and issue a software patch. One of these companies, Codenomicon, also registered the heartbleed.com domain, designed to raise awareness of the issue and provide information on action to take. Within hours, the online community was feverishly dealing with the implications of Heartbleed, and reacting to the revelations that the bug had been present for so long without anyone noticing it.

OpenSSL is a library that allows developers to easily implement some of the secure protocols that underpin the operation of the Internet – in this case SSL and TLS.

[11] https://tools.ietf.org/html/rfc6520

Websites were quick to react to the implications of Heartbleed by patching their servers in quick succession and alerting their users. Due to this vulnerability, and how long it may have been present, many websites (and later media reporting) advised users to change their passwords. This response was only effective, of course, once the website had patched all of their servers – otherwise users would need to reset their password again once the servers had been patched.

Another impact of Heartbleed was that many vulnerable servers had also potentially exposed the private key to the encryption certificate. This is the certificate that allows you to verify that the website you are visiting is legitimate, and that your connection to it is secure. If an attacker was able to gain a copy of the private key they would be able to impersonate the website, or eavesdrop on your ‘secure’ interactions with the site. This saw the largest simultaneous revocation and reissue of certificates the Internet had ever seen.

CERT-UK issued a number of alerts about Heartbleed, updating our advice as more information became available. On CiSP, more detailed technical information was shared and a dedicated ‘Heartbleed’ section was established to bring all of the information together in one place. Members actively exchanged information between themselves, and one of the most popular discussions was the exchange of IP addresses that had been detected scanning for servers vulnerable to the Heartbleed vulnerability. This allowed our members to proactively monitor who was scanning their networks, as well as blocking them if they chose to do so.

Even now, three months after Heartbleed was publicised, there are still a number of servers out there which have not been patched. While the number will likely continue to fall over time, the remaining unpatched servers are at significant risk from attackers. As an example, an international revenue collection agency was hacked shortly after Heartbleed was made public with 900 social insurance numbers being stolen. National law enforcement quickly arrested the perpetrator.


A unique combination of events made Heartbleed into the headline-grabbing story that it was. Combining a long-present vulnerability with an immediate and widespread reaction from the technical community made Heartbleed particularly newsworthy. There has also been discussion around the impact the Heartbleed logo had on media reporting, as vulnerabilities rarely have their own logo to identify them by. This is not to say that the attention was unwarranted – but there are many other vulnerabilities being disclosed on a daily basis, each with their own risks and mitigation actions. If you patched your systems for Heartbleed, are you also patching for these other vulnerabilities?


Threats

Gameover ZeuS and Cryptolocker

Operation TOVAR was the international effort to tackle the Gameover ZeuS peer-to-peer botnet, which is also responsible for distributing Cryptolocker ransomware. Gameover ZeuS is a banking trojan that aims to steal banking and other sensitive private information. If this fails to deliver significant financial information, the criminals can deploy Cryptolocker, which encrypts the personal files on your computer and then attempts to extort money out of you in return for the decryption key. Without the key the files are permanently locked and the only way to recover the contents is from backup files.

The global effort to disrupt the botnet saw the temporary disruption of the domains that the criminals used to control the malware. This provided an opportunity for infected clients to be cleaned and the systems updated to protect against reinfection.

The National Crime Agency led the UK effort in the global operation. Partnering with Get Safe Online, a dedicated page provided information and explanations, as well as links to tools that would scan to determine if you were infected as well as cleaning up infected hosts. Get Safe Online also provided useful advice about how the malware spreads and how you can defend yourself against it.

CERT-UK participated in the information sharing campaign, raising awareness of the event and hosting a copy of the advice and links to the clean-up tools. Additionally we received and processed the sinkhole data, which we then distributed to Internet Service Providers (ISPs) to allow them to assist their customers who had been infected. On CiSP, we have a dedicated area providing the latest information on the Gameover ZeuS malware, allowing members to further protect themselves.

While this co-ordinated international action will no doubt have a significant impact on the criminals behind this malware, it will do little to help those that have already fallen victim to this and other ‘crimeware’. For commercial organisations, the impact of ransomware cannot be underestimated. User education about cyber risks, along with robust security controls and a proven incident management capability, will help businesses to minimise the risk from, and impact of, crimeware like Gameover ZeuS and Cryptolocker.

Internet Explorer 0-day

On 1st May 2014, Microsoft released a security update to address a vulnerability impacting all versions of Internet Explorer. Microsoft release their software updates on the second Tuesday of each month, Update Tuesday, allowing businesses to plan their testing and deployment cycles accordingly. Microsoft will generally issue any other security updates needed for vulnerabilities when a higher risk warrants an exception to the existing monthly update schedule.

In this particular case, FireEye disclosed to Microsoft that they had detected this vulnerability being used in very limited targeted attacks by a known and persistent cybercriminal group. Within a short period of time, FireEye publicly disclosed details highlighting this vulnerability. Microsoft responded quickly to ensure customers knew that they were actively investigating the issue and reviewing various options to help protect them.

Despite the much publicised end-of-support for Windows XP in April 2014, Microsoft took the unusual decision to provide an update for customers still running on the unsupported operating system, while encouraging them to migrate to a modern operating system.

On CiSP, members actively shared the information they had on any attacks using this vulnerability, with CERT-UK providing additional information aggregated from across all of our data sources and the partners that we work with. This allowed members to act quickly in protecting their own networks.


Focus-on: Non-CNI incidents

CERT-UK has a primary focus towards protecting the Critical National Infrastructure (CNI), but from the statistics of the incidents that have been handled this quarter, over 50% were deemed to be “non-CNI Infrastructure”. For us, this is any infrastructure (e.g. a website or IP address) that does not belong to one of our customers on the list of CNI as defined by the UK Government [12].

As the international cyber point of contact for the UK, CERT-UK receives numerous reports about abuse occurring within the UK. This could be identified by domain (e.g. something.co.uk or badness.org.uk), or by an IP address listed as originating in the UK (e.g. 62.172.97.230). Many of these reports are passed directly to the ‘abuse’ contact listed in the WHOIS information for a website. This can be the domain registrar or the hosting provider, who will act in accordance with their terms and conditions. If the abuse persists, follow-up emails may be sent, but this time copied to CERT-UK to inform us of the abuse. Where feasible, CERT-UK will work with our partners and industry contacts to try and resolve the incident. This could involve working with the contacts that we have through CiSP at relevant organisations, such as Internet Service Providers (ISPs) or domain registrars.
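The routing decision described above, as an added example written for this edition (not CERT-UK tooling): given WHOIS output for the reported domain or IP, pull out the published abuse mailbox and decide whether the report goes to that contact, needs escalating via the hosting provider or ISP because no contact is published, or belongs with another country's national CERT. The WHOIS texts are constructed samples in the usual key: value layout (registrar style for the domain, RIPE style for the IP), the field names in ABUSE_KEYS are the ones those registries commonly publish, and treating a .uk domain or an IP whose WHOIS country is GB as "within the UK" is an assumption made for the example.

```python
"""Pull the abuse contact out of WHOIS output and decide where a report goes.

Added example written for this edition, not CERT-UK tooling. The WHOIS texts are
constructed samples in the usual 'key: value' layout. Treating a .uk domain, or
an IP whose WHOIS country is GB, as 'within the UK' is an assumption.
"""
import ipaddress
import re

# Field names under which registrars and regional registries publish an abuse mailbox
ABUSE_KEYS = ("abuse-mailbox", "registrar abuse contact email", "orgabuseemail")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def parse_whois(text: str) -> dict:
    """Map lower-cased field names to every value seen; comment lines (% or #) are skipped."""
    fields = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("%", "#")) or ":" not in stripped:
            continue
        key, value = stripped.split(":", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def abuse_contact(fields: dict):
    """First syntactically valid mailbox found under a known abuse key, else None."""
    for key in ABUSE_KEYS:
        for value in fields.get(key, []):
            if EMAIL_RE.fullmatch(value):
                return value
    return None


def is_uk(identifier: str, fields: dict) -> bool:
    """Assumption for the example: .uk domains and GB-registered IP ranges count as UK."""
    try:
        ipaddress.ip_address(identifier)
    except ValueError:                               # not an IP, so treat it as a domain name
        return identifier.lower().rstrip(".").endswith(".uk")
    return "GB" in {c.upper() for c in fields.get("country", [])}


def route_report(identifier: str, whois_text: str) -> dict:
    """Decide the next hop for an abuse report about a domain or IP."""
    fields = parse_whois(whois_text)
    uk = is_uk(identifier, fields)
    contact = abuse_contact(fields)
    if not uk:
        action = "refer to the national CERT for the country shown in WHOIS"
    elif contact:
        action = f"send report to {contact}; copy CERT-UK if the abuse persists"
    else:
        action = "no abuse contact published; escalate through hosting provider or ISP"
    return {"identifier": identifier, "uk": uk, "contact": contact, "action": action}


# Constructed samples; none of these records or mailboxes is real registry data
DOMAIN_WHOIS = """\
% Constructed sample, registrar-style output
Domain Name: badness.org.uk
Registrar: Example Registrar Ltd
Registrar Abuse Contact Email: abuse@example-registrar.co.uk
Registrant Country: GB
"""
IP_WHOIS = """\
% Constructed sample, RIPE-style output
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-HOSTING
country:        GB
abuse-mailbox:  abuse@example-hosting.co.uk
"""
FOREIGN_WHOIS = """\
% Constructed sample for a range registered outside the UK
inetnum:        198.51.100.0 - 198.51.100.255
country:        DE
abuse-mailbox:  abuse@example-hoster.example
"""

if __name__ == "__main__":
    for ident, text in (("badness.org.uk", DOMAIN_WHOIS), ("203.0.113.45", IP_WHOIS),
                        ("198.51.100.7", FOREIGN_WHOIS)):
        print(route_report(ident, text)["action"])
```

The mailbox check is a syntax check only; a published abuse address can still bounce, which is one reason the report keeps CERT-UK and CiSP contacts at ISPs and registrars as the fallback route.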

‘WHOIS’ allows the querying of detail about a domain or IP address, and can also provide information about the registrant, including technical and abuse contact addresses. Since the start of this year, ICANN (the body responsible for co-ordinating the global internet addresses) has instructed domain registrars to validate WHOIS information in an effort to combat spam and phishing.

If the reported abuse is in relation to a crime, such as fraud, CERT-UK will advise the originator to report it via Action Fraud (www.actionfraud.police.uk). Other national CERTs also contact CERT-UK looking to work with us in tackling abuse originating in the UK which is affecting their country. In one example of this, an international CERT engaged us seeking assistance with a Distributed Denial of Service (DDoS) attack, where some of the attacking infrastructure had been attributed to the UK. We were able to associate the activity to an organisation, and identified a point of contact there who would be able to progress the incident investigation. Initial analysis indicated that the DDoS activity was the result of an insecurely configured NTP server.

[12] http://www.cpni.gov.uk/about/cni/
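The insecurely configured NTP server in this example, and the "unsecured infrastructure" category in the Incident Types section, both come down to a time server that answers control queries (the monlist query in particular) for anyone on the internet, which is what lets it be turned into a reflector. An added example written for this edition, not CERT-UK tooling, that audits an ntpd-style ntp.conf for that condition: the 'restrict default' line should carry noquery (refuse mode 6/7 control queries from everyone) and nomodify, and 'disable monitor' switches off the monlist data collection as defence in depth. Those three checks are the example's own baseline, not a standard the report cites; the two configurations are constructed, and parse_ntp_conf and audit_ntp_conf are names chosen here.

```python
"""Audit an ntpd-style ntp.conf for the open-query settings behind NTP amplification.

Added example written for this edition, not CERT-UK tooling; the two configs
below are constructed. The baseline it checks is an assumption about sensible
hardening: 'restrict default' should carry noquery and nomodify, and
'disable monitor' should be present.
"""


def parse_ntp_conf(text: str):
    """Yield (keyword, args) for every directive, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def audit_ntp_conf(text: str) -> list:
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    default_restricts = []
    monitor_disabled = False
    for keyword, args in parse_ntp_conf(text):
        if keyword == "restrict":
            flags = [a for a in args if a not in ("-4", "-6")]   # address-family selectors
            if flags[:1] == ["default"]:
                default_restricts.append(set(flags[1:]))
        elif keyword == "disable" and "monitor" in args:
            monitor_disabled = True

    if not default_restricts:
        findings.append("high: no 'restrict default' line, so any client may send control queries")
    for flags in default_restricts:
        if "noquery" not in flags:
            findings.append("high: 'restrict default' lacks noquery, so monlist and other "
                            "control queries are answered for anyone")
        if "nomodify" not in flags:
            findings.append("medium: 'restrict default' lacks nomodify, so remote run-time "
                            "configuration changes are allowed")
    if not monitor_disabled:
        findings.append("low: monitor facility still enabled, add 'disable monitor' as defence in depth")
    return findings


# Constructed sample: a server that will answer control queries from the whole internet
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
restrict default kod
restrict 127.0.0.1
"""

# Constructed sample: the same server with the baseline applied
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery   # serve time only
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or ["ok"])
```

The weak configuration still serves time to clients (the 'server' lines and the loopback restrict are untouched); what the hardened one removes is the ability of any remote host to ask the daemon about itself, which is the query that gets amplified.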

CERT-UK is not just the recipient of these reports – we work on behalf of the entire country to ensure that other nations are similarly dealing with network abuse in their countries. The type of work we engage in with our counterpart national CERTs can range from sharing details of abuse gathered from across the entirety of CiSP, to requesting specific action for a single incident that has been reported to us. We have established a number of strong international partnerships to help facilitate this work, as well as allowing us to explore other mutually beneficial topics of work and improving our situational awareness by exchanging information.

Looking at the incidents we have dealt with relating to non-CNI infrastructure, we can see that the majority of incidents are regarding ‘attacker infrastructure’, i.e. the website or IP address is hosting some malicious script that an adversary is using to attack someone else, or perhaps is serving as a controlling node for infected clients. The adversary could be anyone, from the ‘script kiddie’ level right through to sophisticated cyber criminals.

[Chart: Non-CNI Infrastructure incidents by type. Categories: Website vulnerability, Attacker infrastructure, Network - compromise of infrastructure, Unsecured infrastructure, Abuse - credentials, Denial of service, Malware, Spear phishing, SPAM/Phishing.]


The next two largest segments relate to malware and the compromise of infrastructure. Incidents categorised as ‘malware’ indicate that the website is actively serving up malicious software to visitors of the site – whereas a compromise of infrastructure incident could mean that the site has been defaced or similar.

Defending your infrastructure

For many of these incidents it was found that attackers gained access to the server in generally one of two ways:

1. Weak passwords on administrator accounts
2. Unpatched software, including website plugins

Defending against either of these is simple and straightforward – use strong and unique passwords for administrator accounts and ensure that all software is kept patched and up-to-date, including any plugins that may be used (e.g. WordPress Plugins).
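Keeping plugins and the host patched, and the Executive Summary's point that Heartbleed rewarded organisations with an accurate software inventory, both need the same thing in practice: a list of what is installed, with versions, matched against advisories by version range. An added example written for this edition, not CERT-UK tooling, that does that matching: parse_version orders dotted versions with an optional trailing letter (the OpenSSL patch-level style), is_affected treats an advisory's fixed_in version as exclusive, and find_exposed lists every host and package that an advisory covers. The inventory rows and the plugin advisory are constructed placeholders; the OpenSSL range is a known fact (Heartbleed affected 1.0.1 up to and including 1.0.1f, with 1.0.1g carrying the fix).

```python
"""Match a software inventory against vulnerability advisories by version range.

Added example written for this edition; it is not CERT-UK tooling. The inventory
rows and the plugin advisory are constructed placeholders. The OpenSSL range is a
known fact: Heartbleed affected 1.0.1 through 1.0.1f, and 1.0.1g carried the fix.
"""
import re


def parse_version(v: str) -> tuple:
    """'1.0.1f' -> ((1, 0, 1, 0), 'f'); '2.8.11' -> ((2, 8, 11, 0), '').

    Numbers are padded to four places so '1.0.1' and '1.0.1.0' compare equal; the
    trailing letter (OpenSSL patch level) sorts after the bare number.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * max(0, 4 - len(nums))
    return (nums, m.group(2))


def is_affected(version: str, advisory: dict) -> bool:
    """Affected when affected_from <= version < fixed_in (fixed_in is exclusive)."""
    ver = parse_version(version)
    return parse_version(advisory["affected_from"]) <= ver < parse_version(advisory["fixed_in"])


def find_exposed(inventory: list, advisories: list) -> list:
    """One row per (host, product, version) that some advisory covers."""
    exposed = []
    for item in inventory:
        for adv in advisories:
            if item["product"] == adv["product"] and is_affected(item["version"], adv):
                exposed.append({"host": item["host"], "product": item["product"],
                                "version": item["version"], "advisory": adv["name"],
                                "upgrade_to": adv["fixed_in"]})
    return exposed


ADVISORIES = [
    # Real range: Heartbleed affected OpenSSL 1.0.1 to 1.0.1f; 1.0.1g fixed it
    {"name": "Heartbleed (OpenSSL Heartbeat over-read)", "product": "openssl",
     "affected_from": "1.0.1", "fixed_in": "1.0.1g"},
    # Invented placeholder advisory for an invented plugin name
    {"name": "PLACEHOLDER-PLUGIN-ADVISORY (constructed)", "product": "wp-plugin-exampleform",
     "affected_from": "0", "fixed_in": "2.3.1"},
]

# Constructed inventory; hosts and versions chosen to exercise each branch
INVENTORY = [
    {"host": "web01", "product": "openssl", "version": "1.0.1e"},               # affected
    {"host": "web02", "product": "openssl", "version": "1.0.1g"},               # fixed release
    {"host": "web03", "product": "openssl", "version": "1.0.2"},                # later branch
    {"host": "mail01", "product": "openssl", "version": "0.9.8y"},              # older branch, no heartbeat
    {"host": "web01", "product": "wp-plugin-exampleform", "version": "2.2.9"},  # affected
    {"host": "web03", "product": "wp-plugin-exampleform", "version": "2.3.1"},  # fixed release
]

if __name__ == "__main__":
    for row in find_exposed(INVENTORY, ADVISORIES):
        print(f"{row['host']}: {row['product']} {row['version']} -> {row['advisory']}, "
              f"upgrade to {row['upgrade_to']}")
```

Two rows come out: web01's OpenSSL and web01's plugin. The inventory has to name the library as it is actually linked on each host, which is the part that caught organisations out in April: a web server can carry its own copy of OpenSSL separate from the operating system's, and an inventory that lists only the OS package misses it.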

The 10 Steps to Cyber Security [13] provides an excellent reference for ensuring that you have considered all the necessary points when trying to protect your network, whilst cyberstreetwise.com has a ‘business health check’ quiz which allows businesses to informally assess themselves. The Cyber Essentials Scheme [14] is a more formalised assessment which, once completed, allows businesses to display a Cyber Essentials Badge, indicating compliance with this government endorsed standard.

CERT-UK ensures that the latest information about attacker trends and patterns is shared on CiSP, and we encourage members to share any new or emerging threat behaviours that they observe with the whole community, so everyone can benefit.

[13] https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility
[14] https://www.gov.uk/government/publications/cyber-essentials-scheme-overview


www.cert.gov.uk

@CERT_UK

A CERT-UK PUBLICATION

COPYRIGHT 2014 ©