Follow the Money, Follow the Crime

© 2012 IBM Corporation
IBM Security Systems
1© 2013 IBM Corporation
Follow the Money, Follow the Crime
19th March 2014

Agenda
 IBM X-Force Threat Intelligence Quarterly 1Q 2014
– Michael Hamelin, Lead X-Force Security Architect
CTO Office, IBM Security Systems
 Protecting Enterprise Endpoints against Advanced Malware with Trusteer Apex
– Dana Tamir, Director of Enterprise Security
Trusteer, an IBM Company
 Connect with IBM Security
 Questions?

IBM X-Force Threat Intelligence Quarterly
1Q 2014
Michael Hamelin
Lead X-Force Security Architect
CTO Office, IBM Security Systems

X-Force is the foundation for advanced security and
threat research across the IBM Security Framework

At IBM, the world is our security lab
v13-016,000+
IBM researchers,
developers, and
subject matter experts
focused on security
3,000+
IBM
security
patents
Security Operations Centers
Security Research and Development Labs
Institute for Advanced Security Branches

6
Collaborative IBM teams monitor and analyze
the changing threat landscape
Coverage
20,000+ devices
under contract
3,700+ managed
clients worldwide
15B+ events
managed per day
133 monitored
countries (MSS)
1,000+ security
related patents
Depth
17B analyzed
web pages & images
40M spam &
phishing attacks
76K documented
vulnerabilities
Billions of intrusion
attempts daily
Millions of unique
malware samples

7
Attackers optimize and refine target selection

8
more than
half a billion records
of personally identifiable information (PII) were leaked in 2013

9

10
What is the impact of
a data breach
and
Where are customer’s
most affected?

11
Weaponized content focused on end user apps

12
Attackers use exploit kits to deliver payloads
Blackhole Exploit Kit
Most popular in 2013
Creator arrested in
October
Styx Exploit Kit
Rising in popularity
Successful in exploiting IE
and Firefox on Windows

13
Effectively targeting end users
MalvertisingWatering Hole
 Attacker injects malware
on special interest website
 Vulnerable niche users
exploited
 Attacker injects malware
on ad network
 Malicious ad embedded on
legitimate websites
 Vulnerable users exploited

14
Production Applications
 Developed in house
 Acquired
 Off-the-shelf commercial
apps
 In-house development
 Outsourced development
Applications in Development
Web app vulnerabilities: the dominant threat

15
Vulnerabilities designed to gain additional or
unauthorized access
Exploitation
Gain access
XSS typically
attacks web apps

16
Declines in key reporting – Web App Vulns
Could indicate…
Better job at writing
secure web applications
CMS systems & plugins
maturing as older vulns
are patched
Attacks continue…
XSS, SQLi exploitation
still observed in high
numbers

17
Declines in key reporting – True Exploits
Two Categories tracked
Proof-of-concept code
Fully functional programs
capable of attacks are true
exploits
Continue to decrease
Lowest levels we’ve seen
in past 5 years

Protecting Enterprise Endpoints against
Advanced Malware
with Trusteer Apex
Dana Tamir
Director of Enterprise Security
Trusteer, an IBM Company

19
About Trusteer

20
APTs and Targeted Attacks
The Tool of Choice: Exploits and Advanced Malware
 The Entry Point:
–Vulnerable User Endpoints
 The Means:
–Exploits, Drive-by Download
–Advanced Malware
–Compromised Credentials

21
Vulnerability disclosures leveled
out in 2013, but attackers have
plenty of older,
unpatched systems to
exploit.
60% of the exploits
target vulnerabilities
that have been
publicly known for
over 12 months!!!

22
Do you patch applications?
22
Source: Ponemon

23
The Threat Lifecycle
Exploit Chain Data Exfiltration
Data Exfiltration
Prevention
Exploit Chain
Disruption

24
Controlling Strategic Chokepoints
To break the threat lifecycle
#ofTypes
Attack Progression
Weaponized
Content:
Endless
(IPS,
Sandbox)
Unpatched
and zero-day
vulnerabilities:
Many
(Patching)
Ways to
deliver and
infect:
Hundreds
Malicious Files:
Endless
(AV, Whitelisting)
Ways to establish
communication
channels:
Hundreds
Destinations
:
Endless
(C&C traffic
detection)
Strategic
Chokepoint
Strategic
Chokepoint
Malicious
Behavior:
Many
(HIPs)
Data exfiltrationExploit Chain

25
Trusteer Apex: 3 Security Layers

26
A few words about Java
A powerful yet dangerous application:
Did you know that…
Java is installed on ~85%
of the desktop computers.
Google Analytics

27
… combined with a presence in
every enterprise makes Java the
top targetfor exploits.
explosive growth of Java
vulnerabilities…

28
Most successful Java exploits are applicative, exploiting
vulnerabilities related to the Java security manager and
bypassing native OS-level protections.
Applicative exploits
 Difficult to defend
 Gain unrestricted privileges
 Bypass native OS-level protections
Native exploits
 Buffer Overflow
 Illegal memory use
 Use-after-free

29
Java Execution Should be Monitored and Controlled
 Prevent Exploitation of both Native and Applicative Vulnerabilities
 Execution of Java code on the endpoint must be restricted
–Fine grained control is needed
 Oracle’s solution: Allow execution of signed JARs
–Not good enough

30
Connect with IBM Security
@ibmxforceand@ibmsecurityFollow us at
force-www.SecurityIntelligence.com/xForce Security Insights blog at-X
Download IBM X-Force Threat Intelligence Reports
http://www.ibm.com/security/xforce/
Trusteer Apex
https://www.trusteer.com/products/trusteer-apex

31
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Follow the Money, Follow the Crime

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Follow the Money, Follow the Crime

Ähnlich wie Follow the Money, Follow the Crime (20)

Mehr von IBM Security

Mehr von IBM Security (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Follow the Money, Follow the Crime

Hinweis der Redaktion