The Executive’s Guide to the 2016 Global Threat Intelligence Report
Insights to protect your organisation against cybercrime in the digital era

Contents
Page 02  Introduction
Page 04  2015 attack analysis
Page 14  End-point security remains a key weakness
Page 20  Incident response – many still on the back foot
Page 24  Cybercriminals continue to up their game
Page 26  About NTT Group Security

Introduction

The Executive’s Guide to the 2016 Global Threat Intelligence Report provides insights on the latest security threats and offers recommendations for protecting organisations from cybersecurity incidents as they accelerate to become digital businesses.

This year’s analysis is based on validated log, attack, incident, and vulnerability data gathered from across Dimension Data and NTT’s Managed Security Services platforms, as well as from NTT’s research sources, including its global honeypots and sandboxes, which are located in over 100 countries.

The Report aggregates threat data from:
• over 3.5 trillion logs
• 6.2 billion attacks
• 8,000 clients worldwide

In addition, the inclusion of data from the 24 Security Operations Centres and 7 research and development centres of the NTT Group security companies enables us to provide a highly accurate representation of the global threat landscape.

2015 attack analysis

In this section, we analyse global attack data gathered by NTT Group security companies during 2015.

2.1. Sources of attacks

65% of attacks detected originated from IP addresses within the US. This continues the trend we’ve observed over the past three years. During 2013, 49% of attacks originated from within the US, and that number increased to 56% in 2014. The US remains a major source of hostile activity because US cloud hosting services are cheap and easy to provision.
A significant number of the detected attacks target US clients, so attackers often host such attacks locally, in the same geographic region as their victims, to reduce the chance of triggering geolocation blocking or alerting. While the source IP address is based in the US, the actual attacker could be anywhere in the world. Because attackers can disguise their IP addresses so easily, attack sources are often more indicative of the country in which the target is located, or of where the attacker is able to compromise or lease servers, than of where the attack actually originates.

Figure 1: US as a source of attacks

Year   % attacks from US   % increase year-on-year
2013   49%                 n/a
2014   56%                 14%
2015   65%                 16%

Figure 2: 2015 top attack source countries

US                   65%
UK                    5%
Turkey                4%
China                 4%
Norway                3%
Germany               2%
Netherlands           2%
Sweden                2%
Japan                 1%
France                1%
Australia             1%
Russian Federation    1%
Canada                1%
Brazil                1%
Thailand              1%
Other                 7%

The top five attack source countries accounted for 81% of all identified attacks in 2015. These countries were the US, the UK, Turkey, China, and Norway.

Interestingly, China, which was the source of the second-largest number of attacks in 2014 (9%), accounted for only 4% of attacks in 2015. Similarly, Australia, which was in a close third place in 2014, also featured less prominently as a source of attacks in 2015 (1%).

The UK became the number one source of non-US based attacks. In 2015, attacks from addresses based in the UK rose slightly from 3% to 5%, making this country the primary source of non US-based attacks.
Other observations:
• 38% of the attacks that originated outside the US showed IP addresses from the top three source countries.
• We detected attacks from a total of 217 different countries during 2015.
• Beyond the top 10 source countries, the distribution of source IP addresses was flat.

Turkey emerged as a primary source of attacks; this was based on a wide variety of attacks and malware delivered to clients throughout the US and Europe, spread across the year. Activity from Turkey included several campaigns directed against government agencies in Europe.

Figure 3: 2015 non-US attack source countries
(Bar chart; countries in the order shown: UK, Turkey, China, Norway, Germany, Netherlands, Sweden, Japan, France, Australia, Russia, Canada, Brazil, Thailand, Malaysia, India, Republic of Korea, Ukraine, Italy, Other.)

2.2. Attacks by sector

The retail sector showed the highest number of attacks, at just under 11%, knocking the finance sector out of first place. Clients in the retail sector experienced nearly three times as many attacks as those in the finance sector, which was the target of just 4% of all attacks in 2015, compared to 18% in 2014. The fact that cybercriminals are turning their attention away from the finance sector, possibly in search of easier or more lucrative targets, is an interesting development.

Retail companies are becoming increasingly popular targets, as they often process large volumes of personal information, including credit card data, in highly distributed environments with many endpoints and point-of-service devices. Such diverse environments can be difficult to protect.
Figure 4: 2015 attacks by sector
(Bar chart of share of attacks by sector, 0–12%; sectors shown: Retail; Hospitality, leisure, and entertainment; Insurance; Government; Manufacturing; Transport and distribution; Technology; Business and professional; Public; Pharmaceuticals; Healthcare; Telecommunications; Non-profit; Finance; Media; Gaming; Legal; Education.)

Attacks related to the hospitality, leisure, and entertainment sector increased in 2015.

Other observations:
• The insurance and government sectors both ranked in the top five ‘most attacked’ sectors in 2015.
• The manufacturing sector continued to be the target of significant attacks, consistent with levels experienced in previous years.
• Overall, clients in the top five sectors experienced over 44% of attacks.

The hospitality, leisure, and entertainment sector faces many of the same challenges as the retail sector, as it also processes high volumes of sensitive information, including credit card data. Transactions in the hospitality sector, which includes hotels and resorts, tend to be sizable, which can make compromise of those card numbers more attractive to attackers. The hospitality sector also participates in a significant number of loyalty plans, which hold even more personal information. This sector fell victim to several high-profile breaches during 2015, including properties from Starwood Hotels & Resorts, the Trump Hotel Collection, Hilton Worldwide, Mandarin Oriental, and White Lodging Services Corporation. Not all of these were attacked directly; many of the breaches involved point-of-sale malware directed against providers and retail companies which offered services on hospitality properties. The end result targets the same clients, without directly targeting the property’s information security programme.

2.3. Types of attack

Anomalous activity represented the most common type of attack and jumped from 20% of all attacks in 2014 to 36% during 2015.

What is?
Anomalous activity: includes privileged access attempts, exploitation software, and other unusual activity

Web application attacks represented the second highest volume of attacks, accounting for 15% of attacks, the same percentage as last year.

Figure 5: 2015 attacks by type

Anomalous activity           36%
Web application attack       15%
Reconnaissance                9%
Application specific attack   8%
Brute forcing                 7%
Known bad source              5%
Malware                       5%
Network manipulation          4%
DoS/DDoS                      3%
Service specific attack       3%
Client botnet activity        3%
Evasion attempts              2%
Other                         2%

Malware jumped from less than 2% of attacks in 2014 to 5% during 2015. Malware detection rose gradually throughout 2015, including a 6% jump during the fourth quarter alone. This increase was not due to a specific campaign, malware family, or source, but resulted from increases in most malware categories across the entire year.

The volume of denial of service (DoS) and distributed denial of service (DDoS) attacks dropped by 39%. This drop appears to be due to a combination of events. First, attackers simply conducted fewer DoS/DDoS attacks during 2015 than in previous years. Second, 2015 saw improved adoption of more effective DoS/DDoS mitigation techniques and services.
However, extortion based on victims paying to avoid or stop DDoS attacks became more prevalent. We also saw a reduction in the number of DoS/DDoS incident response engagements, as shown in the section titled Incident response – many still on the back foot.

What is?
Denial of service (DoS) and distributed denial of service (DDoS): attacks which make a machine or network resource unavailable to intended users; a DDoS attack originates from many devices at once

Brute force attacks jumped 135% from 2014 levels.

Brute force attacks rose from less than 2% of attacks in 2014 to almost 7% in 2015. Throughout the year, we detected SSH brute-force attacks across our entire client base, from 75 different source countries. Threat actors are always on the lookout for ‘low hanging fruit’, the weakest link in the chain. Weak passwords remain an easy target for hackers to break into systems; guessing them is far simpler than creating custom malware or building exploits for new vulnerabilities.

What is?
Brute force attack: a trial-and-error method used to obtain information such as a user password or personal identification number (PIN)

2.4. Vulnerabilities analysis

We compiled vulnerability data for 2015 from clients in every industry sector and geographic location serviced. Vulnerability results included information from a wide range of scanning data and from multiple vendor products, including Qualys, Nessus, Saint, McAfee, Rapid7, Foundstone, and Retina. The findings are based on analysis of any vulnerability with an assigned Common Vulnerability Scoring System (CVSS) score of 4.0 or higher.

Older vulnerabilities remain in client environments: nearly 21% of vulnerabilities are more than three years old.

Along with considering the volume and types of identified vulnerabilities, we evaluated their ages, as presented in Figure 6. Over 79% of identified vulnerabilities were disclosed within the past three years, which means nearly 21% of vulnerabilities are more than three years old.
Continuing the trend from previous years in which old vulnerabilities remain in client environments, more than 12% of vulnerabilities observed were more than five years old. We observed vulnerabilities as much as 16 years old, and over 5% of vulnerabilities were more than 10 years old.

Figure 6: 2015 vulnerabilities by year of disclosure
(Bar chart by year of disclosure, 1999–2015. Largest bars: 2013 at 34%, 2014 at 25%, 2015 at 20%; 2011 and 2012 at 4% each; 2007 and 2008 at 1% each.)

Finance sector still falling victim to older, well-known vulnerabilities

Our analysis also revealed some interesting vulnerability trends relating to the finance sector:
• Some of the older vulnerabilities detected in 2015 were Heartbleed and POODLE.
• Since 2015 included some notable breaches in the finance sector, Recorded Future¹ analysed exploited vulnerabilities in the finance industry and identified Heartbleed, POODLE, and a vulnerability tied to Dyreza as the top three.
• First identified by researchers in June of 2015, updated versions of Dyreza used CVE-2015-0057 and CVE-2013-3660 to target banking customers using spam campaigns.
• CVE-2014-0160 (Heartbleed) appeared prominent partially due to linkage with a large financial breach the previous year. Multiple banks were identified as vulnerable to CVE-2014-3566 (POODLE) in August 2015, months after the exposure of the vulnerability.

What is?
Dyreza: a banking Trojan that steals user credentials and attempts to take money from a victim’s bank account

¹ NTT Group has expanded its view of the threat landscape to include findings from some of our key partners, including Recorded Future.
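To reproduce the age analysis of section 2.4 on your own scan output, here is an added Python example (not part of the report or of any scanner vendor's tooling): it keeps findings scored CVSS 4.0 or higher and buckets them by year of disclosure, using the same year-granularity convention as the report (2013 to 2015 counted as "within the past three years"). The CSV layout, the hosts and the CVE-YYYY-NNNN identifiers are constructed placeholders; only the four fully numbered CVEs are ones the report names.

```python
"""Age analysis of vulnerability scan findings, following the report's method:
keep findings scored CVSS 4.0 or higher, then bucket them by year of disclosure.
Added example code; the CSV layout and sample rows are constructed."""
import csv
import io
import re
from collections import Counter
from typing import Dict, List, Optional

CVSS_THRESHOLD = 4.0       # the report analyses only findings with CVSS >= 4.0
REPORT_YEAR = 2015
AGE_BUCKETS = (3, 5, 10)   # the report's "more than 3 / 5 / 10 years old" figures

_CVE_YEAR = re.compile(r"^CVE-(\d{4})-")

# Constructed sample export: hosts and scores are invented, CVE-YYYY-NNNN ids are
# placeholders; the four fully numbered CVEs are the ones the report names.  One
# row has no disclosure year and one falls below the CVSS threshold on purpose.
SAMPLE_CSV = """host,cve,cvss,disclosed
10.0.0.11,CVE-2014-0160,5.0,2014
10.0.0.11,CVE-2014-3566,4.3,2014
10.0.0.12,CVE-2015-0057,7.2,2015
10.0.0.12,CVE-2013-3660,6.9,2013
10.0.0.13,CVE-2009-NNNN,7.5,2009
10.0.0.13,CVE-2015-0057,7.2,2015
10.0.0.14,CVE-1999-NNNN,7.5,1999
10.0.0.14,CVE-2012-NNNN,9.3,
10.0.0.15,CVE-2015-NNNN,2.1,2015
10.0.0.15,CVE-2004-NNNN,5.0,2004
"""


def year_from_cve_id(cve: str) -> Optional[int]:
    """Fallback when the export carries no disclosure date.  The year in a CVE id
    is the year the id was assigned, which usually but not always equals the year
    of public disclosure, so treat the result as an approximation."""
    m = _CVE_YEAR.match(cve.strip().upper())
    return int(m.group(1)) if m else None


def load_findings(text: str) -> List[Dict]:
    """Parse a CSV export into findings with a float CVSS and an int disclosure year."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        disclosed = (row.get("disclosed") or "").strip()
        year = int(disclosed) if disclosed else year_from_cve_id(row["cve"])
        if year is None:
            continue   # a finding with no usable date cannot be aged; drop it
        findings.append({"host": row["host"].strip(), "cve": row["cve"].strip(),
                         "cvss": float(row["cvss"]), "disclosed": year})
    return findings


def eligible(findings: List[Dict]) -> List[Dict]:
    """Apply the report's CVSS filter."""
    return [f for f in findings if f["cvss"] >= CVSS_THRESHOLD]


def age_summary(findings: List[Dict], report_year: int = REPORT_YEAR) -> Dict:
    """Age distribution of eligible findings, counted per host instance.

    Year granularity follows the report: findings disclosed in report_year,
    report_year - 1 and report_year - 2 are "within the past three years", so a
    finding disclosed in report_year - 3 or earlier is "more than three years old".
    """
    kept = eligible(findings)
    total = len(kept)
    by_year = Counter(f["disclosed"] for f in kept)
    older = {n: sum(1 for f in kept if report_year - f["disclosed"] >= n)
             for n in AGE_BUCKETS}
    return {
        "eligible": total,
        "by_year": dict(sorted(by_year.items())),
        "older_than": older,
        "share_older_than": {n: (c / total if total else 0.0) for n, c in older.items()},
    }


def stale_hosts(findings: List[Dict], years: int = 3,
                report_year: int = REPORT_YEAR) -> List[str]:
    """Hosts with at least one eligible finding at least `years` old: the
    remediation backlog the report says organisations keep failing to clear."""
    return sorted({f["host"] for f in eligible(findings)
                   if report_year - f["disclosed"] >= years})


if __name__ == "__main__":
    findings = load_findings(SAMPLE_CSV)
    summary = age_summary(findings)
    print(f"eligible findings: {summary['eligible']}")
    for n in AGE_BUCKETS:
        print(f"more than {n} years old: {summary['share_older_than'][n]:.0%}")
    print("hosts with 3+ year old findings:", ", ".join(stale_hosts(findings)))
```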
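Returning to the SSH brute-force finding under ‘Types of attack’ in section 2.3: that activity is visible in ordinary sshd logs. As an added example (not code from the report), the Python below flags sources that exceed a failure threshold within a short window and, more importantly, records whether any of those sources then logged in, which is the weak-password outcome the report warns about. The log lines are constructed in OpenSSH's syslog format; the threshold, window and year are assumptions to tune per environment.

```python
"""Flag SSH password brute forcing in sshd syslog output and report whether the
guessing paid off.  Added example: the log lines are constructed in the format
OpenSSH writes via syslog; threshold, window and year are assumptions to tune."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

LOG_YEAR = 2015                  # syslog timestamps carry no year; assume the report year
THRESHOLD = 5                    # failures from one source address ...
WINDOW = timedelta(minutes=5)    # ... inside this window count as brute forcing

# Matches both outcomes sshd logs for a login attempt, e.g.
#   Failed password for invalid user admin from 192.0.2.10 port 51026 ssh2
#   Accepted publickey for deploy from 10.0.0.5 port 55000 ssh2
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample (documentation address ranges, invented users and hosts).
SAMPLE_LOG = """\
Mar  3 02:14:00 web01 sshd[2310]: Connection closed by 192.0.2.10 port 51020 [preauth]
Mar  3 02:14:01 web01 sshd[2311]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar  3 02:14:03 web01 sshd[2313]: Failed password for root from 192.0.2.10 port 51024 ssh2
Mar  3 02:14:05 web01 sshd[2315]: Failed password for invalid user admin from 192.0.2.10 port 51026 ssh2
Mar  3 02:14:07 web01 sshd[2317]: Failed password for invalid user admin from 192.0.2.10 port 51028 ssh2
Mar  3 02:14:09 web01 sshd[2319]: Failed password for backup from 192.0.2.10 port 51030 ssh2
Mar  3 02:14:12 web01 sshd[2321]: Accepted password for backup from 192.0.2.10 port 51032 ssh2
Mar  3 02:20:40 web01 sshd[2402]: Failed password for invalid user oracle from 203.0.113.44 port 40110 ssh2
Mar  3 02:21:15 web01 sshd[2406]: Failed password for invalid user test from 203.0.113.44 port 40112 ssh2
Mar  3 02:21:50 web01 sshd[2410]: Failed password for invalid user pi from 203.0.113.44 port 40114 ssh2
Mar  3 02:22:30 web01 sshd[2414]: Failed password for root from 203.0.113.44 port 40116 ssh2
Mar  3 02:23:05 web01 sshd[2418]: Failed password for root from 203.0.113.44 port 40118 ssh2
Mar  3 03:01:00 web01 sshd[2550]: Failed password for alice from 198.51.100.7 port 60001 ssh2
Mar  3 03:01:20 web01 sshd[2552]: Accepted publickey for alice from 198.51.100.7 port 60002 ssh2
Mar  3 03:15:00 web01 sshd[2600]: Accepted publickey for deploy from 10.0.0.5 port 55000 ssh2
"""

Event = Tuple[datetime, str, str, str]   # (timestamp, result, user, source ip)


def parse(lines: Iterable[str], year: int = LOG_YEAR) -> Iterator[Event]:
    """Yield login outcomes from sshd lines; unrelated syslog lines are ignored."""
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect(lines: Iterable[str], threshold: int = THRESHOLD,
           window: timedelta = WINDOW) -> List[Dict]:
    """One alert per source that produced `threshold` failures within `window`.

    Alerts with a non-empty credential_guessed list sort first: a success from a
    source that was just guessing means a weak password has been found."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    successes: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, result, user, ip in parse(lines):
        (failures if result == "Failed" else successes)[ip].append((ts, user))

    alerts = []
    for ip, attempts in failures.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        # densest burst: failures falling inside the window that starts at each failure
        burst = max(sum(1 for t in times if start <= t <= start + window) for start in times)
        if burst < threshold:
            continue
        guessed = sorted({u for t, u in successes.get(ip, []) if t >= times[0]})
        alerts.append({
            "ip": ip,
            "failures": len(times),
            "burst": burst,
            "users_tried": sorted({u for _, u in attempts}),
            "credential_guessed": guessed,
            "first": times[0].isoformat(),
            "last": times[-1].isoformat(),
        })
    return sorted(alerts, key=lambda a: (not a["credential_guessed"], -a["burst"], a["ip"]))


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        verdict = f"GUESSED {a['credential_guessed']}" if a["credential_guessed"] else "no success yet"
        print(f"{a['ip']}: {a['failures']} failures ({a['burst']} in window), "
              f"users {a['users_tried']} -> {verdict}")
```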
Figure 7: 2015 ‘popular’ vulnerabilities in the finance sector
(Bar chart of 2015 reference counts, 0–300, for the top three vulnerabilities targeting the finance sector: CVE-2014-0160 (Heartbleed), CVE-2014-3566 (POODLE), CVE-2015-0057 (via Dyreza).)

2.5. Malware observations

We analysed malware samples from a wide range of sources, including:
• security platforms
• incident response investigations
• malware repositories and feeds
• interaction with clients
• privately maintained honeypot networks

The analyses enable us to develop proprietary detection and prevention signatures.

Key findings relating to malware:
• We detected malware from 191 different countries during 2015.
• The US was the source of over 62% of malware detected.
• Almost 79% of all non-US malware originated from the top five non-US sources.

What is?
Malware: a general term for malicious software including viruses, worms, Trojans, and spyware

Figure 8: Top five non-US countries as sources of malware

Source country   % of malware
China            32%
Netherlands      18%
Germany          16%
Turkey            8%
Norway            4%

2015 showed a decrease in total malware volume compared to 2014, largely due to changes within a single industry: education. Malware detection for all other industries shows an 18% increase for the year.

The volume of malware detections within the education industry showed a 94% decrease from 2014 to 2015, following a drop from 2013 to 2014. This most recent drop does not necessarily represent a decrease in malware so much as a shift in the way the education industry managed its environments. During 2015, educational institution clients tended to reduce their focus on managing student and guest environments and increased their focus on internal, institutional environments.
Less focus on student and guest networks dramatically decreased the emphasis on the portions of their networks which have historically been the most vulnerable, resulting in drastically fewer logs and events for the entire education sector.

The 18% increase across the other industries was mainly a combination of sustained, elevated activity across several industries throughout the year:
• Rising from 8% of malware detected in 2014, the government sector climbed to the top of the list of sectors affected by malware, as seen in Figure 9.
• This was primarily due to a sustained increase in a large variety of malware targeting multiple government clients throughout the year, and included campaigns against several government agencies in Europe.

Figure 9: 2015 malware by sector

Government                              18%
Manufacturing                           16%
Hospitality, leisure and entertainment   9%
Finance                                  9%
Retail                                   8%
Healthcare                               7%
Pharmaceuticals                          5%
Public                                   5%
Telecommunications                       4%
Technology                               4%
Business and professional services       4%
Education                                3%
Insurance                                3%
Transport and distribution               2%
Gaming                                   2%
Non-profit                               1%

The volume of malware detected in the finance sector rose sharply. The total volume of malware detected in the finance sector increased dramatically, up by over 140% from 2014. Detections in the finance industry included both long-term sustained activity and targeted attack campaigns such as the Dyreza malware.
• Malware detected within the manufacturing sector and the hospitality, leisure and entertainment sector both rose over 30% during 2015. These sectors ranked second and third, respectively, for malware per client.
• The retail sector also showed a modest increase over 2014 numbers. Retail clients experienced 8% of detected malware, making retail the fifth most affected industry.

These results show that the retail; government; hospitality, leisure and entertainment; and manufacturing industry sectors appear in both the top five sectors targeted by malware and the top five sectors targeted by attacks, making them the most highly victimised of any sectors. Malware is only one of many attack vectors used, and can be a key component of modern exploit kits. We’ll explore our key findings relating to exploit kits in the next section, where we consider the importance of end-point security.

End-point security remains a key weakness

End-users are the weakest link … and the target of most attacks; user education and training and disciplined patch management are critical to raising organisations’ defences.

Our analysis of 2015 data points to a lack of focus on bolstering end-point security and a lack of user awareness within most organisations … the continuation of a trend that we’ve observed over the last several years. This is even more concerning when you consider that attackers are increasingly targeting end users.

In 2015, spear phishing attacks accounted for approximately 17% of the incident response activities we supported, up from 2% the previous year. These types of attacks are typically targeted at individual users within organisations. The objective is to acquire information such as user names, passwords, and credit card details (and indirectly, money) by masquerading as a trustworthy entity in an electronic communication such as email.
In 2015, many of the attacks were related to financial fraud and targeted executives and finance department personnel in retail clients. Attackers often gained detailed knowledge of the organisational structure and performed well-crafted social engineering and spear phishing attacks.

We’ve also noted an increase in attacks related to internal threats, often involving employees and contractors. In 2015, internal threats jumped to 19% of overall investigations, compared to the previous year’s 2%.

Vulnerability exposure and remediation time remain an organisational challenge. Organisations are slow to patch and inadequately safeguard their assets. As businesses increasingly adopt and transform their operations using a digital strategy, this challenge is set to remain and become even more complex.

While new attacks are constantly emerging, exploitation of old vulnerabilities and misconfigurations affords attackers the most success. Attackers exploit out-of-date software and misconfigurations faster than organisations are able to repair or replace them. Client-side vulnerabilities remain high and expose organisations to inherent risk. Again, it seems that the message that effective patch management involves remediating both internal and external vulnerabilities isn’t getting through. The vulnerabilities that we’ve detected in Adobe Flash and Internet Explorer represent a case in point.

Securing the endpoint against next-generation threats is an essential element of a security programme aimed at reducing and mitigating risk. The evolving nature of exploit kits also supports the notion that cybercriminals are keeping end users firmly in their sights. All this points to the growing need for organisations to put end-user and end-point security firmly on their agenda.
In the rest of this section, we review the technologies targeted by exploit kits in 2015, and provide some recommendations on how organisations can improve their end-point security and raise their defences against end-user related attacks.

What is?
Spear phishing: attempting to acquire individuals’ information such as user names, passwords, and credit card details (and indirectly, money) by masquerading as a trustworthy entity in an electronic communication such as email
Exploit kit: a malicious toolkit often used in cybercrime to exploit vulnerabilities in software applications
Patch management: a systematic process for installing vendor-supplied software patches

Exploits are increasingly targeting end-user technologies.

Technologies targeted by exploit kits in 2015

Exploits can allow attackers to install malicious software on vulnerable devices. Software exploits take advantage of unpatched flaws in operating systems and applications. Exploit kits are software packages commonly sold in hacking forums and IRC channels, and capitalise on software exploits for known vulnerabilities across a range of end-user technologies (Internet Explorer, Adobe Flash, etc.). Exploit kits are most often delivered via social engineering and phishing attacks. As a result, they enable attackers to execute large-scale attacks against vulnerable systems and individuals without needing a great deal of expertise.

We’ve tracked unique exploits targeted by popular exploit kits released in the years 2012–2015. This information, organised by the technology targeted, is presented in Figure 10.² There are three clear trends in this data:
• Adobe Flash was the most dominant software targeted in exploit kits in 2015.
• New Java exploits virtually disappeared from exploit kits during 2015.
• Internet Explorer exploitation remained consistent.
Figure 10: Technology targeted in exploit kits
(Bar chart of unique vulnerabilities targeted in exploit kits by technology, 2012–2015, 0–70%; technologies: Java, Adobe Acrobat, Internet Explorer, Adobe Flash, Firefox, Microsoft Windows, Silverlight, Other.)

² This chart includes data from http://contagiodump.blogspot.com, an excellent resource for historical and current exploit kit data. It also includes data from http://malware.dontneedcoffee.com/, an indispensable source for exploit kit analysis and exploit kit tracking.

The trends observed in this graph are discussed below:

• Increase in Adobe Flash targeting – There was a steady increase in Adobe Flash exploit usage in exploit kits from 2012 to 2014, followed by a dramatic increase in 2015. Exploit researchers have increasingly focused on Flash after significant improvements were made to Java security in 2014. The total number of Flash vulnerabilities identified in 2015 was the highest ever, an almost 312% increase from 2014, as shown in Figure 11. Flash is in widespread use on the Internet and is supported across all modern operating systems. These facts, coupled with a stream of significant security flaws that have not always been patched in a timely manner, explain the dramatic shift toward Flash in exploit kits since 2014.

Figure 11: Adobe Flash vulnerabilities by year
(Bar chart of Adobe Flash vulnerabilities discovered by year, 2005–2015, 0–350, adapted from cvedetails.com.)

• Decrease in Java targeting – The number of Java vulnerabilities targeted in exploit kits has decreased steadily from 2013 to 2015, due at least in part to security improvements introduced in Java (including blocking of unsigned applets by default). These security improvements are reflected in the decrease of Java vulnerabilities identified over the last two years, as displayed in Figure 12.
• Consistent targeting of Internet Explorer – Internet Explorer is still the default browser on Windows operating systems and is common on end-user systems in the corporate environment. Internet Explorer continues to be a target of choice, not only because it’s common, but because vulnerabilities continue to be discovered in Internet Explorer at a consistent rate, as shown in Figure 13.

Figure 12: Java vulnerabilities by year
(Bar chart of Oracle Java JRE vulnerabilities published by year, 2010–2015, 0–150, adapted from cvedetails.com.)

Figure 13: Internet Explorer vulnerabilities by year
(Bar chart of Internet Explorer vulnerabilities published by year, 1999–2015, 0–300, adapted from cvedetails.com.)

Adobe Flash dominates the list of most popular vulnerabilities targeted in 2015 exploit kits; Java falls off the list.

In 2013, only one Adobe Flash exploit was among the 10 most popular exploits included in exploit kits. In 2014, four Adobe Flash exploits were included in the top 10. In 2015, the top 10 consisted exclusively of Adobe Flash exploits.

Recommendations for bolstering your end-point and end-user defences and protecting your organisation from exploit kits:

Ad-blocking software – Attackers frequently use malvertising to lure victims onto exploit kit landing pages. Use of ad-blocking software, or Web proxies with content filtering, can limit the effectiveness of this attack approach.

Ensure effective patch management – Exploit kits typically use exploits for which patches exist. Exploit kit developers take advantage of the time between initial vulnerability disclosure and the implementation of patches by end users or organisations. Ensuring effective patch management processes for end-user devices is a critical first step to protect against exploit kits. Organisations should pay particular attention to Web browser plugins and technologies such as Adobe Flash. These do not have the same types of enterprise-class rollout capabilities as Microsoft technologies, and organisations need to ensure there are tools in place to deploy patches and measure their adoption.

Social engineering (phishing) training – Exploit kits are most often delivered via social engineering and phishing attacks. Standard security awareness training is no longer adequate for organisations that maintain highly sensitive data. Organisations should implement real-world social engineering testing for key employees, to confirm their ability to respond to actual phishing scenarios.

IP reputation services – IP reputation services can warn or block users from visiting known bad IP addresses and domains. These services should only be considered a supplemental control. Addresses of exploit kits are constantly changing in order to evade detection, and the services are unlikely to maintain accurate and comprehensive real-time lists of landing page URLs. Attackers regularly use new IP addresses which have clean reputations, and ‘bad URL’ lists take time to update.

Endpoint protection – Implementation of endpoint protection can help detect malware dropped on a device by an exploit kit before significant damage occurs.

Threat intelligence – Threat intelligence services can help organisations identify vulnerabilities that are being actively exploited. These services act as a complementary control to patch management processes, to ensure patching is prioritised for vulnerabilities that attackers are targeting.

What is?
Social engineering: gaining unauthorised access through methods such as personal visits, telephone calls or social media websites; these attacks primarily target people and take advantage of human weaknesses associated with security
Malvertising: malware that appears as a benign advertisement on a Web page, and is activated when a user clicks on it

Incident response – many still on the back foot

Incidents do happen … and when they do, you need to be prepared to respond.

Throughout the year there were many media headlines about confidential information being stolen, denial of service attacks, and insider threats, but the data we collected in 2015 indicates organisations are not making focused efforts to prepare for such attacks. Organisations need to invest not only in detective and defensive controls, but also in the ability to take action when an attack is occurring. In this section we discuss how prepared organisations are, the types of incidents we’ve observed, and basic steps that should be considered for an effective incident response.

Lack of investment in preparedness continues to prevail.

During incident response engagements, we track metrics related not only to the impact of the incident, but also to how well organisations are prepared to respond. Unfortunately, many that engage us for incident support do so because they have little investment in their own incident response capabilities, do not have the technical knowledge to respond, or lack the ability to attribute the attack back to its source.

Figure 14: Percentage of organisations that are preparing response capabilities
(Incident preparedness chart, 2013–2015, comparing the share of organisations with no formal plan against those actively maturing their response capability.)

Observing the trend of incidents supported since 2013, there has been little improvement in preparedness. In 2015 there was a slight increase in organisations that were unprepared and had no formal plan to respond to incidents. Over the last three years, an average of 77% of organisations fell into this category, leaving only 23% with some capability to respond effectively.

Types of incident response

Figure 15 presents our incident response engagements from 2013 through 2015. We measured an increase in breach investigations, with 28% this year compared to 16% last year, and many of the activities focused on theft of data and intellectual property. Analysis indicated these were targeted and not opportunistic attacks.

In 2015, we continued to provide client support focused on several core incident categories (malware, DDoS and breach investigations, spear phishing, and internal threats). Within these areas there were some notable changes from previous years, including a rise in breach investigations, internal threats and spear phishing, and a drop in malware and DDoS mitigation support. In cases where incidents spanned types, they were categorised according to their most significant threat vector.

Due to an increase in attacks related to internal threats, often involving employees and contractors, we created a new category for these types of attacks. In 2015, internal threats jumped to 19% of overall investigations, compared to the previous year’s 2%. Many of these investigations were the result of internal employees and contractors abusing information and computing assets, and were initiated by Human Resource departments.
Figure 15: Percentage of incidents across three years of data
(Bar chart of percentage by year and incident category, 2013–2015; categories: Malware, DDoS, Breach, Internal threat, Spear phishing, Other.)

Similar circumstances resulted in the creation of a separate category for spear phishing attacks. Spear phishing attacks accounted for approximately 17% of incident response engagements, up from 2% the previous year. Many of the attacks were related to financial fraud targeting executives and finance department personnel in retail clients. Attackers often gained detailed knowledge of the organisational structure and performed well-crafted social engineering and spear phishing attacks. Several of these attacks were focused on duping organisations into paying phony invoices.

Although 2015 saw the rise of DDoS hacking groups like DD4BC and the Armada Collective, we again noticed a drop in DDoS-related support compared to the previous two years. This drop is likely related to a continuing investment in defence against these types of threats. Adoption of the proper tools and services for DDoS mitigation is vital to surviving a well-coordinated attack. There has also been a decline in successful DDoS attacks, resulting in less support being required during 2015.

Incidents by vertical market

Although finance was the leading sector for incident response in our previous annual reports, the retail sector took the lead this year with 22% of all response engagements, up from 12%. This matches data that shows retail clients experienced the highest number of attacks per client, as shown in the ‘Attacks by sector’ section. The financial sector declined approximately 10% from last year’s observations. Most of the spear phishing attacks previously discussed focused on the retail sector and help account for the increase in incident response in this area.
Figure 16: Percentage of incident response engagements by vertical market (retail, finance, business services, manufacturing, technology, government, gaming and entertainment, energy and utilities, education)

Incident response recommendations

During 2015, we supported many different types of incident response activities affecting clients in diverse vertical markets. There are several places where organisations consistently fell short in their capabilities to respond effectively. The following recommendations represent only a fraction of what needs to go into a comprehensive programme and are intended to highlight some of the common issues observed.

• Evaluate your response effectiveness – We don’t see a significant number of organisations testing the effectiveness of their plans. When incidents occur, the last thing you want is to lack an understanding of standard incident response operating procedures. Evaluation of preparedness should include regular test scenarios. Consider post-mortem reviews to document and build upon response activities that worked well, as well as areas needing improvement.

• Update your escalation rosters – As organisations grow and roles change, it’s important to update documentation related to who is involved in incident response activities. Time is critical to incident response, and not being able to quickly involve the correct people can hamper your effectiveness. Updating contact information for vendors such as your ISP, external incident response support, and other providers is just as important.

• Prepare incident management processes and run books – Many organisations have limited guidelines describing how to declare and classify incidents. These are critical to ensuring a response can be initiated. Depending on the type of attack, potential impact, and other factors, response activities will be very different for each. Common practices for incident response also suggest organisations should develop ‘run books’ to address how common incidents should be handled in their environment. For instance, if DDoS activities are often used against your organisation, it’s a good investment to create a run book describing the procedures your response team can follow based on the tools and capabilities available.

• Prepare technical documentation – To make accurate decisions and identify impacted systems you must have comprehensive and accurate details about your network. This should include:
  • IP ranges and host names
  • DNS information
  • software and operating system names, versions, and patch levels
  • user and computer roles
  • ingress and egress points between networks

Only when you’re prepared to respond to incidents can you hope to effectively mitigate their impact.

Cybercriminals continue to up their game

The data we gathered and analysed in 2015 indicates that cybercriminals’ intentions and capabilities are increasingly mirroring the goals of a robust security programme: survivability and resilience.

Cybercriminals are increasingly leveraging malware to breach perimeter defences: In 2015 we detected an 18% increase in malware across all industries, with the exclusion of education.

The frequency and complexity of malware is becoming more stealthy and sophisticated: While organisations are developing sandboxes to better understand cybercriminals’ tactics and protect themselves from attacks, malware developers are just as aggressively developing anti-sandbox techniques. (Read more about sandboxes later in this section.)
Cybercriminals have identified the value in breaching organisational defences: Rather than engaging in distributed denial of service activities, hackers are starting to recognise the intrinsic value in breaching organisational defences and conducting data and intellectual property exfiltration. This causes legitimate businesses to become competitively disadvantaged and oftentimes financially unviable over the long term. In 2015, breaches and social engineering activities increased. Often, this involved the use of malware that enabled attackers to gain a foothold in the organisation, move laterally, and maintain persistence once compromised. The longer an attacker’s ‘dwell time’ in a compromised network, the larger the opportunity to exfiltrate commercially and personally sensitive data.

Cybercriminals have shifted attack targeting toward the retail vertical, away from traditional financial markets: Retail and financial verticals process large volumes of personal information and credit card data. This supports the notion that cybercriminals are targeting less mature verticals involved in high-volume financial transactions. Gaining access to these organisations enables cybercriminals to monetise sensitive data on the black market. This points to the fact that cybercriminals are increasingly motivated by financial crime and its rewards. Retailers largely rely on dated security technologies and have not kept pace by investing in the maturity of their security programmes in line with the evolving threat landscape. This disparity exposes retailers to financial and reputational losses, and incentivises cybercriminals to accelerate their campaigns targeting businesses in this space.
Cybercriminals are increasingly adopting low-cost, highly available, and geographically strategic infrastructure to perpetrate malicious activities: This can be seen in the increase in US-sourced attacks leveraging cloud infrastructure, and it highlights the importance of cloud security as businesses migrate towards more flexible, scalable, and efficient environments.

5.1. Anti-sandbox techniques

Sandboxes have become essential analysis systems for detecting malware and acquiring deep visibility into the behaviour of that malware. Sandboxes execute suspicious code in a controlled environment, where they observe malware behaviours such as network-related activities, file changes, and registry operations. Although malware developers can easily evade signature-based and static analysis-based detection methods by using encryption or polymorphism, sandboxes are able to detect malware by observing known malicious activities.

Knowing that sandboxes are widely used for analysis, attackers have developed anti-sandbox techniques to evade detection. Some of these techniques detect the presence of a sandbox by inspecting specific artifacts related to the sandbox. These techniques then thwart malware analysis by terminating malware processes or showing fake behaviour. Another common anti-sandbox technique stalls execution or waits for an event such as a reboot. To ensure researchers can continue effectively using sandboxes for analysis, it is imperative to gain an understanding of the anti-sandbox techniques attackers are currently using.

What is? Sandboxes: analysis systems for detecting malware and acquiring deep visibility into the behaviour of that malware

About NTT Group Security

NTT Group Security is a portfolio of operating companies within the NTT Group – Dimension Data’s security business, NTT Com Security, and Solutionary. We function in a complementary and collaborative manner while preserving the services and regional strengths of each organisation.
NTT Group Security develops and delivers a full lifecycle of security services that draws on our global threat intelligence capabilities, technology, and security expertise to:
• help businesses keep pace with the constantly changing threat landscape
• enhance business and government efforts to protect social and economic activities globally

Our services:
• security assessment and planning
• risk and compliance management
• security services integration
• security consulting
• managed security services
• cloud security services
• incident response 24/7
• global threat intelligence

nttgroupsecurity.com

Other contributors:
Wapack Labs: www.wapacklabs.com
Recorded Future: www.recordedfuture.com
Lockheed Martin: www.lockheedmartin.com
Center for Internet Security: www.CISecurity.org

www.dimensiondata.com/globalthreatreport
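Returning to the anti-sandbox techniques described in section 5.1, the following is an added example written for this guide, not code from the report or from NTT Group Security. It shows how a sandbox operator could triage a behaviour trace for the three evasion classes the section names (probing for sandbox artifacts, stalling with long sleeps, and deferring work until after a reboot); the API labels, artifact substrings and the sample trace are all constructed for illustration.

```python
from collections import Counter

# Constructed, illustrative substrings a sample might look for when probing
# for sandbox artifacts; a real sandbox would maintain its own artifact list.
SANDBOX_ARTIFACTS = ("sandbox", "analysis", "virtual")
STALL_THRESHOLD_MS = 5 * 60 * 1000    # total sleep over 5 min counts as stalling
# Constructed labels for logged calls that only take effect after a reboot.
REBOOT_APIS = {"RegSetValueEx:Run", "CreateService"}
PROBE_APIS = {"RegOpenKey", "FindFirstFile", "GetModuleHandle"}


def analyse_trace(trace):
    """Summarise one sample's trace: a list of (api, argument) tuples
    such as ("Sleep", "60000"), in the order the sandbox logged them."""
    findings = {"artifact_probe": [], "stall_ms": 0, "reboot_wait": [],
                "calls": Counter()}
    for api, arg in trace:
        findings["calls"][api] += 1
        if api == "Sleep":
            findings["stall_ms"] += int(arg)          # accumulate, chunked sleeps add up
        elif api in PROBE_APIS and any(a in arg.lower() for a in SANDBOX_ARTIFACTS):
            findings["artifact_probe"].append(arg)    # sample looked for a sandbox artifact
        elif api in REBOOT_APIS:
            findings["reboot_wait"].append(arg)       # payload deferred until restart
    return findings


def evasion_score(findings):
    """0 to 3: one point per evasion technique class seen in the trace."""
    return (bool(findings["artifact_probe"])
            + (findings["stall_ms"] >= STALL_THRESHOLD_MS)
            + bool(findings["reboot_wait"]))


# Constructed sample trace: looks for a (made-up) sandbox driver, sleeps ten
# minutes in 60 s chunks, then registers a run key so the payload fires after reboot.
SAMPLE_TRACE = (
    [("GetModuleHandle", "kernel32.dll"),
     ("FindFirstFile", r"C:\Windows\System32\drivers\sandbox-agent.sys")]
    + [("Sleep", "60000")] * 10
    + [("RegSetValueEx:Run", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
       ("CreateFile", r"C:\Users\user\AppData\Local\Temp\payload.dll")]
)

if __name__ == "__main__":
    result = analyse_trace(SAMPLE_TRACE)
    print("evasion score:", evasion_score(result))    # 3 for the sample above
    for key in ("artifact_probe", "stall_ms", "reboot_wait"):
        print(f"  {key}: {result[key]}")
```

A score of 2 or more is a reasonable trigger to re-run the sample with a longer timeout or with sleep acceleration, since the first run may have shown only the decoy behaviour.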