The Threat Landscape and Security Trends
Transcription
The Threat Landscape and Security Trends
Jeremy Ward
Threat Landscape & Security Trends

DTI Survey 2004 - Incidence of breaches
What proportion of UK businesses had a security incident last year?
[Chart; the values are not recoverable from the transcript]

Trends since 2002
What proportion of UK businesses had a malicious security incident in the last year?
[Chart; the values are not recoverable from the transcript]

General Threat Evolution
[Chart: Scope (Individual PCs, Individual Orgs., Regional, Sector, Global Impact) against Time (1990s, 2000, 2003)]
1990s: 1st gen. viruses, Individual DoS, Web defacement, email worms, DDoS, Credit hacking
2000: Blended threats, Limited Warhol threats, Worm driven DDoS, National credit hacking, Infrastructure hacking
2003: Flash threats, Massive worm driven DDoS, Web Services

'Flash to Bang…'
[Timeline, built up over three slides, along a time axis]
Software Vulnerability Announced -> Tell-tale Activity -> Firewall/IDS Alert -> Media Circus!

Sasser Development
[Chart: hourly count of reporting sources (IDS and Firewall), 0-1400, from 22 Apr 2004 00:00 to 6 May 2004 01:00; annotated in order: MS LSASS Vulnerability Released, Sasser Worm Released, Cisco & Dragon Signatures Pushed]

Less time to react
Vulnerability Release Date v Time to Active Exploitation
[Chart: days from vulnerability release to active exploitation (0-350) against release date (1-Oct-00 to 1-Aug-04), with points for Lion, Masana, Code Red, Code Blue, Nimda, Modap, Scalper, Blaster, Welchia and Sasser]
Source: Symantec DeepSight Analysis

Vulnerability Summary
2,636 distinct vulnerabilities documented by Symantec in 2003
100 serious "potential" vulnerabilities per month = 60 easy & prevalent = 40-45 patches a month

Vulnerability Trends
6% rise in vulnerabilities requiring no exploit code, 5% increase in vulnerabilities with published exploit code.
[Chart: number of vulnerabilities per month (0-350), Jan 2002 to Nov 2003, in three series: No Exploit Required, Exploit Available, No Exploit Available]
Source: Symantec Internet Threat Report March 2004

Today's Threat Landscape
- Significant increase in mass-mailers
- Significant increase in criminal activity
- 54% of all attacks are blended
- Speed of building is at an all-time record
- Highly automated
- 24% increase in targeting

2003 Top 10 Malicious Code Threats
1. W32.Bugbear.B@mm
2. W32.Klez.H@mm
3. HTML.Redlof.A
4. W95.Hybris.worm
5. W32.Sobig.F@mm
6. W32.Blaster.Worm
7. W32.Swen.A@mm
8. W32.Nimda.E@mm
9. W32.Bugbear.B.Dam
10. W32.Sobig.A@mm
Source: Computer Economics

Growth of 'Remote Access' Threat in 2004
[Chart: All Malware against Backdoors (0-16) for Jul-Dec 2002, Jan-Jun 2003, Jul-Dec 2003 and Jan-Jun 2004]
Network Threats: Min. Risk = 3, Min. Severity = 5
Data from Symantec DeepSight Alert

Why?
…It's easy – just cut & paste

Proof that it's easy - re-engineered malware
158 Gaobot variants (25/10/02)
43 Backdoor.Sdbot variants (09/07/02)
30 Netsky variants (16/02/04)
26 Beagle variants (20/01/04)
Data from Symantec DeepSight Alert

And it's worth money…

In the marketplace

The Botnet Threat
- Botnets can be so large (250,000 PCs) they could "take whole countries offline" (Met Police CCU)
- Botnet 'herders' pay hackers for their botnets
- Sell to spammers, mostly in eastern Europe
- DoS attacks and blackmail
- Businesses report being targets of demands for $50k from a Russian crime syndicate

What helps them succeed?
"Bypass firewalls to chat with your friends and download files. Works with Kazaa, iMesh, Messenger, ICQ and any other application that supports the SOCKS protocol. No configuration hassles, no techie-talk or geek-speak. Not only does hopster configure itself, it even knows how to configure Kazaa, MSN Messenger and many others - so you don't need to. Once installed, hopster operates silently in the background, you won't even notice it's there."

Blaster reuse & peer-to-peer filesharing
Rank  Port       Description                                                  Percentage of Attackers
1     TCP/135    Microsoft / DCE-Remote Procedure Call (Blaster & Variants)   32.9%
2     TCP/80     HTTP / Web                                                   19.7%
3     TCP/4662   E-donkey / Peer-to-peer file sharing                          9.8%
4     TCP/6346   Gnutella / Peer-to-peer file sharing                          8.9%
5     TCP/445    Microsoft CIFS Filesharing                                    6.9%
6     UDP/53     DNS                                                           5.9%
7     UDP/137    Microsoft CIFS Filesharing                                    4.7%
8     UDP/41170  Blubster / Peer-to-peer Filesharing                           3.2%
9     TCP/7122   Unknown                                                       2.5%
10    UDP/1434   Microsoft SQL Server (Slammer)                                2.4%
Source: Symantec Internet Threat Report March 2004

Pace of Change
The window of opportunity…
[Chart along a time axis]
1995-2001: Internet developing fast, Low predictability
2001: Dotcom bubble bursts
2002 - ?: Internet mature ☺, High predictability
Next development: ?

To detect reconnaissance & attack activity
Pre-attack Reconnaissance 40%
Exploit Attempts 17%
Worms & Blended Threats 43%
Source: Symantec Internet Threat Report March 2004

Community Defence
- To prioritise patch activities on the basis of likelihood & damage
- To plan defence based on likely attack mechanisms
- To prepare resources for appropriate responses
- To understand and detect attacks

Community Alerting for Sasser
[Chart: the same hourly count of reporting sources (IDS and Firewall, 0-1400) as the Sasser Development slide, x-axis from 14 Apr 2004 to 6 May 2004 01:00; annotated in order: Initial Alert, Community Alerts, Specific Alerts, Teleconf]

Community Summary for June 2004
- The overall number of varied threats continues to increase
- Web and Application attacks continue to rise steadily
- DoS attacks continue to increase sharply
- After a significant drop over the last few months, O/S attacks rose dramatically
- Malicious code attacks overall have doubled over 6 months

June 2004 Top 10 Attacks
1. Generic UTF8 Encoding in URL Attack
2. Microsoft Indexing Server/Indexing Services ISAPI Buffer Overflow Attack
3. SQLExp Worm Activity
4. Mal HTTP Commands
5. W32.Novarg.A@mm/W32.Mydoom.B@mm
6. Generic TCP Syn Flood Denial of Service Attack
7. Generic X86 Buffer Overflow Attack
8. Suspicious SSH Traffic
9. Dot-Dot Exploit
10. Generic WebDAV/Source Disclosure "Translate: f" HTTP Header Request Attack
*excludes probes and scans

Analysis of variety of attacks on Community in 2004
[Chart: Total Attack Signatures for Community per month (0-2000), Jan to Jun 2004]

Community Benchmarking – Security Events
[Chart: Average Security Event Count (Jan-Jun 2004), 0-250, per community organisation; organisations are anonymised as single letters]

Summary
- Vulnerabilities increase – patch times decrease
- Internet parasites come of age – now they make money
- The tools make it easier – both for the hacker and the careless
- But we have an opportunity – we can use the tools for defence
- Community defence could give us the break we need!

End – Questions?
Thank you
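The 'Flash to Bang…' and Sasser Development slides describe the gap between a vulnerability announcement, the first tell-tale activity in firewall/IDS data, and the alert that follows. The example below is added here and is not code from the talk or from Symantec: it takes a constructed hourly series of reporting sources (invented numbers; only the flat-then-climbing shape is modelled on the Sasser chart), establishes a baseline from the quiet period after the announcement, flags the first hour at which activity persistently exceeds the baseline, and expresses each later milestone in hours after the announcement. The milestone offsets other than the detected one are assumptions, as the comments state.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed hourly count of firewall/IDS sources reporting activity on the affected port.
# Only the shape (flat, then a steep climb) follows the talk's Sasser chart; the numbers are invented.
START = datetime(2004, 4, 22, 0, 0)            # first x-axis label on the chart
HOURLY_COUNTS = [200, 195, 205, 198, 202, 210, 190, 200] * 3 + [
    250, 330, 380, 450, 700, 900, 1200, 1400,
]


def baseline(counts, window=24):
    """Median of the first `window` hours: the quiet period right after the announcement."""
    return median(counts[:window])


def first_telltale_hour(counts, window=24, factor=2.0, persist=2):
    """Index of the first hour at which `persist` consecutive samples exceed factor * baseline.

    Requiring persistence avoids paging on a single noisy hour. Returns None if the
    threshold is never crossed."""
    threshold = factor * baseline(counts, window)
    for i in range(window, len(counts) - persist + 1):
        if all(c > threshold for c in counts[i:i + persist]):
            return i
    return None


def telltale_timestamp(counts, start=START, **kw):
    """Wall-clock time of the first tell-tale hour, or None."""
    i = first_telltale_hour(counts, **kw)
    return None if i is None else start + timedelta(hours=i)


def sasser_style_timeline(counts=HOURLY_COUNTS, start=START):
    """Milestones in the order the 'Flash to Bang' slide gives them.

    The detection time comes from the series above; the other offsets are assumed
    for illustration and are not the real Sasser dates."""
    return {
        "vulnerability_announced": start,
        "telltale_activity": telltale_timestamp(counts, start=start),
        "firewall_ids_alert": start + timedelta(hours=36),   # assumed: signature written and pushed
        "media_coverage": start + timedelta(days=3),          # assumed
    }


def flash_to_bang(events, origin="vulnerability_announced"):
    """Hours from the vulnerability announcement to each later milestone."""
    t0 = events[origin]
    return {name: (t - t0).total_seconds() / 3600
            for name, t in events.items() if name != origin}


if __name__ == "__main__":
    print("baseline sources/hour:", baseline(HOURLY_COUNTS))
    print("first tell-tale hour:", telltale_timestamp(HOURLY_COUNTS))
    for name, hours in flash_to_bang(sasser_style_timeline()).items():
        print(f"{name:24s} +{hours:5.1f} h")
```

The design choice worth noting is the persistence requirement: a single hour above twice the baseline is common in community data, so the detector waits for two consecutive hours before declaring tell-tale activity, trading a little of the reaction window for far fewer false alerts.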
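The Blaster reuse & peer-to-peer filesharing table ranks destination ports by the percentage of distinct attackers that probed them. As an added example (not code from the talk or from the Symantec report it cites), the block below reproduces that measure from constructed firewall log lines: it counts distinct source addresses per protocol/port, ranks the ports, and labels them with the descriptions given on the slide. The log format and all addresses are invented for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (invented for this example, not data from the talk).
# Each DROP line records one inbound connection attempt: source address, protocol, destination port.
SAMPLE_LOG = """\
2004-06-01T00:00:01 DROP src=10.0.0.11 proto=TCP dpt=135
2004-06-01T00:00:02 DROP src=10.0.0.12 proto=TCP dpt=135
2004-06-01T00:00:03 DROP src=10.0.0.13 proto=TCP dpt=135
2004-06-01T00:00:04 DROP src=10.0.0.11 proto=TCP dpt=135
2004-06-01T00:00:05 DROP src=10.0.0.12 proto=TCP dpt=80
2004-06-01T00:00:06 DROP src=10.0.0.14 proto=TCP dpt=80
2004-06-01T00:00:07 DROP src=10.0.0.15 proto=UDP dpt=1434
2004-06-01T00:00:08 DROP src=10.0.0.13 proto=TCP dpt=4662
2004-06-01T00:00:09 DROP src=10.0.0.16 proto=TCP dpt=7122
2004-06-01T00:00:10 ACCEPT src=10.0.0.1 proto=ICMP
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) proto=(?P<proto>TCP|UDP) dpt=(?P<port>\d+)")

# Port descriptions exactly as the slide's table gives them.
PORT_NOTES = {
    ("TCP", 135): "Microsoft / DCE-Remote Procedure Call (Blaster & Variants)",
    ("TCP", 80): "HTTP / Web",
    ("TCP", 4662): "E-donkey / Peer-to-peer file sharing",
    ("TCP", 6346): "Gnutella / Peer-to-peer file sharing",
    ("TCP", 445): "Microsoft CIFS Filesharing",
    ("UDP", 53): "DNS",
    ("UDP", 137): "Microsoft CIFS Filesharing",
    ("UDP", 41170): "Blubster / Peer-to-peer Filesharing",
    ("UDP", 1434): "Microsoft SQL Server (Slammer)",
}


def attackers_per_port(log_text):
    """Map (proto, port) -> set of distinct source addresses seen probing it.

    A set is used so that one noisy source retrying the same port is counted once,
    which is what 'percentage of attackers' (rather than of packets) means."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without a TCP/UDP destination port are not connection attempts
        sources[(m["proto"], int(m["port"]))].add(m["src"])
    return sources


def rank_ports(log_text, top_n=10):
    """Return rows (rank, 'PROTO/port', description, distinct_attackers, pct_of_attackers).

    pct is the share of all distinct attacking sources that hit that port. Because one
    source can hit several ports, the percentages need not sum to 100."""
    sources = attackers_per_port(log_text)
    all_attackers = set().union(*sources.values()) if sources else set()
    total = len(all_attackers)
    ranked = sorted(sources.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    rows = []
    for rank, ((proto, port), srcs) in enumerate(ranked[:top_n], start=1):
        pct = round(100.0 * len(srcs) / total, 1) if total else 0.0
        rows.append((rank, f"{proto}/{port}", PORT_NOTES.get((proto, port), "Unknown"),
                     len(srcs), pct))
    return rows


if __name__ == "__main__":
    print(f"{'Rank':<5}{'Port':<11}{'Description':<62}{'Attackers':>10}{'%':>7}")
    for rank, port, desc, n, pct in rank_ports(SAMPLE_LOG):
        print(f"{rank:<5}{port:<11}{desc:<62}{n:>10}{pct:>7.1f}")
```

Run against a real firewall export, the same ranking shows immediately whether the top of the table is worm reuse of an old vulnerability (TCP/135, UDP/1434) or peer-to-peer traffic, which is the distinction the slide draws.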
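The Vulnerability Summary slide counts 100 serious potential vulnerabilities a month against a capacity of 40-45 patches, and the Community Defence slide asks for patch activity prioritised on likelihood and damage. The following is an added example, not the talk's or any vendor's method: it scores each vulnerability as likelihood x severity x exposed hosts, where likelihood starts from the three exploit classes used in the Vulnerability Trends chart (no exploit required, exploit available, no exploit available) and is raised when community telemetry already shows attack attempts. The identifiers, weights and sample records are constructed placeholders.

```python
from dataclasses import dataclass

# Likelihood weights for the three exploit classes on the Vulnerability Trends slide.
# The values are assumptions for this example, not figures from the talk.
LIKELIHOOD = {"none_required": 1.0, "available": 0.7, "unavailable": 0.2}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str               # placeholder label, not a real advisory number
    severity: int              # 1-10: damage if exploited
    exploit: str               # key of LIKELIHOOD
    exposed_hosts: int         # hosts in the estate running the affected software
    community_activity: float  # 0-1: share of community organisations already seeing attempts


def risk_score(v):
    """likelihood x damage, with damage expressed as severity x exposed hosts.

    Community telemetry overrides the static exploit class: if peers already report
    attacks, the vulnerability is treated as at least that likely to be hit here."""
    if v.exploit not in LIKELIHOOD:
        raise ValueError(f"unknown exploit class: {v.exploit}")
    likelihood = max(LIKELIHOOD[v.exploit], v.community_activity)
    return round(likelihood * v.severity * v.exposed_hosts, 1)


def prioritise(vulns, budget):
    """Ids of the `budget` highest-risk vulnerabilities, ties broken by id for stable output."""
    ranked = sorted(vulns, key=lambda v: (-risk_score(v), v.vuln_id))
    return [v.vuln_id for v in ranked[:budget]]


# Constructed sample records (invented for this example).
SAMPLE_VULNS = [
    Vuln("VULN-A", severity=9, exploit="available", exposed_hosts=500, community_activity=0.1),
    Vuln("VULN-B", severity=10, exploit="unavailable", exposed_hosts=1000, community_activity=0.0),
    Vuln("VULN-C", severity=6, exploit="none_required", exposed_hosts=200, community_activity=0.0),
    Vuln("VULN-D", severity=4, exploit="unavailable", exposed_hosts=3000, community_activity=0.6),
    Vuln("VULN-E", severity=8, exploit="available", exposed_hosts=10, community_activity=0.0),
]


if __name__ == "__main__":
    for v in sorted(SAMPLE_VULNS, key=risk_score, reverse=True):
        print(f"{v.vuln_id}: risk {risk_score(v):8.1f}  ({v.exploit}, {v.exposed_hosts} hosts)")
    print("patch this month:", prioritise(SAMPLE_VULNS, budget=3))
```

The sample illustrates the point of the community data: VULN-D has the lowest severity and no published exploit, yet it ranks first because peers are already reporting attempts against it across a large exposed population, while the high-severity VULN-E barely registers because almost nothing in the estate is exposed.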