Global Intelligence Network (GIN): identifies more threats, takes action faster and prevents impact
Locations: Calgary, Alberta; San Francisco, CA; Mountain View, CA; Culver City, CA; Dublin, Ireland; Reading, England; Tokyo, Japan; Alexandria, VA; Chengdu, China; Austin, TX; Taipei, Taiwan; Chennai, India; Pune, India; Sydney, AU
Worldwide coverage, global scope and scale, 24x7 event logging, rapid detection
• Attack activity: 240,000 sensors; 200+ countries
• Malware intelligence: 175M clients, servers and gateways monitored; global coverage
• Vulnerabilities: 32,000+ vulnerabilities; 11,000 vendors; 72,000 technologies
• Spam/phishing: 2.5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day
Outputs: preemptive security alerts, information protection, threat triggered actions
Copyright 2016, Symantec Corporation
In 2009 there were 2,361,414 new pieces of malware created. In 2015 that number was 430,555,582. That's 1 million 179 thousand a day.
2016 Internet Security Threat Report Volume 21
Information Security Threats
- Zero-days
- Targeted Attacks
- Breaches
- Vulnerabilities
- Professionalization of Cyber Crime
Zero‐Days “Is an unknown exploit that is used in the wild that exposes a vulnerability in software or hardware.”
Zero-Day Vulnerabilities
[Chart: zero-day vulnerabilities discovered per year, 2006–2015. The count peaked at 54 in 2015, up from 24 in 2014 (the 125% increase cited in the Key Findings); the annual figures for 2006–2013 ranged from 8 to 23.]
Hackers Unleash Trove of Data from Hacking Team
• Hacking Team (HT) had zero-days in Adobe Flash, Internet Explorer, and Microsoft Windows

CVE | Affected Product | First Notice | Patch Date
CVE-2015-5119 | Adobe Flash | July 7 | July 8
CVE-2015-5122 | Adobe Flash | July 10 | July 14
CVE-2015-5123 | Adobe Flash | July 10 | July 14
CVE-2015-2425 | Internet Explorer | July 14 | July 14
CVE-2015-2426 | Microsoft Windows | July 20 | July 20
CVE-2015-2387 | Microsoft Windows | July 8 | July 14
Adobe Releases Out-of-Band Patch for Flash Vulnerability
• On June 23, Adobe released an out-of-band patch for a critical zero-day vulnerability, designated CVE-2015-3113
• Within a week, 5 of the most well known exploit kits had integrated this vulnerability into their platforms

Exploit Kit | First Seen
Magnitude | June 27, 2015
Angler | June 29, 2015
Nuclear | July 1, 2015
RIG | July 1, 2015
Neutrino | July 1, 2015
Targeted Attacks “A targeted attack is one that seeks to breach the security measures of a specific individual or organization.”
Targeted Attack Campaigns
[Chart, 2012–2015: number of campaigns (right axis), average number of email attacks per campaign and recipients per campaign (left axis). Campaigns: 408 (2012), 779 (2013), 841 (2014), 1,305 (2015), a 55% increase over 2014. Over the same period the average number of email attacks per campaign fell from 122 to 12 and recipients per campaign from 111 to 11: more campaigns, each smaller and more focused.]
Breaches “A security breach is any incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms.”
Sources Of A Breach
• Organized Criminal
• Well Meaning Insider
• Malicious Insider
Total Identities Exposed
[Chart, 2011–2015, in millions: 232 (2011), 93 (2012), 552 (2013), 348 (2014), 429 (2015, +23% over 2014); the estimated actual 2015 total is 500 million (+30%).]
Mega Breaches 2015
Vulnerabilities “Is a weakness which allows an attacker to reduce a system's information assurance.”
Who Cares About Vulnerabilities on Websites?
They Did
The Alleged Attackers Used DDoS Attacks “The accused men are alleged to have built the botnet by scanning the internet for servers running older versions of a ‘popular website content management software’ that had not been updated to patch known vulnerabilities. These vulnerabilities allow them to install the Brobot malware on affected servers.”
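The Brobot case above turns on one check a defender can automate: is every internet-facing CMS at or above the release that carries the fix? The Python below is an added example, not Symantec's code and not from the report, which does not name the CMS involved. The product names, minimum versions and host inventory are constructed for illustration; the version comparison and the handling of assets that cannot be assessed are the reusable parts.

```python
"""Flag web servers whose CMS build is older than the patched release.

Added example; not Symantec's code. The product names, version numbers
and inventory below are constructed, not taken from the report.
"""
import re
from typing import Iterable

# Minimum versions that carry the fix for the publicly known flaws.
# Constructed for this example: the report does not name the CMS.
PATCHED_MINIMUM = {
    "examplecms": "3.8.2",
    "examplecms-plugin-gallery": "1.4.0",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '3.8.2' into (3, 8, 2); reject anything that is not dotted integers."""
    v = v.strip()
    if not _VERSION_RE.match(v):
        raise ValueError(f"unparseable version string: {v!r}")
    return tuple(int(p) for p in v.split("."))


def is_below(installed: str, minimum: str) -> bool:
    """True when installed < minimum, comparing numerically per component
    (so '3.10.0' is newer than '3.9.9'). Shorter tuples are zero-padded,
    so '3.8' compares as '3.8.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def find_unpatched(inventory: Iterable[tuple[str, str, str]]) -> list[tuple[str, str, str, str]]:
    """inventory rows: (host, product, installed_version).
    Returns (host, product, installed, required) for every row below the
    minimum. Rows with an unknown product or an unparseable version are
    returned too, tagged 'unknown-product' / 'unparseable-version': an
    asset you cannot assess is not one you can call patched."""
    findings = []
    for host, product, installed in inventory:
        required = PATCHED_MINIMUM.get(product.lower())
        if required is None:
            findings.append((host, product, installed, "unknown-product"))
            continue
        try:
            below = is_below(installed, required)
        except ValueError:
            findings.append((host, product, installed, "unparseable-version"))
            continue
        if below:
            findings.append((host, product, installed, required))
    return findings


# Constructed sample inventory, e.g. the output of a banner/fingerprint scan.
SAMPLE_INVENTORY = [
    ("www1.example.net", "ExampleCMS", "3.8.2"),                 # patched
    ("www2.example.net", "ExampleCMS", "3.7.9"),                 # old
    ("www3.example.net", "ExampleCMS", "3.8"),                   # old (3.8.0)
    ("shop.example.net", "examplecms-plugin-gallery", "1.3.11"),  # old plugin
    ("blog.example.net", "OtherCMS", "2.0"),                     # not in table
    ("old.example.net", "ExampleCMS", "3.8.1-rc"),               # bad version
]

if __name__ == "__main__":
    for host, product, installed, required in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {installed} (needs {required})")
```

Feed it whatever your scanner or CMDB exports; the point of returning the unknown and unparseable rows rather than skipping them is that those are exactly the hosts a botnet builder scanning the whole internet will find before you do.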
Professionalization of Cyber Crime
Butterfly – The Attackers' Tools
• Hacktool.Bannerjack – locates vulnerable servers on the local network
• Hacktool.Multipurpose – basic network enumeration; hides activity by editing logs, deleting files, etc.
• Hacktool.Eventlog – parses event logs, dumps content, deletes entries
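The Eventlog and Multipurpose tools above exist to erase the attackers' trail, so the defender's question is how that tampering shows up afterwards. The Python below is an added example, not Symantec's code, and runs over a constructed set of Windows event records. It looks for the two signals a log-editing tool tends to leave: the audit-log-cleared events (Event ID 1102 in the Security log and 104 in the System log, both real Windows event IDs) and holes in the per-log EventRecordID sequence, which Windows assigns monotonically. The record field names follow what an EVTX export or a SIEM would carry and are an assumption of the example.

```python
"""Spot the traces tools like Hacktool.Eventlog leave behind.

Added example, not from Symantec or the report. Works on a constructed
list of Windows event records (dicts with the fields an EVTX export or a
SIEM would carry; field names are an assumption of this example).
Two checks:
  1. Event ID 1102 in Security / 104 in System: the log was cleared.
  2. Gaps in EventRecordID: IDs are assigned monotonically per log, so a
     missing ID inside an otherwise contiguous export suggests records
     were removed after the fact rather than never written.
"""
from collections import defaultdict

# Well-known "audit log was cleared" events (real Windows event IDs).
CLEARED_EVENTS = {("Security", 1102), ("System", 104)}


def find_cleared_logs(records):
    """Return (log, record_id, user) for every log-cleared event."""
    hits = []
    for r in records:
        if (r["log"], r["event_id"]) in CLEARED_EVENTS:
            hits.append((r["log"], r["record_id"], r.get("user", "?")))
    return hits


def find_record_gaps(records):
    """Return {log: [(first_missing, last_missing), ...]} for holes in the
    EventRecordID sequence of each log. Records may arrive in any order;
    duplicates (the same record exported twice) are collapsed first."""
    by_log = defaultdict(list)
    for r in records:
        by_log[r["log"]].append(r["record_id"])
    gaps = {}
    for log, ids in by_log.items():
        ids = sorted(set(ids))
        holes = [(prev + 1, cur - 1) for prev, cur in zip(ids, ids[1:]) if cur - prev > 1]
        if holes:
            gaps[log] = holes
    return gaps


def triage(records):
    """Both checks in one result for a batch of records."""
    return {"cleared": find_cleared_logs(records), "gaps": find_record_gaps(records)}


# Constructed sample: a Security log with a hole (records 1004-1006 missing)
# and a System log that was cleared by a service account.
SAMPLE_RECORDS = [
    {"log": "Security", "record_id": 1001, "event_id": 4624, "user": "alice"},
    {"log": "Security", "record_id": 1002, "event_id": 4688, "user": "alice"},
    {"log": "Security", "record_id": 1003, "event_id": 4672, "user": "svc_backup"},
    {"log": "Security", "record_id": 1007, "event_id": 4634, "user": "alice"},
    {"log": "Security", "record_id": 1008, "event_id": 4624, "user": "bob"},
    {"log": "System",   "record_id": 55,   "event_id": 7036},
    {"log": "System",   "record_id": 56,   "event_id": 104,  "user": "svc_backup"},
    {"log": "System",   "record_id": 57,   "event_id": 7036},
]

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    for log, rid, user in result["cleared"]:
        print(f"{log} log cleared (record {rid}) by {user}")
    for log, holes in result["gaps"].items():
        for first, last in holes:
            print(f"{log}: records {first}-{last} missing")
```

A gap is a lead, not proof: a filtered or partial export also has holes, so confirm against the full channel (or forwarded copies on a collector the attacker could not reach) before escalating. A log-cleared event outside a known maintenance window is the stronger signal, and forwarding logs off-host in near real time is what makes both checks survive a tool that wipes the local copy.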
Hacktool.MultiPurpose
Butterfly – Command & Control Operations
[Diagram: the attackers' C&C servers, a mail server, and content management systems]
• C&C run from a virtual OS
• Virtual OS is encrypted
• Server logs are wiped
Tech Support Scams – Outbound Call Centers (Boiler Rooms) to Support the Scam
Hello sir, Your computer is infected. Please purchase a support plan for $75 so we can help you…
TeslaCrypt Ransomware – Technical Support Available
Dridex Gang – Number of Known Spam Runs per Day
When Cyber Criminals work in call centers, write documentation, and take weekends off, You Know It’s a Profession
Best Practices
Thank you!
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
APPENDIX
Key Findings
• A large business attacked once in 2015 was likely to be attacked 3 more times
• Half of all targeted attacks were against small businesses
• 55% increase in the number of spear-phishing campaigns in 2015
• 3 out of every 4 legitimate websites found to have unpatched vulnerabilities
• 125% increase in the number of zero-day vulnerabilities discovered
• 100 million technical support scams blocked
• 35% increase in crypto-ransomware as it spread beyond end users to holding businesses hostage
• A record 9 mega breaches occurred in 2015
• 430 million new pieces of unique malware discovered
Top 10 Sectors Breached by Number of Incidents
Rank | Sector | # of Incidents | % of Incidents
1 | Health Services | 120 | 39.3%
2 | Business Services | 20 | 6.6%
3 | Educational Services | 20 | 6.6%
4 | Insurance Carriers | 17 | 5.6%
5 | Hotels & Other Lodging Places | 14 | 4.6%
6 | Wholesale Trade - Durable Goods | 10 | 3.3%
7 | Eating & Drinking Places | 9 | 3.0%
8 | Executive, Legislative, & General | 9 | 3.0%
9 | Depository Institutions | 8 | 2.6%
10 | Social Services | 6 | 2.0%

Top 10 Expanded Sectors Breached by Number of Incidents
Rank | Sector | # of Incidents | % of Incidents
1 | Services | 200 | 65.6%
2 | Finance, Insurance, & Real Estate | 33 | 10.8%
3 | Retail Trade | 30 | 9.8%
4 | Public Administration | 17 | 5.6%
5 | Wholesale Trade | 11 | 3.6%
6 | Manufacturing | 7 | 2.3%
7 | Transportation & Public Utilities | 6 | 2.0%
8 | Construction | 1 | 0.3%
Top Causes of Data Breach by Incidents
Top Sub Level Sectors Breached by Number of Identities Exposed and Incidents
Timeline of Data Breaches
Top 5 High‐Level Sectors Breached by Number of Identities Exposed and Incidents
Top Industries Targeted in Spear-Phishing Attacks
Industry | Distribution | Attacks per Org | % Risk in Group*
Finance, Insurance, & Real Estate | 34.9% | 4.1 | 8.7%
Services | 21.6% | 2.1 | 2.5%
Manufacturing | 13.9% | 1.8 | 8.0%
Transportation & Public Utilities | 12.5% | 2.7 | 10.7%
Wholesale Trade | 8.6% | 1.9 | 6.9%
Retail Trade | 2.5% | 2.1 | 2.4%
Public Administration | 2.0% | 4.7 | 3.2%
Non-Classifiable Establishments | 1.6% | 1.7 | 3.4%
Mining | 1.4% | 3.0 | 10.3%
Construction | 0.7% | 1.7 | 1.1%
Agriculture, Forestry, & Fishing | 0.2% | 1.4 | 2.0%

Non-SIC Related Industries
Industry | Distribution | Attacks per Org | % Risk in Group*
Energy | 1.8% | 2.0 | 8.4%
Healthcare | 0.7% | 2.0 | 1.1%

*NB: The Risk in Group figure is a measure of the likelihood of an organization in that industry being attacked at least once during the year. For example, if there are 100 customers in a group and 10 of them were targeted, that would indicate a risk of 10 percent.