IBM X-Force Threat Intelligence Index
April 2017
Limor Kessem, Executive Security Advisor
Michelle Alvarez, Threat Research, IBM Security

Supersized Security Threats – Can You Stop 2016 from Repeating?



2 IBM Security

Key Trends from 2016

• Unprecedented leaks of comprehensive data sets
• Tried and true methods stock the successful attacker’s arsenal
• The average security client experienced fewer attacks
• The continued need for focus on security fundamentals

An unprecedented amount of records and unstructured data leaked around the globe in 2016

2014: 1,000,000,000 records breached, while CISOs cite increasing risks from external threats

2015: Healthcare mega-breaches set the trend for high value targets of sensitive information

2016: Larger than life breaches as over four billion records and entire digital footprints of many companies were exposed

Source: IBM X-Force Threat Intelligence Index - 2017

In addition to PII, much larger caches of unstructured data were also exposed in 2016.

Source: IBM X-Force Threat Intelligence Index - 2017

Despite a slight rise in security events for monitored security clients in 2016, average attacks were down.

2016 Monitored Security Client Statistics:
• Security events: 54M, up 3%
• Attacks: 1,019, down 12%
• Incidents: 93, down 48%

Source: IBM X-Force Threat Intelligence Index - 2017

Notable Attack Vectors


Spam email volume grew fourfold, with nearly half of spam containing malicious attachments

Source: IBM X-Force Threat Intelligence Index - 2017


Record vulnerability disclosures topped 10,000, with new discoveries up across all classes of software.

Source: IBM X-Force Threat Intelligence Index - 2017


The top attack vectors for monitored security clients used malicious input data, like SQLi or CMDi, or system data structure manipulation.

Source: IBM X-Force Threat Intelligence Index - 2017
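The two vectors named above, SQL injection (SQLi) and OS command injection (CMDi), share one root cause: untrusted input is spliced into text that a parser (the database engine or a shell) then interprets. The following is an added example, not code from the IBM report; it puts the defective pattern beside its hardened form for each vector, with a constructed in-memory table, a constructed hostname allowlist regex and a small metacharacter check, all of which are assumptions made here for illustration.

```python
"""Added example (not from the IBM report): the input-handling defects behind
SQLi and OS command injection (CMDi), each beside its hardened form.
All names, sample rows and regexes here are constructed for illustration."""
import re
import sqlite3


def make_db():
    # Constructed sample table standing in for an application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)])
    return conn


def lookup_unsafe(conn, owner):
    # Defect: the input is spliced into the SQL text, so a quote character in
    # 'owner' changes the query's structure instead of being a value.
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    # Fix: bind the value as a query parameter; the driver never parses it
    # as SQL, so the same input matches only an owner literally named that.
    return conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


# Assumed allowlist: the application only ever needs to probe DNS hostnames,
# so letters, digits, dots and hyphens are the only characters accepted.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def ping_command_unsafe(host):
    # Defect: one string destined for a shell (os.system / shell=True), so
    # shell metacharacters in 'host' become further commands. Returned here
    # for inspection, never executed.
    return "ping -c 1 " + host


def ping_argv_safe(host):
    # Fix: validate against the allowlist, then build an argv list. Passed to
    # subprocess.run(argv) with the default shell=False, 'host' is always a
    # single argument and no shell ever parses it.
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["ping", "-c", "1", host]


def shell_or_sql_metachar_present(value):
    # A simple input check of the kind a WAF rule or log review applies:
    # flags characters that matter only to a shell or to SQL quoting.
    return any(ch in value for ch in ";|&`$'\"")


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"          # constructed test input
    print("unsafe:", lookup_unsafe(db, payload))   # every row is returned
    print("safe:  ", lookup_safe(db, payload))     # [] : no such owner
    print(ping_command_unsafe("example.com; echo injected"))
    try:
        ping_argv_safe("example.com; echo injected")
    except ValueError as err:
        print("blocked:", err)
    print(ping_argv_safe("example.com"))
```

The defended forms do not try to strip or escape the dangerous characters; they change how the input reaches the parser (a bound parameter, a single argv element), which is why they hold up regardless of the payload. The metacharacter check is useful for detection and logging, not as the primary control.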

Industry Trends


Information and communications led the pack in most successfully breached companies

Source: IBM X-Force Threat Intelligence Index - 2017

Financial Services

• The Financial Services sector moved from the 3rd most-attacked industry in 2015 to the most-attacked industry in 2016.
• SQLi and OS CMDi attacks accounted for almost half of all FSS attacks.
• The large portion of Inadvertent Actors may mean these industries have a greater susceptibility to phishing attacks.

Insiders vs Outsiders:
• Malicious Insider: 5%
• Inadvertent Actor: 53%
• Outsiders: 42%

To learn more, check out the “Focusing on financial institutions” paper from IBM X-Force.

Source: IBM X-Force Threat Intelligence Index - 2017

Information & Communications

• Information and Communications jumped to the 2nd most-attacked industry in 2016.
• The number one mechanism of attack in this industry was “Manipulate Data Structures”, like buffer overflow conditions.
• After Injection attacks, the third most common attack class was the “Indicator” category, largely due to attempted connections from Tor exit nodes, which could be attackers disguising their originating location.
• The overwhelming attacks from Outsiders are indicative of the data-rich targets in this industry, and comprised 23% of the breaches, but over 80% of the total records exposed in 2016.

Insiders vs Outsiders:
• Malicious Insider: 1%
• Inadvertent Actor: 3%
• Outsiders: 96%

To learn more, check out the “Indicators of Compromise” paper from IBM X-Force.

Source: IBM X-Force Threat Intelligence Index - 2017

Manufacturing

• Manufacturing kept its position among the most attacked industries as the 3rd most-attacked industry in 2016.
• SQL Injection accounted for 71% of the attacks on monitored security manufacturing clients.
• The overwhelming attacks from Outsiders in Manufacturing stem from perceptions that many systems within the sector are weak by design as a result of a failure to be held to compliance standards.

Insiders vs Outsiders:
• Malicious Insider: 4%
• Inadvertent Actor: 5%
• Outsiders: 91%

To learn more, check out the “Cyber spies target manufacturers” paper from IBM X-Force.

Source: IBM X-Force Threat Intelligence Index - 2017

Retail

• Retail rose to the 4th most-attacked industry in 2016.
• SQLi and CMDi, which accounted for 50% of the attacks, are used to target the large amount of financial records and other PII such as credit card and Social Security numbers.
• The overwhelming attacks from Outsiders in Retail stem from the data-rich troves of PII owned by companies in these industries.

Insiders vs Outsiders:
• Malicious Insider: 2%
• Inadvertent Actor: 7%
• Outsiders: 91%

To learn more, check out the “Security Trends in Retail” paper from IBM X-Force.

Source: IBM X-Force Threat Intelligence Index - 2017

Healthcare

• Healthcare dropped to the 5th most-attacked industry in 2016.
• SQLi and CMDi, which accounted for almost half of the attacks, are used to target the large amount of personal health records.
• The large portion of attacks from Inadvertent Actors can be attributed to situations when a desktop client is compromised via malicious email attachments, clickjacking, phishing or vulnerable computer services that have been attacked from another internal networked system.

Insiders vs Outsiders:
• Malicious Insider: 25%
• Inadvertent Actor: 46%
• Outsiders: 29%

To learn more, check out the “Security Trends in Healthcare” paper from IBM X-Force.

Source: IBM X-Force Threat Intelligence Index - 2017

Cybercrime Trends

Globally, cybercriminals pursued targets with proven returns in 2016 while exploring new geographies.

Most prevalent financial malware families, Global, 2016:
• Zeus, 28%
• Neverquest, 17%
• Gozi, 16%
• Dridex, 11%
• Ramnit, 9%
• GozNym, 7%
• Tinba, 6%
• Gootkit, 3%
• Qadars, 2%
• Rovnix, 1%

Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017

Attackers are engaging more methodical distribution methods for malware campaigns

• Less mass-blasting of spam
• Use of lower-end opportunistic malware like ransomware, IoT bots, and keyloggers
• Employ anti-security features to avoid detection
• Create minimal campaigns in a single country with smaller target lists of companies

Cybercriminals are sharpening their focus on business accounts

• Organized gangs lean toward business targets because they can steal more money at a time than with consumer accounts
• Gangs are also more likely to have the necessary resources at their disposal to steal larger amounts of money, such as:
  - Fraudsters with reconnaissance experience to plan out the scenario.
  - Funding to hire professional criminal call centers to support the fraud process and manipulate the victim.
  - Straw companies and straw men to funnel, cash out, and launder millions in stolen funds.

Portion of Business Account Targets (chart): families shown are Dridex, GozNym and TrickBot; values shown are 50%, 52% and 42%

Source: IBM X-Force Threat Intelligence Index - 2017

Commercial malware is making a comeback

• Android overlay malware replaced banking Trojans as the “banking malware” commodity in open and semi-open forums on the cybercrime underground.
• Ransomware and ransomware-as-a-service offerings are low-cost money makers for gangs that wish to make a minimal up-front investment.
• New malware variants built on the Zeus v2 source code, leaked in 2011, kept Zeus at the top of the list of prolific malware.
• A new developer arose in an attempt to sell the brand new banking Trojan NukeBot in the underground.

Image: Ransom32, a Ransomware as a Service offering

In 2016, cybercriminals mimicked traditional organized crime by diversifying illicit profit sources.

• The Dridex banking Trojan partnered with Locky ransomware.
• The ransomware dropper Nymaim had a Gozi banking Trojan module embedded, creating a new two-headed beast: GozNym.

Asia continued to attract organized cybercrime groups in 2016

Japan
• The scarcity of attack tools in its complex language kept Japan isolated until late 2015, when the Shifu Trojan emerged, laying the foundation for further attacks.
• Most active financial malware in Japan, per attack volume, includes:
  1. Gozi
  2. URLZone
  3. Rovnix
  4. Shifu

Australia / New Zealand
• Australia ranks 4th in 2016 among countries most targeted by banking Trojan attacks, following the UK, the US and Canada.
• Most active financial malware in AUS/NZ includes:
  1. Ramnit
  2. Gozi
  3. Dridex
  4. TrickBot

Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017

In North America, the US remained a top target and Canada became a bigger target in 2016, while

Chart: Gozi and Ramnit Activity in Canada - 2016 (monthly activity, Jan through Dec, y-axis 0 to 2,500; series: Gozi, Ramnit)

Most prevalent financial malware families, US, 2016:
• Gozi, 21%
• GozNym, 20%
• Neverquest, 17%
• Zeus varieties, 9%
• Dridex, 9%
• Tinba, 8%
• GootKit, 7%
• Kronos, 6%
• Ramnit, 2%
• URLZone, 1%
• TrickBot, 1%

Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017

In Europe, the UK and Germany remained at the top of the target list for cybercriminals

Most prevalent financial malware families, UK, 2016:
• Neverquest, 46%
• Kronos, 16%
• GootKit, 8%
• Tinba, 8%
• Gozi, 5%
• Dridex, 4%
• Zeus, 3%
• Ramnit, 3%
• URLZone, 2%
• Shifu, 2%
• GozNym, 1%
• Others, 2%

Germany saw the emergence of two sophisticated gangs operating GozNym and Trickbot. Both emerged in Germany shortly after their global debut.

Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017

Growing sophistication changed the malware landscape in Brazil

October of 2016 saw a notably sophisticated twist on the old phishing attack kit: live, interactive phishing attacks

1. The attack takes place over a web session between attacker and victim, on a website that mimics the look and feel of the original bank’s site.
2. The attacker uses Ajax-powered screens to switch up the messages victims see, asking for critical identification and transaction authorization elements.
3. The flow of events is controlled from a web-based admin interface, where the attacker automates the screens shown to the victim, also allowing personalization.

Other key trends:
• Zeus moved into Brazil in time for a large international sporting event in the summer
• New malcode discovered in the wild, including a proper AV-disabling loader in driver form
• New cryptographic ransomware variants targeted businesses, including hospitals

Source: The shifting panorama of global financial cybercrime, IBM X-Force, 2017

Many of the incidents we’ve seen could be avoided with a focus on security basics

• Instrument your environment with effective detection.
• Keep up with threat intelligence.
• Maintain a current and accurate asset inventory.
• Maintain identity governance to audit and enforce access rules & permissions.
• Have a patching solution that covers your entire infrastructure.
• Create and practice a broad incident response plan.
• Implement mitigating controls.

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

FOLLOW US ON:

THANK YOU