View
0
Download
0
Category
Preview:
Citation preview
The trends of cyber incidents leading to large scale cyber-crisis
Ilias Chantzos
1
Senior Director Government Affairs EMEA, Global CIP and Privacy Advisor
Agenda for discussion
• Do you remember?
• Who is being attacked and how?
• Most recent example
• Political considerations
• Conclusions
2
Code Red
Back in early 2000……Fast Spreading Exploits
Spread Even Faster…
Slammer
Since then…..
5
The change in the game
• When was the last time you saw mass malware distribution?
• Botnet usage reminiscent of this style of attack
• No longer hacking for fame but for fortune
• The biological bug vs the digital
• Polymorphism
• 1 mutation per 10 victims
6
7
• Targeted Attacks predominantly start as spear phishing attacks
• In 2012, Watering Hole Attacks emerged
– Popularized by the Elderwood Gang
Infect a website and lie in wait for them
Watering Hole Attack
Send an email to a person of interest
Spear Phishing
1 Watering Hole Attack in 2012
Infected 500 Companies
All Within
24 Hours
• Watering Hole attacks are targeted at specific groups
• Can capture a large number of victims in a very short time
8
Effectiveness of Watering Hole Attacks
Watering Hole Targeted iOS Developers
• The Watering Hole
• The attackers were looking for iOS developers
9
To watch out - Vulnerabilities & Mobile Malware
• Today there is no significant link between mobile OS vulnerabilities and exploitation by malware
• In the future that may change
10
Platform Vulnerabilities
Apple iOS 387
Android 13
Blackberry 13
Windows Mobile 2
Device Type # of Threats
Apple iOS Malware 1
Android Malware 103
Symbian Malware 3
Windows Malware 1
Targeted Attacks by Company Size
• Greatest growth in 2012 is at companies with <250 employees
• Up 42% in total in comparison to last year
11
50% 50%
9% 9%
2% 2%
1,501 to 2,500
3% 3%
5% 5%
31% 31%
1,001 to 1,500 501 to 1,000
251 to 500
1 to 250
18% in 2011
Employees 2,501+
50% 2,501+ 50% 1 to 2,500
• Manufacturing moved to top position in 2012
• But all industries are targeted
12
1%
2%
2%
2%
8%
10%
12%
17%
19%
24%
0% 10% 20% 30%
Transportation, Communications, Electric, Gas
Aerospace
Retail
Wholesale
Services – Professional
Energy/Utilities
Government
Services – Non-Traditional
Finance, Insurance & Real Estate
ManufacturingManufacturing
Finance, Insurance & Real Estate
Services – Non-Traditional
Government
Energy/Utilities
Services – Professional
Wholesale
Retail
Aerospace
Transportation, Communications, Electric, Gas
Targeted Attacks by Industry
R&D 27%
Senior 12%
C-Level 17%
Sales 24%
Shared Mailbox
13%
Recruitment 4%
Media 3% PA
1%
0%
5%
10%
15%
20%
25%
30%
• Attacks may start with the ultimate target but often look opportunistically for any entry into a company
13
Targeted Attacks by Job Function
14
Latest example - Hidden Lynx
Who is the Hidden Lynx group?
• “Hackers for Hire” established < 2009
• Based in China
• Highly customize tools & access to 0-day exploits
• Pioneered large scale “Watering Hole” attacks (AKA the VOHO Campaign)
• More capable than Comment Crew/APT1
• Proficient, Innovative, Methodical
15
TOOLS TOOLS TOOLS
Characteristics of Hidden Lynx
Symantec Security Response 16
Well resourced 50-100 people
Diverse range of targets
Concurrent campaigns
Can penetrate tough targets
The Two Sides of Hidden Lynx
Same organization but different teams…
17
Team Naid Elite, Precise, Surgical
Uses: Trojan.Naid
Scope: Special operations (small team)
Targets: Information of national interest
Examples: Bit9 attack, Operation Aurora
Team Moudoor Skilled, Prolific, Indiscriminant
Uses: Backdoor.Moudoor
(custom “Gh0st RAT”)
Scope:
Wide scope attacks (large team)
Targets: Financial sector, all levels of
government, healthcare, education and legal
Who’s Targeted – Verticals
18
Hundreds of targets
Hundreds of targets
Dozens of campaigns Dozens of campaigns
Direct/Indirect attacks
Direct/Indirect attacks
52.7% USA
15.5% Taiwan
9% China
4% Hong Kong
3% Japan
2.4% Canada
2.2% Germany
1.7% Russian Federation
1.5% Australia
1.5% Republic of Korea
Who’s Targeted – Top 10 Countries
19
Tools, Tactics and Procedures
• Custom Trojans
• Early adopters of watering hole techniques (VOHO)
• Spear-phishing
• Supply chain attacks
– Trojanizing driver files in the supply chain to infiltrate final targets
• 0-day and known exploits
– Since 2011, 5 exploits including 3 0-day exploits
– Including gaining early access to exploit details (Oracle Java CVE-2013-1493)
• Adaptable and resourceful
– Stole Bit9 signing certificate to bypass their trust protection model
• Tell-tale characteristics of a professional and skilled group
20
Political considerations
21
• Cyber as a tool for SIGINT
• Cyber as a tool in conflict management
• Asymmetric, deniable, effective
• Political tension and cyber links
• Cyber+CNI= Physical crisis
• Presumed capability and deterrence
• Trust model and PPP
Conclusions
• No agreed definition of large-scale cybercrisis
• Deterrence by denial is likely to prove superior to deterrence by counterstrike
• Militarization of some technologies is inevitable
• Cybersecurity moving towards SIGINT, EW, sabotage and strategic warfare
• Reliance on robotics will extend civilian and military use of cyber
• Combination of targeted and mass-scale likely to evolve
• Financial motivation will remain a prime driver
• Another political tool?
22
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Thank you!
23
Ilias_chantzos@symantec.com
Recommended