cybercrime - attack of the cyber spies

Cybercrime – Attack of the Cyber Spies 3 December 2013 Andrew Horbury Senior Product Marketing Manager Symantec Website Security Solutions

Upload: symantec-website-security-solutions

Post on 08-May-2015


DESCRIPTION

Globally, cybercrime caused €83bn of damage; this presentation looks at the dangers and the measures you can take to stay safe. To view the webcast click here: https://www.brighttalk.com/webcast/6331/90937

TRANSCRIPT

Page 1: Cybercrime - Attack of the Cyber Spies

Cybercrime – Attack of the Cyber Spies
3 December 2013

Andrew Horbury
Senior Product Marketing Manager, Symantec Website Security Solutions

Page 2: Cybercrime - Attack of the Cyber Spies

Cybercrime is a growing challenge


Page 3: Cybercrime - Attack of the Cyber Spies

Agenda today

1. Cybercrime cost in numbers
2. Attack types and targets
3. Vulnerabilities
4. Insiders
5. Phishing and Ransomware
6. Watering holes and different attack tactics
7. Conclusion and resources

Page 4: Cybercrime - Attack of the Cyber Spies

The global price tag of consumer cybercrime

€83 BN

• FRAUD 38%
• THEFT OR LOSS 21%
• REPAIRS 24%
• OTHER 17%

€220 average cost per victim

50% increase over 2012

Which is enough to host the 2012 London Olympics nearly 10 times over

Page 5: Cybercrime - Attack of the Cyber Spies

The global price tag of consumer cybercrime

[Figure: cost by region, all amounts in euro (BN). Labels as extracted: USA 28; Mexico 2.2; Brazil 6; Europe 9; Russia .7; China 27; India 3; Japan .7; Australia; South Africa 0.2. One further ".7" label is not attached to a region.]

Page 6: Cybercrime - Attack of the Cyber Spies

Different motives – Different attacks


Money

Espionage/Sabotage

Banking Trojan

Extortion

Scam

Hacktivism

DDoS

Defacement

SQL Injection

Page 7: Cybercrime - Attack of the Cyber Spies

Different motives – Different attacks


1. Hacktivists, 46%
2. Organised crime, 42%
3. Competitors/industrial espionage, 41%
4. Nation state, 34%
5. Terrorist organisation, 28%


Page 9: Cybercrime - Attack of the Cyber Spies

What activity do we see? And how can you prepare and react?


Motivation and Activity

Employee Challenges

How you will detect and react

Page 10: Cybercrime - Attack of the Cyber Spies

Cyber Criminals have time and money


Page 11: Cybercrime - Attack of the Cyber Spies

They are global and skilled


Page 12: Cybercrime - Attack of the Cyber Spies

Top Targeted Countries Per Financial Trojan Family Count

[Chart: countries shown are United States, Great Britain, India, Germany, Italy, France, Spain, Canada, Australia, Netherlands, Hong Kong, Switzerland, Sweden, Norway, New Zealand. Axes: Population x Wealth per Capita ($- to $50,000,000,000,000.00) and Trojan Family Count (0 to 7). Series: Population x Wealth per Capita; Trojan Family Count; Linear (Trojan Family Count).]


Page 14: Cybercrime - Attack of the Cyber Spies

Financial Trojans - Profile of Countries

• Preferred targets: developed country, sizeable wealthy population
• Fewer banks means less variation needed by the attacker

Number of threats found in EU countries

Country          Banks  Population  Wealth Per Capita  Number of Threats
United Kingdom   52     62262000    128959             6
Germany          1873   81857000    89871              5
Austria          752    8452835     66639              5
Netherlands      277    16751323    120086             5
Italy            729    60849247    119704             4
France           644    65350000    93729              4
Spain            322    46163116    92253              4
Ireland          472    4588252     89327              3
Finland          313    5424360     38754              2
Portugal         154    10561614    53357              2
Lithuania        141    3180394     22126              2
Cyprus           137    838897      99526              2
Malta            27     417617      75694              1
Estonia          16     1294236     26361              1
Belgium          107    10839905    85818              0
Slovakia         29     5445324     23968              0
Slovenia         25     2061400     36672              0



Page 19: Cybercrime - Attack of the Cyber Spies

Hidden Lynx

• Well resourced, 50-100 people
• Diverse range of targets
• Concurrent campaigns
• Can penetrate tough targets

Page 20: Cybercrime - Attack of the Cyber Spies

Hidden Lynx 2


Page 21: Cybercrime - Attack of the Cyber Spies

Cybercriminals will look for your weakest link


Page 22: Cybercrime - Attack of the Cyber Spies

Zero-Day Vulnerabilities

• One group can significantly affect yearly numbers
• Elderwood Gang drove the rise in zero-day vulnerabilities

[Chart: Zero-Day Vulnerabilities, 2006 to 2012; axis 0 to 16; series: Total Volume, Stuxnet, Elderwood. Total Volume data labels (not matched to years): 14, 13, 15, 9, 12, 14, 8.]

Page 23: Cybercrime - Attack of the Cyber Spies

All Vulnerabilities

• No significant rise or fall in discovery of new vulnerabilities in last 6 years

[Chart: All Vulnerabilities, 2006 to 2012; axis 0 to 7,000. Data labels (not matched to years): 4,842; 5,562; 4,814; 6,253; 4,989; 5,291; 4,644.]

Page 24: Cybercrime - Attack of the Cyber Spies

30% increase in web attacks blocked…

2011: 190,370
2012: 247,350

Page 25: Cybercrime - Attack of the Cyber Spies

Our Websites are Being Used Against Us

• 61% of web sites serving malware are legitimate sites
• 53% of legitimate websites have unpatched vulnerabilities
• 25% have critical vulnerabilities unpatched

Page 26: Cybercrime - Attack of the Cyber Spies

Are your employees the cybercriminals’ greatest ally?

Page 27: Cybercrime - Attack of the Cyber Spies

Malicious Insiders could pose the greatest risk

Who are they?
1. The disgruntled employee
2. The profit-seeking employee
3. A soon to depart employee
4. The one who owns the code

Page 28: Cybercrime - Attack of the Cyber Spies

Malicious Insiders could pose the greatest risk

Considerations
• Know your people
• Focus on deterrence, not detection
• Identify information that is most likely to be valuable
• Monitor ingress and egress
• Baseline normal activity

Page 29: Cybercrime - Attack of the Cyber Spies

Cybercriminals will find your most sensitive information even if you can’t


Page 30: Cybercrime - Attack of the Cyber Spies

Your assumptions are wrong!
Don’t assume you are not a target.
Targets are not always the CEO or senior managers

Page 31: Cybercrime - Attack of the Cyber Spies

Cybercriminals are Persistent and Flexible


Page 32: Cybercrime - Attack of the Cyber Spies

Your assumptions are wrong!
Don’t assume you are not a target.
Targets are not always large orgs and governments

Page 33: Cybercrime - Attack of the Cyber Spies

Use Case: Taidoor


Page 34: Cybercrime - Attack of the Cyber Spies

Phishing (Brand impersonation)


Criminals use well-known brands to trick people into disclosing information or installing malware.

• 79% of companies experienced one or more Web-borne attacks in 2012, and 55 percent were affected by phishing attacks.*

• 20% more brands were targeted by attackers in the first half of 2013

• 30% of people will still open a suspicious email

*Webroot/Qualittics Research 2012

Page 35: Cybercrime - Attack of the Cyber Spies

Ransomware

• Anti-Fraud Service for Fraudsters
• Multiple Pricing options
• “FBI” Ransomware
– Now offers optional extras
– Authors resort to disturbing images in bid to make victims pay
• Cryptolocker
– Continues to cause problems
– Roughly 25 per cent of computers are not running any real-time protection vs. malware
– Encrypts files with full PKI encryption and sets a deadline
– Offers a discount? 2 0.5 Bitcoins

Page 36: Cybercrime - Attack of the Cyber Spies


PWNED

Page 37: Cybercrime - Attack of the Cyber Spies

Ransomware is ever present

• New variants encrypt data with strong cryptography
• Making an appearance on mobile devices
• Problem: People don’t back-up their data!

[Chart: Percentage of Ransomware infections in the Netherlands, January to August; axis 0.00% to 5.00%.]

Page 38: Cybercrime - Attack of the Cyber Spies

Targeted Attacks can come via partners, customers or suppliers


Everyone is a target now.

Page 39: Cybercrime - Attack of the Cyber Spies

Top targeted sectors in 2013

• WholeSales / Distributor
• Raw Material / Mining / Chemical
• Transport/Logistic
• Food/Agriculture
• Services
• Energy
• Computer/IT
• Banking / Financial Services / Real Estate
• Manufacturing
• Government / Public Sector / Academia

[Chart: one bar per sector for each of two series, July-Dec 2012 and Jan-June 2013; axis 0 to 0.3.]

Page 41: Cybercrime - Attack of the Cyber Spies

Targeted Attacks by Company Size

Greatest growth in 2012 is at companies with <250 employees

Small business often not well protected, but connected to others

50% 2,501+, 50% 1 to 2,500

Employees
2,501+: 50%
1,501 to 2,500: 9%
1,001 to 1,500: 2%
501 to 1,000: 3%
251 to 500: 5%
1 to 250: 31% (18% in 2011)

87% of SMBs suffered a cyberattack last year, only 44% see security as a priority

Page 42: Cybercrime - Attack of the Cyber Spies

Targeted Attacks by Job Function

• R&D 27%
• Sales 24%
• C-Level 17%
• Shared Mailbox 13%
• Senior 12%
• Recruitment 4%
• Media 3%
• PA 1%

Attacks may start with the ultimate target, but often look opportunistically for any entry into a company

Page 43: Cybercrime - Attack of the Cyber Spies

It’s not just about direct attacks or e-mail


Page 44: Cybercrime - Attack of the Cyber Spies

Targeted Attacks predominantly start as spear phishing attacks

In 2012, Watering Hole Attacks emerged

• Spear Phishing: Send an email to a person of interest
• Watering Hole Attack: Infect a website and lie in wait for them

Page 45: Cybercrime - Attack of the Cyber Spies

Effectiveness of Watering Hole Attacks

Watering Hole attacks are targeted at specific groups

Can capture a large number of victims in a very short time

1 Watering Hole Attack in 2012
Infected 500 Companies
All Within 24 Hours

Page 46: Cybercrime - Attack of the Cyber Spies

Watering Hole Targeted iOS Developers

In 2013 this type of attack will become widely used
Several high profile companies fell victim to just such an attack

Page 47: Cybercrime - Attack of the Cyber Spies

Using the Phone to back up a Phishing Attack

• What can attackers do to improve success rate of phishing email?
• On 11 April 2013, an employee in an “Organisation A” in France received a phone call
• French speaking caller, urges her to download an invoice from a link she will receive through email
• Link doesn’t go to an invoice but instead installs a version of W32.Shadesrat, a well-known Remote Access Trojan
• Suspicious, the employee shuts down the machine 15 minutes later and contacts the CISO

Page 48: Cybercrime - Attack of the Cyber Spies

The Motive – Financially Driven

• Targets accountants or finance department employees
• These targets may have access to…
– Sensitive commercial information
– May have authority to carry out financial transactions
– May have access to information that could facilitate future attacks: Email addresses, Phone numbers, Invoices, Account numbers

Page 49: Cybercrime - Attack of the Cyber Spies

The potential attack space is growing...

Smart cars

Smart homes/TVs

Ransom Trojans

DDoS attacks

Financial Trojans

Password theft

Mobile threats

Privacy Cloud

Cyberwarfare

Wearables (glasses)

Targeted attacks

Social media

SQL injection

Browser attacks

SCADA attacks

419 scams

Auction scams

Bitcoin

WLAN hotspot

Internet of things

Page 50: Cybercrime - Attack of the Cyber Spies

How to detect when you’ve been breached


Page 51: Cybercrime - Attack of the Cyber Spies

Addressing Cyber Risk

• Build a sustainable program
• Stay ahead of threats
• Complete visibility
• Focus on top priorities
• Present in business context

THREAT: Insider Abuse, Commodity Malware, Coordinated Attacks (APT), Changing Landscape, Massive Data Volumes

COMPLIANCE: Technical Controls, Procedural Controls, Policy Management, Demonstrable Processes, Massive Data Volumes

Risk Awareness

Visibility of Risk

Page 52: Cybercrime - Attack of the Cyber Spies

Who do you call when you’ve been attacked


Page 53: Cybercrime - Attack of the Cyber Spies


Legal

PR

IT

Business Leaders

Police

Forensics

Page 54: Cybercrime - Attack of the Cyber Spies

Conclusion

Avoid breaches and mitigate risks

• Patch, patch, patch
• Is your AV up to date?
• Scan your sites for vulnerabilities and malware
• Email and web gateway filtering
• Host based intrusion detection
• Two factor authentication
• Look inside as well as out.

Page 55: Cybercrime - Attack of the Cyber Spies

Where you can learn more

• Internet Security Threat
– http://go.symantec.com/istr/
– http://www.symantec.com/security_response/publications/
– http://www.symantec.com/connect/blogs/elderwood-project-infographic
– @threatintel

• Endpoint Security
– http://go.symantec.com/sep12/

• Website Security Solutions
– http://go.symantec.com/ssl
– http://www.symantec.com/connect/blogs/website-security-solutions
– @NortonSecured
– Monthly webinar channel – 4 December 2013
– https://www.brighttalk.com/channel/6331

Print Screen now

Page 56: Cybercrime - Attack of the Cyber Spies

Thank you!

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Andrew [email protected] @andyhorbury