Three Simple Steps to Prevent Targeted Attacks

Kevin Haley Dr, PM, Symantec Security Technology & Response

2

+91% Increase in targeted attack campaigns

2012

2013

3

4

5

Zero-Day Vulnerabilities

13 15

9 12

14

8

14

23

0

5

10

15

20

25

30

2006 2007 2008 2009 2010 2011 2012 2013

Zero-Day Vulnerabilities, Annual Total, 2006 - 2013 Source: Symantec

23 zero-day vulnerabilities discovered in 2013 Increase from 14 in 2012

More zero-day vulnerabilities discovered in 2013 than in any year since we started tracking More zero-days in 2013 than in past two years combined

7

Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114)

Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-6352).

An Example - Exploiting Sandworm

8

• (CVE-2014-4114)

• (CVE-2014-6352)

• Dropper

• Backdoor/downloader

• RATS

• Web Attack: Microsoft OLE RCE CVE-2014-6352

• Bloodhound.Exploit.553

• Trojan.Mdropper

• Backdoor.Lancafdo, Backdoor.Lancafdo.A

• Trojan.Taidoor, Backdoor.Darkmoon

Improving Security - Zero Days Disarm

9

Targeted Attacks by Company Size

10

Risk of Being Targeted by Industry Size

11

Ratio of Organization Targeted by Industry Size Sent by Spear-Phishing Email Source: Symantec

High

Medium

Risk

2,500+

1,501-2,500

1,001-1,500

501-1,000

251-500

1-250

2.3

2.9

2.9

3.8

4.3

5.2

1 in

12

13

#1 Run More Than AV on Your Endpoints

14

An Example - Dragonfly

• Ongoing cyberespionage campaign

• Targeting the energy sector in Europe and US

• Stealing information

• Capable of sabotage

15

Dragonfly Attack Methods

Send an email to a person of interest

Spear Phishing

16

Dragonfly Attack Methods

Send an email to a person of interest

Spear Phishing

Infect a website and lie in wait for them

Watering Hole Attack

17

Watering Hole Attacks

Energy industry related sites Lightsout Exploit Kit

Backdoor.Oldrea or

Trojan.Karagany

18

Website Vulnerabilities

19

Scanned Websites With Vulnerabilities

53% 78% +25%

pts 2012 2013

1 IN 8 sites had critical unpatched vulnerabilities

Malicious Websites

With so many vulnerable websites, cybercriminals don’t need to set up own websites to host malware

New Unique Malicious Web Domains

56,158 74,001

55,000

-24% 2013

2012

2011

21

1.2 Billion Records Breached

7 month period 400,000 websites SQL Vulnerability

Dragonfly Attack Methods

Send an email to a person of interest

Spear Phishing

Infect a website and lie in wait for them

Watering Hole Attack

Infect software update victim downloads

Trojanized Update

23

24

25

#2 Protect Your Websites – Patch Vulnerabilities

26

1014 4562 1916 5432 1734 5690 2554 2344 1014 4562 1916 5432

An Example - POS System Attacks

Internet

POS Network

Payment Processor

1014 4562 1916 5432 1734 5690 2554 2344 1014 4562 1916 5432

Internet

Corporate Network

POS Network

Payment Processor

1014 4562 1916 5432 1734 5690 2554 2344 1014 4562 1916 5432

Internet

Corporate Network

POS Network

Payment Processor

1014 4562 1916 5432 1734 5690 2554 2344 1014 4562 1916 5432

Internet

Corporate Network

POS Network

Payment Processor

1014 4562 1916 5432 1734 5690 2554 2344 1014 4562 1916 5432

32

Internet

Payment Processor

1014 4562 1916 5432 1734 5690 2554 2344 1014 4562 1916 5432

#3 Demand That Your Partners Have Good Security

34

Security Intelligence

35

Security is Only Intelligent if its Unified

Q & A

36

Kevin Haley khaley@symantec.com

@kphaley

symantec.com/threatreport