Top Security Trends for 2014

© 2013 Imperva, Inc. All rights reserved. Amichai Shulman, CTO, Imperva

Upload: imperva

Post on 09-May-2015


DESCRIPTION

Imperva's dedicated research organization, the Application Defense Center (ADC), constantly monitors hackers - and their attack methods - to isolate the most relevant attack campaigns. Based on this research data, the ADC has identified the top trends poised to have the most significant impact on the security landscape in 2014. This presentation outlines the trends that will resonate across the globe in the upcoming year like the return of compromised web servers, the rise of cloud platform breaches, and the spread of 3rd party application vulnerabilities.

TRANSCRIPT

Page 1: Top Security Trends for 2014

Top Security Trends for 2014

Amichai Shulman, CTO, Imperva

Page 2: Top Security Trends for 2014

Agenda

§ Introduction
§ 2013 forecast scorecard
§ 2014 security trends
§ Summary and conclusion
§ Q&A

Page 3: Top Security Trends for 2014

Amichai Shulman – CTO, Imperva

§ Speaker at industry events
  • RSA, Appsec, Info Security UK, Black Hat
§ Lecturer on information security
  • Technion - Israel Institute of Technology
§ Former security consultant to banks and financial services firms
§ Leads the Imperva Application Defense Center (ADC)
  • Discovered over 20 commercial application vulnerabilities
    § Credited by Oracle, MS-SQL, IBM and others

Amichai Shulman one of InfoWorld’s “Top 25 CTOs”

Page 4: Top Security Trends for 2014

2013 Forecast Scorecard

#  Trend                                 Score
1  Hacktivism gets process driven        C
2  Government malware goes commercial    B+
3  Black clouds on the horizon           B+
4  Community policing                    A
5  APT targets the little guy            A

Page 5: Top Security Trends for 2014

#1 - 3rd Party is “No Party”

Page 6: Top Security Trends for 2014

Known Vulnerabilities: The Known Knowns

§ There are known knowns; these are things we know that we know…
  • Donald Rumsfeld, U.S. Secretary of Defense, February 2002
§ 3rd party known vulnerabilities
  • Vulnerable components (e.g., framework libraries) can be identified and exploited (OWASP: https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities)

Page 7: Top Security Trends for 2014

Rich Attack Surface

According to Veracode:
  • Up to 70% of internally developed code originates outside of the development team
  • 28% of assessed applications are identified as created by a 3rd party

Page 8: Top Security Trends for 2014

Security Falls Between the Cracks

§ Application developers
  • Introduce 3rd party code into the system
  • Not responsible for 3rd party code security (or quality)
  • Not responsible for run-time configuration of 3rd party components
§ IT operations
  • Not always aware of 3rd party components
    § Web server type is more visible than a library
  • Reluctant to change configuration settings that might impact application behavior

Page 9: Top Security Trends for 2014

2014 Forecast: Bigger! Stronger! Faster!

§ Bigger! – More vulnerabilities!
§ Stronger! – As a result of the richness of the vulnerability market, attackers will create vulnerability “mash-ups,” combining several different vulnerabilities together
§ Faster! – Shorter time from a vulnerability’s full disclosure to exploits in the wild

Source: http://cdn.thinksteroids.com

Page 10: Top Security Trends for 2014

Bigger! Disclosure Rate Increases

§ More software + more security researchers + more bounty programs = more vulnerability disclosures
§ The CVE ID enumeration syntax was changed to track more than 10,000 vulnerabilities in a single year, starting in 2014
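
What the CVE ID syntax change means for tooling, as an added example that is not part of the original presentation: the sequence number after the year is now four or more digits, so a parser that hard-codes four digits silently truncates a longer ID into a different, valid-looking one. The sample text and the year-2099 IDs are constructed placeholders.

```python
import re

# Pre-2014 assumption: exactly four digits after the year.
LEGACY_CVE = re.compile(r"CVE-(\d{4})-(\d{4})")
# Current syntax: four OR MORE digits; (?!\d) prevents partial matches.
CURRENT_CVE = re.compile(r"\bCVE-(\d{4})-(\d{4,})(?!\d)", re.IGNORECASE)


def extract_legacy(text):
    """What a four-digit-only parser returns (kept to expose the bug)."""
    return ["CVE-%s-%s" % m for m in LEGACY_CVE.findall(text)]


def extract_current(text):
    """Return normalized, de-duplicated CVE IDs in order of appearance."""
    seen, out = set(), []
    for year, seq in CURRENT_CVE.findall(text):
        cve_id = "CVE-%s-%s" % (year, seq)
        if cve_id not in seen:
            seen.add(cve_id)
            out.append(cve_id)
    return out


def truncated_ids(text):
    """IDs the legacy parser reports that do not appear in the text at all."""
    real = set(extract_current(text))
    return [c for c in extract_legacy(text) if c not in real]


def sort_key(cve_id):
    """Numeric ordering; plain string sorting puts -10001 before -2000."""
    _, year, seq = cve_id.split("-")
    return int(year), int(seq)


# Constructed advisory text; year 2099 marks the IDs as placeholders.
SAMPLE = (
    "Scanner feed: cve-2099-0042 fixed in 1.2; CVE-2099-10001 and "
    "CVE-2099-1234567 still open; duplicate CVE-2099-0042."
)

if __name__ == "__main__":
    print("legacy :", extract_legacy(SAMPLE))
    print("current:", extract_current(SAMPLE))
    print("phantom:", truncated_ids(SAMPLE))
    print("sorted :", sorted(extract_current(SAMPLE), key=sort_key))
```

The phantom IDs are the dangerous case: a scanner or ticketing integration that truncates will attach findings to the wrong vulnerability rather than fail loudly.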

Page 11: Top Security Trends for 2014

Stronger! Vulnerabilities “Mash-Up”

§ Take several “cheap” (low CVSS impact score) known vulnerabilities
  • CVE-2010-3065: PHP
    § NIST assigned impact score: 2.9
  • CVE-2011-2505: PHPMyAdmin session modification vulnerability
    § NIST assigned impact score: 4.9
§ To create a shining exploit
  • PHPMyAdmin full server takeover exploit
  • Effective impact score: a perfect 10
§ Read more in Imperva’s HII report: http://www.imperva.com/docs/HII_PHP_SuperGlobals_Supersized_Trouble.pdf
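
Why patch triage by per-CVE impact score misses the mash-up above, as an added example that is not part of the original presentation: it recomputes the CVSS v2 impact subscore from the confidentiality/integrity/availability ratings and contrasts a plain score threshold with a rule that also escalates low-scored findings sharing a host. The two CVE IDs and their 2.9 and 4.9 scores are the ones on the slide; the host names, the threshold, the co-location rule and the choice of which rating is Partial are assumptions.

```python
from collections import defaultdict

# CVSS v2 impact weights for None / Partial / Complete.
WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}


def impact_subscore(conf, integ, avail):
    """CVSS v2 impact subscore: 10.41 * (1 - (1-C)(1-I)(1-A)), one decimal."""
    raw = 10.41 * (1 - (1 - WEIGHT[conf]) * (1 - WEIGHT[integ]) * (1 - WEIGHT[avail]))
    return round(raw, 1)


# (host, CVE, C, I, A). Hosts are constructed; the ratings are assumed so
# that the subscores reproduce the 2.9 and 4.9 quoted on the slide.
FINDINGS = [
    ("web01", "CVE-2010-3065", "N", "P", "N"),
    ("web01", "CVE-2011-2505", "P", "P", "N"),
    ("web02", "CVE-2010-3065", "N", "P", "N"),
]


def triage_by_threshold(findings, threshold=7.0):
    """Naive policy: only findings at or above the threshold are patched first."""
    return [(h, c) for h, c, *cia in findings if impact_subscore(*cia) >= threshold]


def triage_with_colocation(findings, threshold=7.0, min_chain=2):
    """Also escalate hosts carrying several sub-threshold findings, because
    they can be chained into something worse than any single score says."""
    urgent = set(triage_by_threshold(findings, threshold))
    low = defaultdict(list)
    for host, cve, *cia in findings:
        if impact_subscore(*cia) < threshold:
            low[host].append(cve)
    for host, cves in low.items():
        if len(cves) >= min_chain:
            urgent.update((host, c) for c in cves)
    return sorted(urgent)


if __name__ == "__main__":
    print("full takeover impact:", impact_subscore("C", "C", "C"))
    print("threshold only      :", triage_by_threshold(FINDINGS))
    print("with co-location    :", triage_with_colocation(FINDINGS))
```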

Page 12: Top Security Trends for 2014

Stronger! 1 + 1 = 3

Page 13: Top Security Trends for 2014

Faster! Vulnerability Weaponization

§ Since a vulnerability has a limited time span, attackers strive for faster vulnerability weaponization
§ We have witnessed weaponization time cut from weeks to days
§ Infrastructure is the key to fast weaponization
  • Exploit code is often publicly available
  • Dormant botnets are ready to launch the attack
  • Command and Control (C2) servers and zombies support
    § Dynamic content
    § Dynamic targets

Page 14: Top Security Trends for 2014

#2 - Server Based APT Alternative

Page 15: Top Security Trends for 2014

Web Servers Infection is the New Black

§ Goals of infecting corporate work stations
  • Harness computing resources
    § Network bandwidth to be used in DDoS attacks
    § CPU power to mine Bitcoins
  • Use as a bridgehead into the corporate datacenter
§ Both goals are better achieved by targeting web servers
  • More powerful
  • Inherently connected to the corporate datacenter

Page 16: Top Security Trends for 2014

Traditional Infiltration Attack

Page 17: Top Security Trends for 2014

Why Start with Web Servers?

§ Easier reconnaissance
  • Detect type and components, discover vulnerabilities
§ Accept inbound communications from the Internet (by definition)
  • Direct attack, no need for “human factor”
  • Remote control becomes easier
  • Attacker identity
§ Land (almost) directly into the data center
  • No need for “lateral movement”
§ Wide outgoing pipe
  • Exfiltration made easier

Page 18: Top Security Trends for 2014

Means and Opportunity

§ Many code execution / full server takeover vulnerabilities exist
§ Most are easy to weaponize and exploit
§ In 2013, the following environments were vulnerable to such attacks
  • ColdFusion
  • Apache Struts
  • vBulletin (TA)
  • JBoss (TA)
  • PHP

http://blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html
http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html

Page 19: Top Security Trends for 2014

Warning Signs

Page 20: Top Security Trends for 2014

Warning Signs

Page 21: Top Security Trends for 2014

2014 Forecast: Server Based APTs

§ We expect more APT operations to happen through server compromise
§ Such attacks have an even smaller footprint than existing APT techniques
  • Initial infection
  • Lateral movement
  • Exfiltration
§ Public disclosure will probably arrive in 2015

Page 22: Top Security Trends for 2014

#3 - Ad Networks = Added Risk

Page 23: Top Security Trends for 2014

Reality Check 1

§ Malware infected PCs = potential income
§ Plenty of ways to monetize (KrebsOnSecurity)

Source: http://krebsonsecurity.com

Page 24: Top Security Trends for 2014

Reality Check 2

§ Infected mobile devices are even more valuable
§ Can do anything a PC does, therefore can be monetized the same way
§ Additionally, can send “premium SMS” – a very effective and direct monetization method

Source: http://thenextweb.com

Page 25: Top Security Trends for 2014

Black Market Economy 101

§ Infected end points are valuable
§ Therefore, driving traffic to an infecting site is valuable
§ Sample price list for geo-location profiled traffic (per thousand unique visitors; Credit: Webroot blog):

Source: http://webrootblog.files.wordpress.com

Page 26: Top Security Trends for 2014

Malware + Advertising = Malvertising

§ Paying someone to show your content is an already established business practice
§ It’s called advertising!
§ And when the content is malicious it’s Malvertising
§ Targeted advertising is very efficient
§ And so is targeted malvertising

Source: http://bluebattinghelmet.files.wordpress.com

Page 27: Top Security Trends for 2014

Malvertising so 2010…

Page 28: Top Security Trends for 2014

Not!

Source: http://upload.wikimedia.org

Page 29: Top Security Trends for 2014

Not!

Source: http://upload.wikimedia.org

Page 30: Top Security Trends for 2014

The Main Door is (Pretty Much) Locked

§ Vendors closely monitor their app shops for malware
§ Result: attackers cannot directly upload malicious apps

Page 31: Top Security Trends for 2014

2014 Forecast: Year of Mobile Malvertising

§ Dynamic content to already installed apps does not go through the app shop
§ Supply – mobile app vendors
  • Have many users
  • Do not have a way to monetize on the traffic
  • Eager for advertising revenues
§ Demand – cyber criminals
  • Have malicious content
  • Look for alternative delivery to end users, as market is blocked
  • Eager for traffic
§ Outcome: Mobile Malvertising

Page 32: Top Security Trends for 2014

BadNews Ad Network Infected Apps

Source: https://blog.lookout.com

Page 33: Top Security Trends for 2014

The Ad Market is Very Complex

§ Complex environment is a hotbed for attackers
§ Many opportunities for the attacker to attack
  • Can choose the weakest link
  • Can move to the next target when denied
§ App makers have a vast “deniability region”

Source: http://ad-exchange.fr

Page 34: Top Security Trends for 2014

#4 - (Finally) Cloud Data Breaches

Page 35: Top Security Trends for 2014

We are Not in Kansas Anymore Toto!

§ Demand
  • SaaS and DBaaS are becoming mainstream
  • Not early adopters anymore
  • Less technically oriented organizations
  • Test and pilot deployments become production
  • Dial moves from “nice to have” applications to “mission critical” applications
§ Supply
  • Many new providers
  • Smaller, less experienced organizations
  • Carpe Diem
    § I wanted an app of my own but ended up building a cloud service

Page 36: Top Security Trends for 2014

Everybody Is Doing It

§ According to Verizon ‘2013 State of the Enterprise Cloud Report’ (January 2012 – June 2013)
  • The use of cloud-based storage has increased by 90 percent
  • Organizations are now running external-facing and critical business applications in the cloud – production applications now account for 60 percent of cloud usage

Page 37: Top Security Trends for 2014

Hiding in the Fog

§ Outsourcing data MISTAKEN for outsourcing responsibility
§ Low number of breaches
§ False sense of safety

Page 38: Top Security Trends for 2014

Ball Waiting for the Player

§ Traditional RDBMS services
  • Used as C&C and dropper infrastructure by cyber criminals
  • Security attitude is not adapted to cloud reality
  • See our “Assessing the Threat Landscape of DBaaS” HII for more details
§ Big Data services
  • Innovative
  • Smaller providers
  • Using innovative technologies with little to no security built-in
  • Widely adopted by web application startup community, often storing personal information

Page 39: Top Security Trends for 2014

Warning Signs and Wakeup Calls

Page 40: Top Security Trends for 2014

Warning Signs and Wakeup Calls

Page 41: Top Security Trends for 2014

Warning Signs and Wakeup Calls

Page 42: Top Security Trends for 2014

Warning Signs and Wakeup Calls

Page 43: Top Security Trends for 2014

2014 Forecast: Cloud Breaches Increase

§ We expect to see a significant increase in cloud service data breaches
  • SaaS
  • DBaaS
§ We expect to see a growing use of DBaaS by attackers. It’s a newcomer to our 2013 ‘Black Cloud on the Horizon’ trend

Page 44: Top Security Trends for 2014

#5 – Commercial Malware for Data Centers

Page 45: Top Security Trends for 2014

Advanced Threat – State Sponsored

§ Stuxnet
  • Manual intelligence
  • Advanced malware attack
§ Duqu
  • Automatic intelligence
§ Rocra
  • Both
  • See Red October: The Hunt For the Data

Page 46: Top Security Trends for 2014

Growing Criminal Interest

Page 47: Top Security Trends for 2014

Growing Criminal Interest

Page 48: Top Security Trends for 2014

Growing Criminal Interest

Page 49: Top Security Trends for 2014

Commercialization of Military Technologies

§ Advanced threat malware capabilities flow into criminal malware
  • Technology – modular code, two tier C&C, include data access and handling code
  • Target – enterprise internals
§ Examples
  • Narilam – destroys business application databases
  • Malware targeting business application (SAP) spotted

Page 50: Top Security Trends for 2014

Built-in Database Access

§ Our December 2013 HII shows commercial malware using DBaaS as infrastructure
§ Data store accessing capabilities
  • Mevade – uses an integrated services language based on SQL, called WQL (SQL for Windows Management Instrumentation), to query the target system's database to learn the security settings
  • Shylock – SQLite: any messages that Skype sends are stored in Skype's main.db file, which is a standard SQLite database. Shylock accesses this database and deletes its messages and file transfers so that the user cannot find them in the history
  • Kuluoz – uses SQLite to access browser data repositories for sensitive information, such as credentials
§ Database access malware was used in the SK Comms data breach
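
One way to get visibility into the local data stores described above, as an added example that is not part of the original presentation and not Imperva's tooling: flag any process other than the owning application that opens Skype's main.db or a browser SQLite store. The log format, process names, allow-list and sample events are constructed; in practice the events would come from file-access auditing on the endpoint.

```python
import ntpath

# Skype's main.db is named on the slide; the browser stores and the owner
# process names are illustrative assumptions for this example.
PROTECTED = {
    "main.db": {"skype.exe"},
    "login data": {"chrome.exe"},
    "signons.sqlite": {"firefox.exe"},
    "cookies.sqlite": {"firefox.exe"},
}

# Constructed audit events: "timestamp|process image|operation|file path".
SAMPLE_EVENTS = r"""
2013-12-10T09:14:02|C:\Program Files\Skype\Phone\Skype.exe|WRITE|C:\Users\al\AppData\Roaming\Skype\al.demo\main.db
2013-12-10T09:15:40|C:\Users\al\AppData\Local\Temp\upd8.exe|WRITE|C:\Users\al\AppData\Roaming\Skype\al.demo\main.db
2013-12-10T09:16:11|C:\Program Files\Google\Chrome\Application\chrome.exe|READ|C:\Users\al\AppData\Local\Google\Chrome\User Data\Default\Login Data
2013-12-10T09:16:30|C:\Users\al\AppData\Local\Temp\upd8.exe|READ|C:\Users\al\AppData\Local\Google\Chrome\User Data\Default\Login Data
2013-12-10T09:17:05|C:\Windows\explorer.exe|READ|C:\Users\al\Documents\main.db.txt
malformed line without separators
"""


def parse_event(line):
    """Split one audit line; return None for blank or malformed input."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    ts, image, op, path = parts
    return {"ts": ts, "image": image, "op": op.upper(), "path": path}


def detect_foreign_access(log_text):
    """Alert when a process outside the allow-list touches a protected store.
    Writes rank higher: deleting history rows, as described for Shylock, is a write."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        store = ntpath.basename(ev["path"]).lower()
        proc = ntpath.basename(ev["image"]).lower()
        owners = PROTECTED.get(store)
        if owners is None or proc in owners:
            continue
        severity = "high" if ev["op"] == "WRITE" else "medium"
        alerts.append((ev["ts"], proc, store, severity))
    return alerts


if __name__ == "__main__":
    for alert in detect_foreign_access(SAMPLE_EVENTS):
        print(alert)
```

Matching on the image name alone is spoofable; a production rule would also pin the full image path or the code-signing identity of the owning application.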

Page 51: Top Security Trends for 2014

2014 Forecast: Datacenter is the Goal

§ We are at the tipping point, and in 2014 we will see active automated attacks against enterprise data centers
  • Infection methods are more effective than ever
  • Malware infrastructure is mature and ready
  • Criminal use cases are starting to show up
§ We expect business applications to become a first class target for criminals
  • Easier to manipulate
  • The internal version of “web application attacks”

Page 52: Top Security Trends for 2014

Summary and Conclusion

Page 53: Top Security Trends for 2014

Summary

§ Our five trends for 2014
  • 3rd party vulnerability exploit – bigger, stronger, faster
  • Web server compromise – alternative to APT
  • Ad network infections – more targeted, mobile oriented
  • Cloud breaches – sharp rise in actual incidents
  • Commercial malware – criminals are after your data center
§ Attackers focus their attention on getting into the data center – physical or virtual
§ Attackers prefer to use the front door (web servers) but at the same time are constantly improving on the alternatives (malware and infection methods)

Page 54: Top Security Trends for 2014

Recommendations

§ Protect your front door
  • Web Application Firewalls are not “nice to have”
  • SDLC and patching fail in modern software and threat environments
§ Improve your internal DATA controls
  • Enhance visibility to data access, both structured and unstructured
  • Introduce capabilities to detect abusive access to data center resources
§ Evaluate solutions for your cloud data repositories
  • Perform better due diligence of providers

Page 55: Top Security Trends for 2014

Bottom Line

§ Balance your security budget to reflect the need for more data protection over end-point and network perimeter protection

Page 56: Top Security Trends for 2014

Webinar Materials

Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

§ Post-Webinar Discussions
§ Answers to Attendee Questions
§ Webinar Recording Link

Page 57: Top Security Trends for 2014

www.imperva.com