Date post: 09-May-2015
Category: Technology
Upload: imperva
© 2013 Imperva, Inc. All rights reserved.
Top Security Trends for 2014
Amichai Shulman, CTO, Imperva
Agenda
§ Introduction
§ 2013 forecast scorecard
§ 2014 security trends
§ Summary and conclusion
§ Q&A
Amichai Shulman – CTO, Imperva
§ Speaker at industry events
  • RSA, Appsec, Info Security UK, Black Hat
§ Lecturer on information security
  • Technion - Israel Institute of Technology
§ Former security consultant to banks and financial services firms
§ Leads the Imperva Application Defense Center (ADC)
  • Discovered over 20 commercial application vulnerabilities
§ Credited by Oracle, MS-SQL, IBM and others
Amichai Shulman, one of InfoWorld’s “Top 25 CTOs”
2013 Forecast Scorecard
Trend | Score
1 Hacktivism gets process driven | C
2 Government malware goes commercial | B+
3 Black clouds on the horizon | B+
4 Community policing | A
5 APT targets the little guy | A
#1 - 3rd Party is “No Party”
Known Vulnerabilities: The Known Knowns
§ “There are known knowns; these are things we know that we know…”
  • Donald Rumsfeld, U.S. Secretary of Defense, February 2002
§ 3rd party known vulnerabilities
  • Vulnerable components (e.g., framework libraries) can be identified and exploited (OWASP Top 10 2013, A9 – Using Components with Known Vulnerabilities: https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities)
Rich Attack Surface
According to Veracode:
  • Up to 70% of internally developed code originates outside of the development team
  • 28% of assessed applications are identified as created by a 3rd party
Security Falls Between the Cracks
§ Application developers
  • Introduce 3rd party code into the system
  • Not responsible for 3rd party code security (or quality)
  • Not responsible for run-time configuration of 3rd party components
§ IT operations
  • Not always aware of 3rd party components
    § Web server type is more visible than a library
  • Reluctant to change configuration settings that might impact application behavior
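The gap described in the last three slides (nobody owns the inventory of 3rd party components, so known-vulnerable versions stay deployed) is closed by an inventory check. The following is an added example, not code from the deck or from Imperva: it compares a constructed component inventory against version ranges for the two CVEs this deck cites later (CVE-2010-3065 and CVE-2011-2505); the ranges are restated from memory of the NVD records and are an assumption to verify against a live feed, and a real deployment would read a lock file or SBOM rather than a hard-coded list.

```python
"""Check a component inventory against known-vulnerable version ranges.

Added example; not code from the Imperva deck. Inventory entries are
constructed. The affected ranges for the two CVE IDs are an assumption
(restated from the NVD records) and must be checked against a live feed
such as NVD or OSV before anything depends on them.
"""
import re


def parse_version(text):
    """'3.4.3.1' -> (3, 4, 3, 1); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_in_range(version, lo, hi):
    """True if lo <= version < hi, where hi is the first fixed release."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


# (component, first vulnerable version, first fixed version, advisory)
ADVISORIES = [
    ("php", "5.2.0", "5.2.14", "CVE-2010-3065 session serializer"),
    ("php", "5.3.0", "5.3.3", "CVE-2010-3065 session serializer"),
    ("phpmyadmin", "3.0.0", "3.3.10.2", "CVE-2011-2505 session modification"),
    ("phpmyadmin", "3.4.0", "3.4.3.1", "CVE-2011-2505 session modification"),
]


def find_vulnerable(inventory):
    """Return (component, version, advisory) for every inventory entry an advisory covers."""
    hits = []
    for name, version in inventory:
        for comp, lo, hi, advisory in ADVISORIES:
            if comp == name.lower() and version_in_range(version, lo, hi):
                hits.append((name, version, advisory))
    return hits


# Constructed inventory: what IT operations might discover on one web server.
SAMPLE_INVENTORY = [("PHP", "5.3.2"), ("phpMyAdmin", "3.4.5"), ("phpMyAdmin", "3.3.10")]

if __name__ == "__main__":
    for comp, version, advisory in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{comp} {version}: {advisory}")
```

Only the PHP 5.3.2 and phpMyAdmin 3.3.10 entries are reported; 3.4.5 sits past the first fixed release for its branch.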
2014 Forecast: Bigger! Stronger! Faster!
§ Bigger! – More vulnerabilities!
§ Stronger! – As a result of the richness of the vulnerabilities market, attackers will create vulnerability “mash-ups,” combining several different vulnerabilities together
§ Faster! – Shorter time from a vulnerability’s full disclosure to exploits in the wild
Source: http://cdn.thinksteroids.com
Bigger! Disclosure Rate Increases
§ More software + more security researchers + more bounty programs = more vulnerability disclosures
§ CVE ID syntax was changed to track more than 10,000 vulnerabilities in a single year, starting in 2014
Stronger! Vulnerabilities “Mash-Up”
§ Take several “cheap” (low CVSS impact score) known vulnerabilities
  • CVE-2010-3065: PHP
    § NIST assigned impact score: 2.9
  • CVE-2011-2505: phpMyAdmin session modification vulnerability
    § NIST assigned impact score: 4.9
§ To create a shining exploit
  • phpMyAdmin full server takeover exploit
  • Effective impact score: a perfect 10
§ Read more in Imperva’s HII report: http://www.imperva.com/docs/HII_PHP_SuperGlobals_Supersized_Trouble.pdf
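The mash-up above is scored by its components, which is why a per-CVE view misses it; a request-level signal catches the chain regardless of score. The following is an added example, not from the deck or the HII report: it assumes (from the report's title) that the chain depends on request parameters named like PHP superglobals (such as _SESSION), which no legitimate application uses as parameter names, and flags such names in constructed Apache access-log lines.

```python
"""Flag HTTP requests whose query parameter names are PHP superglobals.

Added example, not code from the Imperva deck or its HII report. It
assumes the mash-up relies on attacker-supplied parameters named like
PHP superglobals; a legitimate request never carries such names, so a
match is a high-confidence signal. The log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
                "_COOKIE", "_SESSION", "_REQUEST", "_ENV"}

# A bare superglobal name or an array-style reference such as _SESSION[key]
SUPERGLOBAL_NAME = re.compile(r"^(GLOBALS|_[A-Z]+)(\[.*)?$")

# Request line inside an Apache combined-format log entry
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return the parameter names in a request target that name a PHP superglobal.

    parse_qsl percent-decodes names, so %5FSESSION is seen as _SESSION.
    """
    query = urlsplit(target).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        m = SUPERGLOBAL_NAME.match(name)
        if m and m.group(1) in SUPERGLOBALS:
            hits.append(name)
    return hits


def scan_log(lines):
    """Return (target, [suspicious names]) for each log line that trips the rule."""
    findings = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((m.group("target"), hits))
    return findings


# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2013:10:01:02 +0000] "GET /index.php?lang=en HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Dec/2013:10:01:07 +0000] "GET /pma/index.php?_SESSION[x]=y HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Dec/2013:10:01:09 +0000] "POST /upload.php?GLOBALS[x]=y HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for target, names in scan_log(SAMPLE_LOG):
        print(f"{target}: {names}")
```

Only query strings are visible in access logs; to cover POST bodies the same check has to run in a WAF or request filter.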
Stronger! 1 + 1 = 3
Faster! Vulnerability Weaponization
§ Since a vulnerability has a limited time span, attackers strive for faster vulnerability weaponization
§ We have witnessed weaponization time cut from weeks to days
§ Infrastructure is the key to fast weaponization
  • Exploit code is often publicly available
  • Dormant botnets are ready to launch the attack
  • Command and Control (C2) servers and zombies support
    § Dynamic content
    § Dynamic targets
#2 - Server Based APT Alternative
Web Server Infection is the New Black
§ Goals of infecting corporate workstations
  • Harness computing resources
    § Network bandwidth to be used in DDoS attacks
    § CPU power to mine Bitcoins
  • Use as a bridgehead into the corporate datacenter
§ Both goals are better achieved by targeting web servers
  • More powerful
  • Inherently connected to the corporate datacenter
Traditional Infiltration Attack
Why Start with Web Servers?
§ Easier reconnaissance
  • Detect type and components, discover vulnerabilities
§ Accept inbound communications from the Internet (by definition)
  • Direct attack, no need for “human factor”
  • Remote control becomes easier
  • Attacker identity
§ Land (almost) directly into the data center
  • No need for “lateral movement”
§ Wide outgoing pipe
  • Exfiltration made easier
Means and Opportunity
§ Many code execution / full server takeover vulnerabilities exist
§ Most are easy to weaponize and exploit
§ In 2013, the following environments were vulnerable to such attacks
  • ColdFusion
  • Apache Struts
  • vBulletin (TA)
  • JBoss (TA)
  • PHP
Threat advisories (TA):
http://blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html
http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html
Warning Signs
2014 Forecast: Server Based APTs
§ We expect more APT operations to happen through server compromise
§ Such attacks have an even smaller footprint than existing APT techniques
  • Initial infection
  • Lateral movement
  • Exfiltration
§ Public disclosure will probably arrive in 2015
#3 - Ad Networks = Added Risk
Reality Check 1
§ Malware infected PCs = potential income
§ Plenty of ways to monetize (KrebsOnSecurity)
Source: http://krebsonsecurity.com
Reality Check 2
§ Infected mobile devices are even more valuable
§ Can do anything a PC does, therefore can be monetized the same way
§ Additionally, can send “premium SMS” – a very effective and direct monetization method
Source: http://thenextweb.com
Black Market Economy 101
§ Infected end points are valuable
§ Therefore, driving traffic to an infecting site is valuable
§ Sample price list for geo-location profiled traffic (per thousand unique visitors; credit: Webroot blog):
Source: http://webrootblog.files.wordpress.com
Malware + Advertising = Malvertising
§ Paying someone to show your content is an already established business practice
§ It’s called advertising!
§ And when the content is malicious it’s malvertising
§ Targeted advertising is very efficient
§ And so is targeted malvertising
Source: http://bluebattinghelmet.files.wordpress.com
Malvertising so 2010…
Not!
Source: http://upload.wikimedia.org
The Main Door is (Pretty Much) Locked
§ Vendors closely monitor their app shops for malware
§ Result: attackers cannot directly upload malicious apps
2014 Forecast: Year of Mobile Malvertising
§ Dynamic content delivered to already installed apps does not go through the app shop
§ Supply – mobile app vendors
  • Have many users
  • Do not have a way to monetize the traffic
  • Eager for advertising revenues
§ Demand – cyber criminals
  • Have malicious content
  • Look for alternative delivery to end users, as the market is blocked
  • Eager for traffic
§ Outcome: mobile malvertising
BadNews Ad Network Infected Apps
Source: https://blog.lookout.com
The Ad Market is Very Complex
§ A complex environment is a hotbed for attackers
§ Many opportunities for the attacker to attack
  • Can choose the weakest link
  • Can move to the next target when denied
§ App makers have a vast “deniability region”
Source: http://ad-exchange.fr
#4 - (Finally) Cloud Data Breaches
We are Not in Kansas Anymore, Toto!
§ Demand
  • SaaS and DBaaS are becoming mainstream
  • Not early adopters anymore
  • Less technically oriented organizations
  • Test and pilot deployments become production
  • Dial moves from “nice to have” applications to “mission critical” applications
§ Supply
  • Many new providers
  • Smaller, less experienced organizations
  • Carpe Diem
§ I wanted an app of my own but ended up building a cloud service
Everybody Is Doing It
§ According to Verizon’s ‘2013 State of the Enterprise Cloud Report’ (January 2012 – June 2013)
  • The use of cloud-based storage has increased by 90 percent
  • Organizations are now running external-facing and critical business applications in the cloud – production applications now account for 60 percent of cloud usage
Hiding in the Fog
§ Outsourcing data MISTAKEN for outsourcing responsibility
§ Low number of breaches
§ False sense of safety
Ball Waiting for the Player
§ Traditional RDBMS services
  • Used as C&C and dropper infrastructure by cyber criminals
  • Security attitude is not adapted to cloud reality
  • See our “Assessing the Threat Landscape of DBaaS” HII for more details
§ Big Data services
  • Innovative
  • Smaller providers
  • Using innovative technologies with little to no security built in
  • Widely adopted by the web application startup community, often storing personal information
Warning Signs and Wakeup Calls
2014 Forecast: Cloud Breaches Increase
§ We expect to see a significant increase in cloud service data breaches
  • SaaS
  • DBaaS
§ We expect to see a growing use of DBaaS by attackers. It’s a newcomer to our 2013 ‘Black Cloud on the Horizon’ trend
#5 – Commercial Malware for Data Centers
Advanced Threat – State Sponsored
Stuxnet
  • Manual intelligence
  • Advanced malware attack
Duqu
  • Automatic intelligence
Rocra
  • Both
  • See “Red October: The Hunt For the Data”
Growing Criminal Interest
Commercialization of Military Technologies
§ Advanced threat malware capabilities flow into criminal malware
  • Technology – modular code, two tier C&C, including data access and handling code
  • Target – enterprise internals
§ Examples
  • Narilam – destroys business application databases
  • Malware targeting business applications (SAP) spotted
Built-in Database Access
§ Our December 2013 HII shows commercial malware using DBaaS as infrastructure
§ Data store accessing capabilities
  • Mevade – uses an integrated services language based on SQL, called WQL (SQL for Windows Management Interface), to query the target system’s database to learn the security settings
  • Shylock – SQLite. Any messages that Skype sends are stored in Skype’s main.db file, which is a standard SQLite database. Shylock accesses this database and deletes its messages and file transfers so that the user cannot find them in the history
  • Kuluoz – SQLite, to access browser data repositories for sensitive information, such as credentials
§ Database access malware was used in the SK Comms data breach
2014 Forecast: Datacenter is the Goal
§ We are at the tipping point, and in 2014 we will see active automated attacks against enterprise data centers
  • Infection methods are more effective than ever
  • Malware infrastructure is mature and ready
  • Criminal use cases are starting to show up
§ We expect business applications to become a first-class target for criminals
  • Easier to manipulate
  • The internal version of “web application attacks”
Summary and Conclusion
Summary
§ Our five trends for 2014
  • 3rd party vulnerability exploits – bigger, stronger, faster
  • Web server compromise – alternative to APT
  • Ad network infections – more targeted, mobile oriented
  • Cloud breaches – sharp rise in actual incidents
  • Commercial malware – criminals are after your data center
§ Attackers focus their attention on getting into the data center – physical or virtual
§ Attackers prefer to use the front door (web servers) but at the same time are constantly improving on the alternatives (malware and infection methods)
Recommendations
§ Protect your front door
  • Web Application Firewalls are not “nice to have”
  • SDLC and patching fail in modern software and threat environments
§ Improve your internal DATA controls
  • Enhance visibility into data access, both structured and unstructured
  • Introduce capabilities to detect abusive access to data center resources
§ Evaluate solutions for your cloud data repositories
  • Perform better due diligence of providers
Bottom Line
§ Balance your security budget to reflect the need for more data protection over end-point and network perimeter protection
Webinar Materials
Post-Webinar Discussions: answers to attendee questions, webinar recording link
Join the Imperva LinkedIn Group, Imperva Data Security Direct, for…
www.imperva.com