Announcing the IBM X-Force 2013 Mid-Year Trend and Risk Report
For over 15 years, IBM X-Force has been tracking trends and emerging threats. Today we released the 2013 mid-year trend and risk report which highlights some of our key findings.
While vulnerability statistics, attack trends, and data breaches are all covered in detail, one of the more interesting points of discussion is a look at the psychology and social engineering around how these attacks are implemented. We explore how attackers have learned to capitalize and take advantage of the human factor in trust relationships.
Attackers are optimizing tactics
Attackers are optimizing their operations around many key initiatives which include a path of least resistance to reach the largest number of potential targets for the minimal amount of exploit effort.
For example, attackers are optimizing:
- The exploitation of trust via social media.
- Coordinated operations leaking user data as well as exploiting weak entry points into global brands such as foreign local language or franchise sites.
- Mobile malware with Android devices as the market expands.
- Take over of central strategic targets to access and exploit a broader base of end users.
- Diversion and distraction techniques which throw security administrators off path, while breaching targets under the cover.
Consider the following…
As technology began its meteoric rise alongside humanity, the maturity and understanding of how we react to each other face-to-face was left behind. Suddenly we were getting schooled on how to send proper emails. Companies began to initiate programs to teach human users how to use technology responses so conversations didn’t leave a harsh two-dimensional trail of requests. Users had to begin learning new phrases like spam, phishing and spear-phishing. In one quick decade, the way we create and transact business with each other had changed drastically.
How is this relevant to today’s ever changing technology?
Rise in Exploitation of Trusted Relationships
In this quickening pace of technology, it is imperative for security professionals to understand how attackers are taking advantage of trust in relationships to breach an organization, target groups of users, and create methods of diversion.
Attackers today are operating more like marketing organizations in professional enterprises by leveraging metrics such as return on investment (ROI) and search engine optimization (SEO) to gain higher click through rates with maximum reach, to ultimately optimize their capital gain.
There’s also shattered trust or diminished trust relationships that continue to affect business practice. Some examples:
- Enterprises who trust the correct security procedures and policies are implemented on their networks but are shown differently by high breach activity that continues.
- Users who trust that a company is protecting their personal data.
- Enterprises that “want to trust” the growing wave of infrastructure that is social media and mobile as it expands the fluidity of our lives.
- Network and security admins who trust that “old attack methods and historic vulnerabilities” are not as important as other more current issues.
- Software developers and technical, security-savvy people who visit a trusted site not thinking that they have to protect themselves from drive-by-downloads.
In the previous IBM X-Force 2012 Trend and Risk Report, we discussed the idea of operational sophistication versus technical sophistication. Throughout the first half of 2013, we observed a continuation of this trend in both the type of breaches that have occurred and the motivations behind them.
Security incidents and data breach activity continues into the year crossing many geographies and industries. In the first half of 2013, security incidents have already surpassed the total number reported in 2011 and are on track to surpass 2012.
Many of the breaches reported in the last year were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice. Attackers seem to be capitalizing on this “lack of security basics” by using a model of operational sophistication that allows them to increase their return on exploit. The idea that even basic security hygiene is not upheld in organizations, leads us to believe that, for a variety of reasons, companies are struggling with a commitment to apply basic security fundamentals.
Poisoning the Waterhole
An interesting area where trust relationship has taken a turn is the attack technique called a “Water hole.”
Attackers focusing on a central, strategic target like special interest Websites that are heavily frequented by a select group of potential targets is an effective and optimized means of exploitation. These central targets may not always have strong security solution and policies deployed, and even if they do, the cost of figuring out how to get through them is worth the opportunity to compromise the user-base.
These “watering hole” attacks are a great example of how operational sophistication is being used to reach targets not previously susceptible. By compromising the central site and using it to serve malware, attackers are able to reach more technically savvy victims who may not be fooled in phishing attempts, but would not suspect that sites they trust could be malicious.
Distraction and Diversion Techniques
Another very popular technique given new life in the last two years is the distributed denial-of-service (DDoS) attack.
While disruptive and damaging on their own, DDoS attacks can also be used as a distraction, allowing attackers to breach other systems in the enterprise while IT staffs are forced to make difficult risk-based decisions, possibly without visibility of the full scope of what is occurring. Attackers have demonstrated enhanced technical sophistication in the area of DDoS using methods of increasing the amounts of capable bandwidth as a new and powerful way to halt business by interrupting online service as well as new DDoS mitigation evasion techniques.
The banking industry has been heavily attacked, causing downtime and business interruptions for online banking customers. An interesting emerging trend in DDoS targets has been unfolding since June where many DNS providers have reported service interruptions and downtime. Open DNS Resolvers, which serve a legitimate purpose, can also allow attackers to amplify DDoS attacks to create a huge burst of traffic directed at a single target. Several prominent DNS providers were knocked offline impacting their own business and customers, while serving as unwilling accomplices in large scale DDoS attacks. Attacks on the DNS providers are another example of compromising central strategic targets to reach a larger group of potential victims.
Disenfranchised far from home
Additional operational sophistication was seen in the attack of major global corporations by breaching franchises or local language sites in countries outside of corporate headquarters. These satellite sites are not always secured with the same standard as the home office. By going after a weaker point of entry into larger enterprises, attackers were able to reach and tarnish well-known brands. This can result in a reputation hit as well as legal implications for leaking sensitive customer data. These types of leaks affected the food, consumer electronics, automotive, and entertainment industries in particular.
Social Media – a tool for Business, Reconnaissance, and Attacks
Criminals are selling accounts on social networking sites, some belonging to actual people whose credentials were compromised, others fabricated and designed to be credible through realistic profiles and a web of connections. As a minimum function their use is to inflate page ‘likes’ or falsify reviews; though more insidious uses include hiding one’s identity to conduct criminal activities – the online equivalent of a fake ID, but with testimonial friends, adding to the deception.
IBM X-Force expects to see these newer applications of social engineering become more sophisticated as attackers create complex internetworks of identities while refining the art of deceiving victims. Users must adopt a mindset of guilty until proven innocent when it comes to social media and companies should engender suspicion to protect users and assets.
Technology advancements and controls are available, best practices continue to be refined and taught, but ultimately the trust the user believes they have, may circumvent anything security practitioners put into place.
Recent advances in Android malware
In the past few years, there has been explosive growth in Android devices and malware authors are turning their attention in that area of growth.
As the number of users who own and operate Android devices is rapidly expanding, so too have malware authors increased their effort to take advantage of this larger market. Older mobile devices are even more vulnerable as only 6% of Android devices are running the latest version of the platform which has the security enhancements needed to combat these threats.
For the rest of 2013, X-Force expects to see the number of Android malware apps continuing to rise. We also anticipate that the degree of sophistication for this malware will eventually rival those found in desktop malware. There could be more improvements to combat malware in future versions of Android, but we believe that OS fragmentation (older versions that are being used as much as newer ones) will remain a problem.
Zero-day attacks in 2013 H1
Another example of how attackers are increasing their return on exploit is in the way they are targeting cross platform services to reach a maximum number of potential targets.
It is worth noting that almost 80 % of the zero-day vulnerabilities covered by IBM X-Force in the first half of 2013, were vulnerable on Microsoft Windows and Apple Mac OSX. Nearly half were also vulnerable on some Linux distributions. This cross-platform reach emphasizes the operational sophistication which has been utilized for widespread exploitation.
Exploit effort vs. potential reward
As cyber-attacks intensify, monitoring the numerous vulnerability disclosures every day becomes daunting. Within IBM X-Force, we track publicly issued vulnerabilities through a triage process to identify which ones are most likely to be used by an attack, and then determine which ones require deeper research.
By performing this review, we recognize that all vulnerabilities are characterized by two factors; the exploit “potential reward” that entices the attacker and the “exploit effort to achieve” that deters the attacker from further development. The exploit-probability matrix is devised by charting the “exploit reward” and “exploit effort to achieve” along the axes. By assigning vulnerabilities to the appropriate quadrant, it becomes clear which are favored by attackers.
As illustrated in the exploit-probability matrix, easy exploitation with high potential reward – aka target impact, is still the sweet spot for the most prevalent attacks.
X-Force Trends by the Numbers
In the first half of 2013, we entered just over 4,100 new publicly reported security vulnerabilities. If this trend continues throughout the rest of the year, the total projected vulnerabilities would approach 8200 total vulnerabilities, virtually the same number we saw in 2012.
Web Application vulnerabilities, which have been on the rise in recent years, are down slightly in 2013. More than half of all web application vulnerabilities are cross-site scripting.
The most prevalent consequence of vulnerability exploitation for the 1st half of 2013 was “gain access” at 28 percent of all vulnerabilities reported. In most cases, gaining access to a system or application provides the attacker complete control over the affected system, which allows them to steal data, manipulate the system, or launch other attacks from that system.
In countries where malware is distributed, we see the United States dominates the scene by hosting more than 42 percent of all malicious links. The geography with the second highest concentration of malicious links is Germany, with nearly 10 percent.
The top three campaigns observed, enticing users to click on bad links and attachments in emails, are Internet payment companies, social networks, and internal scanners or fax devices. Together these three focus areas account for more than 55 percent of all scam and phishing incidents.
As discussed throughout the report, while attackers continue to optimize their operational sophistication, a return to security basics is still one of the most effective strategies to mitigate both old established, as well as evolving techniques.
If anything is certain, we can see that the concept of trusted devices and services is long gone. To learn more where attackers are coming from, and where they will strike next, we invite you to check out the full Trend and Risk Report.