The Threat Landscape and Security Trends. Jeremy Ward

Transcription

1 The Threat Landscape and Security Trends Jeremy Ward

2 DTI Survey Incidence of breaches What proportion of UK businesses had a security incident last year?

3 Trends since 2002 What proportion of UK businesses had a malicious security incident nt in the last year?

4 General Threat Evolution Global Impact Sector Flash threats Massive worm driven DDoS Web Services Scope Regional Individual Orgs. Individual PCs 1 st gen. viruses Individual DoS Web defacement worms DDoS Credit hacking Blended threats Limited Warhol threats Worm driven DDoS National credit hacking Infrastructure hacking 1990s Time

5 Flash to Bang Software lnerability nnounced

6 Flash to Bang Firewall/IDS Alert Software lnerability nnounced Tell-tale Activity time

7 Media Circus Flash to Bang Firewall/IDS Alert Software lnerability nnounced Tell-tale Activity time

8 Sasser Development Drop Page Fields Here 1400 Sum of Sources Sasser Worm Released Cisco & Dragon Signatures Pushed Type IDS Firew MS LSASS Vulnerability Released 0 4/22/04 0:00 4/23/04 4/24/04 4/25/04 4/26/04 4/27/04 4/28/04 4/29/04 4/30/04 5/1/04 5/2/04 5/3/04 5/4/04 5/5/04 5/6/04 Date

9 Less time to react Vulnerability Release Date v Time to Active Exploitation 350 Days Code Blue Nimda Lion Masana Blaster Welchia Code Red Modap Sasser 0 Scalper 1-Oct Apr-01 5-Nov May Dec Jun Jan-04 1-Aug-0 Date Source: Symantec

10 Vulnerability Summary 2,636 distinct vulnerabilities documented by Symantec in serious potential vulnerabilities per month = 60 easy & prevalent = patches a month

11

12 Vulnerability Trends 6% rise in vulnerabilities requiring no exploit code, 5% increase in vulnerabilities with published exploit code No Exploit Required Exploit Available No Exploit Available Number of vulnerabilities Jan02 Mar02 May02 Jul02 Sep02 Nov02 Jan03 Mar03 May03 Jul03 Sep03 Nov03 Month Source: Symantec

13 Today s Threat Landscape Significant increase in mass-mailers Significant increase in criminal activity 54% of all attacks are blended Speed of building is at an all time record Highly automated 24% increase in targeting 2003 Top 10 Malicious Code Threats 1 W32.Bugbear.B@mm 2 W32.Klez.H@mm 3 HTML.Redlof.A 4 W95.Hybris.worm 5 W32.Sobig.F@mm 6 W32.Blaster.Worm 7 W32.Swen.A@mm 8 W32.Nimda.E@mm 9 W32.Bugbear.B.Dam 10 W32.Sobig.A@mm Source: Computer Economics

14 Growth of Remote Access Threat in All Malware Backdors Jul-Dec 2002 Jan-Jun 2003 Jul-Dec 2003 Jan-Jun 2004 Network Threats: Min. Risk = 3. Min. Severity = 5 Data from Symantec DeepSight Ale

15 Why? It s easy just cut & paste

16 Data from Symantec DeepSight Ale Proof that it s easy - re-engineered malware 158 Gaobot variants (25/10/02) 43 Backdoor.Sdbot variants (09/07/02) 30 Netsky variants (16/02/04) 26 Beagle variants (20/01/04)

17 nd it s worth oney

18 In the marketplace

19 The Botnet Threat Botnets can be so large (250,000 PCs) they could take whole countries offline (Met Police CCU) Botnet herders pay hackers for their botnets Sell to spammers mostly in eastern Europe DoS attacks and blackmail Businesses report being targets of demands for $50k from a Russian crime Syndicate

20

21 What helps them succeed? Bypass firewalls to chat with our friends and download files. orks with Kazaa, imesh, essenger, ICQ and any other pplication that supports the OCKS protocol. o configuration hassles, no echie-talk or geek-speak. ot only does hopster configure tself, it even knows how to onfigure Kazaa, MSN Messenger nd many others - so you don't eed to. nce installed, hopster operates ilently in the background, you on't even notice it's there.

22 Blaster reuse & peer-to-peer filesharing Rank Port Description Percentage of Attackers 1 TCP/135 Microsoft / DCE-Remote Procedure Call (Blaster & Variants) 32.9% 2 TCP/80 HTTP / Web 19.7% 3 TCP/4662 E-donkey / Peer-to-peer file sharing 9.8% 4 TCP/6346 Gnutella / Peer-to-peer file sharing 8.9% 5 TCP/445 Microsoft CIFS Filesharing 6.9% 6 UDP/53 DNS 5.9% 7 UDP/137 Microsoft CIFS Filesharing 4.7% 8 UDP/41170 Blubster / Peer-to-peer Filesharing 3.2% 9 TCP/7122 Unknown 2.5% 10 UDP/1434 Microsoft SQL Server (Slammer) 2.4% Source: Symantec

23 The window of opportunity Pace of Change ? Internet mature High predictability 2001 Dotcom bubble bursts Internet developing fast Low predictability? Next development Time

24 To detect reconnaissance & attack activity Pre-attack Reconnaissance 40% Exploit Attempts 17% 43% Worms & Blended Threats Source: Symantec

25 Community Defence To prioritise patch activities on the basis of likelihood & damage To plan defence based on likely attack mechanisms To prepare resources for appropriate responses To understand and detect attacks

26 Community Alerting for Sasser 1400 Sum of Sources Specific Alerts Tele conf Type IDS Firewall Initial Alert Community Alerts 0 4/14/04 4/22/04 0:00 4/23/04 4/24/04 4/25/04 4/26/04 4/27/04 4/28/04 4/29/04 4/30/04 5/1/04 5/2/04 5/3/04 5/4/04 5/5/04 5/6/04 Date

27 Community Summary for June 2004 The overall number of varied threats continues to increase Web and Application attacks continue to rise steadily DoS attacks continue to increase sharply After a significant drop over the last few months, O/S attacks rose dramatically Malicious code attacks overall have doubled over 6 months.

28 June 2004 Top 10 Attacks 1. Generic UTF8 Encoding in URL Attack 2. Microsoft Indexing Server/Indexing Services ISAPI Buffer Overflow Attack 3. SQLExp Worm Activity 4. Mal HTTP Commands Generic TCP Syn Flood Denial of Service Attack 7. Generic X86 Buffer Overflow Attack 8. Suspicious SSH Traffic 9. Dot-Dot Exploit 10.Generic WebDAV/Source Disclosure "Translate: f" HTTP Header Request Attack *excludes probes and scans

29 Analysis of variety of attacks on Community in 2004 Total Attack Signatures for Community Jan Feb Mar Apr May Jun 2004

30 Community Benchmarking Security Events 250 Average Security Event Count (Jan-Jun 2004) P J Q D M C F S Z X G L V O Y H N T K W AA E R B I A U Community Organisations

31 Summary Vulnerabilities increase patch times decrease Internet parasites come of age now they make money The tools make it easier both for the hacker and the careless But we have an opportunity we can use the tools for defence Community defence could give us the break we need!

32 End Questions? Thank you