THE RISE OF GLOBAL THREAT INTELLIGENCE
THE RISE OF GLOBAL THREAT INTELLIGENCE IN THE DIGITAL BUSINESS WORLD

In developing the Global Threat Intelligence Report (GTIR), the NTT Group security team used extensive data gathering tools and technologies, including managed security services across the NTT infrastructure, professional service engagements, customer incidents and NTT's new Global Threat Intelligence Platform (GTIP). This includes data and analysis from Dimension Data, NTT DATA, NTT Com Security, Solutionary and NTT Innovation Institute (NTT i3).

The Challenge for IT

NTT Group cast a wide data collection net to capture the diversity of attacks which are normal in the modern security landscape. For this report, NTT Group used that broad dataset to analyze the attacks. In reality, this same challenge is faced by IT departments on a daily basis, and these groups must respond to these same types of attacks. Organizational IT exists in a hybrid model which combines on-premises as well as cloud and SaaS-based services, which diversify the attack landscape. At the same time, IT departments in compliance- and regulation-dominated industries need to maintain high levels of security for their existing mission-critical systems, thereby establishing a bi-modal world. This infrastructure diversity creates a dramatic increase in the complexity of managing security operations and requires analysis which is not confined to the local infrastructure. Cybercriminals are globally organized, well funded, skilled, and easily outnumber security staffers at most organizations.
The challenge is multi-faceted because of:

- The burden of learning new technologies
- Increasing costs with hard-to-factor ROI
- A world-wide shortage of skilled security engineers and professionals
- Inconsistent user experiences across the variety of products needed
- Incompatible or poor integration between the hierarchy of products

Typical conventional frameworks were designed to fight a very different battle. They require a number of different products, from a variety of vendors, to control and protect a variety of network access points, processes and products. Security control is accomplished using the hierarchy of networks and products to create a wall around a network to protect endpoints and servers as well as valuable data and information.

The Broader View with Threat Intelligence

With threat intelligence, corporations can address customers' security challenges with verified, live, and actionable supporting data based on the larger world context. Thanks to close collaboration with global security communities, customers, vendors, industry forums and governments, the quality of available security information is improving. What is most needed is a framework which effectively consumes the available security information, then converts it to genuine intelligence through the application of context-aware analysis. This new framework will improve the industry's ability to deliver security controls using an integrated hierarchy of products, services and intelligence. Organizations will be able to consider intelligence which is meaningful to them, and when combined with awareness of their own environments, this will enable better management of risk and application of appropriate controls. An ultimate intrusion-resilient framework will deliver the latest in elastic security specifically designed to meet pressures from today's digital world: cybercrime, state-sponsored attacks and hacktivism.
The best threat intelligence establishes security flexibility and integration for:

- Proactive protection
- Threat mitigation before attacks even begin
- Minimal damage even if attacked
- Faster recovery from the damage
- Continuously improved security operations

Threat intelligence is an evolving capability in security, and there are many vendors entering the marketplace. Vendors utilize data from their respective installed bases or through customer service engagements. Threat intelligence in the marketplace is constrained by delivery technologies, the nature of the information sources, the trustworthiness of the data and the geographical coverage.

The NTT Global Threat Intelligence Platform (GTIP)

Within the threat intelligence world, NTT GTIP gathers, analyzes, exchanges, and uses threat information from across NTT's global infrastructure, threat sensor networks, and partners on a global scale. GTIP enables NTT security experts to provide actionable insight which can minimize cybersecurity threats, mitigate damages, and quickly recover to effectively reduce business disruption. This threat intelligence enables NTT Group to provide new and enhanced proactive security services, including threat watch for clouds and applications hosted on NTT cloud servers.

Read more at the Global Threat Intelligence Report Online at: https://nttgroupsecurity.com/
THE USER IS THE PERIMETER: THE USER IS VULNERABLE
THE USER IS VULNERABLE

During 2014, NTT Group observed millions of vulnerabilities on client systems. Looking at the details of some of these vulnerabilities reveals some interesting information, including that 7 of the top 10 vulnerabilities were on end-user systems, as opposed to servers. To read about the impact this has on actual attacks, read more in the article on Weekend Trends.

TOP 10 VULNERABILITIES

1. Outdated Java Runtime Environment
2. Oracle Java SE Critical Patch Update
3. Multiple Vulnerabilities In Java Web Start
4. Missing MS Windows Security Updates
5. Outdated Flash Player Version
6. Outdated Adobe Reader And Acrobat
7. Outdated Internet Explorer
8. Multiple Oracle Vulnerabilities
9. Outdated/Missing Patches Oracle DB
10. Outdated OpenSSH Version

Caption: Top 10 most common vulnerabilities in 2014.
The ultimate impact is that the end-user becomes a liability because their systems are often full of unpatched vulnerabilities. At the time this report was written there were patches available which would mitigate the impact of all 10 of the top vulnerabilities seen in 2014. Patching and keeping systems updated is tedious and can be very difficult, especially in a geographically distributed organization with a highly mobile, heterogeneous hardware and software environment.

[Figure: Vulnerabilities by year of release, 1999 through 2014, as a percentage of detected vulnerabilities. Caption: Detected vulnerabilities by year of release, 2014.]

During 2014, 76 percent of identified vulnerabilities throughout all systems in the enterprise were from 2012 or earlier, making them more than 2 years old, and almost 9 percent of them were over 10 years old. Many are also rapidly incorporated into common and simple-to-use exploit kits so that attackers can more readily use them as part of their attack suite (read more in the Exploit Chapter).
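As an added example (not from the report), the age and end-user metrics quoted above computed over a constructed vulnerability-scan export. The hosts, roles and publication years are hypothetical; the finding names are the report's own top-10 categories.

```python
from collections import Counter

REPORT_YEAR = 2014

# Constructed scan findings (hypothetical hosts, roles and publication years);
# the finding names are the categories listed in the report's top 10.
FINDINGS = [
    {"host": "ws-01", "role": "end-user", "name": "Outdated Java Runtime Environment", "published": 2013},
    {"host": "ws-01", "role": "end-user", "name": "Outdated Flash Player Version", "published": 2014},
    {"host": "ws-02", "role": "end-user", "name": "Outdated Adobe Reader And Acrobat", "published": 2012},
    {"host": "ws-02", "role": "end-user", "name": "Missing MS Windows Security Updates", "published": 2008},
    {"host": "ws-03", "role": "end-user", "name": "Outdated Internet Explorer", "published": 2011},
    {"host": "ws-03", "role": "end-user", "name": "Multiple Vulnerabilities In Java Web Start", "published": 2012},
    {"host": "ws-04", "role": "end-user", "name": "Oracle Java SE Critical Patch Update", "published": 2010},
    {"host": "db-01", "role": "server", "name": "Outdated/Missing Patches Oracle DB", "published": 2006},
    {"host": "db-01", "role": "server", "name": "Multiple Oracle Vulnerabilities", "published": 2004},
    {"host": "bastion-01", "role": "server", "name": "Outdated OpenSSH Version", "published": 2003},
]

def share_by_year(findings):
    """Percent of findings per publication year: the report's 'by year of release' view."""
    counts = Counter(f["published"] for f in findings)
    total = len(findings)
    return {year: round(100.0 * n / total, 1) for year, n in sorted(counts.items())}

def share_at_least_years_old(findings, years, report_year=REPORT_YEAR):
    """Fraction of findings published at least `years` before report_year.
    'From 2012 or earlier' in a 2014 report is years=2; strictly 'over 10 years old' is years=11."""
    if not findings:
        return 0.0
    old = sum(1 for f in findings if report_year - f["published"] >= years)
    return old / len(findings)

def share_on_role(findings, role):
    """Fraction of findings sitting on hosts of the given role (end-user vs server)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f["role"] == role) / len(findings)

if __name__ == "__main__":
    print(share_by_year(FINDINGS))
    print("at least 2 years old:", share_at_least_years_old(FINDINGS, 2))
    print("over 10 years old:", share_at_least_years_old(FINDINGS, 11))
    print("on end-user systems:", share_on_role(FINDINGS, "end-user"))
```

Run against a real scanner export with the same three fields, the two age ratios are the numbers to compare with the report's 76 percent and 9 percent.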
[Figure. Caption: A page from a website on the Dark Web selling an encryption tool. It includes support and security.]

Fortunately, there is a single best step organizations can take to reduce their exposure due to client-based vulnerabilities: improve their vulnerability management programs. More specifically, ensure that all end-user client systems are included in the patch management process. Admittedly, this is much more complicated than it sounds, and can include a variety of related recommendations:
- Define a set of approved configurations to harden and operate end-user machines. This should include approved operating systems, applications and utilities, and even which browser is supported for organizational use. The smaller and more consistent the organization can make its gold standard, the easier it is to maintain systems using that standard.
- Clearly inform users what those standards are, and make it clear that unapproved software is not just unapproved, but unauthorized. Ensure that it is clear to all users that the use of unauthorized software can result in disciplinary action.
- Minimize the use of admin or other accounts which are allowed to change system configurations, including installation of new, potentially unauthorized software.
- Actively patch end-user systems on a regular basis, and confirm that patches are installed.
- Conduct regular internal and external authenticated vulnerability scans to help identify systems which are out of policy, then patch those systems.
- Actively manage an exception process which tracks special software as well as users with elevated permissions.
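One way to turn the gold-standard, admin-account, scan and exception recommendations above into a single check, as an added example that is not part of the report: a host inventory is compared against an approved configuration and a tracked exception register, flagging unapproved operating systems, unauthorized or out-of-date software, and local administrators nobody has signed off on. The gold standard, host names, software names, minimum versions and account names are all constructed placeholders.

```python
def parse_version(v):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(p) for p in v.split("."))

# Constructed approved configuration ("gold standard"); the minimum versions are
# placeholders, not a real patch baseline.
GOLD_STANDARD = {
    "approved_os": {"Windows 7 SP1", "Windows 8.1"},
    "min_versions": {"Java Runtime Environment": "7.71", "Adobe Reader": "11.10",
                     "Flash Player": "15.223", "Internet Explorer": "11.0"},
    "allowed_admins": {"Administrator"},  # built-in account, managed separately
}

# Constructed exception register: special software and elevated users tracked per host.
EXCEPTIONS = {"ws-eng-02": {"software": {"Wireshark"}, "admins": {"build-svc"}}}

# Constructed inventory, shaped like what a software-inventory agent would report.
HOSTS = [
    {"name": "ws-01", "os": "Windows 7 SP1",
     "software": {"Java Runtime Environment": "7.51", "Adobe Reader": "11.10"},
     "local_admins": {"Administrator"}},
    {"name": "ws-eng-02", "os": "Windows 7 SP1",
     "software": {"Wireshark": "1.12", "Flash Player": "15.223"},
     "local_admins": {"Administrator", "build-svc"}},
    {"name": "ws-03", "os": "Windows XP SP3",
     "software": {"uTorrent": "3.4", "Internet Explorer": "8.0"},
     "local_admins": {"Administrator", "jdoe"}},
]

def policy_findings(host, gold=GOLD_STANDARD, exceptions=EXCEPTIONS):
    """Return sorted (category, detail) pairs for everything on the host that is out of policy."""
    ex = exceptions.get(host["name"], {"software": set(), "admins": set()})
    findings = []
    if host["os"] not in gold["approved_os"]:
        findings.append(("unapproved-os", host["os"]))
    for name, version in host["software"].items():
        if name in gold["min_versions"]:
            # approved software: only the version matters
            if parse_version(version) < parse_version(gold["min_versions"][name]):
                findings.append(("outdated", f"{name} {version}"))
        elif name not in ex["software"]:
            # not in the standard and not in the exception register: unauthorized
            findings.append(("unauthorized-software", name))
    for admin in host["local_admins"] - gold["allowed_admins"] - ex["admins"]:
        findings.append(("untracked-admin", admin))
    return sorted(findings)

def out_of_policy_hosts(hosts):
    """Hosts with at least one finding: the set to patch or remediate first."""
    return [h["name"] for h in hosts if policy_findings(h)]
```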
THE USER IS THE PERIMETER: WEEKEND TRENDS
WEEKEND TRENDS

The article The User is Vulnerable discusses how significant vulnerabilities are related to end-user machines instead of servers. But do vulnerabilities on end-user systems have anything to do with which systems are being attacked? The graph below shows the number of Flash/Java/Adobe (Acrobat and Acrobat Reader) exploit attempts detected by NTT Group in 2014. The chart shows regular activity spread across the year, with shorter periods of higher attack detection. The large spikes show a combination of events which often overlap, occurring where alerts were triggered by new vendor signatures on old vulnerabilities, unproven signatures which tended to produce false-positive alerts, and some genuine new vulnerabilities and campaigns. If you look closely at the data, however, you can see another interesting trend. The regular drops in detected attacks coincide perfectly with weekends.

[Figure: Daily Flash/Java/Adobe detections, 2014 (series: Adobe, Java, Flash; 01/02/14 to 10/31/14). Caption: The dips in the chart are on weekends when users are not typically on a corporate network.]
The weekend trend is not just limited to Flash/Java/Adobe exploitation. The next chart shows the volume of all Internet-based attacks through 2014. Much like the detection of Flash/Java/Adobe attacks, the chart of all Internet-based attacks shows a certain amount of regularity throughout the year. The chart also shows the same regular trends: steady weeklong detection, with drops in the attack line coinciding with weekends. Does that mean there are fewer attacks on weekends?

[Figure: Daily attacks, 2014 (average events per day, 01/02/14 to 12/31/14). Caption: Yearly view of the Internet-based attacks during 2014.]

We wouldn't expect the days of the week to matter for attacks against websites, e-commerce sites, applications and systems historically targeted by cybercriminals. In fact, we might expect an increase on weekends, when staffing and monitoring levels might be lower. However, the organizational security infrastructures monitored by NTT Security during 2014 consistently detected considerably fewer attacks on weekends and holidays. On weekends and holidays, the workers are not in the office and corporate end-user systems are either turned off, or not being used. This major drop in weekend attacks demonstrates that organizational controls are detecting security events related to end users. Targeting end users has become a major component of all attacks seen.

Organizations can take actions to help mitigate the effectiveness of attacks on end-user systems:

- Maintain an active and current anti-virus/anti-malware solution on all end-user devices which have access to organizational networks or data. Although this is a simple control, properly maintained anti-virus does detect 40-50 percent of malware.
- Consider extended endpoint protection including file integrity monitoring, endpoint encryption and event monitoring.
- Minimize the use of admin accounts. Require the user to log on with a user-level password which has the minimum level of permissions required to perform their job. Browsing while using admin access increases risk.
- Require all work computers to access the Internet through the organizational VPN whether they are at work or not. Enforce safe browsing habits through the VPN connection, including blacklisting websites, and actively monitoring security on portable laptops at all times so that the organization is more likely to detect an attack and compromise.
- Provide an active security awareness and training program which includes training on attacks designed for end-user systems. Include social engineering and phishing in the organizational training program.
- Maintain offline backups of end-user data to help minimize the impact of localized system compromises, malware and ransomware.
- Implement and monitor proxies and content-filtering capabilities.
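The weekend check this article describes, as an added example that is not the report's own analysis: daily detection counts are grouped into weekdays and weekends, and the days whose volume falls well below the weekday mean are tested for whether they land on Saturdays and Sundays. The counts are constructed inside the block to resemble the charts above; a real run would read them from a SIEM's daily event totals.

```python
from datetime import date, timedelta
from statistics import mean

def constructed_counts():
    """Constructed daily detection counts for four weeks from Monday 2014-01-06,
    shaped like the report's charts (a drop on Saturdays and Sundays); hypothetical data."""
    start = date(2014, 1, 6)
    pattern = [520, 540, 530, 550, 510, 190, 170]  # Mon .. Sun
    return {start + timedelta(days=i): pattern[i % 7] + (i % 5) * 7 for i in range(28)}

def split_by_day_type(counts):
    """Separate counts into weekday (Mon-Fri) and weekend (Sat, Sun) series."""
    weekday = [n for d, n in counts.items() if d.weekday() < 5]
    weekend = [n for d, n in counts.items() if d.weekday() >= 5]
    return weekday, weekend

def weekend_drop(counts):
    """Return (mean weekday count, mean weekend count, weekend/weekday ratio)."""
    weekday, weekend = split_by_day_type(counts)
    mw, me = mean(weekday), mean(weekend)
    return mw, me, me / mw

def dips(counts, threshold=0.6):
    """Days whose count is below `threshold` times the weekday mean."""
    mw, _, _ = weekend_drop(counts)
    return sorted(d for d, n in counts.items() if n < threshold * mw)

def dip_weekend_fraction(counts, threshold=0.6):
    """Fraction of dip days that fall on a Saturday or Sunday; a value near 1.0
    reproduces the report's observation that the drops line up with weekends."""
    ds = dips(counts, threshold)
    if not ds:
        return 0.0
    return sum(1 for d in ds if d.weekday() >= 5) / len(ds)

if __name__ == "__main__":
    counts = constructed_counts()
    mw, me, ratio = weekend_drop(counts)
    print(f"weekday mean {mw:.1f}, weekend mean {me:.1f}, ratio {ratio:.2f}")
    print("dips:", [d.isoformat() for d in dips(counts)])
    print("share of dips on weekends:", dip_weekend_fraction(counts))
```

If the weekend fraction of dips is high for end-user facing signatures but not for attacks on Internet-facing servers, that difference is the same signal the article draws from its two charts.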