Symantec's Internet Security Threat Report, Volume 18 revealed a 42 percent surge during 2012 in targeted attacks compared to the prior year. Designed to steal intellectual property, these targeted cyberespionage attacks are increasingly hitting the manufacturing sector as well as small businesses, which are the target of 31 percent of these attacks. Small businesses are attractive targets themselves and a way in to ultimately reach larger companies via “watering hole” techniques. In addition, consumers remain vulnerable to ransomware and mobile threats, particularly on the Android platform.
3. Targeted Attacks in 2012
Internet Security Threat Report 2013 :: Volume 18 3
4. Targeted Attacks by Industry
Manufacturing 24%
Finance, Insurance & Real Estate 19%
Services – Non-Traditional 17%
Government 12%
Energy/Utilities 10%
Services – Professional 8%
Wholesale 2%
Retail 2%
Aerospace 2%
Transportation, Communications, Electric, Gas 1%
Manufacturing moved to top position in 2012
But all industries are targeted
5. Targeted Attacks by Company Size
2,501+ employees 50%
1 to 2,500 employees 50%, broken down as:
1,501 to 2,500 9%
1,001 to 1,500 2%
501 to 1,000 3%
251 to 500 5%
1 to 250 31% (callout on chart: growth since 2011)
Greatest growth in 2012 is at companies with <250 employees
6. Targeted Attacks by Job Function
R&D 27%
Sales 24%
C-Level 17%
Shared Mailbox 13%
Senior 12%
Recruitment 4%
Media 3%
PA 1%
Attacks may start with the ultimate target, but often look opportunistically for any entry into a company
7. Spear Phishing / Watering Hole Attack
Spear Phishing: Send an email to a person of interest
Watering Hole Attack: Infect a website and lie in wait for them
Targeted Attacks predominantly start as spear phishing attacks
In 2012, Watering Hole Attacks emerged (popularized by the Elderwood Gang)
8. Effectiveness of Watering Hole Attacks
Watering Hole Attack in 2012: Infected 500 Companies, All Within 24 Hours
Watering Hole attacks are targeted at specific groups
Can capture a large number of victims in a very short time
9. Recent Example of Watering Hole Attack
In 2013 this type of attack will become widely used
Several high profile companies fell victim to just such an attack
10. Watering Hole Targeted iOS Developers
In 2013 this type of attack will become widely used
Several high profile companies fell victim to just such an attack
11. Thwarting Targeted Attacks
Security Intelligence
• Human Intelligence regarding active and anticipated attack campaigns, targeted attacks, and emerging threats
Holistic Security Monitoring
• Use full capabilities of monitoring solutions to provide full visibility into security posture and events across the entire enterprise footprint
Removable Media Device Control
• Restrict removable devices and functions to prevent malware infection
Email & Web Gateway Filtering
• Scan and monitor inbound/outbound email and web traffic and block accordingly
Data Loss Prevention
• Discover data spills of confidential information that is targeted by attackers
• Detect and prevent exfiltration of confidential information that is targeted by attackers
Encryption
• Create and enforce security policies so all confidential information is encrypted
Incident Preparedness & Response
• Ensure formal Incident Response capabilities are in place and fully tested
• Conduct periodic penetration tests and red-team exercises to evaluate defense and response capabilities from the perspective of an attacker
13. Spam Decline
Global Spam Rates 2011-2012
January 2011: 79%
October 2012: 69%
[Chart: monthly global spam rate as a percentage of email, January 2011 to October 2012]
Spam has declined for second year in a row (as % of email)
Botnet takedowns continue to have an effect
15. The Risk of Spam Continues
1 in 414 emails are a phishing attack
1 in 283 emails are a malware attack
of all email is spam
16. Thwarting Spam-borne Attacks: Defense
Security Intelligence
• Human Intelligence regarding active and anticipated attack campaigns, targeted attacks, and emerging threats
Email & Web Gateway Filtering
• Scan and monitor inbound/outbound email and web traffic and block accordingly
Advanced Reputation Security
• Detect and block new and unknown threats based on global reputation and ranking
Layered Endpoint Protection
• Use more than just AV – use full functionality of endpoint protection including heuristics, reputation-based, behavior-based and other technologies
• Restrict removable devices and turn off auto-run to prevent malware infection
Holistic Network Monitoring & Layered Defenses
• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies
• Network protection is more than just blacklisting
Security Awareness Training
• Ensure employees become the first line of defense against socially engineered attacks, such as phishing, spear phishing, and other types of attacks
18. Zero-Day Vulnerabilities
[Chart: zero-day vulnerabilities per year, 2006 to 2012; series: Total Volume, Stuxnet, Elderwood]
One group can significantly affect yearly numbers
Elderwood Gang drove the rise in zero-day vulnerabilities
19. All Vulnerabilities
[Chart: total vulnerabilities per year, 2006 to 2012; yearly totals range from 4,644 to 6,253]
No significant rise or fall in discovery of new vulnerabilities in last 6 years
20. 30% Increase in web attacks blocked…
2011: 190,370
2012: 247,350
21. Our Websites are Being Used Against Us
61% of web sites serving malware are legitimate sites
53% of legitimate websites have unpatched vulnerabilities
25% have critical vulnerabilities unpatched
22. Our Websites are Being Used Against Us
In 2012, one threat infected more than 1 million websites
Its payload was FakeAV
The next time it’s likely to be ransomware
25. Ransomware
Number of criminal gangs involved in this cybercrime
Estimated amount extorted from victims in 2012
Average number of attacks seen from one threat in 18 day period
26. Protecting Against Vulnerabilities: Defense
Vulnerability Management Program
• Routine, frequent vulnerability assessments and penetration tests to identify vulnerabilities in applications, systems, and mobile devices
• Formal process for addressing identified vulnerabilities
Configuration & Patch Management Program
• Ensure all operating system and application patches are evaluated and deployed in a timely manner
• Ensure adherence to formal, secure configuration standards
Application Virtualization
• Leverage application virtualization technologies to reduce risk when legacy web browsers and older versions of 3rd party applications like Java or Adobe Reader must be used for compatibility reasons
Advanced Reputation Security
• Detect and block new and unknown threats based on global reputation and ranking
Layered Endpoint Protection
• Use more than just AV – use full functionality of endpoint protection including heuristics, reputation-based, behavior-based and other technologies
• Restrict removable devices and turn off auto-run to prevent malware infection
Layered Network Protection
• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies
• Network protection is more than just blacklisting
29. Vulnerabilities & Mobile Malware
Platform: Vulnerabilities
Apple iOS: 387
Android: 13
Blackberry: 13
Windows Mobile: 2

Device Type: # of Threats
Apple iOS Malware: 1
Android Malware: 103
Symbian Malware: 3
Windows Malware: 1

Today there is no significant link between mobile OS vulnerabilities and exploitation by malware
In the future that may change
30. What Does Mobile Malware Do?
Mobile Threats by Type
Steal Information 32%
Traditional Threats 25%
Track User 15%
Send Content 13%
Adware/Annoyance 8%
Reconfigure device 8%
31. Information Stealing Malware
Android.Sumzand
1. User received email with link to download app
2. Steals contact information
3. Harvested email addresses used to spam threat to others
32. Mitigating Mobile Threats
Device Management
• Remotely wipe devices in case of theft or loss
• Update devices with applications as needed without physical access
• Get visibility and control of devices, users and applications
Device Security
• Guard mobile device against malware and spam
• Prevent the device from becoming a vulnerability
• Enforce compliance across organization, including security standards & passwords
Content Security
• Identify confidential data on mobile devices and use technologies to prevent future exposure
• Protect data from moving between applications
• Encrypt mobile devices to prevent lost devices from turning into lost confidential data
Identity and Access
• Provide strong authentication and authorization for access to enterprise applications and resources
• Ensure safe access to enterprise resources from right devices with right postures
Mobile Application Management
• Use application management capabilities to protect sensitive data in BYOD scenarios or where full MDM capabilities are undesirable
34. Mac Malware Trend
10 new Mac families of malware in 2012
[Chart: new Mac malware families per year, 2007 to 2012]
35. Mac Malware
Only 2.5% of threats found on Macs are Mac malware
36. Flashback
But in 2012 1 Mac Threat infected 600,000 machines
37. Thwarting Mac Attacks: Defense
Layered Endpoint Protection
• Use robust endpoint protection on your Macs – they are not immune to malware
Layered Network Protection
• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies
• Network protection is more than just blacklisting
Security Awareness Training
• Ensure employees become the first line of defense against socially engineered attacks, such as phishing, spear phishing, and other types of attacks
Configuration & Patch Management Program
• Ensure all operating system and application patches are evaluated and deployed in a timely manner
• Ensure adherence to formal, secure configuration standards