IBM X-Force Report: Enterprise Security Exploits Are Rising
Trends in the Enterprise
According to IBM X-Force report, in 2010 the teenager hacking for fun gives room to the organized computer criminals which attack for money, and an even bigger threat appears at the horizon: intelligence organizations funded by states. The term Advanced Persistent Threat (APT) is more widely circulated in organizations referring to
a variety of different groups from different nation states that attack computer networks in order to steal intelligence information, as opposed to groups with a more direct financial motivation, such as those who target caches of credit card numbers. The word persistent is used to characterize the capacity that APT groups have for maintaining access to and control of computer networks even when the network operators are aware of their presence and are taking active steps to combat them. APT groups are patient—they slowly develop access to the information they want while staying below an activity threshold that would attract attention.
APT is much more sophisticated than common attacks, using public information found on social networks, forums, and other websites in order to
develop a complete picture of a targeted organization; who works there, what they do, and who they report to within the organization. This picture enables them to identify the particular individuals who may have access to the kind of information that they seek.
Then the attackers decide who is their next victim and they attempt to take control of his workstation/laptop, spreading to other systems in the organization or even trying to access other secured networks. The attacks are carried through
malformed documents or Web pages that target zero-day vulnerabilities with obfuscated exploits. The attack might come as an email, addressed from a business partner or colleague, with a malicious attachment that sounds directly relevant to the victim’s job function. It might be a link to a juicy document that is hosted on a competitor’s website, or perhaps a USB token handed to the victim at a trade show with an interesting presentation.
As examples of such attacks, without nominating anyone, the report mentions:
Power plants have been attacked by state-sponsored cyber warriors as well as criminal groups who are simply interested in blackmail. The same sort of sophisticated spear phishing attacks that have been used to target government strategists have also been directed at executives in financial institutions who have access to funds transfer systems.
The authors of the report don’t believe in a silver bullet against APT, but they express their confidence that organizations can fight it. Besides using adequate security tools and new processes and technologies, such as “the wider use of physical network segmentation, universal email signing, and application white-listing”, the authors suggest finding out which persons in the organization are most likely going to be subject to an attack":
In our experience, one of the most effective things that you can do to combat this sort of threat on your network is to enlist your people. We reject the idea that it is impossible to train users to be on guard for sophisticated spear phishing attacks, because we’ve seen it work. If you can identify the people who work in your organization who are most at risk for this kind of attack, and you sit down with them and explain the nature of the threat and how it works, they can become your first line of defense. They can report suspicious emails to you. Once you’ve got a sample of an exploit being used by these attackers, you’ve got a foothold on the problem. You may be able to identify other targeted victims, identify malware command and control patterns, and begin to unravel the infestation.
Vulnerabilities and Exploits
IBM X-Force report has noticed an increase in security attacks and exploitations in spite of advances in network security. Some of the most important exploitations are:
PDF – is increasingly used to get a weak point in the enterprise in order to carry on attacks. The following graphic shows a rise in PDF exploits during 2010:
Reported Vulnerabilities – 2010 has known an increase in security vulnerability reports
Sun, Microsoft and Mozilla take the first spots on the top 12 vendors list with vulnerabilities disclosed and not patched:
Other vulnerabilities and exploits mentioned by the report include the Conficker worm, Zeus Botnet, BlackHat Search Engine Poisoning, Rogue Anti-Virus products, Spam with the majority of top spamming domains moving to Russia, and Phishing – lead by Brasil and followed by India and South Korea.
The IBM X-Force report contains details on discovered vulnerabilities and exploits, companies and applications/technologies most vulnerable, and trends for the future. Two domains that will most likely be targeted in the future are going to be virtualization and cloud computing.