
Cyber criminals seek motherlodes

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 10 May 2011

Cyber criminals are looking for the 'data motherlode': sites holding huge aggregations of data online, says Trend Micro.

Rik Ferguson, director of security research and communication, EMEA, at Trend Micro, told the sixth annual ITWeb Security Summit in Sandton that cyber criminals are now concentrating on finding large amounts of data online and are targeting the companies that hold it accordingly.

“Companies with large amounts of data stored online are now legitimate targets. When there is so much low-hanging fruit, you don't need a ladder.”

Speaking on the topic 'Life after Stuxnet', Ferguson said the malware was indicative of a widely held assumption that zero-day attacks are essential to the online crime industry. He said that need not be the case.

“The general trend of disclosed vulnerabilities is down, although we can reach the assumption that maybe the amount disclosed doesn't bear relation to those that exist.”

In addition, the time from patch to exploit has shrunk. “In 2005 you had around a week; these days it has become a matter of hours.”

According to Ferguson, the perception is that criminals devote much time to finding zero-day vulnerabilities and that zero-day vulnerabilities are crucial for targeted attacks. “There is also the perception that once a patch is available the problem is solved. This is not true. It is only once the patch has been deployed that you may be more secure.”

Another misconception, he said, is that operating system (OS) flaws are more widely exploited than application flaws; this is not the case.

“The reality is that social engineering is most widely used in the execution of cyber crime. In addition, insecure application environments cause major problems, as one thing criminals love is a monoculture, which is why Windows and Adobe are targeted so much. The more popular a platform is, the more it will be targeted by cyber criminals.”

Another trend, Ferguson added, is 'cyber crime-as-a-service'. It is amazing how closely the online crime world mirrors the world of business: it too is moving to a 'something-as-a-service' model, with criminal services subscribed to online.

Cyber crime toolbox

Commercial attack toolkits are also becoming increasingly popular, he said. Cyber criminals need very little skill to set up a Web site that exploits its visitors, and zero-day vulnerabilities are automatically incorporated into these toolkits.

Ferguson said Trend Micro found 666 unique detections for PDF threats in the first half of 2010. “All of these were designed to automatically exploit vulnerabilities.”

He explained that the most popular exploits are drive-by attacks, where a user visits a Web site and is infected automatically.

“In addition, we run out-of-date environments and criminals exploit this. All of these trends have led to cyber crime becoming a huge economy.”

He said there are 60 000 new strains of malware discovered every day, which he equated to three unique malware components every second.

“Conficker was a huge problem, one of the biggest botnets ever seen. However, it didn't use a zero-day vulnerability. It used an already patched vulnerability, and relied on the fact that users don't always apply patches.”

Epsilon, Ferguson said, was another example: it was compromised through targeted social engineering, as was Play.com.

Ferguson posed the question: 'Do zero-day exploits matter?' Of course they do, he said, and for many reasons. “For example, the Aurora attack, a prime example of industrial espionage, used a zero-day vulnerability.

“However, the initial trigger was social engineering - cyber criminals sending messages to people they knew within Google, containing a malicious link to try to access the servers.”

He cited the recent Sony incident as an example. “Hearsay had it that Sony was running an outdated application environment.”

Stuxnet, he said, did use four zero-day vulnerabilities, but it was a highly targeted attack. It was very good at what it did, and was definitely the result of government involvement.

“No cyber criminals would be stupid enough to waste four zero-day vulnerabilities, when one would have sufficed,” he joked.

He said EMC's security division, RSA, was compromised through a zero-day vulnerability delivered in an Excel spreadsheet. However, the attack still relied on social engineering. The company lost some valuable intellectual property and suffered damage to its reputation.

Unfortunately, Ferguson said, weaponisation of vulnerabilities is much faster than remediation. “Widespread applications and plug-ins are most at risk of vulnerabilities. Criminals actively exploit zero-day vulnerabilities.

“Monocultures are a huge problem as well as the fact that people don't patch application environments.

“Overlap is a big concern. When security professionals are discovering similar things at the same time, you can bet that criminals and intelligence agencies are discovering them too.”

The question, he said, is where attention should be focused: what is most widely exploited and abused?

“Botnets continue to be a huge problem, Trend Micro tracks 23 000 000 at any one time. Shadowserver tracks 5 500 command and control servers. Even Gartner says botnets will continue to dominate the security landscape.”

Another enormous problem is JavaScript. “If JavaScript could be eliminated from operating environments, it would be a great thing. It is the most widely used initial infection tool. Criminals love it because it's easy to disguise and extremely portable. It is found embedded in HTML documents, in Web sites, in PDF documents.”
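The JavaScript-in-PDF problem Ferguson describes here, and the auto-exploiting PDF threats he counted earlier, can be triaged with a quick static check. The Python below is an added example written for this page; it is not Trend Micro's tooling and was not shown at the talk. It scans raw PDF bytes for the name objects that carry script (/JS, /JavaScript) and the ones that fire it without user interaction (/OpenAction, /AA), undoing the #xx name escapes that disguise those keywords. The two sample PDFs are constructed inline and the helper names are my own.

```python
import re

# Added illustration for this page; not Trend Micro's tooling or anything from the talk.
# Indicator names: /JS and /JavaScript carry script; /OpenAction and /AA fire actions
# automatically (on open, on page events), which is what makes a PDF "auto-exploit".
# /Launch starts an external program; /EmbeddedFile carries a dropped payload.
SCRIPT_KEYS = {"/JS", "/JavaScript"}
AUTO_KEYS = {"/OpenAction", "/AA"}
OTHER_KEYS = {"/Launch", "/EmbeddedFile"}
WATCHED = SCRIPT_KEYS | AUTO_KEYS | OTHER_KEYS

# A PDF name object runs from '/' up to whitespace or a delimiter character.
NAME_RE = re.compile(rb"/[^\s/<>\[\]()\{\}%]+")
# Inside a name, #xx is a hex escape for one byte: /J#61vaScript is /JavaScript.
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_name(raw: bytes) -> str:
    """Decode #xx escapes so a disguised keyword compares equal to the plain one."""
    return HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count occurrences of each watched name in the raw (uncompressed) PDF bytes."""
    counts: dict = {}
    for match in NAME_RE.finditer(data):
        name = normalise_name(match.group(0))
        if name in WATCHED:
            counts[name] = counts.get(name, 0) + 1
    return counts


def verdict(counts: dict) -> str:
    """'auto-js' when script is present and wired to an automatic trigger,
    'js' when script is present but needs user interaction, else 'clean'."""
    has_script = any(k in counts for k in SCRIPT_KEYS)
    has_auto = any(k in counts for k in AUTO_KEYS)
    if has_script and has_auto:
        return "auto-js"
    if has_script:
        return "js"
    return "clean"


# Constructed samples (not real malware): a minimal benign file, and one whose catalog
# /OpenAction points at a JavaScript action with the keyword hex-escaped.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
DISGUISED_JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
    b"3 0 obj<</S/J#61vaScript/JS(app.alert('hello'))>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("disguised", DISGUISED_JS_PDF)):
        found = scan_pdf(pdf)
        print(f"{label}: {verdict(found)} {found}")
```

One caveat a practitioner should keep in mind: this only sees names written in plain object dictionaries. A file that tucks the action dictionary inside a FlateDecode'd object stream hides it from a byte scan, so a real triage tool inflates each stream (zlib) and rescans the decoded bytes before trusting a 'clean' result.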

Window of opportunity

The bottom line, he said, is that the need for regression testing and scheduled patch windows creates a window of opportunity for criminals.

Another popular tactic is search engine optimisation, he added. “This is becoming leaner, meaner, faster. Cyber criminals use popular events to lure unsuspecting users, and the beauty of it is that the user comes to them; it's almost effortless. They don't have to get through the user's perimeter at all.”

He said single attacks use multiple vectors. “AV protection networks have multiple layers of protection [and] all the layers need to be looked at - the exposure layer, the infection layer, the execution layer and the vulnerability layer.”

Looking to the future, he posed the question as to what would happen if the OS is nothing but a browser.

“The erosion of MS Windows is well under way and the mobility of the endpoint has been established. What do we do then, if there is no longer a single dominant OS, or if Adobe Flash is replaced by HTML5?

“How would the bad guys continue to make money? Where will this monoculture be in the future?” The answer, Ferguson said, is the cloud, and this is what we must look to secure more effectively.

Virtualisation, highly mobile devices, shared data storage and the application platform are the areas to focus on for security in future, he concluded.
