Verizon 2014 Data Breach Assessments - Barikat 2016-I

Transcript

Verizon DBIR 2014 Assessment Report
MURAT H. CANDAN
12/02/15 Barikat 2015 – Next Generation Security Approach

Verizon DBIR
• Verizon has published the DBIR once a year since 2008.
• Its scope is compiled from data on the incidents and breaches reported for the year.
• The 2013 DBIR report was prepared with data from 27 countries.
• The 2014 DBIR report was prepared with data from 95 countries.
• The 2014 report is based on 1,367 confirmed breaches and 63,437 security incidents.
• The 2014 report also takes breaches from the years 2004-2012 into account.
• In this document, situations that violate confidentiality, integrity or availability are called 'incidents'; incidents in which data leaves the organization or is disseminated are called 'breaches'.
Rev.01 - 15.03.2014

Why Is Barikat Giving This Presentation?
• The 2014 report was prepared comparatively, taking the data of previous years into account. This makes it more valuable.
• We believe our assessment will be useful to you, and we hope to show the reader Barikat's other areas of expertise. We see this assessment report as an occasion for that.
• The underlying document contains findings that break some established assumptions, even where their source is not specified; in that sense it confirms our company's views.
• It is proof that security cannot be achieved with budgets allocated only to products.
• The report was prepared from investigations carried out in many countries (Turkey among them).
• Most of the investigations on which the report is based were carried out in the public sector.
• http://www.verizonenterprise.com/DBIR/2014/
The 2013 DBIR featured breaches affecting organizations in 27
countries. This year’s report ups that tally by 350%, to 95 distinct
countries (Figure 1). All major world regions are represented, and
we have more national Computer Security Incident Response Teams
data differ so much between CSIRTs that it’s difficult to attribute
differences to true variations in the threat environment.2 However,
regional blind spots are getting smaller thanks to our growing list of
contributors (see Appendix C), and we’re very happy with that.
Observations
Figure 1. Countries represented in combined caseload
Countries represented in combined caseload (in alphabetical order): Afghanistan, Albania, Algeria, Argentina, Armenia, Australia, Austria, Azerbaijan, Bahrain, Belarus, Belgium, Bosnia and Herzegovina, Botswana, Brazil, Brunei Darussalam, Bulgaria, Cambodia, Canada, Chile, China, Colombia, Congo, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Ethiopia, Finland, France, Georgia, Germany, Greece, Hong Kong, Hungary, India, Indonesia, Iran, Islamic Republic of, Iraq, Ireland, Israel, Italy, Japan, Jordan, Kazakhstan, Kenya, Korea, Republic of, Kuwait, Kyrgyzstan, Latvia, Lebanon, Lithuania, Luxembourg, Macedonia, the former Yugoslav Republic of, Malaysia, Mali, Mauritania, Mexico, Moldova, Republic of, Montenegro, Morocco, Mozambique, Nepal, Netherlands, New Zealand, Oman, Pakistan, Palestinian Territory, Occupied, Peru, Philippines, Poland, Portugal, Qatar, Romania, Russian Federation, Saudi Arabia, Singapore, Slovakia, Slovenia, South Africa, Spain, Switzerland, Taiwan, Province of China, Tanzania, United Republic of, Thailand, Turkey, Turkmenistan, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Uzbekistan, Vietnam, Virgin Islands.
Observations (slides 5-10: figures only)

Analysis
• An examination of the Verizon data identified 9 basic categories.
• The most valuable contribution of the Verizon 2014 DBIR report to the security sector is the 9 attack categories it derived from real data.
• Using the classification methodology, which is beyond the scope of this review and is explained in detail in the original document, 94% of the breaches examined could be explained by the 9 attack categories.
• The same methodology was also applied to incidents outside those covered by Verizon's reports (such as the VCDB), and 92% of 100,000+ incidents could be explained by these classifications.
• Whatever the structure of the organization or company we work with, by concentrating only on these 9 categories and their details, a set covering 90%+ of the attacks that may be encountered can be addressed.

Analysis – POS
may be surprised to find that POS intrusions are trending down
That's mainly because we've seen comparatively fewer attack sprees
franchises. Brute forcing remote access connections to POS still leads
or. A resurgence of RAM scraping malware is the most prominent
Figure 20. Comparison of POS Intrusions and Web App Attacks patterns, 2011-2013 (series: POS Intrusions, Web App Attacks; y-axis 20%-60%, x-axis 2009-2013)
From an attack pattern standpoint, the most simplistic narrative is as follows: compromise the POS device, install malware to collect magnetic stripe data in process, retrieve data, and cash in. All of these attacks share financial gain as a motive, and most can be conclusively attributed (and the rest most likely as well) to organized criminal groups operating out of Eastern Europe.3
Analysis – POS
Figure 24. Top 5 discovery methods for POS Intrusions (n=197): All External 99%, All Internal 1%; Ext - law enforcement 75%, Ext - fraud detection 14%, Ext - customer 11%, Int - NIDS <1%, Int - reported by user <1%
Regardless of how large the victim organization was or which methods were used to steal payment card information, there is another commonality shared in 99% of the cases: someone else told the victim they had suffered a breach. This is no
The timelines in Figure 25 reinforce both the compromise vectors and the discovery methods. Entry is often extremely quick, as one would expect when exploiting stolen or weak passwords. Most often it takes weeks to discover, and that's based entirely on when the criminals want to start cashing in on their bounty.
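The "timespan of events" figures the report draws here (and again for Miscellaneous Errors and Cyber-espionage later in this deck) are distributions of elapsed time bucketed into seconds through years. The following Python is an added example, not code from the Verizon report or from Barikat; it shows how a defender can compute the same distribution, plus the median dwell time between compromise and discovery, from their own incident records. The Incident fields, the measurement points (first action to compromise, compromise to exfiltration, compromise to discovery), the 30-day month and 365-day year cut-offs, and the sample records are all assumptions.

```python
"""Bucket incident timelines into DBIR-style "timespan of events" units.

Added example; not code from the Verizon report or from Barikat.
Assumptions: each incident record carries the attacker's first action,
the compromise, the exfiltration (if any) and the discovery (if any) as
datetimes; months are 30 days and years 365 days; the sample records
below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional

UNITS = ["Seconds", "Minutes", "Hours", "Days", "Weeks", "Months", "Years", "Never"]
PHASES = ("Compromise", "Exfiltration", "Discovery")

# Upper bounds (in seconds) for each unit, checked in order.
_BOUNDS = [
    ("Seconds", 60),
    ("Minutes", 60 * 60),
    ("Hours", 24 * 60 * 60),
    ("Days", 7 * 24 * 60 * 60),
    ("Weeks", 30 * 24 * 60 * 60),     # assumption: 30-day month
    ("Months", 365 * 24 * 60 * 60),   # assumption: 365-day year
]


def unit_for(delta: Optional[timedelta]) -> str:
    """Map an elapsed interval to the coarsest DBIR-style unit it falls in."""
    if delta is None:
        return "Never"
    seconds = delta.total_seconds()
    for name, limit in _BOUNDS:
        if seconds < limit:
            return name
    return "Years"


@dataclass
class Incident:
    first_action: datetime
    compromise: datetime
    exfiltration: Optional[datetime] = None   # None: no exfiltration recorded
    discovery: Optional[datetime] = None      # None: never discovered

    def intervals(self) -> Dict[str, Optional[timedelta]]:
        """Elapsed time per phase: first action -> compromise,
        compromise -> exfiltration, compromise -> discovery (assumed measurement points)."""
        return {
            "Compromise": self.compromise - self.first_action,
            "Exfiltration": None if self.exfiltration is None else self.exfiltration - self.compromise,
            "Discovery": None if self.discovery is None else self.discovery - self.compromise,
        }


def timespan_distribution(incidents: List[Incident]) -> Dict[str, dict]:
    """Percentage of incidents in each unit, per phase.

    Incidents without an exfiltration are left out of that phase's n (the
    figure's differing n values suggest the same); undiscovered ones count as Never."""
    table: Dict[str, dict] = {}
    for phase in PHASES:
        units = []
        for inc in incidents:
            delta = inc.intervals()[phase]
            if phase == "Exfiltration" and delta is None:
                continue
            units.append(unit_for(delta))
        counts = Counter(units)
        n = len(units)
        table[phase] = {
            "n": n,
            "pct": {u: (round(100 * counts[u] / n) if n else 0) for u in UNITS},
        }
    return table


def median_dwell_days(incidents: List[Incident]) -> Optional[float]:
    """Median compromise-to-discovery time in days over discovered incidents."""
    dwell = [inc.intervals()["Discovery"].total_seconds() / 86400
             for inc in incidents if inc.discovery is not None]
    return median(dwell) if dwell else None


# Constructed sample: four incidents with the mix of timings the text describes
# (entry in seconds or minutes, discovery weeks or months later, one never found).
T0 = datetime(2013, 1, 1)
SAMPLE = [
    Incident(T0, T0 + timedelta(seconds=30), T0 + timedelta(days=3), T0 + timedelta(days=20)),
    Incident(T0, T0 + timedelta(minutes=5), T0 + timedelta(days=10), T0 + timedelta(days=45)),
    Incident(T0, T0 + timedelta(hours=2)),
    Incident(T0, T0 + timedelta(seconds=40), T0 + timedelta(hours=2), T0 + timedelta(days=400)),
]

if __name__ == "__main__":
    for phase, row in timespan_distribution(SAMPLE).items():
        shown = {u: p for u, p in row["pct"].items() if p}
        print(f"{phase} (n={row['n']}): {shown}")
    print(f"median dwell: {median_dwell_days(SAMPLE):.1f} days")
```

Run stand-alone it prints the per-phase distribution for the constructed sample (compromise in seconds or minutes, discovery spread from weeks to never). Tracking the Discovery row and the median dwell over time is a direct measure of whether detection is improving, independent of how many incidents occur.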
Analysis – POS
Figure 25. Timespan of events within POS Intrusions (Discovery n=178, Exfiltration n=169, Compromise n=169; units: Seconds, Minutes, Hours, Days, Weeks, Months, Years, Never)
Analysis – Web Application
perpetrated by those motivated by espionage are certainly relevant, discussion of these is taken up in the Espionage section.
Figure 26. External actor motives within Web App Attacks (n=1,126): Ideology/Fun 65%, Financial 33%, Espionage 2%
Analysis – Web Application
Figure 27. Top 10 discovery methods for financially motivated incidents within Web App Attacks (n=122): Ext - fraud detection 74%, Ext - customer 6%, Int - IT audit 4%, Ext - unrelated party 3%, Ext - law enforcement 2%, Int - fraud detection 2%, Ext - monitor service 1% (Total External 88%, Total Internal 12%)
Figure 28. Top 5 discovery methods for ideologically motivated incidents within Web App Attacks (n=775): Ext - unrelated party, Ext - fraud detection, Ext - law enforcement, Ext - actor disclosure, Int - reported by user (Total External 98%, Total Internal 2%)
Figure 29. Timespan of events within Web App Attacks
Discovery method looks a little bleaker for activists. 99% of the notifications were external parties (primarily CSIRTs) contacting victims to let them know their hosts were involved in
Analysis – Misuse
Nearly all misuse incidents prior to 2013 centered on obtaining information for fraud. As Figure 34 shows, we saw more insider espionage targeting internal organizational data and trade secrets than ever before. These cads even resorted to physical theft, taking documents such as blueprints and other intellectual property, often denying availability to the original organization by taking the only copy. One of those "white-collar resort prisons" won't do for their ilk.
from following security policies because of their privileged status in the company.
Figure 34. Actor motives within Insider Misuse (n=125): Financial, Espionage, Grudge, Convenience, Fun 3%, N/A 2%, Other 2%, Non-corporate 1%
Figure 31. Vector for threat actions within Insider Misuse (n=123): LAN access, Physical access, Remote access
Figure 33. Variety of external actors within Insider Misuse (n=25): Organized crime, Former employee, Unaffiliated, Competitor, Acquaintance
According to The Recover Report,7 published by one of our DBIR contributors, Mishcon de Reya, the two most common scenarios involve perpetrators taking the data
It's also worth noting that the corporate LAN was the vector in
As mentioned in the beginning of this section, insiders aren't the only ones who misuse entrusted privileges and resources. Figure
Analysis – Theft and Loss
Figure 39. Top 10 action varieties of Theft/Loss (n=9,678)
Asset labels recovered from the figure: Laptop 892 (user dev), Documents 140 (media), Desktop 108 (user dev), Flash drive 102 (media), Disk drive 37 (media), Tapes 36 (media), Other 27 (media), Other 12 (media), Database 11 (server), Other (server)
Figure 40. Top 10 locations for theft within Theft/Loss (n=332): Victim work area 43%, Personal vehicle 23%, Personal residence 10%, Partner facility 5%, Victim secure area 4%, Public facility, Partner vehicle, Victim grounds 2%, Public vehicle 2%, Victim public area 2%
Observation #1 relates to demographics; we have evidence that every type and size of organization loses stuff and/or has stuff stolen. That may not be much of a shock, but it's at least
employees from losing things (not gonna happen) or b) minimize the impact when they do. The smart money is on option b, though bio-implanted computing devices do hold some future promise for option a. That's about all we're going to say about loss, but theft still has a few more lessons for us.
lost or stolen had to store, process, or transmit information in order to get our attention.
Analysis – Theft and Loss
Figure 45. Discovery and containment timeline within Miscellaneous Errors (Discovery n=127, Containment n=55; units: Seconds, Minutes, Hours, Days, Weeks, Months, Years, Never)
Organizations only discover their own mistakes about one-third of the time. Otherwise, an external entity makes them aware of the incident, and most frequently it's the organization's own customers. You could try the "Inconceivable!" tactic when a customer calls to say they found their unprotected personal data on your website — but if you keep using that word, they'll figure out it doesn't mean what you think it means.
Analysis – Crimeware
and specific institutions since March, 2013. So-called "booter websites" have made this type of attack available to literally anyone who wants to attack a company or institution. Naturally, a host of other malware families made appearances last year, but these two stood out to us as worthy of a brief mention.
Figure 47. Top 10 threat action varieties within Crimeware (n=2,274): C2 86%, Unknown 24%, Spyware/keylogger 13%, Downloader 10%, Spam 9%, Client-side attack 6%, Backdoor 4%, DoS 4%, Adware 2%, Export data 1%
Analysis – Crimeware
to achieve and maintain control of a device to command it to do your bidding. Whether the little compromised minions are participating in a spam botnet, stealing banking credentials, or hijacking a browser to artificially boost ad revenue, there are numerous ways to leverage compromised workstations that don't entail deeper penetration into a network.
Figure 48. Top 10 vectors for malware actions within Crimeware (n=337): Web drive-by 43%, Web download 38%, Network propagation 6%, Email attachment 5%, Email link 4%, Download by malware 2%, Other 2%, Remote injection 1%, Unknown 1%, Removable media 1%
The majority of crimeware incidents start via web activity — downloads or drive-by infections from exploit kits and the like — rather than links or attachments in email.15 Adware still shows up, though Bonzi Buddy thankfully remains extinct. For malware
Analysis – Crimeware
Figure 50. Top 10 assets affected within Crimeware (n=1,557): Other (server) 43%, Other (user dev) 19%, Web application (server) 14%, Mail (server), Other (people) 10%, Desktop (user dev) 8%, Unknown 3%, Laptop (user dev) <1%, End-user (people) <1%, Mobile phone (user dev) <1%
Like us, your first reaction might be "why not technologies like IDS and AV?" This reflects the role of CSIRTs as the primary provider of crimeware incidents in this dataset. The discovery method wasn't known for 99% of incidents; it's not usually within their visibility or responsibility. For all we know, CSIRTs only saw
Analysis – Payment Card Skimmers
For a wide array of criminals ranging from highly organized crime rings to garden variety ne'er-do-wells who are turning out no good just like their mama warned them they would, skimming continues to flourish as a relatively easy way to "get rich quick." While most incidents are linked to Eastern European actors, nearly all victims of payment card skimmers in this report are U.S. organizations (the U.S. Secret Service and public disclosures being the primary sources for this data). While some don't think we should include this type of attack in the DBIR, we can't justify excluding a tried-and-true method used by criminals to steal payment card information.
There's not a ton of variation in this pattern at the VERIS level: criminal groups install skimmers on ATMs (most common) and other card swipe devices. On a more qualitative level, the skimmers are getting more realistic in appearance and more efficient at exporting data through the use of Bluetooth, cellular transmission, etc.
Key findings
In 2013, most skimming occurred on ATMs (87%) and gas pumps (9%) due to the relative ease with which they can be approached and tampered with. Gas pump skimmers are often installed by a small group of people acting in concert. One scenario involves one or more conspirators going into the station to make a purchase and distract the cashier's attention, while a partner in crime plants the device inside the machine using a universal key.
ATM skimmers, on the other hand, are installed on the outside of the machine. While some ATM skimming devices are clunky homemade affairs that might afford an opportunity for observant customers to spot them, the design of many skimmers (both those created by the criminal and those purchased "off the shelf") can be so realistic in appearance that they are virtually invisible to the end user. In most cases they can be snapped in place in a matter of seconds and can be produced in sufficient quantities to make the attacks scalable and highly organized. This, however, has been the norm for some time and warrants only cursory mention in this report. What has changed over time, however, are the methods by which the data is retrieved by
Figure 53. Origin of external actors within Card Skimmers (n=40): Bulgaria 38%, Armenia 18%, Romania 18%, Brazil 8%, United States 8%, Bosnia and Herzegovina 2%, Cuba 2%, Iran, Islamic Republic of 2%, Mexico 2%, Nigeria 2%
Figure 54. Assets affected within Card Skimmers (n=537): ATM (terminal) 87%, Gas terminal (terminal) 9%, Access reader (network) 2%, PED pad (terminal) 2%, POS terminal (user dev) 2%, Backup (server) 1%, Database (server) 1%, Mail (server) 1%, Mainframe (server) 1%, Proxy (server) 1%
Analysis – Cyber Espionage
organizations join the cause. We can't help but wonder why we have no examples of Italian victims of espionage in our dataset. Our best hypothesis is that sophisticated actors remember the classic blunder of "go[ing] in against a Sicilian when death is on the line" when selecting targets (the most famous blunder, of course, is getting involved in a land war in Asia).
Figure 57. Victim country within Cyber-espionage (n=470): United States 54%, South Korea 6%, Japan, Russian Federation, Colombia 2%, Ukraine 2%, Vietnam 1%, Belarus 1%, Kazakhstan 1%, Philippines 1%
In addition to geographic broadening, we see a wide distribution of both sizes and types of victim organizations. Unfortunately, victim size is often not tracked, so there are a lot of unknowns here. Insofar as we can determine from the data before us, however, size doesn't seem to be a significant targeting factor.
Analysis – Web Application
Figure 58. Variety of external actors within Cyber-espionage (n=437): State-affiliated 87%, Organized crime 11%, Competitor 1%, Former employee 1%, Unknown <1%
As expected, most incidents in this category are attributed to state-affiliated actors. But the data also reminds us that organized criminal groups, competitors, and current23 and
when describing attribution to particular countries, regions, and threat actors. With that in mind, the following would fall between "Probable" and "Almost Certain."
Analysis – Web Application
toward their objective. The proportion of espionage incidents incorporating phishing is lower than our last report (it was 95%), but not because of a drop in actual frequency. This is primarily due to a big increase in the use of strategic web compromises (SWCs) as a method of gaining initial access.
Figure 61. Vector for malware actions within Cyber-espionage (n=329): Email attachment 78%, Web drive-by 20%, Direct install 4%, Downloaded by malware 3%, Email link 2%, Email autoexecute <1%, Network propagation <1%, Remote injection <1%, Unknown <1%
Instead of email bait, SWCs set a trap within (mostly) legitimate websites likely to be visited by the target demographic. When
Analysis – Web Application
Figure 62. Variety of at-risk data within Cyber-espionage (n=355): Internal 85%, Secrets 83%, System 80%, Classified 31%, Unknown 19%, Credentials, Payment, Personal, Copyrighted <1%, Other <1%
Once the phishing email or SWC has done its work, and an internal system is infected, the name of the game is moving determinedly through the network to obtain the prize. This may happen quickly, but it also may last for years. Common methods involving loading backdoors on systems to maintain access,
Analysis – Web Application
Figure 64. Discovery timeline within Cyber-espionage (n=101): Seconds 0%, Minutes 0%, Hours, Days, Weeks, Months, Years
The most common method of discovery is ad hoc notification from threat intelligence and research organizations that observe, for instance, the victim communicating with C2
Conclusion
• It would be over-optimistic to think that one has not encountered the threats described in the DBIR 2014 report.
• Believing that the absence of security incidents stems from a valid and robust security infrastructure is a harmful self-confidence that opens the door to vulnerability.
• Allocating budget to security vendors' flashy technologies and expecting results from products alone has not solved the problem and will not solve it.
• The absence of a responsible national institution further increases the responsibility of managers and employees serving in every position.
• Our concern is that many private and public systems that should count as critical are not at the level of protection they deserve against cyber espionage attacks.
• We must take precautions in the belief that cyber espionage attacks are carried out against our country by many countries, friend or foe, without regard to religion or ethnicity.

Your Questions and Suggestions
? !

Thank you