IBM X-Force 2012 Annual Trend & Risk Report Has Been Released
April 4, 2013
It is always exciting to be able to announce the next version of the IBM X-Force® 2012 Trend & Risk Report and today we are announcing the full year 2012 findings of key highlights that were researched by IBM X-Force. One of the differentiators that we observed across various attacker efforts was that by targeting vulnerabilities in cross-platform frameworks, and building on a solid foundation of tried-and-true attack techniques, attackers are achieving a greater return on exploit development in 2012.
Looking back over the year, there was a measurable increase in the public announcements of security incidents and breaches, where SQL injection and DDoS attacks continued to wreak havoc on IT infrastructures.
Over the past year, the discovery of sophisticated toolkits with ominous names like Flame, together with cross-platform zero-day vulnerabilities, left both consumers and corporations inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents—which had already hit a new high in 2011—continued its upward trajectory.
At the mid-year of 2012, we predicted that the explosive nature of attacks and security breaches seen in the first half would continue. Indeed this was the case.
Operational Sophistication—Advanced Persistent Threats—not always so Advanced
2012 marked notable advances in operational sophistication – more than technical sophistication – across all attacker groups and many attack methods. While media headlines are dominated by the achievements of advanced tactics used to breach high profile organizations, more often than not, these efforts follow a path of least resistance and rely on simpler, tried-and-true methods rather than zero-day attacks and sophisticated malware. Advanced persistent threats, while persistent, did not always use advanced technical approaches such as zero-day exploits and self-modifying malware.
The exploitation of web application vulnerabilities rose 14% in 2012 to more than 3,500 known issues, or 43% of all reported vulnerabilities, led by cross-site scripting (XSS) and SQL injection. The share of XSS vulnerabilities was the highest X-Force has ever seen at 53%, driven by third-party add-ons or plug-ins for content management systems (CMS). Attackers know that CMS vendors address and patch their exposures more readily than the smaller organizations and individuals producing the add-ons and plug-ins, and went after the softer targets.
ABC’s and DDoS’s
Denial of Service (DoS or DDoS) is another approach where attackers modified their tactics to increase sophistication. 2012 saw an enormous increase in DoS traffic volumes, using up to 60 to 70 Gbps of data driven by compromised, always-on (24x7), higher-bandwidth web servers instead of PCs. Hacktivists selected DDoS as their weapon of choice, and the ready availability of exploit toolkits such as ‘itsnoproblembro’ provided upgraded technology to even the rank-and-file antagonists.
The Java Connection
In 2012, it was clear that web browser exploit kit authors were favoring exploits targeting newly discovered Java vulnerabilities, and successfully incorporating them within two to three months after the code was made available or detailed information was published. The reason for this is simple: Java is a means to successfully infect the highest number of systems possible.
Unlike the often exploited web browser environment, the Java platform has the following important characteristics:
1. Exploits written for Java vulnerabilities, particularly logic vulnerabilities leading to a Java Virtual Machine (JVM) sandbox bypass, are very reliable and do not need to circumvent exploit mitigations in modern operating systems.
2. The Java plugin runs without a process sandbox, meaning that once a Java plugin is compromised, an attacker will be able to install persistent malware on the system without the need to exploit a separate privilege elevation vulnerability.
3. Java is available on multiple operating systems, making it a cross-platform attack opportunity and one of the primary ways that drive-by downloads are affecting the Mac OS X platform.
IBM X-Force offers several suggestions to better prepare organizations for whatever the next actions of mass exploit kit authors might be. These include reducing your attack surface, keeping your software up-to-date, and taking advantage of the security features offered by your browser and browser plugins.
Social media and intelligence gathering
Few innovations have impacted the way the world communicates quite like social media; however, the mass interconnection and constant availability of individuals has introduced new vulnerabilities and caused a fundamental shift in intelligence gathering. In 2012, social media repositories were leveraged for enhanced spear-phishing techniques, duping users into clicking on bad links seemingly originating from friends and co-workers. The ability to focus on individuals allowed attackers to see enterprises as a collection of personalities helping them take advantage of the employees’ personal activities, and more easily bypass enterprise email security countermeasures or perimeter security defenses.
Attacker reaction to botnet take downs
While overall spam volume was down in 2012, the nature of this spam and the resiliency of the botnet command and control servers continue to cause problems. Today’s spam is better targeted and continues to include effective methods to inject malicious code, such as images and zip files, or instead points users to malicious links. IBM X-Force also witnessed operational sophistication in the way botnet command and control servers improved their resiliency against takedowns by compensating with other readily available networks.
Mobile Security Practices can Increase Overall Security and Lower Risk
Mobile computing devices should be more secure than traditional user computing devices by 2014. This is a bold prediction that IBM recently made as part of its look ahead at technology trends. While the prediction may seem far-fetched on the surface, it is based on existing security control trends and needs, driven by the popularity of mobile computing and BYOD. Those challenges have resulted in new control technologies that allow finer-grained controls than previous approaches for traditional computing devices. We have already seen some of these improvements trickle down into mainstream desktop operating systems, and should expect this trend to continue.
Developing applications for mobile environments is fundamentally different. Application sandboxing limits the exposure of system-level interfaces; digital signing prevents the installation of rogue code; the ability to remotely wipe the whole device—or selected applications and associated data—is another built-in safeguard; and biocontextual authentication involving physical location, network identification, voice recognition, and eye and facial recognition is being pioneered on mobile platforms.
Operational Security Practices
Risk modeling, assessment and management
Finally, the IBM Professional Security Services (PSS) Emergency Response team provides readers with creative methods to help reconsider risk modeling, assessment and management, helping security professionals assess the risk posed by threats to their networks and document ways to treat, transfer, tolerate or terminate each threat within their systems. Below is a chart from this article that discusses an example threat assessment and actionable mitigation process.
We encourage readers to not only check out the highlights listed here, but read the full report with additional contributions from the IBM Security division.
Download a copy of the X-Force 2012 Annual Trend and Risk Report.