Executive Summary.................................................................................................... 3
Introducing the 2015 Global Threat Intelligence Report.......................................... 3
Key Findings............................................................................................................... 4
Geographic and Vertical Market Trends................................................................. 4
Vulnerabilities, Attacks and Exploitation................................................................. 4
Incident Response and Case Studies.................................................................... 5
The Rise of Global Threat Intelligence in the Digital Business World...................... 7
The Challenge for IT............................................................................................... 7
The Broader View with Threat Intelligence.............................................................. 8
Global Data Analysis and Findings............................................................................ 9
2014 Attack Analysis.............................................................................................. 9
Exploit Kits Operational Lifecycles and Current Trends........................................ 15
Exploit Kit Development and Operation Lifecycles................................................. 15
Vulnerabilities Targeted in Exploit Kits ................................................................... 20
Exploit Kit Detection by Month............................................................................... 26
The User is the Perimeter.......................................................................................... 29
The User is Vulnerable........................................................................................... 30
Weekend Trends.................................................................................................... 32
Case Study, Spear-Phishing Campaign................................................................. 35
Incident Response..................................................................................................... 40
Enterprise Capabilities Mature at Slow Pace.......................................................... 40
Types of Incident Response................................................................................... 40
Incidents by Sector................................................................................................ 41
Five Key Recommendations Based on Incident Review......................................... 44
Threat Intelligence Defined..................................................................................... 49
Distributed Denial of Service Attacks ....................................................................... 56
Distributed Denial of Service Observations............................................................ 56
Calendar View of the Distribution of DDoS Attack Types........................................ 59
Case Study, Web Application DDoS Attack........................................................... 61
NTT Group Resource Information ............................................................................. 65
About NTT Group Security Companies................................................................. 65
The NTT Global Data Analysis Methodology.......................................................... 67
The NTT Global Threat Intelligence Platform (GTIP)................................................ 67
Terminology and Glossary......................................................................................... 69
2015 NTT Group Global Threat Intelligence Report Copyright 2015 NTT Innovation Institute 1 LLC 2
EXECUTIVE SUMMARY
Introducing the 2015 Global Threat Intelligence Report
Over the last several years, there has been significant security industry focus on Advanced Persistent Threats (APTs, or advanced threats), and rightly so. Advanced threats are after organizations' crown jewels, and even the most sophisticated security vendors struggle to detect advanced attacks in progress. However, without the practical fundamentals, such as mature patch management processes, incident response procedures, endpoint protection controls, and proper training for users to detect phishing attacks or malware on their computer, attacks don't need to be advanced to succeed. If the attacker can successfully exploit an old vulnerability or succeed with a social engineering attack, they can use their advanced techniques to maintain the attack instead of initiating it.
This report demonstrates that APTs aren't the only attacks with which organizations need to be concerned. The data gathered by NTT Group in 2014 demonstrates that many organizations are still not effectively defending against less advanced threats.
As a result, this report focuses on techniques used in less advanced attacks, and the ways in which
organizations can effectively defend against and respond to those attacks. This report also includes
a chapter focused on the risks to end users, who are exclusively the targets of exploit kit and spear
phishing attacks. End users are the perimeter for organizations, and they need to be treated that
way.
It is a common refrain in the security industry that everyone needs to anticipate being compromised, but we do not see enough organizations taking this advice. NTT Group's observations in 2014 are that most organizations are not adequately prepared to handle major incidents in their environment.

In other research areas, threat intelligence is a hot topic, but there appears to be some confusion in the market about what threat intelligence is and what it is not. For this reason we have included a brief introduction to threat intelligence, how NTT Group defines threat intelligence, and how it is achieved. Proper threat intelligence is only recently being recognized for the true value it can bring to an organization. While it is being treated as an extension of existing security controls, it is more appropriate to consider this as a foundational element.
Distributed Denial of Service (DDoS) attacks are attacks from multiple sites which are conducted with the purpose of making the target unavailable for intended users. We present an overview of the DDoS attacks NTT Group observed in 2014, with a focus on the rise and fall of specific attacks as well as the distribution of DDoS attack types observed throughout the year.
Each section of this report presents recommendations for organizations to compare what controls
they have in place against techniques which are proven to help mitigate threats.
KEY FINDINGS
Geographic and Vertical Market Trends

Throughout this year's report NTT Group provides insight into the different threats we have observed against our clients, both by geographic location and alignment with specific business sectors.

• Finance continues to represent the number one targeted sector with 18% of all detected attacks. The long-term trend of targeted attacks against the finance sector continues. Most incident response engagements supporting the finance sector in 2014 were directly related to wire fraud, phishing and spear-phishing attacks.

• Attacks against business and professional services moved from 9% to 15%. Business and professional services increases are the result of the risks inherited through business-to-business relationships. The likely implication is that this sector consists of generally softer, but high-value, targets for attackers.
• Malware-related events in the education sector dropped from 42% to 35%. Although there was a 7% decrease when compared to the 2013 findings, the education sector still represents over one-third of all malware-related events across all sectors.

• 56% of attacks against the NTT global client base originated from IP addresses within the United States. This represents a climb of 7% from 49% identified in 2013 data. Attackers often leverage systems close to their intended targets, bypassing geo-filtering defense tactics. The United States is also a highly networked country and there is no shortage of resources for attackers to use.

• Over 80% of vulnerabilities in 2014 exploit kits were published in 2013 and 2014. In 2012, the average age of vulnerabilities in exploit kits was slightly less than two years old. In 2013 and 2014, the average age of vulnerabilities in exploit kits was just over one year. Exploit kit developers are focusing on usability and effectiveness of their kits to ensure successful compromise of targeted systems. Keeping content and capabilities of exploit kits fresh is a key factor which supports cybercrime as a business.
• There has been an increase in Adobe Flash exploit usage in exploit kits from 2012 to 2014. The number of Flash vulnerabilities identified in 2014 was the highest ever. This contributed to the steady increase of Flash-related exploits found in exploit kits. The Angler exploit kit has included zero-day Adobe Flash exploits, differentiating itself from competition.

• Network Time Protocol (NTP) amplification attacks contributed to 32% of all DDoS attacks observed by NTT Group in 2014. During the first quarter of 2014, NTP amplification accounted for the single largest amount of DDoS activity for the entire year. The simplicity of launching these types of attacks and the availability of DDoS tools to support them were key contributors.

• DDoS amplification attacks using User Datagram Protocol (UDP) accounted for 63% of all DDoS attacks observed by NTT Group. In addition to the NTP amplification attacks observed, other UDP-based attacks (SSDP and DNS) accounted for almost two-thirds of all attacks.

• During 2014, 76% of identified vulnerabilities throughout all systems in the enterprise were more than 2 years old, and almost 9 percent of them were over 10 years old. Considering the data represents vulnerabilities with a Common Vulnerability Scoring System score of 4.0 and higher, this should be cause for significant concern about the effectiveness of patch management solutions. According to the CVSS, a score of 4.0 or higher would include vulnerabilities rated as medium and high, and would likely result in failing of many compliance assessments. Many of these vulnerabilities also have exploits available in exploit kits.
• NTT Group observed incident response efforts focused in three core areas (malware, DDoS and breach investigations). Although it appears some organizations are realizing the importance of managing incident response capabilities in-house, there is still a very clear trend in organizations needing external support for these core areas. Organizations appear to be
fairly well suited for day-to-day operational response, but still rely on third-party expertise when
it comes to more complex security events.
• NTT Group support for DDoS attack response sharply decreased from 31% in 2013 to 18% in 2014. As technology capabilities become more widely available and affordable, and education about DDoS mitigation becomes more widespread, NTT Group has observed a decline in external support required for DDoS attacks. Although there was significant focus on NTP and SSDP DDoS attacks in 2014, mitigation controls are often able to handle these threats, resulting in fewer incident response support events in this area.

• Incident response engagements involving malware threats increased 9% compared to 2013, from 43% to 52%. With the increased capabilities of exploit kits, NTT Group experienced a steady increase of incident response support for malware threats. A majority of this was in response to mass distributed malware.
• Basic controls are still not implemented in all cases. 74% of organizations do not have
formal incident response plans. Proper network segregation, malware prevention controls,
patch management, monitoring, and incident response planning could have prevented or
mitigated a significant portion of the incidents NTT Group saw in 2014. These foundational
controls are absent even in many large organizations.
• Case Study: Spear Phishing Attack. Organization saves over 80% by successful mitigation. In this case study, NTT Group describes in detail how a spear phishing attack cost an organization over $25,000 in legal and investigation costs, but could have cost $127,000 or much more.
• Case Study: Web Application-based DDoS Attack. Due to rapid detection and response efforts an organization was able to successfully address DDoS attacks, resulting in significant reduction of reputation and monetary losses. Proactive DDoS services saved the organization's reputation and avoided significant financial impact.
THE RISE OF GLOBAL THREAT INTELLIGENCE IN THE DIGITAL BUSINESS WORLD
In developing the Global Threat Intelligence Report (GTIR), the NTT Group security team used extensive data gathering tools and technologies, including managed security services across the NTT Infrastructure, professional service engagements, customer incidents and NTT's new Global Threat Intelligence Platform (GTIP). This includes data and analysis from Dimension Data, NTT Data, NTT Com Security, Solutionary and NTT Innovation Institute (NTT i3).
Organizational IT exists in a hybrid model which combines on-premises as well as cloud and SaaS-based services which diversify the attack landscape. At the same time, IT departments in compliance- and regulation-dominated industries need to maintain high levels of security for their existing mission-critical systems, thereby establishing a bi-modal world.
This infrastructure diversity creates a dramatic increase in the complexity of managing security
operations and requires analysis which is not just confined to the local infrastructure. Cybercriminals
are globally organized, well-funded, skilled, and easily outnumber security staffers at most
organizations.
Typical conventional frameworks were designed to fight a very different battle. They require a
number of different products, from a variety of vendors, to control and protect a variety of network
access points, processes and products. Security control is accomplished using the hierarchy of
networks and products to create a wall around a network to protect endpoints and servers as well
as valuable data and information.
This new framework will improve the industry's ability to deliver security controls using an integrated hierarchy of products, services and intelligence. Organizations will be able to consider intelligence which is meaningful to them, and when combined with awareness of their own environments, will enable better management of risk and application of appropriate controls. An ultimate intrusion resilient framework will deliver the latest in elastic security specifically designed to meet pressures from today's digital world: cybercrime, state-sponsored attacks and hacktivism.
The best threat intelligence establishes security flexibility and integration for:
• Proactive protection
• Threat mitigation before attacks even begin
• Minimal damage if attacked
• Faster recovery from the damage
• Continuously improved security operations
Threat intelligence is an evolving capability in security, and many vendors are entering the
marketplace. Vendors utilize data from their respective installed bases or through customer service
engagements. Threat intelligence in the marketplace is constrained by delivery technologies, the
nature of the information sources, trustworthiness of the data and the geographical coverage.
GLOBAL DATA ANALYSIS AND FINDINGS
This section presents an analysis of global attack data gathered by NTT Group security companies
in 2014. The analysis is based on log, event, attack, incident and vulnerability data from clients and
NTT research sources, including honeypots, sandboxes and DDoS services.
During normal operations, NTT Group gathers security log, alert, event and attack information,
enriches it to provide context, and analyzes the contextualized data. NTT Group processes trillions
of logs and billions of attacks each year. The size and diversity of our client base makes this data
representative of the threats encountered by most organizations.
The data presented in this section is derived from correlated log events identifying attack events. The use of validated attack events, as opposed to raw log data or network traffic volumes, more accurately represents actual occurrences of attack. Without proper categorization of attack events, the disproportionately large volume of untargeted network reconnaissance traffic, false positives, and large floods of DDoS activity monitored by Security Operations Centers (SOCs) would obscure the actual incidence of attacks.
NTT Group security companies continually analyze this data for additional context. The raw data may suggest the United States is a buzzing hive of digital attackers while the rest of the world sits idly by, but the reality is significantly different. Due to the ease of provisioning, cheap cost and quality of U.S.-based cloud hosting services, attackers frequently host their attacks on U.S.-based servers, using these services as a mechanism to hide their actual source address. While the source IP address is based in the U.S., the actual attacker could be anywhere in the world.
FIGURE 1: Attack Sources, 2014 (percent of events). Countries shown, in order: United States, China, Australia, Great Britain, France, Germany, Russia, Netherlands, India, Ukraine, Denmark, Canada, Other.
The next figure documents the distribution of NTT clients contained in the data set, across their associated industry sectors. For this year's report, clients were remapped from 14 vertical industries to 18 industry sectors, allowing for a more accurate representation of industries. Based on the analyzed data, NTT Group identifies in this report when this sector redistribution had a significant impact on the presented findings.
The figure below represents the overall distribution of attacks by the targeted industry sector. With 18 percent of all detected attacks, finance continues to represent the number one targeted vertical sector. This is essentially unchanged from 2013, when 20 percent of attacks were directed at organizations in the finance vertical. Due to redistribution of sectors, along with the addition of new clients and more diverse geographies, many of the details relating to attacks by sectors have evolved since 2013, making the data difficult to compare.
Considering the changes in client composition and available attack details, attacks against manufacturing remained at a level comparable to last year, while attacks against business and professional services and retail sectors both rose. NTT Group has seen some campaigns specifically targeting business & professional services. The likely implication is that this sector may not have the equivalent security resources as other companies, yet yields high value for attackers as both an end target and a gateway target to strategic partners. The retail sector continues to be an attractive attack target.
One of the interesting data points to dive into is the distribution of attack types across all sectors
and countries. Anomalous activity, including privileged access attempts, exploitation software and
other unusual activity, moved from the second position (15 percent) into first, with 20 percent of the
total attack events. Network manipulation, web application attacks, and service specific attacks
all showed marked increases as well. Reconnaissance activity rose from 4 percent in 2013 to 10
percent this year, primarily due to refinement of alerting and reclassification of attacks as less hostile
activity.
This indicates attackers are spending more time and effort to scope out their victims and specifically
target attacks against the devices and applications which exist in the victim environment, and are
likely to be vulnerable. It also speaks to the prominence and effectiveness of exploit kits. Using
actively maintained exploit kits as a piece of the overall delivery mechanism facilitates large-scale
infections of unpatched operating systems and applications. Additional information can be found in
the section on Exploit Kits.
Other categories, such as DoS/DDoS and known bad source, show levels consistent with previous years' reports.
The next figure presents the web application attacks category, which was the third most common attack category observed by NTT Group in 2014. This is an important category, as it typically reflects attacks against an organization's Internet-facing applications.
26 percent of observed web application attacks in 2014 were injection-style attacks, such as SQL injection or LDAP injection. This directly correlates with the OWASP Top Ten Web Application vulnerability list, where injection is the top vulnerability. It is also a significant increase from the 9 percent identified in the 2013 data. Lining up with OWASP [1] ranks four and two, insecure direct object references and authentication and access control issues both dropped 3 and 4 percent, respectively. Both of these risk types allow an attacker unauthorized access to data.
Cross-site scripting (XSS) and security misconfigurations both had similar levels of attacks as 2013.
Due to the high level of XSS vulnerabilities in the wild, it is surprising to see such a relatively low
volume of active exploitation.
[1] https://www.owasp.org/index.php/Main_Page
FIGURE 5: Web Application Attack Type, 2014 (In 2014, Injection Attacks Lead Web Application Attack Types). Categories shown: Injection, Other, Insecure Direct Object Ref, Authentication & Access Control, XSS, Security Misconfiguration, Sensitive Data Exposure, Session Management.

Vulnerability data for 2014 is generated across multiple organization verticals and sizes, and from a wide range of scanning data from multiple scanning vendor products, including: Qualys, Nessus, Saint, McAfee, Rapid7, Foundstone and Retina. The next figure represents the top ten vulnerabilities from external and internal scans. The inclusion of additional data from more distributed global geographies, along with the data from new clients, makes it difficult to compare 2013 and 2014 vulnerability data.

FIGURE 6: Top Ten Vulnerabilities from External and Internal Scans (chart contents not reproduced in text).
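The vulnerability-age figures in the Key Findings (76% of CVSS 4.0-and-above findings older than two years, almost 9% over ten, and exploit-kit vulnerabilities averaging just over a year old in 2014) are the kind of metric a patch-management team can compute from scan exports like those described above. The following is an added example, not NTT Group's code or methodology; the CVE ids, dates and scores are constructed, and exploit-kit age is assumed to be measured at year granularity (kit year minus publication year).

```python
"""Vulnerability-age metrics of the kind cited in the report.

Added example, not NTT Group's code or methodology. Assumptions: scanner
findings carry a CVSS base score and the vulnerability's publication date;
exploit-kit age is measured at year granularity (kit year minus CVE
publication year). All ids, dates and scores below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List

CVSS_THRESHOLD = 4.0  # report counts medium and high: CVSS 4.0 and above


@dataclass(frozen=True)
class Finding:
    cve: str          # scanner's vulnerability identifier (placeholder values here)
    published: date   # date the vulnerability was publicly disclosed
    cvss: float       # CVSS base score reported by the scanner


def age_in_years(published: date, as_of: date) -> float:
    """Fractional age of a vulnerability at the reference date."""
    return (as_of - published).days / 365.25


def age_buckets(findings: Iterable[Finding], as_of: date,
                threshold: float = CVSS_THRESHOLD) -> Dict[str, float]:
    """Share of findings scored >= threshold that are older than 2 and 10 years.

    Findings below the threshold are dropped first, mirroring the report's
    CVSS >= 4.0 cut. Pass a list already deduplicated per CVE if the scanner
    emits one row per affected host and you want unique vulnerabilities.
    """
    scored = [f for f in findings if f.cvss >= threshold]
    if not scored:
        return {"count": 0, "pct_over_2y": 0.0, "pct_over_10y": 0.0}
    over_2y = sum(age_in_years(f.published, as_of) > 2 for f in scored)
    over_10y = sum(age_in_years(f.published, as_of) > 10 for f in scored)
    n = len(scored)
    return {
        "count": n,
        "pct_over_2y": round(100.0 * over_2y / n, 1),
        "pct_over_10y": round(100.0 * over_10y / n, 1),
    }


def kit_freshness(published_years: List[int], kit_year: int) -> Dict[str, float]:
    """Average age of a kit's vulnerabilities and the share published in the
    kit year or the year before (the report's '2013 and 2014' figure for 2014 kits)."""
    ages = [kit_year - y for y in published_years]
    recent = sum(1 for y in published_years if y in (kit_year, kit_year - 1))
    n = len(published_years)
    return {
        "avg_age_years": round(sum(ages) / n, 2),
        "pct_last_two_years": round(100.0 * recent / n, 1),
    }


# Constructed scan export, evaluated at the end of 2014.
AS_OF = date(2014, 12, 31)
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-1", date(2004, 6, 1), 7.5),
    Finding("CVE-PLACEHOLDER-2", date(2011, 3, 15), 5.0),
    Finding("CVE-PLACEHOLDER-3", date(2012, 10, 1), 4.3),
    Finding("CVE-PLACEHOLDER-4", date(2014, 2, 1), 9.3),
    Finding("CVE-PLACEHOLDER-5", date(2013, 8, 1), 2.1),   # below the CVSS cut
    Finding("CVE-PLACEHOLDER-6", date(2003, 1, 10), 5.0),
    Finding("CVE-PLACEHOLDER-7", date(2013, 12, 1), 6.8),
    Finding("CVE-PLACEHOLDER-8", date(2009, 5, 20), 4.0),
]
# Constructed list of publication years for the exploits carried by a 2014 kit.
SAMPLE_KIT_2014 = [2014, 2014, 2013, 2013, 2013, 2012]

if __name__ == "__main__":
    print("enterprise findings:", age_buckets(SAMPLE_FINDINGS, AS_OF))
    print("2014 exploit kit:", kit_freshness(SAMPLE_KIT_2014, 2014))
```

Feed it a real scanner export (one row per unique CVE, with NVD publication dates) to get the two numbers the report uses as a patch-management health check.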
NTT Group gathers and analyzes malware samples from a wide range of sources, including NTT
Group security platforms, incident response investigations, malware repositories, malware feeds,
interactions with clients and privately maintained honeypot networks. The analyses performed allow
for development of proprietary detection and prevention signatures to better protect our clients. The
following figure shows the distribution of malware by sector.
While down from last year's 42 percent, at 35 percent the education sector still included more than
a third of all detected malware events during 2014. Universities and other educational institutions
have a large body of users connected to a public network with personal systems and a culture
which promotes making information readily available. The use of personal devices, with various
operating systems and patch levels, as well as different levels of end user education and protection
methods, results in an environment of turmoil under the best of circumstances.
The business & professional services sector accounted for 15 percent of the malware observed, a
decrease of 8 percent from the 23 percent in 2013. This decrease closely matches the drop in
the percentage of clients which are members of the business & professional services sector. The
healthcare sector accounted for 24 percent of the malware observed, with a 21 percent increase
from 3 percent in 2013. Since NTT Group added many healthcare clients, and reorganized some
2013 healthcare clients into different sectors, direct year to year comparisons show greater variance
than is typical. It is possible that attackers have increased their targeting of personally identifiable
information available in the healthcare sector, though NTT Group did not detect a significant jump in
the overall attacks targeting healthcare.
FIGURE 7: Education Leads 2014 Malware by Sector (percent of malware events). Sectors shown, in order: Education, Healthcare, Business & Professional Services, Government, Manufacturing, Finance, Retail, Other.
EXPLOIT KITS OPERATIONAL LIFECYCLES AND CURRENT TRENDS
Software exploits take advantage of unpatched flaws or misconfigurations in operating systems,
applications and supporting libraries or frameworks. These exploits can allow an attacker to install
malicious software on a vulnerable device. Exploit kits are software packages commonly sold in
hacking forums and IRC channels. They include software exploits for known vulnerabilities across a
range of end-user technologies (Internet Explorer, Adobe Flash, etc.). Exploit kits enable their users
(in this section, when we use the term attackers, we are discussing Exploit Kit users) to execute
large-scale attacks against vulnerable systems without the user needing to develop their own
exploits. However, exploit kits don't enable attack capabilities for completely inexperienced criminals
who have decided to become hackers. Successful execution of a large-scale attack campaign
requires considerable knowledge and skill, and an exploit kit is only one component of a successful
attack.
This chapter provides an overview of the exploit kit development process, as well as the role which
exploit kits play in large-scale attacks. These discussions will help the reader understand the
lifecycle of exploit kits and the role they play as a component of large-scale attacks. Appropriate use
of an exploit kit requires skill; exploit kits help automate and manage one component of the attack
process. The development of exploit kits requires an entirely different set of skills, but is key to the
success and longevity of the exploit kit. The proliferation of exploit kits is a result of the increased
commoditization and specialization of the cybercrime economy.
This chapter also provides an analysis of exploit kit trends observed by NTT Group in 2014.
Increased competition between available exploit kits is driving these developers to use newer
exploits in their kits. For example, as one key evolution in exploit kits during 2014, NTT Group
observed an increase in the use of Adobe Flash exploits.
The following diagram presents two exploit kit processes. The first presents the process for
development and maintenance of exploit kits. The second presents the process for use of an exploit
kit by an attacker.
FIGURE 8: Exploit kit processes (diagram reconstructed as text).
Exploit Kit Developer Process: exploit selection and implementation; exploit kit maintenance (exploits are modified and tested to evade detection; new exploits acquired).
Exploit Kit User (Attacker) Process: victim targeting technique (phishing, drive-by downloads); command infrastructure (infrastructure for payload control and communication); campaign execution.
Exploit Kit Developer Process
Building Exploit Delivery Infrastructure and Web Application
Exploit kits are Software as a Service (SaaS) for attackers, and the development cycle for exploit
kits resembles the software development lifecycle used by legitimate organizations. The first
steps in exploit kit development are the creation of the exploit delivery infrastructure, along with
administrative and attacker interfaces. Exploit kits typically include the following components:
• Attacker access console (Exploit Kit Panel): Attackers who use exploit kits access the console via secure login to the exploit kit control panel. This console typically allows the attacker to monitor the status of exploit attempts and identify the number of compromised devices, as well as measure rates of exploitation success against different technology profiles, as shown in the following screenshot of the Fiesta exploit kit [2].
FIGURE 9: Fiesta exploit kit control panel (screenshot).
[2] From http://blog.0x3a.com/post/62375513265/fiesta-exploit-kit-analysis-serving-msie-exploit
• Administrator console: The administrator console is used by the exploit kit developer to monitor overall application use and exploit effectiveness.
• Landing page: Intended victims are directed to the exploit kit's landing page via a custom URL provided by the developer. This page profiles remote victim systems and attempts to execute exploits targeted against the victim system profile.
Payment for exploit kits can be arranged in a number of different ways. Bitcoin is a popular option. Alternatively, exploit kit developers may permit user access to their kit as long as developer malware is installed on victim devices along with user malware. This profit-sharing agreement allows the developer to piggyback their own malware onto victims obtained by exploit kit users. The developer then takes advantage of the attackers' work, gaining greater access to victims with less direct effort.
Removal of End-of-Life Exploits
An exploit's value to an exploit kit dissipates over time as detection mechanisms are implemented in endpoint protection technologies and vulnerabilities are remediated. As exploit kit administrators identify end-of-life exploits, they remove them from the kit.
• Profit
• Botnet Infrastructure
• Extortion
• Fame/Notoriety
• Hacktivism
Trojans, ransomware, or botnet applications. Exploit kits may or may not provide these
payloads, so attackers may be on their own to obtain, upload, and deploy them.
• Victim Targeting: Attacks using exploit kits require a mechanism to lure users to the exploit kit landing page. This can be accomplished in a number of ways. The most common are:
  • Phishing emails designed to lure victims to a hostile landing page
  • Compromised public websites which redirect unsuspecting site visitors to the landing page
  • Malvertising, where a malicious or compromised advertisement redirects a website visitor to the landing page
Exploit kits do not provide target acquisition functionality. However, an attacker could purchase this functionality from a different malicious software developer, such as a spambot operator.
• Exploitation and Payload Delivery: This is the role played by exploit kits. Once a victim is lured to the exploit kit landing page, the kit profiles the victim, identifies potentially effective exploits, exploits the target system, and delivers the attacker's payload.
• Post Exploitation: Once victims have been compromised, the attacker requires a mechanism to control and retrieve data from victim systems. A command and control infrastructure is generally not provided by exploit kits, and the attacker may have to develop or purchase this capability as well.
• Campaign execution and conclusion: Purchase of an exploit kit typically grants the user access to the exploit kit console for a limited period of time. After that period ends, the user's access is revoked, use of the exploit kit stops, and the campaign concludes.
[3] This chart includes data from http://contagiodump.blogspot.com, an excellent resource for historical and current exploit kit data.
FIGURE 10: Percentage of unique vulnerabilities targeted in exploit kits by technology, 2012-2014. Technologies: Java, Adobe Acrobat, Internet Explorer, Adobe Flash, Firefox, Windows, Silverlight, Others; series: 2012, 2013, 2014; x-axis: percent of vulnerabilities targeted in exploit kits by technology (0% to 50%).
• Decrease in Adobe Acrobat targeting: Adobe Acrobat exploit usage in exploit kits has steadily decreased from 2012 to 2014. One contributing factor to this drop-off is that Adobe Acrobat exploits require a higher degree of user interaction than browser or Flash-based exploits. Between 2013 and 2014 there was a 33 percent drop in Adobe Acrobat vulnerabilities published, as shown in the following graph.
FIGURE 11: Adobe Acrobat vulnerabilities published by year (years 2000 and 2003 through 2014; x-axis: number of vulnerabilities, 0 to 70).
• Decrease in Java targeting: The number of Java vulnerabilities targeted in exploit kits has decreased significantly from 2013 to 2014. This is due to the 36 percent decrease in Java vulnerabilities identified in 2014, as shown in the following graph.
• Increase in Adobe Flash targeting: There has been an increase in Adobe Flash exploit usage in exploit kits from 2012 to 2014. Exploit researchers have increasingly focused on Flash after significant improvements were made to Java and Internet Explorer security in 2014 [4]. The number of Flash vulnerabilities identified in 2014 was the highest ever, with a 36 percent increase over 2013, as shown in the following graph.
FIGURE 13: Adobe Flash vulnerabilities published by year, 2005 through 2014 (x-axis: number of vulnerabilities, 0 to 80).
• Consistent targeting of Internet Explorer: Internet Explorer is still distributed as the default browser on the Windows operating system and is common on end-user systems in the corporate environment. Internet Explorer continues to be a target of choice, not only because it is common, but because there has been no shortage of vulnerabilities in Internet Explorer over the past few years. Even more importantly, a significant number of those vulnerabilities (71 percent) allow the attacker great control, such as the ability to execute remote code or to bypass restrictions.
71% of vulnerabilities found in Internet Explorer during 2014 gave the attacker remote control or bypassed restrictions.
[4] FireEye has recently published a technical discussion of existing Adobe Flash weaknesses at https://www.fireeye.com/blog/threat-research/2015/03/flash_in_2015.html
FIGURE 14: Internet Explorer vulnerabilities published by year, 1999 through 2014 (x-axis: number of vulnerabilities, 0 to 260).
FIGURE 15: CVEs in exploit kits by year of release, 2012-2014. Y-axis: CVE year, 2006 through 2014; x-axis: number of CVEs from each year included in exploit kits (0 to 20); series: exploit kit release year 2012, 2013, 2014.
Exploit kit development and operational lifecycles rely on each other.
Over 80 percent of vulnerabilities in exploit kits released in 2014 were published in 2013 and 2014.
This data is similar to 2013 and this trend is likely to continue due to strong competition in exploit
kits, as developers look to differentiate their product by including newer exploits with a higher
likelihood of success.
FIGURE 16: Top 10 most popular vulnerabilities in exploit kits released in 2014 [5]. The 10 most popular vulnerabilities in exploit kits released in 2014, with a tie for 10th place. Entries recovered from the figure:
CVE-2014-0569 | 29% | Adobe Flash
CVE-2012-0507 | 24% | Oracle Java SE
CVE-2012-1723 | 24% | Oracle Java SE
In 2013, only one Adobe Flash exploit was among the 10 most popular exploits included in exploit
kits. In 2014, four Adobe Flash exploits were included in the top 10. In 2013, eight of the top 10
exploits were related to Java. In 2014, only four of the top 10 exploits involved Java.
A Microsoft Internet Explorer exploit (for CVE-2013-2551) was the most popular exploit included in
exploit kits in 2014. This vulnerability was originally discovered by Vupen Security. Vupen Security
specializes in discovery of zero-day vulnerabilities, and used an exploit for CVE-2013-2551 to
win the 2013 Pwn2Own hacking competition. Vupen subsequently published a blog post [6] which
provided a detailed walkthrough of how the vulnerability was exploited. These published details may
explain its popularity in exploit kits. This was a highly reliable exploit against Internet Explorer, which
likely also accounts for its popularity.
[6] http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php
Exploit kits are difficult to detect reliably. The best exploit kit detection mechanism is identification
of landing pages, which constantly change. There is also a natural ebb and flow to the popularity of
exploit kits, which explains some of the month to month variation observed in detection. Exploit kits
undergo release cycles similar to enterprise applications. An exploit kit may experience a decrease
in popularity as exploits in the kit become stale or ineffective, but once outdated exploits are
replaced with newer and more effective exploits, usage of the kit can increase.
• Final dissipation of Blackhole: After the arrest of Blackhole exploit kit creator Paunch in October 2013, support for Blackhole ended. NTT observed use of the once popular kit dwindle throughout 2014 and completely disappear during the 4th quarter. Blackhole was the premier exploit kit for more than two years and was actively maintained to achieve that status.
• Demise of Phoenix Exploit Kit: Similar to Blackhole, NTT observed the final demise of the Phoenix exploit kit in 2014. After the arrest of Phoenix's developer in April 2013, NTT observed a steady decline in Phoenix exploit kit activity. This kit is now considered retired.
• Increase in Angler usage: Angler appears to be the most active exploit kit due to inclusion of the latest exploits and retiring of older exploits. Angler has also included zero-day Adobe Flash exploits, differentiating itself from the competition. These characteristics led to a rise in its popularity in the second half of 2014, and this popularity has continued into 2015, with the release of Adobe Flash zero-day vulnerabilities (CVE-2015-0311, CVE-2015-0313) in Angler.
• Social engineering (phishing) training: Standard security awareness training alone is not adequate for organizations which maintain or access highly sensitive data. Real-world social engineering testing should be implemented for key employees to confirm their ability to detect and respond to actual phishing scenarios.
• Ad blocking software: Attackers frequently use malvertising to lure victims onto exploit kit landing pages. Use of ad blocking software, or web proxies with content filtering, can limit the effectiveness of this attack approach.
• IP reputation services: Use of IP reputation services which can warn or block users from visiting known bad IP addresses and domains can protect organizational users from inadvertently accessing those addresses. IP reputation services should only be considered a supplemental control. Addresses of exploit kits are constantly changing in order to evade detection, and the services are unlikely to maintain accurate and comprehensive real-time lists of landing page URLs.
• Threat intelligence: Threat intelligence services can be used to help organizations identify vulnerabilities which are being actively exploited in the wild. These services can act as a complementary control to patch management processes, to ensure that patching is prioritized for those vulnerabilities.
The User is the Perimeter
Security professionals have long known that what industry thinks of as the security perimeter has
been changing. IT and security management can no longer count on well-defined network security
perimeters to protect an organization from external attacks. Data is distributed across users,
and users exist in highly mobile, dispersed work environments which simply do not readily lend
themselves to centralized enforcement of consistent controls.
Historically, the concept of the changing perimeter has been supported mostly anecdotally, by stories rather than verifiable facts. During 2014 NTT Group gathered a significant amount of vulnerability and attack data which supports the concept of the dissolving perimeter; more specifically, that the user is the perimeter (read the article The User is Vulnerable). Detailed analysis showed that attacks on user endpoints and infection rates from typical Flash, Java and Adobe vulnerabilities had more predictable profiles than had been recognized in previous years. Organizational security controls detected a trend in attacks which correlated to user patterns during the workweek. Malware traffic spikes during the early days of the workweek when workers return to the office, and detected infection rates and attacks similarly decline on weekends (read the article Weekend Trends). Why?
Malware continues to become more complex, and hackers increasingly use exploit kits to help deliver malware which is highly effective in the targeted environment. But attacks pointed at users are usually gateway attacks which compromise the user in an attempt to gain access to the organizational network on which the user works. For instance, some attacks which deployed point-of-sale malware during this year's attacks against retailers came from phishing attacks targeted at end users. It seems obvious that business-minded attackers are optimizing their time by placing greater emphasis on the weakest link in a security system: the end user (see Case Study, Spear-Phishing Campaign).
Digital business is all about making effective use of available data. Criminal businesses are likewise in a constant race with their targets to capitalize on the value of that data. As end users become accustomed to always-on, real-time access to corporate data, they become targets of criminals who want those same data sources. Worse yet, that user too often becomes the attacker's entry point to the business.
The User is Vulnerable
During 2014, NTT Group observed millions of vulnerabilities on client systems. Looking at the details
of some of these vulnerabilities reveals some interesting information, including that 7 of the top 10
vulnerabilities were on end-user systems, as opposed to servers.
FIGURE 18: 2014's Top 10 Most Common Vulnerabilities
1. Outdated Java Runtime Environment
2. Oracle Java SE Critical Patch Update
3. Multiple Vulnerabilities in Java Web Start
4. Missing MS Windows Security Updates
5. Outdated Flash Player Version
6. Outdated Adobe Reader and Acrobat
7. Outdated Internet Explorer
8. Multiple Oracle Vulnerabilities
9. Outdated/Missing Patches Oracle DB
10. Outdated OpenSSH Version
The ultimate impact is that the end-user becomes a liability because their systems are often full of
unpatched vulnerabilities. At the time this report was written there were patches available which
would mitigate the impact of all 10 of the top vulnerabilities seen in 2014. Patching and keeping
systems updated is tedious and can be very difficult, especially in a geographically distributed
organization with a highly mobile, heterogeneous hardware and software environment.
FIGURE 19: Vulnerabilities by year of release, 2014 (release years 1999 through 2014; x-axis: percent of identified vulnerabilities, 0% to 14%).
During 2014, 76 percent of identified vulnerabilities throughout all systems in the enterprise were
from 2012 or earlier, making them more than 2 years old, and almost 9 percent of them were over
10 years old. Many are also rapidly incorporated into common and simple-to-use exploit kits so that
attackers can more readily use them as part of their attack suite.
FIGURE 20: 76% of identified vulnerabilities were from 2012 or earlier, making them more than 2 years old, and almost 9% of them were over 10 years old.
Fortunately, there is a single best step organizations can take to reduce their exposure to client-
based vulnerabilities. Organizations should improve their vulnerability management programs. More
specifically, ensure that all end-user client systems are included in their patch management process.
Admittedly, this is much more complicated than it sounds, and can include a variety of related
recommendations:
• Define a set of approved configurations to harden and operate end-user machines. This should include approved operating systems, applications and utilities, and even which browser is supported for organizational use. The smaller and more consistent the organization can make its gold standard, the easier it is to maintain systems using that standard.
• Clearly inform users what those standards are, and make it clear that unapproved software is not just unapproved, but unauthorized. Make it clear to all users that the use of unauthorized software can result in disciplinary action.
• Minimize the use of admin or other accounts which are allowed to change system configurations, including installation of new, potentially unauthorized software.
• Actively patch end-user systems on a regular basis, and confirm that patches are installed.
• Conduct regular internal and external authenticated vulnerability scans to help identify systems which are out of policy, then patch those systems.
• Actively manage an exception process which tracks special software as well as users with elevated permissions.
Weekend Trends
The article The User is Vulnerable discusses how significant vulnerabilities are related to end-user
machines instead of servers. But do vulnerabilities on end-user systems have anything to do with
which systems are being attacked?
The graph below shows Flash/Java/Adobe (Acrobat and Acrobat Reader) exploit attempts detected by NTT Group in 2014. The chart shows regular activity spread across the year, with shorter periods of higher attack detection. The large spikes show a combination of events which often overlap, occurring where alerts were triggered by new vendor signatures on old vulnerabilities, unproven signatures which tended to produce false-positive alerts, and some genuine new vulnerabilities and campaigns. If you look closely at the data, however, you can see another interesting trend. The regular drops in detected attacks coincide perfectly with weekends.
FIGURE 21: Flash/Java/Adobe exploit attempts detected by NTT Group in 2014. The dips in the chart are on weekends when users are not typically on a corporate network.
The weekend trend is not just limited to Flash/Java/Adobe exploitation. The next chart shows all
Internet-based attacks through 2014. Much like the detection of Flash/Java/Adobe attacks, this
chart shows a certain amount of regularity throughout the year. The chart also shows the same
regular trends: steady weeklong detection, with drops coinciding with weekends. Does that mean
there are fewer attacks on weekends?
FIGURE 22: All Internet-based attacks detected through 2014.
However, the organizational security infrastructures monitored by NTT Security during 2014
consistently detected considerably fewer attacks on weekends and holidays. On weekends and
holidays, workers are not in the office, and corporate end-user systems are turned off or not being
used. This major drop in weekend attacks demonstrates that organizational controls are detecting
security events related to end users. This involvement of end users has become a major component
of all attacks seen.
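The weekly pattern described above can be checked against an organization's own detection counts. The following Python script is an added example, not NTT Group's analysis or data: it runs over four weeks of constructed daily counts (including one spike week of the kind the text attributes to new vendor signatures), reports mean detections per day of week, the weekend-to-weekday ratio, whether each week's dips fall on Saturday and Sunday, and which weeks stand out as spikes.

```python
from datetime import date, timedelta
from statistics import mean, median

# Constructed sample: daily exploit-attempt detections for four weeks
# starting Monday 2014-06-02 (illustrative numbers, not NTT Group data).
START = date(2014, 6, 2)
COUNTS = [
    120, 115, 110, 112, 105, 40, 35,   # week 0: Mon..Sun
    130, 125, 118, 120, 110, 45, 38,   # week 1
    300, 280, 260, 240, 200, 90, 80,   # week 2: spike (e.g. new vendor signatures)
    118, 116, 111, 109, 104, 42, 36,   # week 3
]


def daily_series(start=START, counts=COUNTS):
    """Attach a calendar date to each daily count."""
    return [(start + timedelta(days=i), c) for i, c in enumerate(counts)]


def mean_by_weekday(series):
    """Average detections per day of week (0=Monday .. 6=Sunday)."""
    buckets = {}
    for day, count in series:
        buckets.setdefault(day.weekday(), []).append(count)
    return {wd: mean(vals) for wd, vals in sorted(buckets.items())}


def weekend_ratio(series):
    """Mean weekend detections divided by mean weekday detections."""
    weekday = [c for d, c in series if d.weekday() < 5]
    weekend = [c for d, c in series if d.weekday() >= 5]
    return mean(weekend) / mean(weekday)


def weekly_chunks(series):
    """Split the series into 7-day weeks (the series starts on a Monday)."""
    return [series[i:i + 7] for i in range(0, len(series), 7)]


def dips_fall_on_weekends(series):
    """True if, in every full week, the two lowest-count days are Saturday and Sunday."""
    for week in weekly_chunks(series):
        if len(week) < 7:
            continue  # ignore a trailing partial week
        lowest = sorted(week, key=lambda dc: dc[1])[:2]
        if {d.weekday() for d, _ in lowest} != {5, 6}:
            return False
    return True


def spike_weeks(series, factor=1.5):
    """Indexes of weeks whose weekday mean exceeds `factor` times the median weekday mean.

    Weekday-only means keep the weekend dips from masking a signature-driven spike.
    """
    weekday_means = [mean(c for d, c in week if d.weekday() < 5)
                     for week in weekly_chunks(series)]
    baseline = median(weekday_means)
    return [i for i, m in enumerate(weekday_means) if m > factor * baseline]


if __name__ == "__main__":
    s = daily_series()
    print("mean by weekday:", mean_by_weekday(s))
    print("weekend/weekday ratio: %.2f" % weekend_ratio(s))
    print("dips on weekends:", dips_fall_on_weekends(s))
    print("spike weeks:", spike_weeks(s))
```

Feeding real per-day alert counts into `daily_series` in place of the constructed list gives the same three checks over live data.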
Organizations can take action to help mitigate the effectiveness of attacks on end-user
systems.
• Maintain an active and current anti-virus/anti-malware solution on all end-user devices which have access to organizational networks or data. Although this is a simple control, properly maintained anti-virus does detect 40-50 percent of malware.
• Consider extended endpoint protection including file integrity monitoring, endpoint encryption and event monitoring.
• Minimize the use of admin accounts. Require the user to log on with a user-level password which has the minimum level of permissions required to perform their job. Browsing while using admin access increases risk.
• Require all work computers to access the Internet through the organizational VPN whether they are at work or not. Enforce safe browsing habits through the VPN connection, including blacklisting websites, and actively monitoring security on portable laptops at all times so that the organization is more likely to detect an attack and compromise.
• Provide an active security awareness and training program which includes training on attacks designed for end-user systems. Include social engineering and phishing in the organizational training program.
• Maintain offline backups of end-user data to help minimize the impact of local system compromises, malware and ransomware.
• Implement and monitor proxies and content-filtering capabilities.
Case Study, Spear-Phishing Campaign
Timeline of Events
The table below shows the chronology of events (Description of Event):
In August 2014, after successfully processing several wire transfers, Aerobanet identified potentially
suspicious emails requesting wire transfers of funds. Their suspicions were aroused when staff
detected an unusually high number of wire transfers in a short period of time. Aerobanet contacted
NTT Group to verify their suspicions and to assist in investigation of the attack.
Initial investigations confirmed the attack was executed via phishing emails. The emails were well
crafted, and included several indications that the attacker had detailed knowledge of Aerobanet
internal processes and employee roles:
• The attacker knew which users to target internally in order to initiate wire transfers.
• The attacker had inside knowledge of users who could authorize wire transfers.
• The emails included fake email thread histories to make the wire transfers appear sanctioned.
• The emails included PDF attachments designed to help make the emails appear official.
• The emails used a properly registered and fully active domain to help make the emails appear official. This domain was registered via a third-party cloud-based provisioning site.
The emails were constructed to include information and instructions which were key to the wire-transfer process. The fake email thread histories appeared to run for several days, and included emails in which authorized employees allegedly requested and approved the transfers. The level of detail used to construct the emails suggested the attackers had internal knowledge of Aerobanet processes and procedures. NTT Group security analysts were unable to determine whether the attackers' knowledge of Aerobanet resulted from social engineering attacks or from other sources.
NTT Group had been following an increase in similar spear-phishing attacks. This helped onsite analysts to determine the nature of the attack against Aerobanet and verify this was a phishing attack. Security consultants observed that the domain on the phishing emails was slightly different from Aerobanet's legitimate domain. The attacker used a free trial domain service to create and register valid domains used in the attack. NTT Group has seen an increase in attacker use of cloud-provisioned domains, because these sites are cheap (or free), easy to set up, and can be rapidly provisioned. In this case, the cloud-provisioned domain served as a fraudulent email domain.
For Aerobanet, the attacker provisioned the domain Aerobannet, which was very similar to the actual target of the attack. The phishing email recipients did not notice the extra "n" in the fake domain name. This allowed the attacker to be included in an email dialog discussing each wire transfer. The attackers created an email account on their fake Aerobannet site, using the name of the real Aerobanet official responsible for approving wire transfers (johndoe@aerobanet.com vs. johndoe@aerobannet.com). While employees believed they were responding to email from an internal user, they were actually responding to the attackers' fake external email account.
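The extra-character domain used in this case is the kind of near miss a mail gateway check can catch before a message reaches an approver. The Python below is an added example, not NTT Group's tooling: it compares the From and Reply-To domains of constructed sample headers (the aerobanet.com/aerobannet.com pair from the case study; the other addresses are made up) against the organization's domain using edit distance and flags lookalikes.

```python
import re

# The organization's legitimate mail domain (from the case study).
ORG_DOMAINS = {"aerobanet.com"}

# Constructed sample headers: (From header value, Reply-To header value or None).
SAMPLE_HEADERS = [
    ("John Doe <johndoe@aerobanet.com>", None),                      # genuine internal
    ("John Doe <johndoe@aerobannet.com>", None),                     # extra "n": lookalike
    ("Finance <finance@aerobanet-invoices.com>", None),              # org name embedded
    ("Vendor <billing@example.org>", None),                          # unrelated external
    ("John Doe <johndoe@aerobanet.com>", "johndoe@aerobannet.com"),  # Reply-To diverted
]


def extract_address(header):
    """Pull the bare address out of 'Name <addr>' or a bare 'addr' header value."""
    m = re.search(r"<([^>]+)>", header)
    return (m.group(1) if m else header).strip().lower()


def domain_of(address):
    return address.rsplit("@", 1)[-1]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_domain(domain, org_domains=ORG_DOMAINS, max_distance=2):
    """Return 'internal', 'lookalike' or 'external' for a sender domain.

    A lookalike is either within `max_distance` edits of an org domain (aerobannet.com)
    or embeds the org's name inside a longer domain (aerobanet-invoices.com). Legitimate
    sibling domains such as regional variants must be listed in org_domains to avoid flags.
    """
    if domain in org_domains:
        return "internal"
    for org in org_domains:
        org_label = org.split(".")[0]
        if levenshtein(domain, org) <= max_distance:
            return "lookalike"
        if org_label in domain.replace("-", ""):
            return "lookalike"
    return "external"


def assess_message(from_header, reply_to=None, org_domains=ORG_DOMAINS):
    """Return (verdict, reason): 'flag' for lookalike senders or a diverted Reply-To."""
    from_dom = domain_of(extract_address(from_header))
    verdict = classify_domain(from_dom, org_domains)
    if verdict == "lookalike":
        return "flag", "sender domain %s resembles %s" % (from_dom, sorted(org_domains))
    if reply_to:
        rt_dom = domain_of(extract_address(reply_to))
        if rt_dom != from_dom and classify_domain(rt_dom, org_domains) != "internal":
            return "flag", "Reply-To domain %s differs from From domain %s" % (rt_dom, from_dom)
    return "allow", "sender domain %s is %s" % (from_dom, verdict)


if __name__ == "__main__":
    for from_header, reply_to in SAMPLE_HEADERS:
        verdict, reason = assess_message(from_header, reply_to)
        print("%-5s %-45s %s" % (verdict, from_header, reason))
```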
The emails also included PDF attachments which identified mailing addresses and account numbers
for the wire transfers. These attachments added credibility to the wire transfer requests. Analysis of
the PDFs uncovered no malware. The addresses in the PDFs were residential street addresses.
Based on analysis by NTT Group, there was no evidence to suggest the attackers had breached the
Aerobanet infrastructure. Analysts identified no malware and no internal access to the environment.
Attacks which are constrained to social-engineering and spear-phishing techniques are relatively
rare, but can be extremely successful, especially when they are as expertly crafted as this attack.
NTT Group has seen several attack scenarios like this in the past year, and these types of attackers
appear to be increasing their level of precision.
NTT Group security consultants demonstrated how the free trial domain had facilitated the attack,
and provided documentation which helped show the wire transfers were fraudulent. Aerobanet
provided this documentation to its bank and obtained refunds of nearly all the funds which had been
fraudulently transferred.
Aerobanet subsequently changed its approval process to require all wire transfers to be manually
verified in person or by phone prior to completion.
Root Cause
This attack was successful because the highly accurate and targeted content of the email chain
helped convince Aerobanet staff that the wire transfer requests were genuine. The fraudulent
domain used in the attack added credibility to the email chain, resulting in the success of the spear-
phishing attacks.
Cost of Incident
Aerobanet provided the actual cost of this event.
Cost of Event: Spear Phishing
Actual cost of investigation, remediation and professional incident support as described: $15,400
• Perform targeted security awareness and training: The attacker conducted a successful
spear-phishing attack. If Aerobanet had previously provided security awareness training,
including guidance on actively looking for social engineering and phishing attacks, the attack
may have been recognized earlier. Such awareness training must consider the context of the
organization receiving the training. It should be customized to the processes and procedures
of the company, and should use examples of attacks to which employees can relate.
• Implement dual controls for critical transactions: The attacker included enough information
in the email thread that it appeared the wire transfer had been authorized. Using an active
confirmation of a second approval, outside of the same email communication path, could have
helped raise a red flag over attempts to initiate the transfers. Active confirmation (via phone,
fax, or paper copy) would have initiated an additional dialog to help verify the transfer was truly
authorized.
• Configure email Phishing Confidence Level: Phishing Confidence Level (PCL) is a tool
which is available via the Microsoft Exchange environment. This tool uses a scale of 1 through
8, which reflects the likelihood an email is part of a phishing attack. When PCL is configured,
the site's email administrator can choose how to treat each email according to its rating on
the PCL value scale. Configuring PCL could assist in identifying further threats or stopping an
attack altogether.
• Implement anomaly/fraud detection: This particular attack was identified when a single staff
member recognized that the wire-transfer pattern was anomalous. He observed a significant
increase in the number of wire transfer requests, and verified the latest request because it fell
outside of expected boundaries. The ability to identify such anomalous behavior is invaluable,
especially in a large organization which may process a high volume of transactions. For an
incident such as this, organizations should implement manual and, to the extent possible,
automated checks to help identify when the frequency or size of sensitive transactions
exceeds an expected range. Some financial institutions will also help organizations set and
conform to transaction boundaries.
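The automated frequency-and-size check recommended above, written out as an added example (this is not code from the report or from Aerobanet). It keeps a baseline of previously approved transfers, scores each new request on amount (standard deviations above the approved mean) and on the number of requests in a trailing window, and leaves any flagged request out of the baseline until it has been confirmed through a second channel, which is the dual-control step the report describes. The transfer history is constructed, and the window length, request limit and z-score threshold are assumed policy values.

```python
"""Added example (not from the NTT report): flag a wire transfer request whose
size or recent request frequency falls outside an expected range, so that it is
routed to out-of-band confirmation before completion.
All transfer history below is constructed; thresholds are assumptions."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed history of previously approved transfers: (ISO timestamp, USD).
APPROVED_HISTORY = [
    ("2014-09-01T10:00", 4200.0),
    ("2014-09-08T11:00", 3900.0),
    ("2014-09-15T09:00", 4500.0),
    ("2014-09-22T14:00", 4100.0),
    ("2014-09-29T10:00", 3800.0),
    ("2014-10-06T10:00", 4300.0),
]


class TransferMonitor:
    """Keeps a baseline of approved transfers and scores new requests."""

    def __init__(self, history, max_per_window=2, window_days=7, z_threshold=3.0):
        self.times = [datetime.fromisoformat(t) for t, _ in history]
        self.amounts = [a for _, a in history]
        self.max_per_window = max_per_window      # assumed policy limit
        self.window = timedelta(days=window_days)  # assumed policy window
        self.z_threshold = z_threshold            # assumed size threshold

    def check(self, when_iso, amount):
        """Return the reasons a request is anomalous (empty list = in range).
        The request is NOT added to the baseline here; call record() only
        after it has been confirmed through a second, out-of-band channel."""
        when = datetime.fromisoformat(when_iso)
        reasons = []

        # Size check: how many standard deviations above the approved mean?
        mu = mean(self.amounts)
        sigma = pstdev(self.amounts) or 1.0   # guard against a flat history
        z = (amount - mu) / sigma
        if z > self.z_threshold:
            reasons.append(
                f"amount {amount:,.2f} is {z:.1f} sd above the baseline mean {mu:,.2f}")

        # Frequency check: approved requests in the trailing window plus this one.
        cutoff = when - self.window
        in_window = sum(1 for t in self.times if cutoff < t <= when) + 1
        if in_window > self.max_per_window:
            reasons.append(
                f"{in_window} requests in {self.window.days} days "
                f"exceeds the limit of {self.max_per_window}")
        return reasons

    def record(self, when_iso, amount):
        """Add a confirmed transfer to the baseline."""
        self.times.append(datetime.fromisoformat(when_iso))
        self.amounts.append(amount)


def demo():
    """Walk a constructed request sequence through the monitor."""
    monitor = TransferMonitor(APPROVED_HISTORY)
    routine = monitor.check("2014-10-08T10:00", 4400.0)      # in range
    monitor.record("2014-10-08T10:00", 4400.0)                # confirmed, add to baseline
    suspicious = monitor.check("2014-10-09T10:00", 48000.0)  # size and frequency both out of range
    return routine, suspicious


if __name__ == "__main__":
    for label, result in zip(("routine", "suspicious"), demo()):
        print(label, result or "in range")
```

The separation between check() and record() is deliberate: a request that trips either rule should never feed the baseline until a person has confirmed it by phone, fax or paper, otherwise a run of fraudulent transfers would teach the monitor that the new volume is normal.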
INCIDENT RESPONSE
Enterprise Capabilities Mature at a Slow Pace
2014 was a year which prompted both security and business leadership to evaluate how
cyberattacks can impact organizations. The year was full of notable household name brands falling
into the crosshairs of malicious actors.
Although many of these very familiar name brands made headlines, they only account for a fraction
of organizations impacted by similar threats and losses.
One of the major factors determining the impact of a breach is the organization's effectiveness at
identifying, isolating and mitigating the breach. Generally, the faster an organization can respond in a
meaningful way, the greater the chance that the organization can control the impact of the breach.
NTT Group performed incident response engagements in a wide variety of industries, demonstrating
that no industry is immune from attack. Every industry needs effective incident response.
Increased awareness and priority resulted in improved mitigation controls for DDoS attacks during
2014. As DDoS mitigation tools have matured, their reduced cost and wider implementation are
likely contributing factors to the reduction of DDoS attacks observed during 2014. The percentage
of incident response investigations related to DDoS attacks sharply decreased (from 31 percent
in 2013 to 18 percent in 2014, as shown in the graphic below). Lessons learned from previously
observed attacks, mainstream media coverage of DDoS attacks against major brands, and public
discussion of those lessons have likely had a significant impact on the industry's ability to manage
these attacks.
FIGURE 25: Percent by Year and Incident Category (bar chart comparing 2013 and 2014 across the
categories Malware, DDoS, Breach Investigation and Other; y-axis 0% to 55%). This figure presents
the trending of NTT Group incident response engagements for incidents supported in 2013 and 2014.
Incidents by Sector
Several different market sectors made up NTT Group's 2014 Incident Response engagements, as
depicted in the following chart. Even though some of the sectors are statistically less significant, any
comprehensive enterprise security program should include formal incident response processes and
procedures. The high percentage of finance sector incident response support activity is largely due
to malicious attackers continuing to focus on this vertical market as well as the sector's sensitivity to
attacks.
FIGURE 26: Percent of Incident Response Engagements by Sector (horizontal bar chart, x-axis 0% to
35%). Sectors shown, in descending order: Finance, Business & Professional Services, Technology,
Retail, Healthcare, Gaming & Entertainment, Education, Transportation, Energy & Utilities.
The Importance of Incident Response
Although NTT Group has observed some maturation of incident response programs in
organizations, in most cases response capabilities remain reactionary (organizations allocate
resources after a breach has directly impacted them). Based on NTT Group observations, very
few organizations proactively prepare for incidents. As described in last year's GTIR, proactive
implementation of core response capabilities can improve an organization's ability to detect,
investigate and respond to incidents, thereby compressing the mitigation timeline and reducing
overall losses for organizations.
74% of the organizations NTT Group supported with incident response engagements during 2014
had no policy in place to address a major incident.
How Organizations Are Approaching Incident Response Planning
NTT Group has observed four common approaches for how organizations are approaching their
incident response capability. Most organizational incident response planning falls into one of the
following four categories:
• No response plan (no external support): Unfortunately, in most cases, organizations are
not spending adequate time developing or testing response plans. Additionally, very few
organizations are allocating budget for external incident response management or support.
Analysis showed that 74 percent of the organizations NTT Group supported with incident
response engagements during 2014 had no policy, plan, procedure, or contracted support to
address a major incident. This trend continued from 2013 when 77 percent of organizations
showed no formal plan.
• No response plan (with external support): Some organizations realize the value of
incident response and proactively invest in third-party incident response support. Typically,
organizations which have smaller in-house IT resources will contract with incident response
providers who specialize in supporting organizations without response capabilities. This can
be of great value, but the contracting organization must realize they still have a role to play
should an incident occur. It is vitally important to ensure that the organization has a clear
understanding of how incident support capabilities are used and managed during an incident.
• Currently maturing an existing plan (with external support): A positive trend which NTT
Group has identified over the last year is a slow improvement in how organizations mitigate
the impact of threats. Some organizations have started to invest in development of incident
response capabilities. These organizations are focusing on the development of plans,
processes, procedures, tools and education, and often still rely on third-party providers for
continued support while these capabilities are being built and tested. Additionally, third-party
incident response providers may not only provide support from a technical perspective, but
may also be involved in plan, policy and procedure development. Third-party providers can
share a wealth of experience to help organizations address their incident response needs.
• Mature plan and capabilities (external support when needed): Few organizations have
the capability, talent and financial backing to define, build, mature and maintain an effective
incident response capability. However, in cases where incident response capabilities are
handled by an internal team, NTT Group still observes circumstances where special expertise
is needed to support advanced response requirements. For instance, many internal incident
response teams do not have training in detailed forensic analysis, or reverse-engineering of
malware threats to extract technical indicators which can be used for further detection of
malicious activity. Some organizations will elect to put a third-party incident response service
on retainer to assist in these situations.
Conclusion
For a majority of organizations the NTT Group has worked with over the last several years, incident
response is either not a top priority, or it is simply too hard for organizations to realize the value of an
effective plan. The urgency to prepare and invest in incident response usually occurs only after an
event with significant impact to the business has been experienced.
A successful security program not only includes the capability to detect vulnerabilities and minimize
impact via well-designed architecture and controls, but also the capability to respond when all else
fails.
Five Key Recommendations Based on Incident Review
During 2014, NTT Group supported response efforts for a variety of incidents. Review of these
engagements revealed some observations and recommendations which were consistent across
these incidents. Additionally, NTT Group compared these results to information available from highly
publicized breaches. This analysis helped identify a set of control areas which suffer from a lack of
detection, investigation and mitigation capabilities in many organizations.
As a result, we recommend organizations evaluate the effectiveness of these five control areas in
their environments. These recommendations describe basic controls which should be implemented
as a foundational part of an organization's network and security infrastructure. NTT Group analysis
identified that many organizations continue to struggle as they attempt to implement these control
areas in an effective manner.
Many of the investigated breaches originated in one segment of the network and propagated across
the internal network.
NTT Group continues to observe organizational network infrastructures which are internally flat (non-
hierarchical). These networks do not adequately define different functional areas of the environment.
Different network areas can have unique data requirements or access requirements, which have
not been recognized or enforced. Internal network segmentation should ensure that data flowing
between segments is appropriately scrutinized. For example, employees in a call center environment
may not need access to development environments, hence this activity should be restricted via
access control lists (ACL) and administrative segregation of functions between environments.
As well as segmenting networks using router access control lists and Virtual Local Area Networks
(VLANs), organizations should implement detective and preventive controls via firewalls, along with
Intrusion Detection and Prevention Systems (IDS/IPS). These enhance the organization's ability to
provide a detective and defensive capability which can help identify potentially malicious network
traffic, including attempts to bypass segregation controls.
Additionally, such controls will significantly impact the tempo of an attack, making network
penetration slower, noisier, and more difficult to accomplish. This is especially true if attackers are
forced to repeat the reconnaissance, attack and compromise process every time they wish to
extend their reach within an environment.
Many security and compliance initiatives can be easier to achieve by properly segregating networks,
data and processes. An important part of this is ensuring proper documentation of controls,
network topology and data transmission paths.
Relying solely on host-based security is not a good strategy for managing malware threats.
Organizations must consider technologies which also scrutinize network and email communications
for signs of malicious activity related to malware.
• Define your organization's malware mitigation strategy and ensure your controls include
multiple points of detection and visibility.
• Invest in host-based as well as network-based detection and quarantine capabilities.
• Collect logs from malware product consoles and ensure they are part of your log monitoring
SIEM/MSSP solution.
• Develop policies and procedures for how malware incidents are handled.
• Validate malware controls are operating as designed and make adjustments as required.
It is important to understand that to benefit from even 50 percent protection, host-based anti-virus
solutions must be installed on servers and end points, must be regularly updated, and must scan for
viruses constantly. Network and host-based anti-virus solutions should be continuously monitored
to ensure the solution is providing maximum value.
Control Area 3: Patching and Configuration Management
Most breaches analyzed by NTT Group in 2014 included the compromise of unpatched or poorly
configured systems. In many cases the compromises were directly related to third-party application
vulnerabilities. Malicious attackers seek out systems with unpatched vulnerabilities as a means of
gaining an initial foothold into a system or network. Many exploit kits are built with the understanding
that attackers can automate exploits faster than target organizations can patch newly discovered
vulnerabilities. NTT Group has discovered that on average, it takes organizations without a
vulnerability management program nearly 200 days to patch vulnerabilities with a CVSS score of 4.0
and higher.
On average, it takes organizations without a vulnerability management program nearly 200 days to
patch vulnerabilities.
Old, unpatched vulnerabilities can be a relatively easy exploit path for most attackers. During
2014, 76 percent of the vulnerabilities identified in client systems by NTT vulnerability scanning and
management services were from 2012 or earlier, making them more than two years old. Almost 9
percent of vulnerabilities identified by NTT Group in 2014 were more than 10 years old.
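The two measurements this section reports, the age of detected vulnerabilities by CVE year and the time taken to patch findings rated CVSS 4.0 and higher, can be produced from any scanner export. The following is an added example (not code from the report or from NTT Group's scanning services) that computes both over a constructed set of findings. The CVE identifiers are placeholders of the form CVE-<year>-NNNN, used only so the year can be parsed from the id; the scan date, the 200-day deadline and the 4.0 CVSS floor are taken from the text as the thresholds to check against.

```python
"""Added example (not from the NTT report): age detected vulnerabilities by the
year in their CVE id and flag findings that have exceeded a patch deadline for
CVSS 4.0 and higher.  Findings are constructed and the CVE ids are placeholders
(CVE-<year>-NNNN), present only so the year can be parsed from the id."""
from datetime import date
from typing import NamedTuple


class Finding(NamedTuple):
    host: str
    cve: str           # placeholder id, e.g. "CVE-2012-NNNN"
    cvss: float
    first_seen: date   # first scan that reported it


SCAN_DATE = date(2014, 12, 15)   # constructed date of the current scan

FINDINGS = [   # constructed scanner export
    Finding("web-01", "CVE-2014-NNNN", 7.5, date(2014, 11, 1)),
    Finding("web-01", "CVE-2012-NNNN", 5.0, date(2014, 3, 1)),
    Finding("db-02", "CVE-2003-NNNN", 9.3, date(2013, 6, 1)),
    Finding("ws-17", "CVE-2013-NNNN", 3.1, date(2014, 1, 10)),
    Finding("ws-17", "CVE-2004-NNNN", 6.8, date(2014, 10, 1)),
]


def cve_year(cve_id):
    """The second field of a CVE id is the year the id was assigned."""
    return int(cve_id.split("-")[1])


def age_report(findings, scan_date=SCAN_DATE, sla_days=200, min_cvss=4.0):
    """Summarize vulnerability age and list findings past the patch deadline.

    Age buckets follow the text: "2012 or earlier" in 2014 is two or more
    calendar years old, and ten or more years old is the second bucket.
    A finding is overdue when its CVSS is at or above min_cvss and it has been
    open (first_seen to scan_date) for more than sla_days."""
    total = len(findings)
    ages = [scan_date.year - cve_year(f.cve) for f in findings]
    older_2y = sum(1 for a in ages if a >= 2)
    older_10y = sum(1 for a in ages if a >= 10)
    overdue = [
        (f.host, f.cve, (scan_date - f.first_seen).days)
        for f in findings
        if f.cvss >= min_cvss and (scan_date - f.first_seen).days > sla_days
    ]
    return {
        "total": total,
        "pct_two_years_or_older": round(100 * older_2y / total, 1),
        "pct_ten_years_or_older": round(100 * older_10y / total, 1),
        "overdue": overdue,   # (host, cve, days open), oldest-first as listed
    }


if __name__ == "__main__":
    report = age_report(FINDINGS)
    print(f"{report['pct_two_years_or_older']}% of findings are 2+ years old, "
          f"{report['pct_ten_years_or_older']}% are 10+ years old")
    for host, cve, days in report["overdue"]:
        print(f"OVERDUE {host} {cve} open {days} days")
```

Run against a real export, the overdue list is the work queue for the patch program, and the two percentages are the trend to watch from one scan to the next.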
FIGURE 27: Detected Vulnerabilities by Year of Release (horizontal bar chart with one bar per release
year from 1999 through 2014; x-axis 0% to 14%). Many new vulnerabilities in 2014, but some from as
far back as 1999.
Although configuration and patch management are not new concepts, analysis of vulnerability
scanning data illustrates it is something most organizations are still doing poorly. Many organizations
still focus attention on patching critical and public facing servers; however, most attacks today are
focused on the end user and third-party applications.
To mitigate potential losses due to configuration management and patch management issues,
organizations should:
Configuration and patch management can be tedious and difficult, especially when managing a
variety of end-user devices in a highly distributed, heterogeneous environment. Implementing an
active, aggressive patch management program can remove common vulnerabilities from both
servers and end-user systems, minimizing the effectiveness of newer exploits and common exploit
kits.
Many breaches included compromise of multiple systems distributed across the organization's
internal network. These compromised systems were often involved in communications related to
the compromise (downloading of malware, exfiltration of data) for an extended period of time. This
included unauthorized communication between internal servers as well as communications with
both internal and external command and control (C&C) servers.
Truly effective monitoring includes not only system logs and alerts, but also behavioral analysis of
an organization's baseline environment. Behavioral monitoring can detect anomalous activity in an
environment. For example:
• Systems which had never communicated are suddenly exchanging large amounts of
information.
• Multiple distributed systems are suddenly talking with a few centralized systems.
• Or more obviously, but often still not detected by many organizations, previously quiet internal
systems are suddenly talking to external systems.
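The three behavioral signals listed above reduce to comparing a window of flow records against a baseline of who normally talks to whom. The following is an added example (not code from the report) that builds that baseline from one set of flows and raises an alert of each kind from a second set: a never-seen pair moving a large volume, several new sources converging on one internal host, and an internal host with no history of external traffic reaching outside. Both flow sets are constructed; the internal range, the byte threshold and the fan-in count are assumed tuning values.

```python
"""Added example (not from the NTT report): behavioral baseline over flow
records that raises the three anomaly types the report lists.
Both flow sets are constructed; thresholds and the internal range are assumed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed baseline period: (source, destination, bytes transferred).
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.2.5", 12_000),        # workstation -> file server
    ("10.1.1.11", "10.1.2.5", 15_000),
    ("10.1.1.10", "93.184.216.34", 3_000),    # workstation browsing out
    ("10.1.2.5", "10.1.3.9", 8_000),          # file server -> backup host
]

# Constructed window under analysis.
WINDOW_FLOWS = [
    ("10.1.3.9", "10.1.4.20", 80_000_000),    # never talked before, now 80 MB
    ("10.1.1.10", "10.1.9.99", 500),          # three workstations converge
    ("10.1.1.11", "10.1.9.99", 500),          #   on one previously unused host
    ("10.1.1.12", "10.1.9.99", 500),
    ("10.1.2.5", "198.51.100.7", 2_000),      # quiet server reaches outside
    ("10.1.1.10", "93.184.216.34", 3_500),    # routine browsing, seen before
]


def analyze(baseline, window, internal="10.0.0.0/8",
            large_bytes=50_000_000, fan_in=3):
    """Compare a window of flows against the baseline; return (kind, detail) alerts."""
    net = ip_network(internal)

    def inside(ip):
        return ip_address(ip) in net

    seen_pairs = {(s, d) for s, d, _ in baseline}
    # Internal hosts with an established habit of talking to the outside.
    external_talkers = {s for s, d, _ in baseline if inside(s) and not inside(d)}

    alerts = []
    new_sources = defaultdict(set)   # internal destination -> new sources seen
    for src, dst, nbytes in window:
        new_pair = (src, dst) not in seen_pairs
        # 1. Hosts that never communicated suddenly move a lot of data.
        if new_pair and nbytes >= large_bytes:
            alerts.append(("new-pair-large-transfer", f"{src} -> {dst}: {nbytes} bytes"))
        # 2. Accumulate fan-in: many new sources converging on one internal host.
        if new_pair and inside(dst):
            new_sources[dst].add(src)
        # 3. A previously quiet internal host reaches an external address.
        if inside(src) and not inside(dst) and src not in external_talkers:
            alerts.append(("quiet-host-external", f"{src} -> {dst}"))
    for dst, sources in new_sources.items():
        if len(sources) >= fan_in:
            alerts.append(("fan-in", f"{len(sources)} new sources -> {dst}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in analyze(BASELINE_FLOWS, WINDOW_FLOWS):
        print(f"{kind:26} {detail}")
```

The baseline is the part that takes effort in practice: it has to be built from a period you trust, and re-learned deliberately rather than continuously, or the C&C traffic described above becomes part of "normal" after a few days.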
To ensure organizations get the most out of their monitoring investment, NTT Group recommends:
• Understand your environment, knowing that not all logs are created equal. Security engineers
can help your organization identify the logs, devices and systems which provide the most
value and context.
• Most environments with strong monitoring are the result of years of maturity and constant
planning and improvement. Define your tactical and strategic plans for monitoring and then
work your plan.
• Your monitoring plan determines how well you can identify activities which occur during
breaches, but can also help your organization meet compliance requirements. Maximize the
value of monitoring by applying it to multiple use cases.
• Monitoring, like many other security controls, achieves its maximum value when layered. Log
at the network layer and the application layer. Log externally facing IDS/IPS, firewalls, WAFs,
but also consider directory services, anti-virus, file monitoring, databases, web applications,
proxies and DLP.
• Consider monitoring key devices at the source as opposed to relying on identifying malicious
activity as it traverses other devices.
For the incidents analyzed, NTT Group observed many organizations asking themselves the same
questions:
• Did the alerts actually constitute a breach? Was the organization actually under attack?
• Who from the organization should respond? Is the organization primarily interested in retaining
evidence of the breach, restoring service, protecting data, or is there another priority?
• What systems and/or data should receive the highest response priority?
• Who are the organization's third-party vendors (e.g., their ISP) and who are the contacts (and
what are their contact phone numbers) at those organizations?
These are exactly the types of questions which a mature incident response plan would identify
during development, coordination, review and test.
During an attack, it will be hard enough to respond to the incident in a planned manner; failing to
do so will extend the duration and losses associated with an attack. The response process is even
more complicated if the organization tries to figure out what their incident response should be amidst
the chaos of an ongoing breach.
An effective incident response plan will define the following activities before an attack occurs:
• Define the incident response team, along with their roles and responsibilities.
• Document contact information for relevant vendors and third-parties, such as ISP tech
support, and define how they fit into the process.
• Define any required skill sets which do not exist within the organization, and how they will be
obtained and utilized.
• Define processes to communicate effectively during incidents.
• Define criteria to declare when an incident has started, as well as when an incident has ended.
This is a drastic simplification of a real incident response plan, which would still have to be
implemented effectively, and include procedures which would be clearly communicated to all
responsible individuals. Unfortunately, NTT Group analysis of incidents in 2014 shows that these
simple concepts are often overlooked by even the most mature organizations.
Conclusion
Not every compromise is a result of missing the fundamental controls discussed in this section.
However, if every breached organization had implemented truly effective controls in these areas,
those organizations would have been more resilient and better prepared to respond to an attack.
Effective implementation of these five control areas can have an immediate, positive impact on the
security of any organization.
Threat intelligence, at its core, is a specific application of broader intelligence principles which
includes the painstaking collection of data and information from many sources, context-aware
analysis, intelligence production, and delivery to the intelligence consumer.
• Open Source Intelligence (OSINT): explores, exploits and enhances generally-available public
information via data mining and advanced search techniques.
• Signals Intelligence (SIGINT): the collection and exploitation of signals transmitted from
communications systems, radar and weapon systems.
• Imagery Intelligence (IMINT): geospatial information collected and processed by a variety of
terrestrial, airborne or satellite-based collectors.
• Measurement and Signature Intelligence (MASINT): a technical branch of intelligence which
uses information gathered by technical instruments such as radars, lasers, passive electro-
optical sensors, seismic and other sensors to identify targets by their signatures.
Defining Cyberintelligence
Cyberintelligence (CYINT) is not one of the core intelligence disciplines, but is a hybrid field which
can consist of any combination or all of the five core disciplines. Although it can be used as a
key component of cybersecurity, CYINT operates independently of the cybersecurity mission and
supports a variety of operations across every sector of government and industry.
It is critical for organizations to recognize the broader capabilities of this rapidly emerging field of
intelligence, and how it can be used beyond identifying cyberthreat actors, technical data about
vulnerabilities, malware or IP reputation data. CYINT goes beyond these narrow parameters
and encompasses the analysis of actions and events associated with an organization's physical
environment which can lead to forecasting digital threats.
Information vs. Intelligence
Despite what many security threat intelligence vendors may say, data and information are not
intelligence. Let's look at an example:
Threat intelligence: information gathered from a number of disparate sources, synthesized by
human analysts to identify a specific threat to a specific target.
• Information
An exploit for a zero-day Java vulnerability is publicly released on a security mailing list. Shortly
thereafter, malware is identified utilizing the vulnerability. Security vendors notify clients of this
threat and provide recommendations for mitigation. This is threat information and while useful,
it is not, by definition, threat intelligence.
• Intelligence
A security vendor monitoring exploitation of the Java vulnerability notices infection rates in
Asia are much higher than in the U.S. New strains of malware, which install code associated
with a botnet command and control system on victim devices, are being observed in the wild.
At the same time, a large financial institution has announced the acquisition of a number of
smaller, regional banks, initiating an increase in their non-sufficient funds fee from $20 to $35,
thereby angering consumers. A number of hacktivist groups begin discussing a protest against
the U.S. banking system on Twitter and other social media sites, promising to halt online
transactions for a day at major institutions. One hacktivist Twitter account posts instructions
for using botnet command and control software, which appears to be related to the botnet
client code installed by the Java malware.
Piecing these data points together leads to a clearer picture: U.S. banks are likely going to be
targeted with a DDoS (Distributed Denial of Service) attack by a hacktivist group using botnets
based on the Java vulnerability. Based on what is known about infection profiles, banks can expect
the attacks to originate from Asian source IP addresses. This is threat intelligence: information
gathered from a number of disparate sources, synthesized by human analysts to identify a specific
threat to a specific target.
organizations often have limited resources and budgets to launch an adequate defense, hence
the asymmetric nature of the threat. The steady rise in documented data loss incidents provides
evidence that recent attacks are increasingly successful. The following chart depicts the increasing
number of documented attacks as identified by http://datalossdb.org/statistics.
FIGURE 29: Documented data loss incidents per year, 2006 through 2014 (horizontal bar chart,
x-axis 0 to 1800). The number of attacks increases almost every year.
The sheer volume of data which information security personnel must analyze can be overwhelming.
Organizations must react to a daily influx of vulnerabilities, zero-day threats, malware, exploit
kits, botnets, Advanced Persistent Threats (APT) and targeted attacks. The number of Common
Vulnerabilities and Exposures (CVEs) (http://web.nvd.nist.gov/view/vuln/statistics) identified every
year for the last 15 years is shown in the figure below; over 4,000 new security vulnerabilities have
been identified annually since 2005.
Over 4,000 new security vulnerabilities have been identified annually since 2005.
FIGURE 30: New Vulnerabilities Annually, 1999 through 2014 (horizontal bar chart, x-axis 0 to 8000).
The number of new vulnerabilities annually is almost unmanageable.
The rate of malware identification has also increased in recent years, as shown in the following
chart. Even a glance at the chart below shows the dramatic rise in the amount of new malware
identified annually since 2011 (http://www.av-test.org/en/statistics/malware/).
FIGURE 31: New malware identified annually, 2005 through 2014 (horizontal bar chart, x-axis 0 to 159,
numbers in millions). The amount of new malware isn't just rising; it is skyrocketing.
Intelligence about threats targeted to an organization's environment can assist in the prioritization of
remediation actions, so that mitigation efforts and resources are directed to areas with the greatest
need and defensive value.
For example, organizations with limited public exposure, and not storing or transmitting the types
of data typically desired by attackers, are likely to have different threat intelligence needs than
organizations which are highly visible in the public sphere, maintain highly desirable data, or are
associated with controversial topics. And an international organization involved in highly political
industries may require targeted intelligence on topics such as attacks from activist groups, attacks
on competitors, high-profile conferences and events, and industrial espionage.
Conclusion
The terms intelligence, cyberintelligence and cyberthreat intelligence have been used extensively
and interchangeably, and often incorrectly, in the information security community. They have been
used quite inaccurately to describe automated data feed services or data which may be used to
further identify and mitigate threats. However, the very specific nature of each of these terms builds
on the fundamental understanding of what true intelligence is and how it is derived. It is important
to align security industry terminology with that of the traditional intelligence community for a unified
understanding.
The traditional intelligence community has been managing threat intelligence for a long time, and has had the opportunity to improve, if not perfect, the process. Industry should apply its lessons learned to maximize the effectiveness of the newer breed of cyberthreat intelligence.
Changes to the cybersecurity landscape over the last several years have been the primary driver in
the need for threat intelligence services. As organizations seek new sources of threat intelligence,
they need to be aware of the different types of intelligence being delivered by the security industry.
DISTRIBUTED DENIAL OF SERVICE ATTACKS
Although Denial of Service (DoS) and Distributed Denial of Service (DDoS) have been common
attack techniques used by malicious actors for some time, organizations still struggle to mitigate
these threats. Such attacks can have a significant impact on a victimized organization. For years,
NTT Group has been helping prepare clients for such attacks.
Every year, new capabilities to mitigate DoS and DDoS threats enter the security marketplace. From
application layer appliances to the capabilities of content distribution networks, there has been a
great focus on managing the impact of these attacks.
The following sections present analyses of DDoS attacks, and a case study of a DDoS attack which
used a legitimate application feature against the targeted organization.
NTP Amplification Attacks
With 32 percent of all DDoS attacks during 2014, the most common type of attack we observed was the Network Time Protocol (NTP) amplification attack. In this attack, an attacker sets the source address of an NTP query to the intended victim's address, then sends the spoofed query to one or more NTP servers. Because NTP runs over UDP and nothing validates the source address, the servers respond to the victim (the spoofed source address) rather than to the attacker.
The amplification component of the attack is what makes it interesting. A very small query to an NTP server can produce a very large response if it uses particular NTP options; the best-known example is the monlist command of ntpd's mode 7 control interface, which returns the addresses of up to 600 recent clients in reply to a single small request. Because each reflector answers with many times more bytes than it received, the attacker's own bandwidth is multiplied at the victim, and the victim sees only the reflectors' addresses, not the attacker's.
TCP SYN Flood Attacks
Another of the largest types of DDoS attack, with 16 percent of the total, is also one of the oldest and most consistently observed over the years. A TCP SYN flood is performed by sending the target a large number of TCP SYN segments whose handshakes are never completed, exhausting the resources the listener sets aside for each connection in progress.
If mitigating controls are not in place, an attacker can use this tactic to create a large number of half-open connections on a server. Each one holds a slot in the listening socket's backlog until it times out; once the backlog is full, the server drops new SYNs, preventing users from connecting to ports which would normally be accessible for legitimate services.
Attackers can further ensure the success of SYN floods by employing different techniques to exhaust resources. These include spoofing the source IP addresses (so the SYN-ACKs go nowhere and the half-open entries linger for the full timeout), targeting multiple ports, attacking from multiple distributed sources, and using botnets.
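To make the mitigation side of this concrete, the following Python is an added example (not code from the report) that models how a listener can survive a SYN flood without keeping per-connection state: SYN cookies, in a simplified form of the scheme Linux enables with net.ipv4.tcp_syncookies. The server encodes everything it needs into the initial sequence number of its SYN-ACK and recovers it from the client's final ACK, so spoofed SYNs that never complete cost it nothing but bandwidth. The secret key, the MSS table, the backlog size and the addresses are assumptions constructed for the example.

```python
"""SYN cookies: a stateless answer to SYN floods (added example, simplified Linux-style)."""
import hashlib
import hmac
import socket
import struct

# Assumption: a per-host secret that the operator rotates; real kernels regenerate it.
SECRET = b"rotate-me-out-of-band"

# The client's MSS is encoded as an index into a small table so it fits in 3 bits.
MSS_TABLE = [536, 1300, 1440, 1460]


def _hash24(src, dst, sport, dport, slot):
    """24-bit keyed hash binding a cookie to the 4-tuple and the 5-bit time slot."""
    msg = struct.pack("!4s4sHHB", src, dst, sport, dport, slot)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_mss, t):
    """Initial sequence number for the SYN-ACK, issued instead of a backlog entry.

    Layout of the 32-bit ISN: 5-bit time slot | 3-bit MSS index | 24-bit keyed hash.
    Everything needed to finish the handshake later is recoverable from the ACK.
    """
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    slot = t & 0x1F
    return (slot << 27) | (mss_idx << 24) | _hash24(src, dst, sport, dport, slot)


def check_syn_cookie(ack, src, dst, sport, dport, now, max_age=2):
    """Validate the final ACK of a handshake that was answered with a cookie.

    The client acknowledges ISN + 1, so the cookie is ack - 1. Returns the MSS to
    use for the connection, or None if the cookie is stale or was not issued by us.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = ((now & 0x1F) - slot) % 32          # slots wrap every 32 ticks
    if age > max_age:
        return None
    if (cookie & 0xFFFFFF) != _hash24(src, dst, sport, dport, slot):
        return None
    return MSS_TABLE[mss_idx]


def simulate_flood(backlog_limit, spoofed_syns, use_cookies):
    """Does a legitimate client still get through after a flood of spoofed SYNs?

    Spoofed SYNs never complete the handshake. Without cookies each one holds a
    backlog slot until it times out, and once the backlog is full the listener
    drops new SYNs. With cookies nothing is stored, so the flood consumes only
    the bandwidth needed to send SYN-ACKs.
    """
    half_open = set()
    for i in range(spoofed_syns):
        if use_cookies:
            break                              # no state to exhaust
        if len(half_open) >= backlog_limit:
            break                              # backlog full: further SYNs are dropped
        half_open.add(("198.51.100.%d" % (i % 254 + 1), 40000 + i))

    # Constructed legitimate client: 192.0.2.1:51234 -> 192.0.2.10:443, MSS 1460.
    src, dst = socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.10")
    sport, dport = 51234, 443
    if not use_cookies:
        return len(half_open) < backlog_limit
    t = 7
    isn = make_syn_cookie(src, dst, sport, dport, 1460, t)
    return check_syn_cookie((isn + 1) & 0xFFFFFFFF, src, dst, sport, dport, now=t + 1) == 1460


if __name__ == "__main__":
    print("backlog only, 1000 spoofed SYNs, client connects:", simulate_flood(128, 1000, False))
    print("SYN cookies,  1000 spoofed SYNs, client connects:", simulate_flood(128, 1000, True))
```

The price of the cookie is that TCP options the server cannot encode in 32 bits (window scaling, SACK) are lost for connections accepted this way, which is why kernels only switch to cookies once the backlog is actually full.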
SSDP Amplification Attacks
Similar to other reflection attacks such as DNS and NTP amplification, attackers send specially crafted requests (SSDP M-SEARCH discovery queries) with a spoofed source address to SSDP-enabled devices, which then direct their responses to the targeted system. Although the service listens on UDP/1900, responses are sent to whatever source port the spoofed request carried, so the attacker can aim them at other ports and services on the victim. Since there is no shortage of SSDP-enabled devices reachable from the Internet, SSDP is a good candidate for reflection- and amplification-based attacks, and several tools allow attackers to identify SSDP-enabled devices and launch attacks against a chosen victim.
Botnets capable of performing SSDP DDoS attacks may use compromised home computers, network equipment and residential appliances to conduct attacks. Due to the wide use of SSDP, especially in residential devices such as modem/router bundles, wireless access points, and many home entertainment appliances and gaming systems, it is likely that SSDP DDoS attacks will continue.
Unfortunately, most devices which implement SSDP enable it by default, and it is unlikely that residential users will patch or disable the service. A residential device has no reason to answer discovery requests from the Internet, so the practical defense lies with ISPs and network operators: block UDP/1900 from the Internet at the customer edge and filter spoofed source addresses so the devices cannot be reached or abused as reflectors.
Multi-vector attacks
In multi-vector attacks, combinations of different DDoS attack types are used during a single incident. Attackers will often initiate attacks using one method, but may adapt their approach during the attack if the primary method is not as effective as anticipated.
Alternatively, attackers may elect to use multiple methods of attack simultaneously to ensure their
success. For example, attackers may start with NTP amplification but then use methods such as
SYN flood, SSDP, application specific or other methods to amplify the effect of the attack.
Multi-vector attacks can be a powerful tactic since this increases the chances of success. These
attacks are also designed to overwhelm defenses and organizational staff. It can be a challenge for
organizations to respond to multi-vector attacks since different attack techniques require different
mitigation and defensive approaches.
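The NTP and SSDP attacks described above, and the multi-vector combinations of them, share a victim-side signature: unsolicited UDP traffic whose source port is a reflector service, arriving from many unrelated hosts in packets far larger than legitimate use of that service ever produces (a normal NTP exchange is 48-byte packets; monlist replies are 440-byte packets). The following Python is an added example, not code from the report, of a flow-record triage that flags such traffic per victim and reports which vectors are hitting it at the same time. The flow records are constructed, and the per-service packet-size thresholds and the minimum reflector count are assumptions to tune to your own baseline.

```python
"""Victim-side triage of reflection/amplification DDoS from flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as exported by NetFlow/IPFIX or a firewall."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


# Reflector service by UDP source port, and the largest average packet size that
# ordinary use of the service produces (assumed thresholds; tune to your baseline).
# NTP time replies are 48 bytes, monlist replies 440; SSDP M-SEARCH replies run to
# a few hundred bytes; DNS replies above 512 bytes are EDNS0/ANY-style responses.
REFLECTORS = {
    123: ("NTP", 100),
    1900: ("SSDP", 200),
    53: ("DNS", 512),
}


def detect_reflection(flows, min_reflectors=10):
    """Return one alert per (victim, service) fed by at least min_reflectors hosts.

    Only UDP flows sourced from a reflector port and carrying oversized packets
    count, so 48-byte NTP replies to a real client are ignored.
    """
    stats = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTORS or f.packets == 0:
            continue
        service, max_normal = REFLECTORS[f.src_port]
        if f.bytes / f.packets <= max_normal:
            continue
        st = stats[(f.dst_ip, service)]
        st["reflectors"].add(f.src_ip)
        st["bytes"] += f.bytes
        st["packets"] += f.packets

    alerts = []
    for (victim, service), st in stats.items():
        if len(st["reflectors"]) >= min_reflectors:
            alerts.append({
                "victim": victim,
                "service": service,
                "reflectors": len(st["reflectors"]),
                "bytes": st["bytes"],
                "avg_pkt": st["bytes"] // st["packets"],
            })
    return sorted(alerts, key=lambda a: (-a["bytes"], a["service"]))


def vectors_per_victim(alerts):
    """Group alerts by victim so a multi-vector attack shows up as one target."""
    vectors = defaultdict(list)
    for a in alerts:
        vectors[a["victim"]].append(a["service"])
    return {v: sorted(s) for v, s in vectors.items()}


def sample_flows():
    """Constructed flow records (documentation addresses, not real traffic)."""
    flows = []
    victim = "198.51.100.7"
    # 12 NTP reflectors sending 440-byte monlist replies to the victim.
    for i in range(1, 13):
        flows.append(Flow("203.0.113.%d" % i, 123, victim, 80, "UDP", 44000, 100))
    # 15 SSDP reflectors sending 320-byte M-SEARCH replies to the same victim.
    for i in range(1, 16):
        flows.append(Flow("192.0.2.%d" % i, 1900, victim, 80, "UDP", 32000, 100))
    # Legitimate NTP: 48-byte replies to a real client, must not alert.
    for i in range(50, 53):
        flows.append(Flow("203.0.113.%d" % i, 123, "198.51.100.20", 123, "UDP", 480, 10))
    # Only 5 DNS reflectors: oversized, but below the reflector-count threshold.
    for i in range(60, 65):
        flows.append(Flow("203.0.113.%d" % i, 53, "198.51.100.9", 33434, "UDP", 14000, 10))
    # Ordinary TCP web traffic is never considered.
    flows.append(Flow("203.0.113.99", 443, victim, 52000, "TCP", 900000, 700))
    return flows


if __name__ == "__main__":
    found = detect_reflection(sample_flows())
    for a in found:
        print(a)
    print(vectors_per_victim(found))
```

Run against real exports, the same grouping answers the question the mitigation team asks first: which vectors are active, so that the right filter (drop UDP/123 from many sources, drop UDP/1900 entirely) goes to the ISP or scrubbing provider, and whether a second vector is waiting behind the first.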
Technical Recommendations
- Implement a layered approach to DDoS mitigation, leveraging multiple technologies.
- Implement onsite application-layer DoS mitigation such as a web application firewall.
- Filter traffic at multiple points of ingress, including the upstream ISP and content distribution networks or scrubbing services. Third-party scrubbing and filtering services can be valuable because they are built to address multiple types of DDoS attack at once.
- Implement dynamic bandwidth services which can scale bandwidth as an attack unfolds. This is not optimal as a long-term solution, but it can help absorb some of the initial impact of an attack.
- Many network firewalls, load balancers and servers support rate limiting, SYN cookies or session timeouts. Ensure staff understand the environment and the tools which are already available.
- Understand the capabilities of the organization and of the ISP to handle TCP SYN flood attacks. Many ISPs implement detection for spoofed source addresses and filter them by default, but confirm this with your ISP rather than assuming it.
- Keep in mind that ISPs often do a good job of filtering high-volume attacks, but smaller attacks may go unnoticed and unfiltered.
- Depending on the focus of the attack, host- or application-based controls can help mitigate session or connection exhaustion.
- Ensure the organization follows system and service hardening guidelines, to reduce misconfiguration and limit the services running.
Non-technical Recommendations
- Ensure the organization understands not only its ability to detect a DDoS attack, but its ability to respond.
- Account for DDoS attacks in the organization's business continuity and disaster recovery plans.
- Evaluate the financial impact a DDoS attack would have on organizational operations and services.
- DDoS attacks are often used to mask other criminal activity. During a DDoS attack, ensure the organization remains alert for other malicious activity which may be occurring at the same time (fraudulent wire transfers, other breaches, and data exfiltration from other network segments).
- Know who to call for support during a DDoS attack (SOC, vendors, ISPs, incident response teams).
During the first quarter of 2014 DDoS mitigation providers and the general media recognized
significant spikes in NTP based DDoS activity. NTT Group saw the same result in the data we
collected. As depicted in the following chart, the majority of NTP amplification activity for the year
was observed from January through April 2014, with only a small reoccurrence of similar attacks in
the fourth quarter.
One of the primary reasons for this dramatic increase in NTP related attacks was the availability of
toolkits allowing attackers to initiate powerful attacks without requiring extensive skills. One of the
toolkits providing this capability is NTP-AMP.
FIGURE 33: Percentage of DDoS attack types by month, January through December 2014 (DNS amplification, SSDP amplification, multi-vector, TCP SYN, NTP amplification, other).
Not quite as high in volume, SSDP amplification attacks were observed by NTT Group growing in July and continuing to gain momentum during the fourth quarter, peaking in December 2014.
The rise of SSDP based attacks in the last quarter of 2014 was rapid and widespread. This jump in
observed attacks is likely due to the increased visibility of reflection-based DDoS capability and the
availability of tools supporting these attack methods. With the global availability of UPnP and SSDP
enabled devices it is likely we will continue to observe SSDP based attacks for the near future.
For specific recommendations and more information on the DDoS attack types covered in this
section, please also read the Distributed Denial of Service Observation section of the report.
Case Study, Web Application DDoS Attack
Timeline of Events (FIGURE 34)
- Possible application DDoS attack detected
- Sanitized details related to the attack traffic are transmitted to the DoS prevention vendor
Elapsed time once logs were received from the ISP: 1.5 hours.
Description of Event
During the spring of 2014, NTT Group security analysts in a Security Operations Center (SOC) detected a DDoS attack by observing anomalous responses from various systems within a single client's monitored environment. NTT Group initiated further investigation along with the client, XYZ Corp, as well as XYZ Corp's IT service provider and ISP. The team quickly identified that the latency experienced with application performance was not caused by maintenance or network equipment failures. The NTT SOC team requested the relevant logs, and further investigation indicated that attackers were using legitimate WordPress functionality called Pingback [7] to conduct a DDoS attack. Once NTT Group security analysts identified the nature of the attack, they developed, tested and deployed a signature to mitigate future attacks.
Following the successful mitigation, the DoS prevention vendor was informed about the incident and how NTT Group had mitigated the attack. The vendor created and deployed an official signature, which was made available to all of its other customers.
Root Cause
This was an application attack, where the goal was to consume all the resources of the targeted web application. The attack did not affect network access to the website, as the volume was low. This is typical of application attacks, and can make them difficult to distinguish from normal website traffic. The low bandwidth also means other applications sharing the same Internet access were not affected by the attack.
Using this feature in WordPress, the attackers took advantage of legitimate third-party servers with good reputations, creating what appeared to be legitimate HTTP requests directed at the victim's web servers. The victim's website was not running WordPress.
Pingback is enabled by default on WordPress and is used to cross-reference between blogs: when blog A links to blog B, A notifies B through the pingback.ping method of B's XML-RPC interface (xmlrpc.php), and B fetches the source page to verify that the link really exists. The attacker abuses this verification step by submitting pingback.ping calls in which the claimed source URL is the victim's website, so that the WordPress site contacts the victim to check whether the pingback in fact originated from that location. The resulting requests are legitimate HTTP GETs, but the attacker appends an arbitrary query string value which changes for each request. This arbitrary value is key to the effectiveness of the attack, as it forces the web server to regenerate the page for each incoming request, effectively bypassing any buffer storage or caching intended to reduce the load on the web server. Such reloads are very resource intensive on the application and can create a denial-of-service (DoS) condition on the affected website. This is especially true where the page requested is media rich, with larger file sizes and a large amount of content.
Two characteristics make the traffic recognizable: the reflecting sites identify themselves with a User-Agent of the form "WordPress/<version>; <site URL>; verifying pingback from <address>", and a single page is requested with hundreds of distinct query strings by many unrelated sites.
For this particular type of WordPress attack, legitimate WordPress sites are turned against innocent
victims. WordPress attacks have been observed in the wild, in some cases using more than
160,000 WordPress sites to send pingback requests to a single victim.
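The two characteristics above (the verifying-pingback User-Agent, and one page fetched with an ever-changing query string by many unrelated sites) are what a SOC signature keys on. The following Python is an added example, not the signature NTT Group or the vendor deployed, that runs that logic over web server access logs in Apache combined format and reports the reflecting WordPress sites per targeted path. The log lines are constructed, and the minimum number of distinct reflecting sites before alerting is an assumption to tune.

```python
"""Spotting a WordPress pingback DDoS in access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent WordPress sends while verifying the source page of a pingback.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[^;]+); (?P<site>[^;]+); verifying pingback from (?P<caller>\S+)$'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_pingback_abuse(lines, min_sites=5):
    """Group pingback-verification requests by path and flag paths hit by many sites.

    A genuine pingback check is a single request from one blog. An attack is the
    same page fetched by dozens of unrelated WordPress sites, each request carrying
    a different query string so that no cache can answer it.
    """
    per_path = defaultdict(lambda: {"sites": set(), "queries": set(), "callers": set(),
                                    "requests": 0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if ua is None:
            continue
        parts = urlsplit(rec["target"])
        st = per_path[parts.path or "/"]
        st["sites"].add(ua.group("site"))
        st["queries"].add(parts.query)
        # The address the blog saw calling xmlrpc.php: attacker or proxy, self-reported.
        st["callers"].add(ua.group("caller"))
        st["requests"] += 1
        st["bytes"] += int(rec["size"]) if rec["size"].isdigit() else 0

    alerts = []
    for path, st in per_path.items():
        if len(st["sites"]) >= min_sites:
            alerts.append({
                "path": path,
                "reflecting_sites": len(st["sites"]),
                "requests": st["requests"],
                "distinct_queries": len(st["queries"]),
                "bytes_served": st["bytes"],
                "xmlrpc_callers": sorted(st["callers"]),
            })
    return sorted(alerts, key=lambda a: -a["requests"])


def sample_log():
    """Constructed access-log lines (documentation addresses and example.com names)."""
    lines = []
    for i in range(1, 15):
        # 14 distinct WordPress blogs each fetching the front page with a random query.
        lines.append(
            '203.0.113.%d - - [12/Mar/2014:10:15:%02d +0000] "GET /?%d HTTP/1.1" 200 48213 '
            '"-" "WordPress/3.8.1; http://blog%d.example.com; verifying pingback from 198.51.100.77"'
            % (i, i, (i * 7919) % 100000, i)
        )
    # One genuine-looking verification of a single post from one blog.
    lines.append(
        '203.0.113.40 - - [12/Mar/2014:10:16:01 +0000] "GET /news/launch HTTP/1.1" 200 8120 '
        '"-" "WordPress/3.8.1; http://partner.example.com; verifying pingback from 203.0.113.40"'
    )
    # Ordinary browser traffic to the same front page.
    for i in range(1, 6):
        lines.append(
            '192.0.2.%d - - [12/Mar/2014:10:16:%02d +0000] "GET / HTTP/1.1" 200 48213 '
            '"https://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"'
            % (i, i + 10)
        )
    return lines


if __name__ == "__main__":
    for alert in find_pingback_abuse(sample_log()):
        print(alert)
```

The alert carries what the responders in the case study needed: the list of reflecting sites to give the abuse contacts and the DoS prevention vendor, and the path being hammered, which is what a WAF rule or edge filter matches on (pingback-verification User-Agent plus a non-empty query string to a page that takes none). The blogs themselves are not hostile, so blocking them outright is a last resort.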
A few months later, attackers attempted the same type of WordPress DDoS attack against the same client, along with several financial and transportation businesses. One financial institution's website was unavailable for over an hour, while other companies experienced varying degrees of impact for up to 12 hours. NTT Group clients experienced no measurable business impact.
[7] https://en.support.wordpress.com/comments/pingbacks/
Cost of Incident
Based on interaction with the client XYZ Corp, NTT Group estimated that the actual cost of this event was low, since the incident was discovered and mitigated rapidly. Costs associated with the incident were mostly related to coordination, communication, documentation and lessons-learned activities.
FIGURE 35: Cost of Successfully Mitigated DDoS Event
ITEM: Actual cost of investigation, remediation and professional incident support as described. COST: Less than $2000
ITEM: Actual cost of legal and public relations support. COST: $0
ITEM: Actual total cost directly related to the event. COST: Less than $2000
ITEM: Actual total cost of the follow-on attack (after signatures had been deployed). COST: $0
- Conduct an enterprise risk assessment: Identify your organization's important data and applications, and the potential impact which different attacks could have on your organization. If an attack could create an outage causing a measurable impact on your business, include DoS/DDoS mitigation strategies in your organization's security plans.
- Create a formal DoS/DDoS incident response plan: Ensure that your incident response plan includes guidance for preparation for, and response to, DoS/DDoS attacks.
- Deploy a layered DoS/DDoS defense strategy: Consider all aspects of your environment, and review on-site, cloud and ISP-based solutions. Not all DoS/DDoS attacks are equal; low-and-slow application attacks require a different response tactic than rate-based reflection attacks which flood the network layer.
- Understand ISP options: Keep an accurate contact list with names and phone numbers for all ISP and third-party providers so you can readily contact them for assistance. Discuss DoS/DDoS detection and mitigation support options with your ISP before you actually need the services.
- Review lessons learned: After a DoS/DDoS attack, regardless of whether the attack was successful, review your lessons learned to help you manage future attacks.
- Test your environment: Test your exposed systems to find, and mitigate, system limits and weak points before you are subjected to an attack.
- Leverage monitored and managed security services: Evaluate the offerings of any DoS/DDoS mitigation and assessment services supported by your managed security services provider. Be proactive about understanding their capabilities, and how third-party services can complement other available resources.
NTT GROUP RESOURCE INFORMATION
About NTT Group Security Companies
Solutionary
CONTACT INFO: Ph: 866-333-2133 | Email: info@solutionary.com | Visit: www.solutionary.com
Solutionary, an NTT Group security company (NYSE: NTT), is the next generation managed security services provider (MSSP), focused on delivering managed security services and global threat intelligence. Comprehensive Solutionary security monitoring and security device management services protect traditional and virtual IT infrastructures, cloud environments and mobile data.
Solutionary clients are able to optimize current security programs, make informed security decisions,
achieve regulatory compliance and reduce costs. The patented, cloud-based ActiveGuard MSSP
platform uses multiple detection technologies and advanced analytics to protect against advanced
threats. The Solutionary Security Engineering Research Team (SERT) researches the global threat
landscape, providing actionable threat intelligence, enhanced threat detection and mitigating
controls. Experienced, certified Solutionary security experts act as an extension of clients internal
teams, providing industry-leading client service to global enterprise and mid-market clients in a wide
range of industries, including financial services, healthcare, retail and government. Services are
delivered 24/7 through multiple state-of-the-art Security Operations Centers (SOCs).
See how Solutionary can enhance security, improve efficiency and ease compliance. Contact an authorized Solutionary partner or Solutionary directly.
CONTACT INFO: Visit: www.nttcomsecurity.com for regional contact information
security and risk management. By choosing our WideAngle consulting, managed security and technology services, our clients are free to focus on business opportunities while we focus on managing risk.
The breadth of our Governance, Risk and Compliance (GRC) engagements, innovative managed
security services and pragmatic technology implementations, means we can share a unique
perspective with our clients helping them to prioritize projects and drive standards. We want to
give the right objective advice every time.
Our global approach is designed to drive out cost and complexity recognizing the growing value
of information security and risk management as a differentiator in high-performing businesses.
Innovative and independent, NTT Com Security has offices spanning the Americas, Europe
and APAC (Asia Pacific) and is part of the NTT Communications Group, owned by NTT (Nippon
Telegraph and Telephone Corporation), one of the largest telecommunications companies in the
world.
To learn more about NTT Com Security and our unique WideAngle services for information security
and risk management, please speak to your account representative or visit: www.nttcomsecurity.
com for regional contact information.
Dimension Data
CONTACT INFO: Visit: www.dimensiondata.com
Dimension Data, an NTT Group company (NYSE: NTT), is a USD 6.7 billion ICT solutions and services provider with over 25,000 employees and with operations in 58 countries. Its security
business delivers broad technical and integration expertise across a variety of IT disciplines,
including networking, security, communications, data centres, and end-user computing. We
service over 6,000 security clients across all industry sectors, including financial services,
telecommunications, healthcare, manufacturing, government, and education. Our real-time security
information and event management architecture is based on an enterprise-wide risk management
solution that enables our Security Operations Centre (SOC) analysts to centrally manage attacks,
threats, and exposures by correlating security information from multiple security technology controls.
This solution enables them to eliminate clutter such as false positives, while quickly identifying the
real security threats to help them respond effectively and efficiently. Our team of certified security
experts, located in SOCs, brings unmatched cybersecurity experience to augment the knowledge
base of our clients IT organisations. We provide peace of mind with skilled technicians ready to help
clients respond to, and mitigate, all cybersecurity threats. Our certifications include ISO9001, ISO/
IEC 27001:2013, ASD Protected Gateway, PCI DSS, and ASIO T4.
For more information, please contact your nearest Dimension Data office or visit
http://www.dimensiondata.com.
NTT DATA
CONTACT INFO: Visit: www.nttdata.com
NTT DATA, an NTT Group security company (NYSE: NTT), is a leading IT services provider and global innovation partner with 75,000 professionals based in over 40 countries. NTT DATA
emphasizes long-term commitment and combines global reach and local intimacy to provide
premier professional services, including consulting, application services, business process and
IT outsourcing, and cloud-based solutions. Were part of NTT Group, one of the worlds largest
technology services companies, generating more than $112 billion in annual revenues, and partner
to 80% of the Fortune Global 100.
Visit http://www.nttdata.com to learn how our consultants, projects, managed services, and
outsourcing engagements deliver value for a range of businesses and government agencies.
NTT Innovation Institute
CONTACT INFO: Visit: www.ntti3.com
NTT Innovation Institute, Inc., (NTT i3) is the Silicon Valley-based innovation and applied research and development center of NTT Group. The institute works closely with NTT operating companies
and their clients around the world to develop market-driven, client-focused solutions and services.
NTT i3 builds on the vast intellectual capital base of NTT Group, which invests more than $2.5
billion a year in R&D. NTT i3 and its world-class scientists and engineers partner with prominent
technology companies and start-ups to deliver market-leading solutions which span strategy,
business applications, data and infrastructure on a global scale.
NTT Group gathers security log, alert, event and attack information, enriches it to provide context,
and analyzes the contextualized data. This process enables real-time global threat intelligence and
alerting. The size and diversity of our client base, with over 18,000 customers, provides NTT Group
with a set of security information which is truly representative of the threats encountered by most
organizations.
The data is derived from worldwide log events identifying attacks based on types or quantities of
events. The use of validated attack events, as opposed to the raw volume of log data or network
traffic, more accurately represents actual attack counts. This methodology lends credibility to the
resulting data. Without proper categorization of attack events, the disproportionately large volume
of network reconnaissance traffic, false positives, authorized security scanning and large floods
of DDoS actively monitored by Security Operations Centers (SOCs), would obscure the actual
incidence of attacks.
Ultimately, the inclusion of data from the various NTT Group security companies provides a more
accurate representation of the threat landscape around the world.
global scale. GTIP enables NTT security experts to provide actionable insight which can minimize
cybersecurity threats, mitigate damages, and quickly recover to effectively reduce business
disruption. This threat intelligence enables NTT Group to provide new and enhanced proactive
security services, including threat watch for clouds and applications hosted on NTT cloud servers.
TERMINOLOGY AND GLOSSARY
The following terminology is used within the GTIR:
0-day (zero-day) Attack: an attack which exploits a previously unknown vulnerability in software.
APT (Advanced Persistent Threat): an attacker with long-term goals who is highly skilled and well-
funded, generally by a government or by organized crime. An APT is usually a complex attack using
multiple techniques for maximum benefit.
Breach: a cyberattack in which an organization's data has been stolen or made public through compromise of networks or systems.
BYOD (Bring Your Own Device): the practice of enabling employees to use their personally owned
mobile devices in the corporate work environment.
Dark Web: content and services hosted on overlay networks (such as Tor hidden services) which require special software to reach and are not indexed by ordinary search engines. These networks are often used for nefarious or illegal purposes.
DoS (Denial of Service) and DDoS (Distributed Denial of Service): attacks which make a
machine or network resource unavailable to intended users. A DDoS attack originates from many
devices at once.
Exploit Kit: a malicious toolkit often used in cybercrime to exploit vulnerabilities in software
applications.
Firewall: software or hardware designed to control incoming and outgoing network traffic
by analyzing the data packets and determining whether they should be allowed, based on a
predetermined rule set.
Hacktivist: a hacker whose activity (hacktivism) is aimed at promoting a social or political cause.
Honeypot: decoy systems set up to gather information about an attack or attacker and to
potentially deflect that attack from a corporate environment.
IDS (Intrusion Detection System): typically network based, relying on signatures or heuristics to
detect potentially malicious network anomalies.
Incident Response Program: an organizations plan for reacting to, and managing the impact of, a
cyberattack.
Injection: an attack performed by inserting malicious code or data into what the receiving system
sees as a valid query.
IP Reputation: a database which classifies IP addresses according to whether they are believed to
host malware.
IPS (Intrusion Prevention System): typically network based and similar to an IDS, except it takes
the added step of blocking traffic identified as having potentially malicious characteristics.
Malware: a general term for malicious software including viruses, worms, Trojans, and spyware.
NTP (network time protocol): a protocol for exchanging time-of-day information to keep system
clocks synchronized.
Phishing: attempting to acquire information such as usernames, passwords, and credit card details
(and indirectly, money) by masquerading as a trustworthy entity in an electronic communication
(email).
Ransomware: malware which encrypts a victim's data and demands a ransom payment in exchange for a decryption key.
Social Engineering: gaining unauthorized access through methods such as personal visits,
telephone calls or social media websites. These attacks primarily target people and take advantage
of human weaknesses associated with security.
Spear-phishing: a highly targeted phishing attack, using knowledge about a specific person or organization.
Trojan: a type of malware which masquerades as a legitimate file or helpful program but has been
designed for nefarious acts.