
TABLE OF CONTENTS

Executive Summary.................................................................................................... 3
Introducing the 2015 Global Threat Intelligence Report.......................................... 3
Key Findings............................................................................................................... 4
Geographic and Vertical Market Trends................................................................. 4
Vulnerabilities, Attacks and Exploitation................................................................. 4
Incident Response and Case Studies.................................................................... 5
The Rise of Global Threat Intelligence in the Digital Business World...................... 7
The Challenge for IT............................................................................................... 7
The Broader View with Threat Intelligence.............................................................. 8
Global Data Analysis and Findings............................................................................ 9
2014 Attack Analysis.............................................................................................. 9
Exploit Kits Operational Lifecycles and Current Trends........................................ 15
Exploit Kit Development and Operation Lifecycles................................................. 15
Vulnerabilities Targeted in Exploit Kits ................................................................... 20
Exploit Kit Detection by Month............................................................................... 26
The User is the Perimeter.......................................................................................... 29
The User is Vulnerable........................................................................................... 30
Weekend Trends.................................................................................................... 32
Case Study, Spear-Phishing Campaign................................................................. 35
Incident Response..................................................................................................... 40
Enterprise Capabilities Mature at Slow Pace.......................................................... 40
Types of Incident Response................................................................................... 40
Incidents by Sector................................................................................................ 41
Five Key Recommendations Based on Incident Review......................................... 44
Threat Intelligence Defined..................................................................................... 49
Distributed Denial of Service Attacks ....................................................................... 56
Distributed Denial of Service Observations............................................................ 56
Calendar View of the Distribution of DDoS Attack Types........................................ 59
Case Study, Web Application DDoS Attack........................................................... 61
NTT Group Resource Information ............................................................................. 65
About NTT Group Security Companies................................................................. 65
The NTT Global Data Analysis Methodology.......................................................... 67
The NTT Global Threat Intelligence Platform (GTIP)................................................ 67
Terminology and Glossary......................................................................................... 69

2015 NTT Group Global Threat Intelligence Report Copyright 2015 NTT Innovation Institute 1 LLC 2
EXECUTIVE SUMMARY
Introducing the 2015 Global Threat Intelligence Report
Over the last several years, there has been significant security industry focus on Advanced
Persistent Threats (APTs, or advanced threats), and rightly so. Advanced threats are after
organizations' crown jewels, and even the most sophisticated security vendors struggle to detect
advanced attacks in progress. However, without the practical fundamentals, such as mature patch
management processes, incident response procedures, endpoint protection controls, and proper
training for users to detect phishing attacks or malware on their computer, attacks don't need to be
advanced to succeed. If the attacker can successfully exploit an old vulnerability or succeed with a
social engineering attack, they can use their advanced techniques to maintain the attack instead of
initiating it.

This report demonstrates that APTs aren't the only attacks with which organizations need to be
concerned. The data gathered by NTT Group in 2014 demonstrates that many organizations are
still not effectively defending against less advanced threats.

As a result, this report focuses on techniques used in less advanced attacks, and the ways in which
organizations can effectively defend against and respond to those attacks. This report also includes
a chapter focused on the risks to end users, who are exclusively the targets of exploit kit and spear
phishing attacks. End users are the perimeter for organizations, and they need to be treated that
way.

It is a common refrain in the security industry that everyone needs to anticipate being compromised,
but we do not see enough organizations taking this advice. NTT Group's observations in 2014 are
that most organizations are not adequately prepared to handle major incidents in their environment.

In other research areas, threat intelligence is a hot topic, but there appears to be some confusion in
the market about what threat intelligence is and what it is not. For this reason we have included
a brief introduction to threat intelligence, how NTT Group defines threat intelligence, and how it is
achieved. Proper threat intelligence is only recently being recognized for the true value it can bring
to an organization. While it is being treated as an extension of existing security controls, it is more
appropriate to consider this as a foundational element.

Distributed Denial of Service (DDoS) attacks are attacks from multiple sites which are conducted
with the purpose of making the target unavailable for intended users. We present an overview of the
DDoS attacks NTT Group observed in 2014, with a focus on the rise and fall of specific attacks as
well as the distribution of DDoS attack types observed throughout the year.

Each section of this report presents recommendations for organizations to compare what controls
they have in place against techniques which are proven to help mitigate threats.

KEY FINDINGS
Geographic and Vertical Market Trends
Throughout this year's report NTT Group provides insight into the different threats we have observed
against our clients, both by geographic location and alignment with specific business sectors.

• Finance continues to represent the number one targeted sector with 18% of all
detected attacks. The long-term trend of targeted attacks against the finance sector
continues. Most incident response engagements supporting the finance sector in 2014 were
directly related to wire fraud, phishing and spear-phishing attacks.

• Attacks against business and professional services moved from 9% to 15%. Business
and professional services increases are the result of the risks inherited through business-to-
business relationships. The likely implication is that this sector is generally softer, but high value
targets for attackers.

• Malware-related events in the education sector dropped from 42% to 35%. Although
there was a 7% decrease when compared to the 2013 findings, the education sector still
represents over one-third of all malware-related events across all sectors.

• 56% of attacks against the NTT global client base originated from IP addresses within
the United States. This represents a climb of 7% from 49% identified in 2013 data. Attackers
often leverage systems close to their intended targets, bypassing geo-filtering defense tactics.
The United States is also a highly networked country and there is no shortage of resources for
attackers to use.

Vulnerabilities, Attacks and Exploitation


An exploit kit is a malicious toolkit which bundles exploits so that those exploits can be more readily
and consistently executed against the targeted end-user systems. This year's vulnerability data and
analysis of exploit kits provided additional validation of last year's findings and also brought into view
the impact which exploit kits can have against organizations.

• Over 80% of vulnerabilities in 2014 exploit kits were published in 2013 and 2014.
In 2012, the average age of vulnerabilities in exploit kits was slightly less than two years old. In
2013 and 2014, the average age of vulnerabilities in exploit kits was just over one year. Exploit
kit developers are focusing on usability and effectiveness of their kits to ensure successful
compromise of targeted systems. Keeping content and capabilities of exploit kits fresh is a key
factor which supports cybercrime as a business.

• There has been an increase in Adobe Flash exploit usage in exploit kits from 2012
to 2014. The number of Flash vulnerabilities identified in 2014 was the highest ever. This
contributed to the steady increase of Flash-related exploits found in exploit kits. The Angler
exploit kit has included zero-day Adobe Flash exploits, differentiating itself from competition.

• Network Time Protocol (NTP) amplification attacks contributed to 32% of all DDoS
attacks observed by NTT Group in 2014. During the first quarter of 2014, NTP amplification
accounted for the single largest amount of DDoS activity for the entire year. The simplicity of
launching these types of attacks and the availability of DDoS tools to support them were key
contributors.

• DDoS amplification attacks using User Datagram Protocol (UDP) accounted for 63%
of all DDoS attacks observed by NTT Group. In addition to the NTP amplification attacks
observed, other UDP based attacks (SSDP and DNS) accounted for almost two-thirds of all
attacks.

• During 2014, 76% of identified vulnerabilities throughout all systems in the enterprise
were more than 2 years old, and almost 9 percent of them were over 10 years old.
Considering the data represents vulnerabilities with a Common Vulnerability Scoring System
score of 4.0 and higher, this should be cause for significant concern about the effectiveness of
patch management solutions. According to the CVSS, a score of 4.0 or higher would include
vulnerabilities rated as medium and high, and would likely result in failing of many compliance
assessments. Many of these vulnerabilities also have exploits available in exploit kits.

• 26% of observed web application attacks in 2014 were injection-based, up from 9% in
the 2014 GTIR. Injection-based attacks are the injection of malicious code or data into what
the receiving system believes is a valid query. These attacks often allow exfiltration of data
or remote command execution, and will be a significant concern for the foreseeable future.
Contributing to this type of vulnerability is not only the absence of secure coding practices
and quality assurance testing in custom applications, but also applications which inherit the
capabilities of vulnerable third-party code libraries and frameworks.
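The vulnerability-age finding above is a metric any organization can compute from its own scanner export. The following Python is an added example, not code from the NTT report: it applies the same CVSS 4.0 cut-off to constructed scanner findings and measures what share of the remaining findings is at least two and at least ten years old. The Finding schema, the placeholder identifiers, the hosts and the dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One scanner finding, i.e. one vulnerability instance on one host (assumed schema)."""
    host: str
    vuln_id: str      # placeholder identifier; not a real CVE number
    cvss: float       # CVSS base score as reported by the scanner
    published: date   # date the vulnerability was publicly disclosed


# Age bands for the histogram: (label, lower bound in years, upper bound in years).
AGE_BANDS = (
    ("<1y", 0.0, 1.0),
    ("1-2y", 1.0, 2.0),
    ("2-5y", 2.0, 5.0),
    ("5-10y", 5.0, 10.0),
    (">10y", 10.0, float("inf")),
)


def age_in_years(published: date, as_of: date) -> float:
    """Elapsed time between disclosure and the assessment date, in average years."""
    return (as_of - published).days / 365.25


def vulnerability_age_profile(findings, as_of: date, min_cvss: float = 4.0) -> dict:
    """Apply the report's CVSS >= 4.0 cut-off, then profile the age of what remains.

    Returns the number of findings kept, the share (0..1) that are at least two
    years old, the share at least ten years old, and a histogram over AGE_BANDS.
    Findings below min_cvss are ignored, matching the report's data selection.
    """
    kept = [f for f in findings if f.cvss >= min_cvss]
    histogram = {label: 0 for label, _, _ in AGE_BANDS}
    over_two = over_ten = 0
    for f in kept:
        age = age_in_years(f.published, as_of)
        if age < 0:
            raise ValueError(f"{f.vuln_id} on {f.host} is dated after the assessment date")
        for label, low, high in AGE_BANDS:
            if low <= age < high:
                histogram[label] += 1
                break
        if age >= 2.0:
            over_two += 1
        if age >= 10.0:
            over_ten += 1
    count = len(kept)
    return {
        "count": count,
        "share_over_2y": over_two / count if count else 0.0,
        "share_over_10y": over_ten / count if count else 0.0,
        "histogram": histogram,
    }


# Constructed sample: eight findings on four hosts, all identifiers are placeholders.
AS_OF = date(2014, 12, 31)
SAMPLE_FINDINGS = [
    Finding("web1", "EXAMPLE-0001", 7.5, date(2004, 3, 1)),    # more than 10 years old
    Finding("web1", "EXAMPLE-0002", 5.0, date(2010, 6, 15)),   # about 4.5 years old
    Finding("web2", "EXAMPLE-0003", 9.3, date(2014, 4, 7)),    # under a year old
    Finding("db1", "EXAMPLE-0004", 2.1, date(2003, 1, 1)),     # old, but below the CVSS cut-off
    Finding("db1", "EXAMPLE-0005", 4.0, date(2012, 10, 1)),    # exactly 4.0 is kept
    Finding("app1", "EXAMPLE-0006", 6.8, date(2013, 6, 1)),    # between one and two years
    Finding("app1", "EXAMPLE-0007", 10.0, date(2008, 8, 1)),   # between five and ten years
    Finding("web2", "EXAMPLE-0008", 5.0, date(2013, 2, 1)),    # between one and two years
]


def sample_profile() -> dict:
    """Profile the constructed sample as of the end of 2014."""
    return vulnerability_age_profile(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    profile = sample_profile()
    print(f"{profile['count']} findings with CVSS >= 4.0")
    print(f"{profile['share_over_2y']:.0%} at least two years old, "
          f"{profile['share_over_10y']:.0%} at least ten years old")
    for label, n in profile["histogram"].items():
        print(f"  {label:>6}: {n}")
```

Replacing SAMPLE_FINDINGS with rows parsed from a real scanner export gives the same two numbers the report quotes, which makes for a direct patch-management comparison.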

Incident Response and Case Studies


An organization's ability to identify attacks is not always equal to its ability to respond to an attack.
Detailed findings are provided throughout this report with specific recommendations and case
studies to illustrate some of the challenges faced by organizations today.

• NTT Group observed incident response efforts focused in three core areas (malware,
DDoS and breach investigations). Although it appears some organizations are realizing the
importance of managing incident response capabilities in-house, there is still a very clear trend
in organizations needing external support for these core areas. Organizations appear to be
fairly well suited for day-to-day operational response, but still rely on third-party expertise when
it comes to more complex security events.

• NTT Group support for DDoS attack response sharply decreased from 31% in 2013 to
18% in 2014. As technology capabilities become more widely available and affordable, and
education about DDoS mitigation becomes more widespread, NTT Group has observed a
decline in external support required for DDoS attacks. Although there was significant focus
on NTP and SSDP DDoS attacks in 2014, mitigation controls are often able to handle these
threats, resulting in fewer incident response support events in this area.

• Incident response engagements involving malware threats increased 9% compared
to 2013, from 43% to 52%. With the increased capabilities of exploit kits, NTT Group
experienced a steady increase of incident response support for malware threats. A majority of
this was in response to mass distributed malware.

• Basic controls are still not implemented in all cases. 74% of organizations do not have
formal incident response plans. Proper network segregation, malware prevention controls,
patch management, monitoring, and incident response planning could have prevented or
mitigated a significant portion of the incidents NTT Group saw in 2014. These foundational
controls are absent even in many large organizations.

• Case Study: Spear Phishing Attack. Organization saves over 80% by successful
mitigation. In this case study, NTT Group describes in detail how a spear phishing attack cost
an organization over $25,000 in legal and investigation costs, but could have cost $127,000 or
much more.

• Case Study: Web Application-based DDoS Attack. Due to rapid detection and response
efforts an organization was able to successfully address DDoS attacks, resulting in significant
reduction of reputation and monetary losses. Proactive DDoS services saved the organization's
reputation and avoided significant financial impact.

THE RISE OF GLOBAL THREAT INTELLIGENCE IN THE DIGITAL BUSINESS WORLD
In developing the Global Threat Intelligence Report (GTIR), the NTT Group security team used
extensive data gathering tools and technologies, including managed security services across the
NTT Infrastructure, professional service engagements, customer incidents and NTT's new Global
Threat Intelligence Platform (GTIP). This includes data and analysis from Dimension Data, NTT Data,
NTT Com Security, Solutionary and NTT Innovation Institute (NTT i3).

The Challenge for IT


NTT Group cast a wide data collection net to capture the diversity of attacks which are normal in
the modern security landscape. For this report, NTT Group used that broad dataset to analyze the
attacks. In reality, this same challenge is faced by IT departments on a daily basis, and these groups
must respond to these same types of attacks.

Organizational IT exists in a hybrid model which combines on-premises as well as cloud and
SaaS-based services which diversify the attack landscape. At the same time, IT departments in
compliance- and regulation-dominated industries need to maintain high levels of security for their
existing mission-critical systems, thereby establishing a bi-modal world.

This infrastructure diversity creates a dramatic increase in the complexity of managing security
operations and requires analysis which is not just confined to the local infrastructure. Cybercriminals
are globally organized, well-funded, skilled, and easily outnumber security staffers at most
organizations.

The challenge is multi-faceted because of:

• The burden of learning new technologies
• Increasing costs with hard-to-factor ROI
• A world-wide shortage of skilled security engineers and professionals
• Inconsistent user experiences across the variety of products needed
• Incompatible or poor integration between the hierarchy of products

Typical conventional frameworks were designed to fight a very different battle. They require a
number of different products, from a variety of vendors, to control and protect a variety of network
access points, processes and products. Security control is accomplished using the hierarchy of
networks and products to create a wall around a network to protect endpoints and servers as well
as valuable data and information.

The Broader View with Threat Intelligence


With threat intelligence, corporations can address customers' security challenges with verified, live,
and actionable supporting data based on the larger world context. Thanks to close collaboration
with global security communities, customers, vendors, industry forums and governments, the quality
of available security information is improving. What is most needed is a framework which effectively
consumes the available security information, then converts it to genuine intelligence through the
application of context-aware analysis.

This new framework will improve the industry's ability to deliver security controls using an integrated
hierarchy of products, services and intelligence. Organizations will be able to consider intelligence
which is meaningful to them, and when combined with awareness of their own environments, will
enable better management of risk and application of appropriate controls. An ultimate intrusion
resilient framework will deliver the latest in elastic security specifically designed to meet pressures
from today's digital world: cybercrime, state-sponsored attacks and hacktivism.

The best threat intelligence establishes security flexibility and integration for:

• Proactive protection
• Threat mitigation before attacks even begin
• Minimal damage if attacked
• Faster recovery from the damage
• Continuously improved security operations

Threat intelligence is an evolving capability in security, and many vendors are entering the
marketplace. Vendors utilize data from their respective installed bases or through customer service
engagements. Threat intelligence in the marketplace is constrained by delivery technologies, the
nature of the information sources, trustworthiness of the data and the geographical coverage.

GLOBAL DATA ANALYSIS AND FINDINGS
This section presents an analysis of global attack data gathered by NTT Group security companies
in 2014. The analysis is based on log, event, attack, incident and vulnerability data from clients and
NTT research sources, including honeypots, sandboxes and DDoS services.

During normal operations, NTT Group gathers security log, alert, event and attack information,
enriches it to provide context, and analyzes the contextualized data. NTT Group processes trillions
of logs and billions of attacks each year. The size and diversity of our client base makes this data
representative of the threats encountered by most organizations.

The data presented in this section is derived from correlated log events identifying attack events.
The use of validated attack events, as opposed to raw log data or network traffic volumes, more
accurately represents actual occurrences of attack. Without proper categorization of attack events,
the disproportionately large volume of untargeted network reconnaissance traffic, false positives,
and large floods of DDoS actively monitored by Security Operations Centers (SOCs), would obscure
the actual incidence of attacks.

2014 Attack Analysis


As shown in the figure below, 56 percent of attacks against the NTT client base originated from IP
addresses from within the United States. This confirms observations made in the 2014 NTT Global
Threat Intelligence report which indicated 49 percent of attacks originated from U.S. based IP
addresses during 2013.

NTT Group security companies continually analyze this data for additional context. The raw data
may suggest the United States is a buzzing hive of digital attackers while the rest of the world sits
idly by, but the reality is significantly different. Due to the ease of provisioning, cheap cost and quality
of U.S. based cloud hosting services, attackers frequently host their attacks on U.S. based servers
using these services as a mechanism to hide their actual source address. While the source IP
address is based in the U.S., the actual attacker could be anywhere in the world.

FIGURE 1: Attack Sources, 2014 (bar chart, percent of events). Sources shown, in chart order: United States, China, Australia, Great Britain, France, Germany, Russia, Netherlands, India, Ukraine, Denmark, Canada, Other.

The next figure documents the distribution of NTT clients contained in the data set, across their
associated industry sectors. For this year's report, clients were remapped from 14 vertical
industries to 18 industry sectors, allowing for a more accurate representation of industries. Based
on the analyzed data, NTT Group identifies in this report when this sector redistribution had a
significant impact on the presented findings.

FIGURE 2: Clients by Sector, 2014 (bar chart, percent of clients). Sectors shown, in chart order: Finance, Manufacturing, Technology, Business & Professional Services, Retail, Healthcare, Government, Media, Insurance, Education, Gaming, Transport and Distribution, Hospitality, Leisure & Entertainment, Non-profit, Telecommunications, Pharmaceuticals, Public, Legal.

The below figure represents the overall distribution of attacks by the targeted industry sector.
With 18 percent of all detected attacks, finance continues to represent the number one targeted
vertical sector. This is essentially unchanged from 2013, when 20 percent of attacks were directed
at organizations in the finance vertical. Due to redistribution of sectors, along with the addition of
new clients and more diverse geographies, many of the details relating to attacks by sectors have
evolved since 2013, making the data difficult to compare.

Considering the changes in client composition and available attack details, attacks against
manufacturing remained at a level comparable to last year, while attacks against business and
professional services and retail sectors both rose. NTT Group has seen some campaigns specifically
targeting business & professional services. The likely implication is that this sector may not have
the equivalent security resources as other companies, yet yields high value for attackers as both an
end target and a gateway target to strategic partners. The retail sector continues to be an attractive
attack target.

FIGURE 3: Attacks by Sector, 2014 (bar chart, percent of events). Sectors shown, in chart order: Finance, Business & Professional Services, Retail, Manufacturing, Healthcare, Technology, Education, Government, Pharmaceuticals, Insurance, Transport and Distribution, Gaming, Media, Hospitality, Leisure & Entertainment, Non-profit, Other.

One of the interesting data points to dive into is the distribution of attack types across all sectors
and countries. Anomalous activity, including privileged access attempts, exploitation software and
other unusual activity, moved from the second position (15 percent) into first, with 20 percent of the
total attack events. Network manipulation, web application attacks, and service specific attacks
all showed marked increases as well. Reconnaissance activity rose from 4 percent in 2013 to 10
percent this year, primarily due to refinement of alerting and reclassification of attacks as less hostile
activity.

This indicates attackers are spending more time and effort to scope out their victims and specifically
target attacks against the devices and applications which exist in the victim environment, and are
likely to be vulnerable. It also speaks to the prominence and effectiveness of exploit kits. Using
actively maintained exploit kits as a piece of the overall delivery mechanism facilitates large-scale
infections of unpatched operating systems and applications. Additional information can be found in
the section on Exploit Kits.

Other categories, such as DoS/DDoS and known bad source, show levels consistent with previous
years' reports.

FIGURE 4: Attacks by Type, 2014 (bar chart, percent of events). Types shown, in chart order: Anomalous Activity, Network Manipulation, Web Application Attack, Service Specific Attack, Reconnaissance, Application Specific Attack, DoS / DDoS, Evasion Attempts, Known Bad Source, Other.

The next figure presents the web application attacks category, which was the third most common
attack category observed by NTT Group in 2014. This is an important category, as it typically
reflects attacks against an organization's Internet-facing applications.

26 percent of observed web application attacks in 2014 were injection-style attacks, such as
SQL injection or LDAP injection. This directly correlates with the OWASP Top Ten Web Application
vulnerability list, where injection is the top vulnerability. It is also a significant increase from the 9
percent identified in the 2013 data. Lining up with OWASP[1] ranks four and two, insecure direct
object references and authentication and access control issues both dropped 3 and 4 percent,
respectively. Both of these risk types allow an attacker unauthorized access to data.

Cross-site scripting (XSS) and security misconfigurations both had similar levels of attacks as 2013.
Due to the high level of XSS vulnerabilities in the wild, it is surprising to see such a relatively low
volume of active exploitation.

[1] https://www.owasp.org/index.php/Main_Page
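The injection paragraphs above describe the failure mode (input that the receiving system treats as part of a valid query) and attribute it to missing secure coding practices. The following Python is an added example, not code from the report: it places an injectable SQL lookup beside its parameterized form on a constructed account table, and shows the equivalent escaping for an LDAP search filter (RFC 4515). The table, the account names and the filter shape are assumptions.

```python
import sqlite3

# Constructed account table: three users, one of whom has an apostrophe in the name.
SAMPLE_ACCOUNTS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("O'Brien", "obrien@example.test"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts (username, email) VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Injectable lookup: the caller's input is spliced into the SQL text itself.

    A quote in the input ends the string literal early, so the database can no
    longer tell where the data stops and the query resumes.
    """
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened lookup: the statement is fixed and the input travels as a bound value."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(conn: sqlite3.Connection, username: str) -> dict:
    """Run both lookups on the same input and report what each one did."""
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.Error as exc:
        vulnerable = f"error: {exc}"
    return {"vulnerable": vulnerable, "parameterized": lookup_parameterized(conn, username)}


# RFC 4515 escapes for the characters that carry meaning inside an LDAP search filter.
LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",   # backslash is handled first so the other escapes are not doubled
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it can only ever match literally inside an LDAP filter."""
    out = value.replace("\\", LDAP_FILTER_ESCAPES["\\"])
    for ch, esc in LDAP_FILTER_ESCAPES.items():
        if ch != "\\":
            out = out.replace(ch, esc)
    return out


def person_filter(uid: str) -> str:
    """Build a search filter for one uid; filter metacharacters in uid are neutralised."""
    return f"(&(objectClass=person)(uid={ldap_filter_escape(uid)}))"


if __name__ == "__main__":
    db = build_db()
    # A legitimate name containing a quote breaks the concatenated query outright.
    print(compare(db, "O'Brien"))
    # A quote that closes the literal early lets the remainder of the input rewrite the query.
    print(compare(db, "' OR '1'='1"))
    print(person_filter("j.doe*"))
```

The apostrophe case is the one worth showing developers first: the concatenated version fails on ordinary data before anyone hostile arrives, while the bound parameter and the escaped filter handle it unchanged.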

FIGURE 5: Web Application Attack Type, 2014 (bar chart, percent of events). In 2014, injection attacks lead web application attack types. Types shown, in chart order: Injection, Other, Insecure Direct Object Ref, Authentication & Access Control, XSS, Security Misconfiguration, Sensitive Data Exposure, Session Management.

Vulnerability data for 2014 is generated across multiple organization verticals and sizes, and from
a wide range of scanning data from multiple scanning vendor products, including: Qualys, Nessus,
Saint, McAfee, Rapid7, Foundstone and Retina. The next figure represents the top ten vulnerabilities
from external and internal scans. The inclusion of additional data from more distributed global
geographies, along with the data from new clients, makes it difficult to compare 2013 and 2014
vulnerability data.

TOP 10 EXTERNAL AND INTERNAL VULNERABILITIES OF 2014

Top 10 External Vulnerabilities        | % of all External Vulnerabilities | Top 10 Internal Vulnerabilities            | % of all Internal Vulnerabilities
Outdated PHP Version                   | 15%                               | Outdated Java Runtime Environment          | 11%
Outdated Apache Web Server             | 10%                               | Oracle Java SE Critical Patch Update       | 10%
Outdated Apache Tomcat Server          | 9%                                | Multiple Vulnerabilities in Java Web Start | 7%
Cross-Site Scripting                   | 5%                                | Missing MS Windows Security Updates        | 7%
SSL/TLS Information Disclosure         | 5%                                | Outdated Flash Player Version              | 6%
Outdated Open SSL Version              | 3%                                | Outdated Adobe Reader and Acrobat          | 3%
SSL/TLS Renegotiation Handshakes       | 3%                                | Outdated Internet Explorer                 | 3%
Vulnerable 3rd Party Apache Plugins    | 2%                                | Multiple Oracle Vulnerabilities            | 2%
Web Clear Text Username/Password       | 2%                                | Outdated/Missing Patches Oracle DB         | 1%
Outdated OpenSSH Version               | 2%                                | Outdated OpenSSH Version                   | 1%

FIGURE 6: Top 10 External and Internal Vulnerabilities of 2014

NTT Group gathers and analyzes malware samples from a wide range of sources, including NTT
Group security platforms, incident response investigations, malware repositories, malware feeds,
interactions with clients and privately maintained honeypot networks. The analyses performed allow
for development of proprietary detection and prevention signatures to better protect our clients. The
following figure shows the distribution of malware by sector.

While down from last year's 42 percent, at 35 percent the education sector still included more than
a third of all detected malware events during 2014. Universities and other educational institutions
have a large body of users connected to a public network with personal systems and a culture
which promotes making information readily available. The use of personal devices, with various
operating systems and patch levels, as well as different levels of end user education and protection
methods, results in an environment of turmoil under the best of circumstances.

The business & professional services sector accounted for 15 percent of the malware observed, a
decrease of 8 percent from the 23 percent in 2013. This decrease closely matches the drop in
the percentage of clients which are members of the business & professional services sector. The
healthcare sector accounted for 24 percent of the malware observed, with a 21 percent increase
from 3 percent in 2013. Since NTT Group added many healthcare clients, and reorganized some
2013 healthcare clients into different sectors, direct year to year comparisons show greater variance
than is typical. It is possible that attackers have increased their targeting of personally identifiable
information available in the healthcare sector, though NTT Group did not detect a significant jump in
the overall attacks targeting healthcare.

FIGURE 7: Malware by Sector, 2014 (Education Leads 2014 Malware by Sector). Sectors shown:
Education, Healthcare, Business & Professional Services, Government, Manufacturing, Finance,
Retail, Other; x-axis 0% to 38%.

EXPLOIT KITS OPERATIONAL LIFECYCLES AND CURRENT TRENDS
Software exploits take advantage of unpatched flaws or misconfigurations in operating systems,
applications and supporting libraries or frameworks. These exploits can allow an attacker to install
malicious software on a vulnerable device. Exploit kits are software packages commonly sold in
hacking forums and IRC channels. They include software exploits for known vulnerabilities across a
range of end-user technologies (Internet Explorer, Adobe Flash, etc.). Exploit kits enable their users
(in this section, when we use the term attackers, we are discussing Exploit Kit users) to execute
large-scale attacks against vulnerable systems without the user needing to develop their own
exploits. However, exploit kits don't enable attack capabilities for completely inexperienced criminals
who have decided to become hackers. Successful execution of a large-scale attack campaign
requires considerable knowledge and skill, and an exploit kit is only one component of a successful
attack.

This chapter provides an overview of the exploit kit development process, as well as the role which
exploit kits play in large-scale attacks. These discussions will help the reader understand the
lifecycle of exploit kits and the role they play as a component of large-scale attacks. Appropriate use
of an exploit kit requires skill; exploit kits help automate and manage one component of the attack
process. The development of exploit kits requires an entirely different set of skills, but is key to the
success and longevity of the exploit kit. The proliferation of exploit kits is a result of the increased
commoditization and specialization of the cybercrime economy.

This chapter also provides an analysis of exploit kit trends observed by NTT Group in 2014.
Increased competition between available exploit kits is driving these developers to use newer
exploits in their kits. For example, as one key evolution in exploit kits during 2014, NTT Group
observed an increase in the use of Adobe Flash exploits.

Exploit Kit Development and Operation Lifecycles


This section provides a walkthrough of the lifecycle of an exploit kit (EK), from both a developer and
attacker perspective.

The following diagram presents two exploit kit processes. The first presents the process for
development and maintenance of exploit kits. The second presents the process for use of an exploit
kit by an attacker.

FIGURE 8: Exploit Kit Development and Operational Lifecycles Rely on Each Other

Exploit Kit Developer Process
  1. Exploit Kit Development
     - Build exploit delivery infrastructure and web application
     - Exploit selection and implementation
  2. Exploit kit is offered for sale via IRC/forums
  3. Exploit Kit Maintenance
     - Exploits are modified and tested to evade detection
     - New exploits acquired
     - Ineffective exploits are identified and removed
  4. Exploit Kit End of Life: lack of maintenance, merger or law enforcement lead to end of life

Exploit Kit User (Attacker) Process
  1. Attack Campaign
     - Acquisition: attacker purchases and receives custom URL for exploitation
     - Payload Identification (ransomware, spambot, banking trojan)
     - Victim Targeting Technique (phishing, drive-by downloads)
     - Command Infrastructure: infrastructure for payload control and communication
  2. Campaign Execution
  3. Campaign Conclusion: when purchased time expires, access to EK is revoked

Exploit Kit Developer Process
Building Exploit Delivery Infrastructure and Web Application
Exploit kits are Software as a Service (SaaS) for attackers, and the development cycle for exploit
kits resembles the software development lifecycle used by legitimate organizations. The first
steps in exploit kit development are the creation of the exploit delivery infrastructure, along with
administrative and attacker interfaces. Exploit kits typically include the following components:

- Attacker access console (Exploit Kit Panel) - Attackers who use exploit kits access the
console via secure login to the exploit kit control panel. This console typically allows the
attacker to monitor the status of exploit attempts and identify the number of compromised
devices, as well as measure rates of exploitation success against different technology profiles,
as shown in the following screenshot of the Fiesta exploit kit [2].

FIGURE 9: Fiesta Exploit Kit User Console

[2] From http://blog.0x3a.com/post/62375513265/fiesta-exploit-kit-analysis-serving-msie-exploit

- Administrator console - The administrator console is used by the exploit kit developer to
monitor overall application use and exploit effectiveness.

- Landing page - Intended victims are directed to the exploit kit's landing page via a custom
URL provided by the developer. This page profiles remote victim systems, and attempts to
execute exploits targeted against the victim system profile.

Exploit Selection and Implementation


Different developers use different approaches for exploit selection. Some scavenge published exploit
code. Others pay for private exploits, or have resources to develop exploits in-house. In some
instances, as with recent exploits included in the Angler exploit kit, they have taken advantage of
zero-day vulnerabilities, sometimes including their own. This can dramatically increase exploitation
success rates (since no patches exist for the vulnerability). Increased success rates allow the
developer to charge significantly higher fees for exploit kit use.

Exploit Kits Offered for Sale


Exploit kits are typically only offered for sale to individuals who have earned a level of trust on the
message boards or in IRC channels frequented by the exploit kit developer. The developer is offering
access to illegal software, and their profit depends on how long their software remains in use.
Allowing unskilled or untrustworthy buyers to utilize their product can pose a significant risk to the
developer's business (and their freedom).

Payment for exploit kits can be arranged in a number of different ways. Bitcoin is a popular option.
Alternatively, exploit kit developers may permit user access to their kit as long as developer malware
is installed on victim devices along with user malware. This profit sharing agreement allows the
developer to piggyback their own malware onto victims obtained by exploit kit users. The developer
then takes advantage of the attacker's work, gaining greater access to victims with less direct
effort.

Exploit Kit Maintenance and End-of-Life


An effective exploit kit is not just a fixed set of exploits bundled together. Like any product in a
dynamic market, an exploit kit must be actively maintained to maximize effectiveness and value.

Testing and Modification


Once an exploit kit is released and used, the developer monitors success statistics for the exploits
in the kit. If particular exploits have lower success rates than others, they can be modified to
improve effectiveness or better evade detection until the exploit lifespan ends. Evasion techniques
can include detection of installed security software on the client, so that the exploit kit can make
informed decisions about the types of exploits known to be effective against the security profile, as
well as obfuscation and encryption of payloads.

Removal of End-of-Life Exploits
An exploit's value to an exploit kit dissipates over time as detection mechanisms are implemented
in endpoint protection technologies and vulnerabilities are remediated. As exploit kit administrators
identify end-of-life exploits, these are removed from exploit kits.

Acquisition of New Exploits


As ineffective or end-of-life exploits are removed, new exploits must be acquired to take their
place. This process proceeds similarly to the initial acquisition of exploits, by purchase or in-house
development of private exploits, or acquisition and customization of public exploit code.

End-of-Life of the Entire Exploit Kit


The exploit kit industry is highly competitive. Exploit kits which do not maintain current or effective
exploits, which are not priced competitively, or which do not offer the features and functionality of
competitors, will rapidly lose users. Exploit kit end-of-life is usually triggered by lack of maintenance,
lack of competitiveness, mergers with other kits, or law enforcement action.

Exploit Kit Attacker Lifecycle


Attack Campaign Requirements
An attacker can't simply purchase an exploit kit, click a button, and start exploiting victims.
Exploitation is just one component necessary for execution of a large-scale attack. The attacker
usually has a clear motive to justify their attack campaign. The primary motivating factor for a large-
scale attack campaign is often one of the following:

- Profit
- Botnet Infrastructure
- Extortion
- Fame/Notoriety
- Hacktivism

In addition to exploitation, a large-scale attack requires a mechanism to attract victims, a malicious
payload to be delivered, and a command and control infrastructure to send and receive data from
compromised victim devices. Exploit kits do not provide these resources.

An overview of the components of an effective campaign is presented below. There is no definitive
sequence in which these components must be performed, but all must be in place for a large-scale
exploit-based attack to be successfully executed.

- Payload identification - An attacker needs to identify the malicious payload to be delivered
by an exploit kit to suit the goals of the attack. Most payloads in exploit kit attacks are banking
Trojans, ransomware, or botnet applications. Exploit kits may or may not provide these
payloads, so attackers may be on their own to obtain, upload, and deploy them.

- Victim Targeting - Attacks using exploit kits require a mechanism to lure users to the exploit
kit landing page. This can be accomplished in a number of ways. The most common are:
  - Phishing emails designed to lure victims to a hostile landing page
  - Compromised public websites which redirect unsuspecting site visitors to the landing page
  - Malvertising, where a malicious or compromised advertisement redirects a website visitor
    to the landing page

  Exploit kits do not provide target acquisition functionality. However, an attacker could purchase this
  functionality from a different malicious software developer, such as a spambot operator.

- Exploitation and Payload Delivery - This is the role played by exploit kits. Once a victim is
lured to the exploit kit landing page, the kit profiles the victim, identifies potentially effective
exploits, exploits the target system, and delivers the attacker's payload.

- Post Exploitation - Once victims have been compromised, the attacker requires a
mechanism to control and retrieve data from victim systems. A command and control
infrastructure is generally not provided by exploit kits and the attacker may have to develop or
purchase this capability as well.

- Campaign execution and conclusion - Purchase of an exploit kit typically grants the user
access to the exploit kit console for a limited period of time. After that period ends, the user's
access is revoked, use of the exploit kit stops, and the campaign concludes.

Vulnerabilities Targeted in Exploit Kits

The unique vulnerabilities targeted by exploit kits released in 2012, 2013 and 2014, organized by the
technology targeted, are presented in figure 10 [3]. There are four clear trends in this data:

- Decrease in Adobe Acrobat exploitation
- Decrease in Java exploitation
- Increase in Adobe Flash exploitation
- Consistent exploitation of Internet Explorer

[3] This chart includes data from http://contagiodump.blogspot.com, an excellent resource for historical and current exploit kit
data.

FIGURE 10: Percentage of Unique Vulnerabilities Targeted in Exploit Kits by Technology, 2012-2014.
Technologies shown: Java, Adobe Acrobat, Internet Explorer, Adobe Flash, Firefox, Windows,
Silverlight, Others; one series each for 2012, 2013 and 2014; x-axis 0% to 50%.

The trends observed in this graph are discussed below.

- Decrease in Adobe Acrobat targeting - Adobe Acrobat exploit usage in exploit kits has
steadily decreased from 2012 to 2014. One contributing factor to this drop-off is that Adobe
Acrobat exploits require a higher degree of user interaction than browser or Flash-based
exploits. Between 2013 and 2014 there has been a 33 percent drop in Adobe Acrobat
vulnerabilities published, as shown in the following graph.

FIGURE 11: Adobe Acrobat Vulnerabilities Published by Year (2000 and 2003 through 2014;
x-axis 0 to 70).

- Decrease in Java targeting - The number of Java vulnerabilities targeted in exploit kits has
decreased significantly from 2013 to 2014. This is due to the 36 percent decrease in Java
vulnerabilities identified in 2014, as shown in the following graph.

FIGURE 12: Oracle Java Vulnerabilities Published by Year (2010 through 2014; x-axis 0 to 180).

- Increase in Adobe Flash targeting - There has been an increase in Adobe Flash exploit
usage in exploit kits from 2012 to 2014. Exploit researchers have increasingly focused on
Flash after significant improvements were made to Java and Internet Explorer security in
2014 [4]. The number of Flash vulnerabilities identified in 2014 was the highest ever, with a 36
percent increase over 2013 as shown in the following graph.

FIGURE 13: Adobe Flash Vulnerabilities Published by Year (2005 through 2014; x-axis 0 to 80).

- Consistent targeting of Internet Explorer - Internet Explorer is still distributed as the default
browser on the Windows operating system and is common on end-user systems in the
corporate environment. Internet Explorer continues to be a target of choice, not only because
it is common, but because there has been no shortage of vulnerabilities in Internet Explorer
over the past few years. Even more importantly, a significant number of those vulnerabilities
(71 percent) allow the attacker great control, such as the ability to execute remote code or to
bypass restrictions.

71% of vulnerabilities found in Internet Explorer during 2014 gave the attacker remote control or
bypassed restrictions.

[4] FireEye has recently published a technical discussion of existing Adobe Flash weaknesses at
https://www.fireeye.com/blog/threat-research/2015/03/flash_in_2015.html

FIGURE 14: Internet Explorer Vulnerabilities Published by Year (1999 through 2014; x-axis 0 to 260).

Vulnerabilities Targeted in 2014 Exploit Kits by Age of Vulnerability


Exploit kits continue to use recent vulnerabilities. The following figures show the distribution
of vulnerabilities by year included in exploit kits from 2012 through 2014. In 2012, NTT Group
observed that the average age of vulnerabilities included in exploit kits was slightly less than two years,
while in 2013 and 2014 the average vulnerability age was just over one year. This trend indicates
that attackers are growing in sophistication and in their ability to rapidly update exploit kits before
organizations have the chance to react.

FIGURE 15: CVEs in Exploit Kits by Year of Release, 2012-2014. Number of CVEs from each year
(2006 through 2014) included in exploit kits, with one series per exploit kit release year (2012,
2013, 2014); x-axis 0 to 20.

Over 80 percent of vulnerabilities in exploit kits released in 2014 were published in 2013 and 2014.
This data is similar to 2013 and this trend is likely to continue due to strong competition in exploit
kits, as developers look to differentiate their product by including newer exploits with a higher
likelihood of success.

Most Popular Vulnerabilities Targeted in 2014 Exploit Kits [5]

FIGURE 16: Top 10 Most Popular Vulnerabilities in Exploit Kits Released in 2014 [5] (the 10 most
popular vulnerabilities in exploit kits released in 2014, with a tie for 10th place)

  CVE             Percentage of kits which exploit this vulnerability   Affected Technology
  CVE-2013-2551   62%                                                   Microsoft Internet Explorer
  CVE-2014-0515   52%                                                   Adobe Flash
  CVE-2013-0074   38%                                                   Microsoft Silverlight
  CVE-2013-2465   38%                                                   Oracle Java SE
  CVE-2013-0634   29%                                                   Adobe Flash
  CVE-2013-2460   29%                                                   Oracle Java SE
  CVE-2014-0322   29%                                                   Microsoft Internet Explorer
  CVE-2014-0497   29%                                                   Adobe Flash
  CVE-2014-0569   29%                                                   Adobe Flash
  CVE-2012-0507   24%                                                   Oracle Java SE
  CVE-2012-1723   24%                                                   Oracle Java SE

[5] This table also uses data from www.contagiodump.blogspot.com.

In 2013, only one Adobe Flash exploit was among the 10 most popular exploits included in exploit
kits. In 2014, four Adobe Flash exploits were included in the top 10. In 2013, eight of the top 10
exploits were related to Java. In 2014, only four of the top 10 exploits involved Java.

A Microsoft Internet Explorer exploit (for CVE-2013-2551) was the most popular exploit included in
exploit kits in 2014. This vulnerability was originally discovered by Vupen Security. Vupen Security
specializes in discovery of zero-day vulnerabilities, and used an exploit for CVE-2013-2551 to
win the 2013 Pwn2Own hacking competition. Vupen subsequently published a blog post [6] which
provided a detailed walkthrough of how the vulnerability was exploited. These published details may
explain its popularity in exploit kits. This was a highly reliable exploit against Internet Explorer, which
likely also accounts for its popularity.
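As an added illustration, not code from the report or from NTT Group, the following Python script applies the vulnerability-age measure discussed above (mean age relative to the kit's release year, and the share published in the release year or the year before) to the CVE list in Figure 16, and then uses the same prevalence percentages to rank constructed vulnerability-scan findings, which is the threat-intelligence-driven patch prioritization the recommendations later in this chapter call for. The CVE identifiers and percentages are those in the table; the hostnames, the scan findings and the "CVE-2013-PLACEHOLDER" identifier are constructed for the example and stand for nothing real.

```python
import re
from statistics import mean

# Top 10 (11 with the tie for 10th place) vulnerabilities in exploit kits released in 2014,
# transcribed from Figure 16: CVE identifier -> percentage of kits which exploit it.
KIT_PREVALENCE_2014 = {
    "CVE-2013-2551": 62, "CVE-2014-0515": 52, "CVE-2013-0074": 38,
    "CVE-2013-2465": 38, "CVE-2013-0634": 29, "CVE-2013-2460": 29,
    "CVE-2014-0322": 29, "CVE-2014-0497": 29, "CVE-2014-0569": 29,
    "CVE-2012-0507": 24, "CVE-2012-1723": 24,
}

# Constructed vulnerability-scan findings (hostname, CVE), for illustration only.
# "CVE-2013-PLACEHOLDER" is a made-up stand-in for a finding that appears in no exploit kit.
SCAN_FINDINGS = [
    ("ws-101", "CVE-2013-2551"), ("ws-102", "CVE-2013-2551"), ("ws-103", "CVE-2013-2551"),
    ("ws-101", "CVE-2014-0515"), ("ws-104", "CVE-2014-0515"),
    ("ws-102", "CVE-2012-0507"), ("ws-105", "CVE-2013-0074"),
    ("ws-106", "CVE-2013-2465"), ("srv-01", "CVE-2012-1723"),
    ("ws-107", "CVE-2013-PLACEHOLDER"),
]

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def cve_year(cve_id):
    """Year component of a well-formed CVE identifier; anything else is rejected."""
    match = CVE_RE.match(cve_id)
    if not match:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(match.group(1))


def age_profile(cve_ids, kit_release_year):
    """Mean age in years of the CVEs relative to the kit's release year, plus the share
    published in the release year or the year before it (the report's "published in
    2013 and 2014" measure for kits released in 2014)."""
    ages = [kit_release_year - cve_year(c) for c in cve_ids]
    recent = sum(1 for a in ages if a <= 1)
    return {"count": len(ages), "mean_age": mean(ages), "recent_share": recent / len(ages)}


def prioritize(findings, prevalence):
    """Rank scanner-reported CVEs by (kit prevalence) x (number of affected hosts).
    CVEs absent from the prevalence table get weight 0 and sort last, but stay in the
    list so nothing silently drops out of the patch queue."""
    hosts_by_cve = {}
    for host, cve in findings:
        hosts_by_cve.setdefault(cve, set()).add(host)
    ranked = [
        (cve, prevalence.get(cve, 0), len(hosts), prevalence.get(cve, 0) * len(hosts))
        for cve, hosts in hosts_by_cve.items()
    ]
    # Highest score first; ties broken by prevalence, then by identifier for determinism.
    ranked.sort(key=lambda row: (-row[3], -row[1], row[0]))
    return ranked


if __name__ == "__main__":
    profile = age_profile(KIT_PREVALENCE_2014, 2014)
    print(f"{profile['count']} CVEs, mean age {profile['mean_age']:.2f} years, "
          f"{profile['recent_share']:.0%} published in 2013-2014")
    for cve, pct, n_hosts, score in prioritize(SCAN_FINDINGS, KIT_PREVALENCE_2014):
        print(f"{cve:22} in {pct:3d}% of kits, {n_hosts} host(s), score {score}")
```

On the Figure 16 list alone, 9 of the 11 CVEs date from 2013 or 2014 and the mean age is just under one year, which is consistent with the "just over one year" the report measured over all kit CVEs; the ranking puts CVE-2013-2551 first because it is both the most prevalent in kits and the most widespread in the constructed scan data.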

Exploit Kit Detection by Month

FIGURE 17: Exploit Kits Detected by Month, 2014. Monthly trending of the top 10 exploit kits
detected by NTT in 2014: Angler, Blackhole, Fiesta, Infinity, Magnitude, Nuclear, Phoenix, Redkit,
Styx and Sweet Orange, January through December.

[6] http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php

Exploit kits are difficult to detect reliably. The best exploit kit detection mechanism is identification
of landing pages, which constantly change. There is also a natural ebb and flow to the popularity of
exploit kits, which explains some of the month to month variation observed in detection. Exploit kits
undergo release cycles similar to enterprise applications. An exploit kit may experience a decrease
in popularity as exploits in the kit become stale or ineffective, but once outdated exploits are
replaced with newer and more effective exploits, usage of the kit can increase.

A number of trends can be identified from this data:

- Final dissipation of Blackhole - After the arrest of Blackhole exploit kit creator Paunch
in October 2013, support for Blackhole ended. NTT observed use of the once popular kit
dwindle throughout 2014, and completely disappear during the 4th quarter. Blackhole was the
premier exploit kit for more than two years and was actively maintained to achieve that status.

- Demise of Phoenix Exploit Kit - Similar to Blackhole, NTT observed the final demise of the
Phoenix exploit kit in 2014. After the arrest of Phoenix's developer in April 2013, NTT observed
a steady decline in Phoenix exploit kit activity. This kit is now considered retired.

- Increase in Angler usage - Angler appears to be the most active exploit kit due to inclusion
of the latest exploits and retiring older exploits. Angler has also included zero-day Adobe
Flash exploits, differentiating itself from competition. These characteristics led to a rise in its
popularity in the second half of 2014, and this popularity has continued into 2015, with the
release of Adobe Flash zero day vulnerabilities (CVE-2015-0311, CVE-2015-0313) in Angler.
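The month-by-month reading above (a kit that goes silent in the fourth quarter, one that climbs through the second half, one that stays flat) is the kind of trend classification a detection team can automate over its own landing-page detections. The following Python script is an added example, not NTT's code or data: it turns a list of detection events into a 12-month series per kit and labels each series as retired, rising, falling, steady or inactive. The kit names are the ones in Figure 17; the event counts are constructed to imitate the shapes the report describes and are not measurements.

```python
from collections import defaultdict

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def build_sample_events():
    """Constructed detection events as (month index 0-11, kit name). The counts are
    invented to mirror the patterns the report describes: Blackhole dwindling and
    vanishing in Q4, Angler climbing in the second half, Fiesta roughly flat."""
    events = []
    for month in range(9):                      # Blackhole: Jan-Sep, then gone
        events += [(month, "Blackhole")] * (9 - month)
    for month in range(12):                     # Angler: flat H1, steep climb in H2
        events += [(month, "Angler")] * (2 if month < 6 else 4 + (month - 6) * 3)
    for month in range(12):                     # Fiesta: steady background level
        events += [(month, "Fiesta")] * 5
    return events


def monthly_counts(events):
    """kit name -> list of 12 monthly detection counts."""
    counts = defaultdict(lambda: [0] * 12)
    for month, kit in events:
        counts[kit][month] += 1
    return dict(counts)


def quarter_totals(series):
    """Sum a 12-month series into four quarterly totals."""
    return [sum(series[q * 3:(q + 1) * 3]) for q in range(4)]


def classify_trend(series):
    """Label one kit's year: 'retired' if it was seen earlier but is silent in Q4,
    'rising' if H2 is at least twice H1, 'falling' if H2 is at most half of H1,
    otherwise 'steady'. A series with no detections at all is 'inactive'."""
    q1, q2, q3, q4 = quarter_totals(series)
    h1, h2 = q1 + q2, q3 + q4
    if h1 + h2 == 0:
        return "inactive"
    if q4 == 0:
        return "retired"
    if h1 == 0 or h2 >= 2 * h1:
        return "rising"
    if h2 * 2 <= h1:
        return "falling"
    return "steady"


def trend_report(events):
    """kit name -> trend label, for every kit present in the events."""
    return {kit: classify_trend(series) for kit, series in monthly_counts(events).items()}


if __name__ == "__main__":
    print("kit        " + " ".join(f"{m:>3}" for m in MONTHS))
    for kit, series in monthly_counts(build_sample_events()).items():
        print(f"{kit:10} " + " ".join(f"{c:3d}" for c in series) + f"  -> {classify_trend(series)}")
```

The thresholds (silent fourth quarter, a doubling or halving between half-years) are the example's own choices; the point is that the retired/rising distinction the report draws by eye for Blackhole and Angler falls out of a few quarterly sums once detections are kept as a time series per kit rather than as a single yearly total.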

Recommendations to protect against exploit kits

To reduce risks associated with exploit kits, organizations should consider the following steps:

- Ensure effective patch management - Exploit kits typically use exploits for vulnerabilities
where patches exist but are not applied. The speed with which exploit kit developers deploy
new exploits takes advantage of the gap in time between initial vulnerability disclosure and
the implementation of patches at the organization. Ensuring that effective patch management
processes exist for end-user devices is a critical first step to protect against exploit kits.
Organizations should pay particular attention to web plugins and technologies such as Java
and Adobe Flash. These technologies do not have the same types of enterprise class rollout
capabilities which are associated with Microsoft technologies, and organizations need to
ensure that there are tools in place to deploy and measure adoption of patches.

- Social engineering (phishing) training - Standard security awareness training alone is not
adequate for organizations which maintain or access highly sensitive data. Real world social
engineering testing should be implemented for key employees, to confirm their ability to detect
and respond to actual phishing scenarios.

- Ad blocking software - Attackers frequently use malvertising to lure victims onto exploit kit
landing pages. Use of ad blocking software, or web proxies with content filtering, can limit the
effectiveness of this attack approach.

- IP reputation services - Use of IP reputation services which can warn or block users
from visiting known bad IP addresses and domains can protect organizational users from
inadvertently accessing those addresses. IP reputation services should only be considered
a supplemental control. Addresses of exploit kits are constantly changing in order to evade
detection, and the services are unlikely to maintain accurate and comprehensive real-time lists
of landing page URLs.

- Threat intelligence - Threat intelligence services can be used to help organizations identify
vulnerabilities which are being actively exploited in the wild. These services can act as a
complementary control to patch management processes, to ensure that patching is prioritized
for vulnerabilities.

- Endpoint protection - Implementation of endpoint protection can help organizations detect
the existence of malware dropped on a device by an exploit kit before significant damage
occurs.

THE USER IS THE PERIMETER
Security professionals have long known that what industry thinks of as the security perimeter has
been changing. IT and security management can no longer count on well-defined network security
perimeters to protect an organization from external attacks. Data is distributed across users,
and users exist in highly mobile, dispersed work environments which simply do not readily lend
themselves to centralized enforcement of consistent controls.

Historically, the concept of the changing perimeter has been supported mostly anecdotally,
by stories rather than verifiable facts. During 2014 NTT Group gathered a significant amount
of vulnerability and attack data which supports the concept of the dissolving perimeter; more
specifically, that the user is the perimeter. (Read the article on The User is Vulnerable).

Detailed analysis of attacks on user end points and infection rates from typical Flash, Java and
Adobe vulnerabilities had more predictable profiles than had been recognized in previous years.
Organizational security controls detected a trend in attacks which correlated to user patterns during
the workweek. Malware traffic spikes during the early days of the workweek when workers return to
the office, and similarly shows declines in detected infection rates and attacks on weekends (read
the article on Weekend Trends). Why?

Malware continues to become more complex, and hackers increasingly use exploit kits to help
deliver malware which is highly effective in the targeted environment. But attacks pointed at users
are usually gateway attacks which compromise the user in an attempt to gain access to the
organizational network on which the user works. For instance, some attacks which deployed point
of sale malware during this year's attacks against retailers came from phishing attacks targeted at
end users. It seems obvious that business-minded attackers are optimizing their time by placing
greater emphasis on the weakest link in a security system: the end user (see Case Study,
Spear-Phishing Campaign).

Digital business is all about making effective use of available data. Criminal businesses are likewise
in a constant race with their targets to capitalize on the value of that data. As end users become
accustomed to always-on, real-time access to corporate data, they become targets of criminals
who want those same data sources. Worse yet, that user too often becomes the attacker's entry
point to the business.

The User is Vulnerable
During 2014, NTT Group observed millions of vulnerabilities on client systems. Looking at the details
of some of these vulnerabilities reveals some interesting information, including that 7 of the top 10
vulnerabilities were on end-user systems, as opposed to servers.

FIGURE 18: 2014's Top 10 Most Common Vulnerabilities
  Outdated Java Runtime Environment
  Oracle Java SE Critical Patch Update
  Multiple Vulnerabilities in Java Web Start
  Missing MS Windows Security Updates
  Outdated Flash Player Version
  Outdated Adobe Reader and Acrobat
  Outdated Internet Explorer
  Multiple Oracle Vulnerabilities
  Outdated/Missing Patches Oracle DB
  Outdated OpenSSH Version

The ultimate impact is that the end-user becomes a liability because their systems are often full of
unpatched vulnerabilities. At the time this report was written there were patches available which
would mitigate the impact of all 10 of the top vulnerabilities seen in 2014. Patching and keeping
systems updated is tedious and can be very difficult, especially in a geographically distributed
organization with a highly mobile, heterogeneous hardware and software environment.

FIGURE 19: Vulnerabilities by Year of Release, 2014. Bar chart showing the percentage of the
vulnerabilities identified in 2014 by the year each vulnerability was released, from 1999 through 2014
(x-axis 0% to 14%).

During 2014, 76 percent of identified vulnerabilities throughout all systems in the enterprise were
from 2012 or earlier, making them more than 2 years old, and almost 9 percent of them were over
10 years old. Many are also rapidly incorporated into common and simple-to-use exploit kits so that
attackers can more readily use them as part of their attack suite.


FIGURE 20: A page from a website selling an encryption tool. It includes support and security.

Fortunately, there is a single best step organizations can take to reduce their exposure to client-
based vulnerabilities: improve their vulnerability management programs and, more specifically,
ensure that all end-user client systems are included in the patch management process. Admittedly,
this is much more complicated than it sounds, and can include a variety of related recommendations:

• Define a set of approved configurations to harden and operate end-user machines. This
should include approved operating systems, applications and utilities, and even which browser
is supported for organizational use. The smaller and more consistent the organization can
make its gold standard, the easier it is to maintain systems using that standard.
• Clearly inform users what those standards are, and make it clear that unapproved
software is not just unapproved, but unauthorized. Make it clear to all users that the use of
unauthorized software can result in disciplinary action.

• Minimize the use of admin or other accounts which are allowed to change system
configurations, including installation of new, potentially unauthorized software.
• Actively patch end-user systems on a regular basis, and confirm that patches are installed.
• Conduct regular internal and external authenticated vulnerability scans to help identify systems
which are out of policy, then patch those systems.
• Actively manage an exception process which tracks special software as well as users with
elevated permissions.

Weekend Trends
The section "The User is Vulnerable" discusses how significant vulnerabilities are related to end-user
machines instead of servers. But do vulnerabilities on end-user systems have anything to do with
which systems are being attacked?

The graph below shows Flash/Java/Adobe (Acrobat and Acrobat Reader) exploit attempts detected
by NTT Group in 2014. The chart shows regular activity spread across the year, with shorter periods
of higher attack detection. The large spikes show a combination of events which often overlap,
occurring where alerts were triggered by new vendor signatures on old vulnerabilities, unproven
signatures which tended to produce false-positive alerts, and some genuine new vulnerabilities and
campaigns. If you look closely at the data, however, you can see another interesting trend. The
regular drops in detected attacks coincide perfectly with weekends.

FIGURE 21: Daily Flash/Java/Adobe, 2014. The dips in the chart are on weekends when users are not
typically on a corporate network.

The weekend trend is not just limited to Flash/Java/Adobe exploitation. The next chart shows all
Internet-based attacks through 2014. Much like the detection of Flash/Java/Adobe attacks, this
chart shows a certain amount of regularity throughout the year. The chart also shows the same
regular trends: steady weeklong detection, with drops coinciding with weekends. Does that mean
there are fewer attacks on weekends?

FIGURE 22: Daily Attacks, 2014. Yearly view of Internet-based attacks during 2014 (x-axis from
01/02/14 to 12/31/14).

We wouldn't expect the days of the week to matter for attacks against websites, e-commerce
sites, applications and systems historically targeted by cybercriminals. In fact, we might expect an
increase on weekends, when staffing and monitoring levels might be lower.

However, the organizational security infrastructures monitored by NTT Security during 2014
consistently detected considerably fewer attacks on weekends and holidays. On weekends and
holidays, workers are not in the office, and corporate end-user systems are turned off or not being
used. This major drop in weekend attacks demonstrates that organizational controls are detecting
security events related to end users. This involvement of end users has become a major component
of all attacks seen.
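The weekday/weekend check described above, as an added example that is not part of the report: it runs on a constructed daily detection series (the dates, counts and spike days are made up) and can be pointed at an organization's own per-day SIEM counts to confirm whether its detections follow the same end-user-driven rhythm.

```python
"""Weekday/weekend check on daily detection counts.

Added example (not from the NTT report). The report observes that daily
Flash/Java/Adobe exploit detections, and Internet-based attack detections
generally, dip every weekend and spike when new signatures land. This
script runs that check on a constructed daily series.
"""
from datetime import date, timedelta
from statistics import median


def build_sample_series(start: date = date(2014, 1, 6), days: int = 56) -> dict:
    """Constructed data: ~1000 detections per weekday, ~350 per weekend day,
    small deterministic jitter, and two artificial weekday spikes standing in
    for bursts caused by new vendor signatures. 2014-01-06 is a Monday."""
    series = {}
    for i in range(days):
        day = start + timedelta(days=i)
        base = 350 if day.weekday() >= 5 else 1000   # 5 = Saturday, 6 = Sunday
        series[day] = base + (i * 37) % 60
    series[start + timedelta(days=10)] += 4000   # Thu 2014-01-16 (constructed spike)
    series[start + timedelta(days=24)] += 2500   # Thu 2014-01-30 (constructed spike)
    return series


def weekend_ratio(series: dict) -> float:
    """Median weekend count divided by median weekday count.
    A value well below 1.0 is the weekend dip the report describes."""
    weekday = [c for d, c in series.items() if d.weekday() < 5]
    weekend = [c for d, c in series.items() if d.weekday() >= 5]
    return median(weekend) / median(weekday)


def find_spikes(series: dict, factor: float = 3.0) -> list:
    """Days whose count exceeds `factor` times the median for that kind of
    day (weekday vs weekend). Medians are used so the spikes themselves do
    not inflate the baseline. Returns dates in chronological order."""
    weekday_med = median(c for d, c in series.items() if d.weekday() < 5)
    weekend_med = median(c for d, c in series.items() if d.weekday() >= 5)
    spikes = []
    for day in sorted(series):
        baseline = weekend_med if day.weekday() >= 5 else weekday_med
        if series[day] > factor * baseline:
            spikes.append(day)
    return spikes


def weeks_with_clean_dip(series: dict) -> tuple:
    """Count ISO weeks in which every weekend day is below every weekday
    (spike days excluded). Returns (weeks_with_dip, weeks_checked)."""
    spikes = set(find_spikes(series))
    by_week = {}
    for day, count in series.items():
        if day in spikes:
            continue
        by_week.setdefault(day.isocalendar()[1], []).append((day.weekday(), count))
    dips = checked = 0
    for entries in by_week.values():
        weekday = [c for wd, c in entries if wd < 5]
        weekend = [c for wd, c in entries if wd >= 5]
        if not weekday or not weekend:
            continue          # partial week at either end of the range
        checked += 1
        if max(weekend) < min(weekday):
            dips += 1
    return dips, checked


if __name__ == "__main__":
    s = build_sample_series()
    print("weekend/weekday ratio:", round(weekend_ratio(s), 2))
    print("spike days:", [d.isoformat() for d in find_spikes(s)])
    print("weeks with clean weekend dip: %d of %d" % weeks_with_clean_dip(s))
```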

Organizations can take action to help mitigate the effectiveness of attacks on end-user
systems.

• Maintain an active and current anti-virus/anti-malware solution on all end-user devices which
have access to organizational networks or data. Although this is a simple control, properly
maintained anti-virus does detect 40-50 percent of malware.

• Consider extended endpoint protection including file integrity monitoring, endpoint encryption
and event monitoring.
• Minimize the use of admin accounts. Require the user to log on with a user-level password
which has the minimum level of permissions required to perform their job. Browsing while
using admin access increases risk.
• Require all work computers to access the Internet through the organizational VPN whether
they are at work or not. Enforce safe browsing habits through the VPN connection, including
blacklisting websites, and actively monitoring security on portable laptops at all times so that
the organization is more likely to detect an attack and compromise.
• Provide an active security awareness and training program which includes training on attacks
designed for end-user systems. Include social engineering and phishing in the organizational
training program.
• Maintain offline backups of end-user data to help minimize the impact of local system
compromises, malware and ransomware.
• Implement and monitor proxies and content-filtering capabilities.

Case Study, Spear-Phishing Campaign

Case Study Moral
Attacks do not have to be technically advanced to succeed.

Overview
In August of 2014, Aerobanet (name changed to protect client identity) contacted NTT Group for
assistance with a potential spear-phishing attack.

NTT Group determined that Aerobanet had been targeted by a skillfully crafted social-engineering/
spear-phishing campaign. The campaign used detailed knowledge of Aerobanet's internal wire
transfer request and approval processes to deceive staff into completing bogus wire transfers. NTT
Group security consultants assisted with rapid investigation and response to the attack.

Timeline of Events
The table below shows the chronology of events.

FIGURE 23: Timeline of Events - Spear Phishing

DATE        EVENT
Day 1       Initial phishing emails received which contained instructions on wire transfers
Day 2       Aerobanet transferred funds per the first set of instructions
Day 5       Second email request for wire transfers received
Day 6       Third email request for wire transfers received
Day 9       While processing wire transfers Aerobanet became suspicious and contacted NTT Group
            to initiate an investigation into the fraudulent phishing emails
Days 9-11   NTT Group reviewed fraudulent emails, investigated the fake server and initiated
            additional internal review
Day 15      NTT Group determined the absence of malware, and isolated the attack as a
            social-engineering/spear-phishing attack

Description of Event
In August 2014, after successfully processing several wire transfers, Aerobanet identified potentially
suspicious emails requesting wire transfers of funds. Their suspicions were aroused when staff
detected an unusually high number of wire transfers in a short period of time. Aerobanet contacted
NTT Group to verify their suspicions and to assist in investigation of the attack.

Initial investigations confirmed the attack was executed via phishing emails. The emails were well
crafted, and included several indications that the attacker had detailed knowledge of Aerobanet
internal processes and employee roles:

• The attacker knew which users to target internally in order to initiate wire transfers.

• The attacker had inside knowledge of users who could authorize wire transfers.
• The emails included fake email thread histories to make the wire transfers appear sanctioned.
• The emails included PDF attachments designed to help make the emails appear official.
• The emails used a properly registered and fully active domain to help make the emails appear
official. This domain was registered via a third-party cloud-based provisioning site.

The emails were constructed to include information and instructions which were key to the wire-
transfer process. The fake email thread histories appeared to run for several days, and included
emails in which authorized employees allegedly requested and approved the transfers. The level of
detail used to construct the emails suggested the attackers had internal knowledge of Aerobanet
processes and procedures. NTT Group security analysts were unable to determine whether the
attackers' knowledge of Aerobanet resulted from social engineering attacks or from other sources.
NTT Group had been following an increase in similar spear-phishing attacks. This helped onsite
analysts to determine the nature of the attack against Aerobanet and verify this was a phishing
attack. Security consultants observed that the domain on the phishing emails was slightly different
from Aerobanet's legitimate domain. This attacker used a free trial domain service to create and
register valid domains used in the attack. NTT Group has seen an increase in attacker use of cloud-
provisioned domains, because these sites are cheap (or free), easy to set up, and can be rapidly
provisioned. In this case, the cloud-provisioned domain served as a fraudulent email domain.

For Aerobanet, the attacker provisioned the domain Aerobannet, which was very similar to the
actual target of the attack. The phishing email recipients did not identify the extra "n" in the fake
domain name. This allowed the attacker to be included in an email dialog discussing each wire
transfer. The attackers created an email account on their fake Aerobannet site, using the name
of the real Aerobanet official responsible for approving wire transfers (johndoe@aerobanet.com
vs. johndoe@aerobannet.com). While employees believed they were responding to email from an
internal user, they were actually responding to the attackers' fake external email account.

The emails also included PDF attachments which identified mailing addresses and account numbers
for the wire transfers. These attachments added credibility to the wire transfer requests. Analysis of
the PDFs uncovered no malware. The addresses in the PDFs were residential street addresses.

Based on analysis by NTT Group, there was no evidence to suggest the attackers had breached the
Aerobanet infrastructure. Analysts identified no malware and no internal access to the environment.
Attacks which are constrained to social-engineering and spear-phishing techniques are relatively
rare, but can be extremely successful, especially when they are as expertly crafted as this attack.
NTT Group has seen several attack scenarios like this in the past year, and these types of attackers
appear to be increasing their level of precision.

NTT Group security consultants demonstrated how the free trial domain had facilitated the attack,
and provided documentation which helped show the wire transfers were fraudulent. Aerobanet
provided this documentation to its bank and obtained refunds of nearly all the funds which had been
fraudulently transferred.

Aerobanet subsequently changed its approval process to require all wire transfers to be manually
verified in person or by phone prior to completion.

Root Cause
This attack was successful because the highly accurate and targeted content of the email chain
helped convince Aerobanet staff that the wire transfer requests were genuine. The fraudulent
domain used in the attack added credibility to the email chain, resulting in the success of the spear-
phishing attacks.

Cost of Incident
Aerobanet provided the actual cost of this event.

FIGURE 24: Cost of Event, Spear Phishing

ITEM                                                                                          COST
Actual cost of investigation, remediation and professional incident support as described   $15,400
Actual cost of legal and public relations support                                            $8,775
Potential loss due to wire transfers                                                       $127,530
Wire transfers recovered                                                                 $(126,630)
Total actual cost directly related to the event                                             $25,075

Case Study Summary


Spear-phishing attacks are usually the first phase of a more sophisticated attack, and rarely
function as an attack on their own. In this case, the highly targeted spear-phishing email thread was
crafted to convince staff to initiate fraudulent wire transfers. Since the emails included appropriate
requesters and reasonable responses, and appeared to be sent from an internal domain, the
internal staff was not immediately suspicious of the requests. As a result, the staff initiated several
wire transfers before suspicion was raised.

Threat Mitigation, Spear-Phishing


Organizations should consider a variety of security controls to help protect against spear-phishing
attacks.

• Perform targeted security awareness and training: The attacker conducted a successful
spear-phishing attack. If Aerobanet had previously provided security awareness training,
including guidance on actively looking for social engineering and phishing attacks, the attack
may have been recognized earlier. Such awareness training must consider the context of the
organization receiving the training. It should be customized to the processes and procedures
of the company, and should use examples of attacks to which employees can relate.

• Perform social-engineering testing: Personnel who administer critical tasks should be
tested beyond formal training. They should be tested with professional social-engineering
engagements to challenge their skills at identifying an attack in progress. Many major breaches
begin with a social engineering attack. Ensuring that critical personnel are adequately prepared
to detect an attack is just as important as hardening technical systems to withstand attacks.

• Implement dual controls for critical transactions: The attacker included enough information
in the email thread that it appeared the wire transfer had been authorized. Using an active
confirmation of a second approval, outside of the same email communication path, could have
helped raise a red flag over attempts to initiate the transfers. Active confirmation (via phone,
fax, or paper copy) would have initiated an additional dialog to help verify the transfer was truly
authorized.

• Configure email DNS verification: In order for a spear-phishing attack to be successful it
must fool multiple layers of infrastructure, which is why it is important to configure Sender ID
Framework in the email server to help ensure the sender is using an appropriate IP address.
Using this technology, when a sender transmits an email to the receiver, the receiver's email
server makes a call to the Sender ID Framework. The Sender ID Framework asks the DNS
server to verify that the source IP address matches the domain from which the email was sent.
If the IP address is NOT a match, the email will be blocked/dropped. If the email does match,
it is forwarded to the receiver. This is effective in a case where email addresses are being
spoofed in the mail headers, as is done in many such phishing attacks. However, if an attacker
establishes a domain similar to that of the target and manages DNS records for the similar
fake domain (as the attacker did with Aerobanet/Aerobannet) then DNS verification will not
be effective.

• Configure email Phishing Confidence Level: Phishing Confidence Level (PCL) is a tool
which is available via the Microsoft Exchange environment. This tool uses a scale of 1 through
8, which reflects the likelihood an email is part of a phishing attack. When PCL is configured,
the site's email administrator can choose how to treat each email according to its rating on
the PCL value scale. Configuring PCL could assist in identifying further threats or stopping an
attack altogether.

• Implement anomaly/fraud detection: This particular attack was identified when a single staff
member recognized that the wire-transfer pattern was anomalous. He observed a significant
increase in the number of wire transfer requests, and verified the latest request because it fell
outside of expected boundaries. The ability to identify such anomalous behavior is invaluable,
especially in a large organization which may process a high volume of transactions. For an
incident such as this, organizations should implement manual and, to the extent possible,
automated checks to help identify when the frequency or size of sensitive transactions
exceeds an expected range. Some financial institutions will also help organizations set and
conform to transaction boundaries.
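The email DNS verification control above, and its stated limit against a registered lookalike domain, as an added example that is not NTT Group's code or part of the report: it pairs a sender-IP check in the spirit of SPF/Sender ID with a lookalike-domain check, using an in-memory table in place of DNS, the case study's (renamed) aerobanet.com / aerobannet.com pair, and constructed IP addresses from documentation ranges.

```python
"""Inbound-mail checks for the spear-phishing case study.

Added example, not NTT Group code. It models two controls from the
mitigation list on constructed messages:
  1. a sender-IP check in the spirit of SPF / Sender ID (real checks read
     DNS TXT records; an in-memory table stands in for DNS here);
  2. a lookalike-domain check, which catches a registered domain one edit
     away from the organisation's own, where the IP check cannot.
"""
from dataclasses import dataclass
import ipaddress

ORG_DOMAIN = "aerobanet.com"   # the case study's (renamed) client domain

# Stand-in for DNS: domain -> networks authorised to send mail for it.
# The attacker's lookalike domain carries a perfectly valid record of its
# own, because the attacker registered it and controls its DNS.
AUTHORISED_SENDERS = {
    "aerobanet.com": ["203.0.113.0/24"],
    "aerobannet.com": ["198.51.100.0/24"],
}


@dataclass
class Message:
    mail_from: str   # sender address as seen by the receiving server
    source_ip: str   # address of the connecting mail server


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def sender_ip_check(msg: Message, table=AUTHORISED_SENDERS) -> str:
    """'pass' if the connecting IP is authorised for the sender domain,
    'fail' if the domain has a record that excludes it, 'none' if there is
    no record at all (mirrors the SPF result vocabulary)."""
    nets = table.get(sender_domain(msg.mail_from))
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(msg.source_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: 'aerobanet' -> 'aerobannet' is one insertion."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_check(msg: Message, org_domain: str = ORG_DOMAIN, max_distance: int = 2) -> bool:
    """True when the sender domain is close to, but not the same as or a
    subdomain of, the organisation's own domain."""
    domain = sender_domain(msg.mail_from)
    if domain == org_domain or domain.endswith("." + org_domain):
        return False
    org_label = org_domain.rpartition(".")[0]
    label = domain.rpartition(".")[0]
    return edit_distance(label, org_label) <= max_distance


def assess(msg: Message) -> dict:
    """Combine both checks. A failed IP check is rejected outright; a
    lookalike that passes the IP check is held for human review, since the
    domain is real and only its similarity to ours is suspicious."""
    spf = sender_ip_check(msg)
    lookalike = lookalike_check(msg)
    if spf == "fail":
        verdict = "reject"
    elif lookalike:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return {"spf": spf, "lookalike": lookalike, "verdict": verdict}


# Constructed messages: a genuine internal sender, a header-spoofed sender
# from an unauthorised host, and the case study's lookalike domain.
SAMPLES = {
    "legit": Message("johndoe@aerobanet.com", "203.0.113.25"),
    "spoofed": Message("johndoe@aerobanet.com", "192.0.2.77"),
    "lookalike": Message("johndoe@aerobannet.com", "198.51.100.9"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, assess(msg))
```

The spoofed message is stopped by the IP check alone, but the Aerobannet message passes it exactly as the text warns, and only the similarity check surfaces it for review.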

INCIDENT RESPONSE
Enterprise Capabilities Mature at a Slow Pace
2014 was a year which prompted both security and business leadership to evaluate how
cyberattacks can impact organizations. The year was full of notable household name brands falling
into the crosshairs of malicious actors.

Although many of these very familiar name brands made headlines, they only account for a fraction
of organizations impacted by similar threats and losses.

One of the major factors determining the impact of a breach is the organization's effectiveness at
identifying, isolating and mitigating the breach. Generally, the faster an organization can respond in a
meaningful way, the greater the chance that the organization can control the impact of the breach.

NTT Group performed incident response engagements in a wide variety of industries, demonstrating
that no industry is immune from attack. Every industry needs effective incident response.

Types of Incident Response
NTT Incident Response engagements in 2014 were primarily the result of three incident categories
(malware, DDoS and breach investigations) with few additional types. In 2014 there were slight shifts
in the observations for the categories of malware- and DDoS-based responses; however, the general
trends are consistent with previous observations.

Malware capabilities continue to evolve, as attackers continue to make advancements in distribution
methods and survivability. Although we observed an increase in malware-related threats in 2014,
most malware-related incident response activities involved validation of potential infection impact
and guidance for remediation. This observation clearly indicates that although organizations are
wiser today about malware threats and have invested in mitigation controls, most are still challenged
with understanding how to quarantine and eradicate identified malware and handle malware-related
incidents.

Increased awareness and priority resulted in improved mitigation controls for DDoS attacks during
2014. As DDoS mitigation tools have matured, their reduced cost and wider implementation are
likely contributing factors to the reduction of DDoS attacks observed during 2014. The percentage
of incident response investigations related to DDoS attacks sharply decreased (from 31 percent
in 2013 to 18 percent in 2014, as shown in the graphic below). Lessons learned from previously
observed attacks, mainstream media coverage of DDoS attacks against major brands, and public
discussion of those lessons have likely had a significant impact on industries' ability to manage
these attacks.

FIGURE 25: Percent by Year and Incident Category. Bar chart (y-axis 0% to 55%) comparing 2013
and 2014 for the categories Malware, DDoS, Breach Investigation and Other. This figure presents the
trending of NTT Group incident response engagements for incidents supported in 2013 and 2014.

Incidents by Sector
Several different market sectors made up NTT Group's 2014 Incident Response engagements, as
depicted in the following chart. Even though some of the sectors are statistically less significant, any
comprehensive enterprise security program should include formal incident response processes and
procedures. The high percentage of finance sector incident response support activity is largely due
to malicious attackers continuing to focus on this vertical market as well as the sector's sensitivity to
attacks.

FIGURE 26: Percent of Incident Response Engagements by Sector. Horizontal bar chart (x-axis 0% to
35%) covering the sectors Finance, Business & Professional Services, Technology, Retail, Healthcare,
Gaming & Entertainment, Education, Transportation, and Energy & Utilities.

The Importance of Incident Response
Although NTT Group has observed some maturation of incident response programs in
organizations, in most cases response capabilities remain reactionary (organizations allocate
resources after a breach has directly impacted them). Based on NTT Group observations, very
few organizations proactively prepare for incidents. As described in last year's GTIR, proactive
implementation of core response capabilities can improve an organization's ability to detect,
investigate and respond to incidents, thereby compressing the mitigation timeline and reducing
overall losses for organizations.

How Organizations Are Approaching Incident Response Planning
NTT Group has observed four common approaches for how organizations are approaching their
incident response capability. Most organizational incident response planning falls into one of the
following four categories:

• No response plan (no external support): Unfortunately, in most cases, organizations are
not spending adequate time developing or testing response plans. Additionally, very few
organizations are allocating budget for external incident response management or support.
Analysis showed that 74 percent of the organizations NTT Group supported with incident
response engagements during 2014 had no policy, plan, procedure, or contracted support to
address a major incident. This trend continued from 2013 when 77 percent of organizations
showed no formal plan.

• No response plan (with external support): Some organizations realize the value of
incident response and proactively invest in third-party incident response support. Typically,
organizations which have smaller in-house IT resources will contract with incident response
providers who specialize in supporting organizations without response capabilities. This can
be of great value, but the contracting organization must realize they still have a role to play
should an incident occur. It is vitally important to ensure that the organization has a clear
understanding of how incident support capabilities are used and managed during an incident.

• Currently maturing an existing plan (with external support): A positive trend which NTT
Group has identified over the last year is a slow improvement in how organizations mitigate
the impact of threats. Some organizations have started to invest in development of incident
response capabilities. These organizations are focusing on the development of plans,
processes, procedures, tools and education, and often still rely on third-party providers for
continued support while these capabilities are being built and tested. Additionally, third-party
incident response providers may not only provide support from a technical perspective, but
may also be involved in plan, policy and procedure development. Third-party providers can
share a wealth of experience to help organizations address their incident response needs.

• Mature plan and capabilities (external support when needed): Few organizations have
the capability, talent and financial backing to define, build, mature and maintain an effective
incident response capability. However, in cases where incident response capabilities are
handled by an internal team, NTT Group still observes circumstances where special expertise
is needed to support advanced response requirements. For instance, many internal incident
response teams do not have training in detailed forensic analysis, or reverse-engineering of
malware threats to extract technical indicators which can be used for further detection of
malicious activity. Some organizations will elect to put a third-party incident response service
on retainer to assist in these situations.

Conclusion
For a majority of organizations the NTT Group has worked with over the last several years, incident
response is either not a top priority, or it is simply too hard for organizations to realize the value of an
effective plan. The urgency to prepare and invest in incident response usually occurs only after an
event with significant impact to the business has been experienced.

A successful security program not only includes the capability to detect vulnerabilities and minimize
impact via well-designed architecture and controls, but also the capability to respond when all else
fails.

Five Key Recommendations Based on Incident Review
During 2014, NTT Group supported response efforts for a variety of incidents. Review of these
engagements revealed some observations and recommendations which were consistent across
these incidents. Additionally, NTT Group compared these results to information available from highly
publicized breaches. This analysis helped identify a set of control areas which suffer from a lack of
detection, investigation and mitigation capabilities in many organizations.

As a result, we recommend organizations evaluate the effectiveness of these five control areas in
their environments. These recommendations describe basic controls which should be implemented
as a foundational part of an organization's network and security infrastructure. NTT Group analysis
identified that many organizations continue to struggle as they attempt to implement these control
areas in an effective manner.

Control Area 1: Network Segmentation


Many of the investigated breaches originated in one segment of the network and propagated
across the internal network as the attack progressed. Attackers move laterally, compromising
systems throughout organizations in attempts to find strategically valuable systems, targets of
opportunity, or systems which aid the attacker in maintaining a persistent presence.

NTT Group continues to observe organizational network infrastructures which are internally flat (non-
hierarchical). These networks do not adequately define different functional areas of the environment.
Different network areas can have unique data requirements or access requirements, which have
not been recognized or enforced. Internal network segmentation should ensure that data flowing
between segments is appropriately scrutinized. For example, employees in a call center environment
may not need access to development environments, hence this activity should be restricted via
access control lists (ACL) and administrative segregation of functions between environments.

As well as segmenting networks using router access control lists and Virtual Local Area Networks
(VLANs), organizations should implement detective and preventive controls via firewalls, along with
Intrusion Detection and Prevention Systems (IDS/IPS). These enhance the organization's ability to
provide a detective and defensive capability which can help identify potentially malicious network
traffic, including attempts to bypass segregation controls.

In addition to network segmentation, organizations must ensure that system administration
functions are conducted from specific subnets and segregated networks. This allows more granular
control of who may perform administrative activities, and from which network segment they are
authorized to be conducted.

2015 NTT Group Global Threat Intelligence Report Copyright 2015 NTT Innovation Institute 1 LLC 44
Additionally, such controls will significantly impact the tempo of an attack, making network
penetration slower, noisier, and more difficult to accomplish. This is especially true if attackers are
forced to repeat the reconnaissance, attack and compromise process every time they wish to
extend their reach within an environment.

Many security and compliance initiatives can be easier to achieve by properly segregating networks,
data and processes. An important part of this is ensuring proper documentation of controls,
network topology and data transmission paths.

Some key considerations and recommendations for network segmentation include:

• Identify key segments containing critical data, processes and systems.
• Define security zones which effectively segment critical areas based on sensitivity of data and
access requirements.
• Segregate and apply access control lists to and from zones which support administrative
functions for the organization's systems.
• Continuously validate that segregation controls are meeting defined goals as the network
environment grows and changes.
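As an added illustration of the last recommendation (continuously validating segregation controls), and not code from the NTT report: the Python script below encodes a hypothetical zone layout and allow-list, then audits constructed flow records (the kind exported from a firewall or NetFlow collector) for traffic that crosses zones without a permitting rule, or that originates administrative protocols from anywhere other than the admin subnet. The zone CIDRs, port numbers and sample flows are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

# Hypothetical zone layout for the example (constructed, not from the report).
ZONES = {
    "call_center": ipaddress.ip_network("10.10.0.0/16"),
    "development": ipaddress.ip_network("10.20.0.0/16"),
    "cardholder":  ipaddress.ip_network("10.30.0.0/24"),
    "admin_jump":  ipaddress.ip_network("10.250.0.0/24"),
}

# Permitted inter-zone flows, keyed by (source zone, destination zone).
# Each value is a set of (protocol, destination port); ("tcp", "*") would mean any TCP port.
ALLOWED = {
    ("call_center", "cardholder"): {("tcp", 443)},
    ("admin_jump", "development"): {("tcp", 22), ("tcp", 3389)},
    ("admin_jump", "cardholder"):  {("tcp", 22)},
    ("admin_jump", "call_center"): {("tcp", 22), ("tcp", 3389)},
}

# Protocols used for system administration; only the admin zone may originate them.
ADMIN_PORTS = {("tcp", 22), ("tcp", 3389), ("tcp", 5985), ("tcp", 5986)}

Flow = namedtuple("Flow", "src dst proto dport")


def zone_of(ip):
    """Name of the zone containing ip, or None if it lies outside every defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(flow):
    """Return None if the flow is permitted by policy, otherwise a reason string."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "endpoint outside any defined zone"
    if src_zone == dst_zone:
        return None  # intra-zone traffic is governed inside the zone, not by this audit
    key = (flow.proto, flow.dport)
    if key in ADMIN_PORTS and src_zone != "admin_jump":
        return "administrative protocol originating from non-admin zone %s" % src_zone
    allowed = ALLOWED.get((src_zone, dst_zone), set())
    if key in allowed or (flow.proto, "*") in allowed:
        return None
    return "no rule permits %s -> %s on %s/%s" % (src_zone, dst_zone, flow.proto, flow.dport)


def audit(flows):
    """Return [(flow, reason)] for every observed flow that violates the zone policy."""
    return [(f, r) for f in flows for r in [check_flow(f)] if r]


# Constructed sample of observed flows.
SAMPLE_FLOWS = [
    Flow("10.10.4.12", "10.30.0.5", "tcp", 443),   # call center -> card application: allowed
    Flow("10.10.4.12", "10.20.1.7", "tcp", 8080),  # call center -> development: violation
    Flow("10.10.4.99", "10.30.0.5", "tcp", 22),    # SSH from the call center: admin from wrong zone
    Flow("10.250.0.10", "10.20.1.7", "tcp", 22),   # jump host -> development SSH: allowed
    Flow("10.20.1.7", "10.30.0.5", "tcp", 1433),   # development -> cardholder database: violation
    Flow("10.20.1.7", "10.20.1.8", "tcp", 5432),   # intra-zone: not evaluated here
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("VIOLATION %s -> %s %s/%s: %s" % (flow.src, flow.dst, flow.proto, flow.dport, reason))
```

Run against a day of exported flows, the violation list is the gap between the segmentation that was designed and the segmentation that is actually enforced; an empty list after a network change is the evidence the last bullet asks for.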

Control Area 2: Malware Detection and Prevention Controls


Malware is often used as an initial attack capability to penetrate a network, leveraging a combination
of both technical and human vulnerabilities.

Unfortunately, based on instances NTT Group has seen over the past few years, host-based anti-virus
solutions catch, at best, about half of the viruses in the wild. In fact, NTT Group observed
about a 46 percent detection rate while researching malware for the 2014 GTIR. A significant
number of incident response engagements supported by NTT Group identified malware installed on
systems which had outdated or no anti-virus software installed. Malware often disables anti-virus
solutions to help increase its survivability.

Relying solely on host-based security is not a good strategy for managing malware threats.
Organizations must consider technologies which also scrutinize network and email communications
for signs of malicious activity related to malware.

Some fundamental recommendations for deploying malware detection/prevention controls include:

• Define your organization's malware mitigation strategy and ensure your controls include
multiple points of detection and visibility.
• Invest in host-based as well as network-based detection and quarantine capabilities.
• Collect logs from malware product consoles and ensure they are part of your log monitoring
SIEM/MSSP solution.
• Develop policies and procedures for how malware incidents are handled.
• Validate malware controls are operating as designed and make adjustments as required.

It is important to understand that to benefit from even 50 percent protection, host-based anti-virus
solutions must be installed on servers and endpoints, must be regularly updated, and must scan for
viruses constantly. Network and host-based anti-virus solutions should be continuously monitored
to ensure the solution is providing maximum value.

Control Area 3: Patching and Configuration Management

Most breaches analyzed by NTT Group in 2014 included the compromise of unpatched or poorly
configured systems. In many cases the compromises were directly related to third-party application
vulnerabilities. Malicious attackers seek out systems with unpatched vulnerabilities as a means of
gaining an initial foothold into a system or network. Many exploit kits are built with the understanding
that attackers can automate exploits faster than target organizations can patch newly discovered
vulnerabilities. NTT Group has discovered that on average, it takes organizations without a
vulnerability management program nearly 200 days to patch vulnerabilities with a CVSS score of 4.0
and higher.

Old, unpatched vulnerabilities can be a relatively easy exploit path for most attackers. During
2014, 76 percent of the vulnerabilities identified in client systems by NTT vulnerability scanning and
management services were from 2012 or earlier, making them more than two years old. Almost 9
percent of vulnerabilities identified by NTT Group in 2014 were more than 10 years old.

FIGURE 27 (chart): Detected vulnerabilities by year of release, 1999 through 2014, as a percentage
of all detected vulnerabilities (x-axis 0% to 14%). Many new vulnerabilities in 2014, but some from
as far back as 1999.

Although configuration and patch management are not new concepts, analysis of vulnerability
scanning data illustrates it is something most organizations are still doing poorly. Many organizations
still focus attention on patching critical and public facing servers; however, most attacks today are
focused on the end user and third-party applications.

To mitigate potential losses due to configuration management and patch management issues,
organizations should:

• Document configuration and change control policies and procedures.
• Document patch management policies and procedures for operating systems, network
devices and third-party applications.
• Implement solutions which can expedite configuration and patch management processes,
and document related activities.
• Ensure that the organization has visibility and awareness of the status of vulnerabilities across
all technologies in the environment.
• Implement processes for emergency escalation of patches, especially where a vulnerability
present on organizational devices is being actively exploited in the wild.
• Develop test plans and validate that controls and processes are working as anticipated.

Configuration and patch management can be tedious and difficult, especially when managing a
variety of end-user devices in a highly distributed, heterogeneous environment. Implementing an
active, aggressive patch management program can remove common vulnerabilities from both
servers and end-user systems, minimizing the effectiveness of newer exploits and common exploit
kits.
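The two measurements this section reports (vulnerability age relative to the scan year, and time-to-patch for findings with CVSS 4.0 and higher) are straightforward to reproduce from scanner output, and the same data drives the emergency-escalation bullet above. The Python below is an added example, not NTT's tooling: the findings, their CVE-style identifiers, the 30-day SLA and the priority tiers are constructed assumptions for illustration.

```python
from datetime import date

# Constructed scan findings (hypothetical CVE-style identifiers, not from the report).
# year: year the vulnerability was published; cvss: CVSS base score;
# first_seen: date the scanner first reported it; exploited: exploitation in the wild is known.
FINDINGS = [
    {"host": "web01",  "id": "CVE-2014-0001", "year": 2014, "cvss": 9.8, "first_seen": date(2014, 11, 2),  "exploited": True},
    {"host": "ws-117", "id": "CVE-2012-0002", "year": 2012, "cvss": 6.8, "first_seen": date(2014, 3, 15),  "exploited": False},
    {"host": "ws-117", "id": "CVE-2010-0003", "year": 2010, "cvss": 4.3, "first_seen": date(2014, 1, 20),  "exploited": False},
    {"host": "db02",   "id": "CVE-2003-0004", "year": 2003, "cvss": 7.5, "first_seen": date(2014, 6, 1),   "exploited": False},
    {"host": "ws-042", "id": "CVE-2014-0005", "year": 2014, "cvss": 3.2, "first_seen": date(2014, 12, 10), "exploited": False},
]

REPORT_DATE = date(2015, 1, 1)  # assumed "today" for the example


def age_profile(findings, scan_year):
    """Return (fraction at least two years old, fraction more than ten years old),
    measuring age from publication year to the scan year as the report does."""
    n = len(findings)
    two_plus = sum(1 for f in findings if scan_year - f["year"] >= 2)
    ten_plus = sum(1 for f in findings if scan_year - f["year"] > 10)
    return two_plus / n, ten_plus / n


def patch_queue(findings, today, sla_days=30, min_cvss=4.0):
    """Order findings by urgency and flag SLA breaches.

    Priority tiers are an assumed policy, not the report's:
      0 = exploited in the wild (the emergency escalation path)
      1 = CVSS 7.0 and higher
      2 = CVSS min_cvss and higher (the report's 4.0 threshold)
      3 = below threshold: tracked, but not subject to the SLA
    """
    queue = []
    for f in findings:
        if f["exploited"]:
            tier = 0
        elif f["cvss"] >= 7.0:
            tier = 1
        elif f["cvss"] >= min_cvss:
            tier = 2
        else:
            tier = 3
        open_days = (today - f["first_seen"]).days
        queue.append({
            "id": f["id"], "host": f["host"], "tier": tier,
            "open_days": open_days,
            "sla_breached": tier < 3 and open_days > sla_days,
        })
    # Most urgent tier first; within a tier, the finding that has been open longest first.
    queue.sort(key=lambda q: (q["tier"], -q["open_days"]))
    return queue


def mean_days_open(queue):
    """Average days open across SLA-tracked findings: the number to set beside the report's ~200 days."""
    tracked = [q["open_days"] for q in queue if q["tier"] < 3]
    return sum(tracked) / len(tracked)


if __name__ == "__main__":
    two_plus, ten_plus = age_profile(FINDINGS, 2014)
    print("%.0f%% at least two years old, %.0f%% more than ten years old" % (two_plus * 100, ten_plus * 100))
    queue = patch_queue(FINDINGS, REPORT_DATE)
    for q in queue:
        print(q)
    print("mean days open (tracked): %.0f" % mean_days_open(queue))
```

The ordering is the point: a fresh, actively exploited finding outranks an old CVSS 7.5 one, and both outrank the long-open medium-severity items, so the queue a patching team works from matches the escalation policy rather than the scanner's default sort.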

Control Area 4: Monitoring


Some of the breaches analyzed by NTT Group in 2014 had been in process for quite some time.
Organizations discovered some of the breaches months after the initial compromises occurred and
after data had already been lost. Attackers often gain a foothold in an organization's network and
conduct a patient attack campaign, extending their control through the victim's environment while
avoiding detection. Some of these breaches had even been reported by malware and IDS systems
but ignored.

Many breaches included compromise of multiple systems distributed across the organization's
internal network. These compromised systems were often involved in communications related to
the compromise (downloading of malware, exfiltration of data) for an extended period of time. This
included unauthorized communication between internal servers as well as communications with
both internal and external command and control (C&C) servers.

Truly effective monitoring includes not only system logs and alerts, but also behavioral analysis of
an organization's baseline environment. Behavioral monitoring can detect anomalous activity in an
environment. For example:

• Systems which had never communicated are suddenly exchanging large amounts of
information.
• Multiple distributed systems are suddenly talking with a few centralized systems.
• Or more obviously, but often still not detected by many organizations, previously quiet internal
systems are suddenly talking to external systems.
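The three behaviours listed above can be checked mechanically once a baseline of who talks to whom exists. The Python below is an added example, not from the report: it learns a baseline from constructed historical flow records and then flags, in a new time window, new peer pairs moving large volumes, fan-in from many hosts to a previously unseen internal hub, and internal hosts reaching external addresses for the first time. The address ranges, byte thresholds and flow records are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space for the example.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


# Constructed flow records: (source, destination, bytes).
# BASELINE stands in for learned history (say, 30 days of NetFlow); WINDOW is the hour under review.
BASELINE = [
    ("10.1.1.10", "10.1.2.20", 5_000),   ("10.1.1.11", "10.1.2.20", 6_000),
    ("10.1.1.12", "10.1.2.20", 4_500),   ("10.1.1.10", "8.8.8.8", 400),
    ("10.1.3.5",  "10.1.2.21", 120_000), ("10.1.1.13", "10.1.2.20", 5_200),
    ("10.1.1.14", "10.1.2.20", 4_800),   ("10.1.1.15", "10.1.2.20", 5_100),
]
WINDOW = [
    ("10.1.1.10", "10.1.2.20", 5_100),          # routine traffic, seen before
    ("10.1.3.5",  "10.1.9.77", 850_000_000),    # pair never seen before, now moving ~850 MB
    ("10.1.1.10", "10.1.9.77", 2_000), ("10.1.1.11", "10.1.9.77", 2_100),
    ("10.1.1.12", "10.1.9.77", 1_900), ("10.1.1.13", "10.1.9.77", 2_200),
    ("10.1.1.14", "10.1.9.77", 2_050),          # many hosts converging on one new hub
    ("10.1.2.21", "203.0.113.9", 9_000_000),    # server that never spoke externally now does
    ("10.1.1.10", "8.8.8.8", 420),              # external, but this host always has
]


def learn_baseline(flows):
    """Summarize history: bytes per (src, dst) pair and the set of internal hosts that talk externally."""
    pairs = defaultdict(int)
    external_talkers = set()
    for src, dst, nbytes in flows:
        pairs[(src, dst)] += nbytes
        if is_internal(src) and not is_internal(dst):
            external_talkers.add(src)
    return {"pairs": dict(pairs), "external_talkers": external_talkers}


def detect(baseline, window, large_bytes=100_000_000, fan_in=5):
    """Return alerts for the three behaviours the report lists, in the order they are encountered:
    ("new-pair-large-volume", src, dst, bytes), ("quiet-host-to-external", src, dst, bytes)
    and, after the window is scanned, ("fan-in-to-new-hub", dst, source_count, sources)."""
    alerts = []
    pairs = baseline["pairs"]
    new_hub_sources = defaultdict(set)
    for src, dst, nbytes in window:
        new_pair = (src, dst) not in pairs
        if new_pair and nbytes >= large_bytes:
            alerts.append(("new-pair-large-volume", src, dst, nbytes))
        if new_pair and is_internal(src) and is_internal(dst):
            new_hub_sources[dst].add(src)
        if is_internal(src) and not is_internal(dst) and src not in baseline["external_talkers"]:
            alerts.append(("quiet-host-to-external", src, dst, nbytes))
    for dst, sources in new_hub_sources.items():
        if len(sources) >= fan_in:
            alerts.append(("fan-in-to-new-hub", dst, len(sources), sorted(sources)))
    return alerts


if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE), WINDOW):
        print(alert)
```

None of the flagged flows trips a signature: the bytes are ordinary data and the external host has no reputation hit. The alerts come entirely from the departure from the baseline, which is what the report means by behavioral analysis; the thresholds would be tuned per environment, and a real deployment would refresh the baseline on a rolling window so that yesterday's anomaly does not silently become today's normal.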

To ensure organizations get the most out of their monitoring investment, NTT Group recommends:

• Understand your environment, knowing that not all logs are created equal. Security engineers
can help your organization identify the logs, devices and systems which provide the most
value and context.
• Most environments with strong monitoring are the result of years of maturity and constant
planning and improvement. Define your tactical and strategic plans for monitoring and then
work your plan.
• Your monitoring plan determines how well you can identify activities which occur during
breaches, but can also help your organization meet compliance requirements. Maximize the
value of monitoring by applying it to multiple use cases.
• Monitoring, like many other security controls, achieves its maximum value when layered. Log
at the network layer and the application layer. Log externally facing IDS/IPS, firewalls, WAFs,
but also consider directory services, anti-virus, file monitoring, databases, web applications,
proxies and DLP.
• Consider monitoring key devices at the source as opposed to relying on identifying malicious
activity as it traverses other devices.

Control Area 5: Active Incident Response


During 2014, about 74 percent of organizations which used NTT Group incident response services
had no functional incident response plan. An incident response plan is only effective if it enables the
organization to respond to an incident in an actionable and coordinated manner.

For the incidents analyzed, NTT Group observed many organizations asking themselves the same
questions:

• Did the alerts actually constitute a breach? Was the organization actually under attack?
• Who from the organization should respond? Is the organization primarily interested in retaining
evidence of the breach, restoring service, protecting data, or is there another priority?
• What systems and/or data should receive the highest response priority?
• Who are the organization's third-party vendors (e.g., their ISP) and who are the contacts (and
what are their contact phone numbers) at those organizations?

These are exactly the types of questions which a mature incident response plan would identify
during development, coordination, review and test.

During an attack, it will be hard enough to respond to the incident in a planned manner even with
a plan in place. Attempting to respond without one extends the duration and losses associated
with an attack: the response process is far more complicated if the organization tries to figure out
what its incident response should be amidst the chaos of an ongoing breach.

An effective incident response plan will define the following activities before an attack occurs:

• Define the incident response team, along with their roles and responsibilities.
• Document contact information for relevant vendors and third-parties, such as ISP tech
support, and define how they fit into the process.
• Define any required skill sets which do not exist within the organization, and how they will be
obtained and utilized.
• Define processes to communicate effectively during incidents.
• Define criteria to declare when an incident has started, as well as when an incident has ended.

This is a drastic simplification of a real incident response plan, which would still have to be
implemented effectively, and include procedures which would be clearly communicated to all
responsible individuals. Unfortunately, NTT Group analysis of incidents in 2014 shows that these
simple concepts are often overlooked by even the most mature organizations.

Conclusion
Not every compromise is a result of missing the fundamental controls discussed in this section.
However, if every breached organization had implemented truly effective controls in these areas,
those organizations would have been more resilient and better prepared to respond to an attack.
Effective implementation of these five control areas can have an immediate, positive impact on the
security of any organization.

Threat Intelligence Defined


Over the past few years, the security industry has applied many definitions to the term Threat
Intelligence. In this section we will provide NTT Group's definition, how it applies to our clients, and
discuss some of the key components and benefits of a comprehensive threat intelligence strategy.

Threat intelligence, at its core, is a specific application of broader intelligence principles which
includes the painstaking collection of data and information from many sources, context-aware
analysis, intelligence production, and delivery to the intelligence consumer.

Core Intelligence Disciplines


According to the Intelligence Community (IC), there are five core intelligence disciplines:

• Human Intelligence (HUMINT): the collection of information from human sources.
• Open Source Intelligence (OSINT): explores, exploits and enhances generally-available public
information via data mining and advanced search techniques.
• Signals Intelligence (SIGINT): the collection and exploitation of signals transmitted from
communications systems, radar and weapon systems.
• Imagery Intelligence (IMINT): geospatial information collected and processed by a variety of
terrestrial, airborne or satellite-based collectors.
• Measurement and Signature Intelligence (MASINT): a technical branch of intelligence which
uses information gathered by technical instruments such as radars, lasers, passive electro-
optical sensors, seismic and other sensors to identify targets by their signatures.

Defining Cyberintelligence
Cyberintelligence (CYINT) is not one of the core intelligence disciplines, but is a hybrid field which
can consist of any combination or all of the five core disciplines. Although it can be used as a
key component of cybersecurity, CYINT operates independently of the cybersecurity mission and
supports a variety of operations across every sector of government and industry.

It is critical for organizations to recognize the broader capabilities of this rapidly emerging field of
intelligence, and how it can be used beyond identifying cyberthreat actors, technical data about
vulnerabilities, malware or IP reputation data. CYINT goes beyond these narrow parameters
and encompasses the analysis of actions and events associated with an organization's physical
environment which can lead to forecasting digital threats.

The Intelligence Cycle

At NTT Group, we have helped numerous enterprises around the globe implement successful threat
intelligence programs. Our holistic approach is outlined below.

1. Planning, Requirements and Direction: planning and direction for intelligence gathering includes
management of the entire intelligence effort, from Priority Intelligence Requirements to the final
intelligence product.
2. Collection: the threat intelligence service gathers potentially useful raw data from relevant
sources.
3. Processing: the collected data is consolidated into a standardized format suitable for detailed
analysis.
4. Analysis and Production: the gathered data is analyzed by subject matter experts to identify
potential threats to customer environments and develop threat countermeasures.
5. Dissemination: the intelligence analysis is distributed to stakeholders to guide appropriate
measures.

FIGURE 28 (diagram): The five steps in the Intelligence Cycle, drawn as a loop driven by consumer
needs: (1) Planning, Requirements & Direction; (2) Raw Information Collected Based on
Requirements; (3) Information Processed & Exploited; (4) Intelligence Analysis & Production;
(5) Dissemination of Product to Consumer.

Information vs. Intelligence
Despite what many security threat intelligence vendors may say, data and information are not
intelligence. Let's look at an example:

• Information
An exploit for a zero-day Java vulnerability is publicly released on a security mailing list. Shortly
thereafter, malware is identified utilizing the vulnerability. Security vendors notify clients of this
threat and provide recommendations for mitigation. This is threat information and while useful,
it is not, by definition, threat intelligence.

• Intelligence
A security vendor monitoring exploitation of the Java vulnerability notices infection rates in
Asia are much higher than in the U.S. New strains of malware, which install code associated
with a botnet command and control system on victim devices, are being observed in the wild.
At the same time, a large financial institution has announced the acquisition of a number of
smaller, regional banks, initiating an increase in their non-sufficient funds fee from $20 to $35,
thereby angering consumers. A number of hacktivist groups begin discussing a protest against
the U.S. banking system on Twitter and other social media sites, promising to halt online
transactions for a day at major institutions. One hacktivist Twitter account posts instructions
for using botnet command and control software, which appears to be related to the botnet
client code installed by the Java malware.

Piecing these data points together leads to a clearer picture: U.S. banks are likely going to be
targeted with a DDoS (Distributed Denial of Service) attack by a hacktivist group using botnets
based on the Java vulnerability. Based on what is known about infection profiles, banks can expect
the attacks to originate from Asian source IP addresses. This is threat intelligence: information
gathered from a number of disparate sources, synthesized by human analysts to identify a specific
threat to a specific target.

The Importance of Threat Intelligence in Information Security
There are four principal reasons threat intelligence is becoming recognized as a critical information
security requirement:

1. Change in Cyberthreat Profiles


Organizations must defend against a dramatic shift in security threats and understand that the
attack surface encompasses far more than a narrowly defined technical parameter. Cyberthreat
actors are no longer idiosyncratic or dissident individuals and groups. They now include nation-state
actors or sponsored groups, as well as transnational organized crime groups with considerable
resources, support and expertise at their disposal. Conversely, those tasked with defending
organizations often have limited resources and budgets to launch an adequate defense, hence
the asymmetric nature of the threat. The steady rise in documented data loss incidents provides
evidence that recent attacks are increasingly successful. The following chart depicts the increasing
number of documented attacks as identified by http://datalossdb.org/statistics.

FIGURE 29 (chart): Number of attacks per year, 2006 through 2014, as recorded by datalossdb.org
(x-axis 0 to 1,800). The number of attacks increases almost every year.

2. The Volume of Information Security Vulnerabilities

The sheer volume of data which information security personnel must analyze can be overwhelming.
Organizations must react to a daily influx of vulnerabilities, zero-day threats, malware, exploit
kits, botnets, Advanced Persistent Threats (APT) and targeted attacks. The number of Common
Vulnerabilities and Exposures (CVEs) (http://web.nvd.nist.gov/view/vuln/statistics) identified every
year for the last 15 years is shown in the figure below; over 4,000 new security vulnerabilities have
been identified annually since 2005.

FIGURE 30 (chart): New vulnerabilities annually, 1999 through 2014 (x-axis 0 to 8,000 CVEs).
The number of new vulnerabilities annually is almost unmanageable.

The rate of malware identification has also increased in recent years, as shown in the following
chart. Even a glance at the chart below shows the dramatic rise in the amount of new malware
identified annually since 2011 (http://www.av-test.org/en/statistics/malware/).

FIGURE 31 (chart): New malware identified per year, 2005 through 2014, in millions (x-axis 0 to
159). The amount of new malware isn't just rising; it is skyrocketing.

Intelligence about threats targeted to an organization's environment can assist in the prioritization of
remediation actions, so that mitigation efforts and resources are directed to areas with the greatest
need and defensive value.

3. Technology Growth and Usage Changes


The number of technologies in place at most organizations is dramatically higher than it was even
two or three years ago. Bring Your Own Device (BYOD) initiatives, remote workers joining corporate
networks via VPNs, pervasive wireless networking, and the increasing use of virtualization and
cloud computing have all dramatically increased the technologies in use within typical organizational
environments. New technologies don't typically replace legacy technologies; they are most often
an addition, resulting in a net increase to the organization's attack surface and the vulnerabilities
found within it. Homogeneous organizational networks with defined perimeters no longer exist. A
heterogeneous, distributed user and technology base is the new standard. This new reality comes
with more complexities and more potential risks.

4. Affordable Outsourcing of Threat Intelligence


As organizations face increasing risk and higher numbers of attacks from all the factors listed above,
their resources can quickly get stretched thin. Fortunately, many vendors offer threat intelligence
services to help these organizations better prepare for, defend against, and react faster to threats
and attacks.

How Organizations Are Using Threat Intelligence


Every organization has different information security priorities, assets to protect, levels of
expertise, and types of security technology in place. As a result, different organizations can have
different perceptions, needs, and expectations of threat intelligence services. Factors influencing
organizational threat intelligence needs include organization size, alignment with government entities
and key verticals, supply and information chain outside the firewall, and the sophistication of internal
security resources.

For example, organizations with limited public exposure, and not storing or transmitting the types
of data typically desired by attackers, are likely to have different threat intelligence needs than
organizations which are highly visible in the public sphere, maintain highly desirable data, or are
associated with controversial topics. And an international organization involved in highly political
industries may require targeted intelligence on topics such as attacks from activist groups, attacks
on competitors, high-profile conferences and events, and industrial espionage.

Conclusion
The terms intelligence, cyberintelligence and cyberthreat intelligence have been used extensively
and interchangeably, and often incorrectly, in the information security community. They have been
used quite inaccurately to describe automated data feed services or data which may be used to
further identify and mitigate threats. However, the very specific nature of each of these terms builds
on the fundamental understanding of what true intelligence is and how it is derived. It is important
to align security industry terminology with that of the traditional intelligence community for a unified
understanding.

The traditional intelligence community has been managing threat intelligence information for a long
time, and has had the opportunity to improve, if not perfect, the process. Industry should apply their
lessons learned to maximize the effectiveness of a newer breed of cyberthreat intelligence.

Changes to the cybersecurity landscape over the last several years have been the primary driver in
the need for threat intelligence services. As organizations seek new sources of threat intelligence,
they need to be aware of the different types of intelligence being delivered by the security industry.

DISTRIBUTED DENIAL OF SERVICE ATTACKS
Although Denial of Service (DoS) and Distributed Denial of Service (DDoS) have been common
attack techniques used by malicious actors for some time, organizations still struggle to mitigate
these threats. Such attacks can have a significant impact on a victimized organization. For years,
NTT Group has been helping prepare clients for such attacks.

Every year, new capabilities to mitigate DoS and DDoS threats enter the security marketplace. From
application layer appliances to the capabilities of content distribution networks, there has been a
great focus on managing the impact of these attacks.

The following sections present analyses of DDoS attacks, and a case study of a DDoS attack which
used a legitimate application feature against the targeted organization.

Distributed Denial of Service Observations

NTT is one of the largest Internet providers in the world, with a significant share of the world's
Internet traffic passing through the global public NTT network. As a provider with worldwide
coverage managing this much bandwidth, one of NTT's important tasks is to mitigate distributed
denial of service attacks (DDoS). These attacks historically have focused on flooding a victim's
networks with so much data or activity that legitimate services are rendered unavailable. These
volume-based attacks are very different from application DDoS attacks (such as that described in
the Web Application DDoS Attack case study in this report), which consume application processing
resources.

The distribution of DDoS attacks (by type of attack) observed by NTT in 2014 is presented in
figure 32. 63 percent of all DDoS attacks observed were related to UDP based protocols and
services (NTP, SSDP and DNS). Discussions of different DDoS attack types observed in 2014 are
presented below.

FIGURE 32 (pie chart): DDoS by type, 2014. NTP Amplification 32%; Other 22%; TCP SYN 16%;
Multi-vector 15%; SSDP Amplification 9%; DNS Amplification 6%. NTP Amplification leads the
number of attacks by type of attack.

NTP Amplification Attacks
With 32 percent of all DDoS attacks during 2014, the most common type of attack we observed
was the Network Time Protocol (NTP) amplification attack. In this attack, an attacker changes
the source address of an NTP query to the intended victim's address, then sends the maliciously
spoofed query to one or more NTP servers. The NTP servers respond to the IP address of the victim
(the spoofed source address).

The amplification components of the attack are what make it interesting. A very small query to an
NTP server can produce a very large response if using particular NTP options.

TCP SYN Flood Attacks
Another of the largest types of DDoS attacks, with 16 percent of the total, is also one of the oldest
and most consistently observed over the years. The TCP SYN flood attack is performed by flooding
the target network with a large number of TCP SYN requests which results in the exhaustion of
available resources.

If mitigating controls are not put in place, a malicious attacker can use this tactic to create a large
number of partially-open connections to a server. This can exhaust all available sessions, preventing
users from connecting to ports which would normally be accessible for legitimate services.

Attackers can further ensure the success of SYN floods by employing different techniques to
exhaust resources. This may include spoofing the source IP addresses, targeting multiple ports,
attacking from multiple distributed sources, and the use of botnets.

SSDP Amplification Attacks

Another type of DDoS traffic observed in 2014 was Simple Service Discovery Protocol (SSDP)
amplification, which made up 9 percent of all DDoS attacks observed. SSDP was created to help
devices discover and connect to each other, and is part of the Universal Plug and Play (UPnP)
protocol. The protocol was first introduced in 1999 and by default uses UDP port 1900 for
communication.

Similar to other attacks such as DNS and NTP amplification, attackers send specially crafted
requests to an SSDP-enabled device and direct the response to the targeted system. Although the
service defaults to UDP/1900, it can be directed to send responses to other ports and services.
Since there is no shortage of SSDP-enabled devices, SSDP is a good candidate for attackers to use
in reflection- and amplification-based attacks. Several tools allow attackers to identify SSDP-enabled
devices and launch attacks.

Botnets capable of performing SSDP DDoS attacks may use compromised home computing,
network and residential devices to conduct attacks. Due to the wide use of SSDP, especially
in residential equipment such as network modem/router bundles, wireless access points, and
many home entertainment appliances and gaming systems, it is likely that SSDP DDoS attacks will
continue.

Unfortunately, most devices which implement SSDP enable this feature by default, and it is unlikely
that residential users will patch or disable these services.

Multi-vector Attacks
In multi-vector attacks, combinations of different DDoS attack types are used during a single
incident. Attackers will often initiate attacks using one method but may adapt their approach during
the attack if the primary method of attack is not as effective as anticipated.

Alternatively, attackers may elect to use multiple methods of attack simultaneously to ensure their
success. For example, attackers may start with NTP amplification but then use methods such as
SYN flood, SSDP, application specific or other methods to amplify the effect of the attack.

Multi-vector attacks can be a powerful tactic since this increases the chances of success. These
attacks are also designed to overwhelm defenses and organizational staff. It can be a challenge for
organizations to respond to multi-vector attacks since different attack techniques require different
mitigation and defensive approaches.

DDoS Mitigation Recommendations

DDoS attacks have been around for some time. Preventive measures have had a chance to mature,
and some measures have proven to be more reliable than others. While they must be evaluated in
each organization's unique environment, NTT Group offers the following recommendations:

Technical Recommendations
• Organizations should implement a layered approach to DDoS mitigation controls leveraging
  multiple technologies.
• Implement onsite application DoS mitigation services such as a web application firewall.
• Filter traffic at multiple points of ingress, including the upstream ISP and via content distribution
  networks or scrubbing services. Third-party traffic scrubbing and filtering services can be
  valuable because they often anticipate the need to address multiple types of DDoS attacks.
• Implement dynamic bandwidth services which can scale bandwidth as an attack unfolds.
  This is not optimal as a long-term solution but can help absorb some of the initial impact of an
  attack.
• Many network firewalls, load balancers and servers support rate limiting or session timeouts.
  Ensure organizational staff understands the environment and the tools which are already available.
• Understand the capabilities of the organization and the ISP to handle TCP SYN flood attacks.
  Many ISPs implement detection for spoofed IP addresses and filter these by default.
• Keep in mind that ISPs often do a great job at filtering high-volume attacks, but smaller
  attacks may go unnoticed and not be filtered.
• Depending on the focus of the attack, host- or application-based controls can help mitigate
  session or connection exhaustion.
• Ensure the organization follows system and service hardening guidelines to reduce
  misconfiguration issues and limit the services running.

Non-technical Recommendations
• Ensure the organization understands not only its ability to detect a DDoS attack, but its ability
  to respond.
• Account for DDoS attacks in the organization's business continuity and disaster recovery
  plans.
• Evaluate the financial impact a DDoS attack would have on organizational operations and
  services.
• DDoS attacks are often used to mask other criminal activities. In the event of a DDoS attack,
  ensure the organization remains alert for other malicious activities which may be occurring
  (fraudulent wire transfers, other breaches, and data exfiltration from other network segments).
• Know who to call for support during a DDoS attack (SOC, vendors, ISPs, incident response
  teams).

Calendar View of the Distribution of DDoS Attack Types

NTT Group analyzed DDoS attack data for the most common attack methods witnessed during
2014. UDP protocol based attacks (NTP, DNS, SSDP and others) were observed throughout the
year. The most notable and impactful attack methods observed during 2014 were NTP and SSDP
amplification attacks.

During the first quarter of 2014 DDoS mitigation providers and the general media recognized
significant spikes in NTP based DDoS activity. NTT Group saw the same result in the data we
collected. As depicted in the following chart, the majority of NTP amplification activity for the year
was observed from January through April 2014, with only a small reoccurrence of similar attacks in
the fourth quarter.

One of the primary reasons for this dramatic increase in NTP related attacks was the availability of
toolkits allowing attackers to initiate powerful attacks without requiring extensive skills. One of the
toolkits providing this capability is NTP-AMP.

FIGURE 33: Percentage of DDoS attack types by month, January through December 2014 (chart;
series: DNS Amplification, SSDP Amplification, Multi-vector, TCP SYN, NTP Amplification, Other).

Not quite as high in volume, NTT Group observed SSDP amplification attacks growing in July and
continuing to gain momentum during the fourth quarter, peaking in December 2014.

The rise of SSDP based attacks in the last quarter of 2014 was rapid and widespread. This jump in
observed attacks is likely due to the increased visibility of reflection-based DDoS capability and the
availability of tools supporting these attack methods. With the global availability of UPnP and SSDP
enabled devices it is likely we will continue to observe SSDP based attacks for the near future.

For specific recommendations and more information on the DDoS attack types covered in this
section, please also read the Distributed Denial of Service Observation section of the report.

Case Study: Web Application DDoS Attack

Case Study Moral
Ensuring you have DoS/DDoS protection in place, before you are attacked, can pay off.

Overview
XYZ Corp (name changed to protect client identity), an NTT Group managed security service
client, was subjected to a distributed denial-of-service (DDoS) attack. The attack, which had seen
little previous use, was an application layer DDoS attack, targeting a web application at a rate of
less than a megabit per second. This was significantly different from many of the large, distributed
attacks which NTT mitigates every day in the global backbone provided to its customers.

Timeline of Events

FIGURE 34: Timeline

DATE    EVENT
Day 1   Possible application DDoS attack detected
Day 1   Incident escalated to NTT client
Day 1   Team verified no operational issues were causing delays, confirming indication of an attack
Day 1   Logs requested from the client's Internet Service Provider (ISP)
Day 1   Detailed analysis reveals an attacker maliciously using a WordPress feature as a focus of
        the attack
Day 1   Mitigation steps identified and signature is created, tested and deployed
Day 1   Client fully mitigates the attack
Day 1   Sanitized details related to the attack traffic are transmitted to DoS prevention vendor
        Total elapsed time for this incident: 5.5 hours
        Elapsed time once logs were received from ISP: 1.5 hours
Day 7   Vendor deploys new official signature

Description of Event
During the spring of 2014, NTT Group security analysts in a Security Operations Center (SOC)
detected a DDoS attack by observing anomalous responses from various systems within a single
client's monitored environment. NTT Group initiated further investigations along with XYZ Corp, as
well as XYZ Corp's IT service provider and ISP. The team quickly identified that latency experienced
with application performance was not caused by maintenance or network equipment failures. The
NTT SOC team requested relevant logs, and further investigations indicated attackers were using
legitimate functionality in WordPress called Pingback[7] to conduct a DDoS attack. Once NTT Group
security analysts identified the nature of the attack, they developed, tested and deployed a signature
to mitigate future attacks.

Following the successful mitigation, the DoS prevention vendor was informed about the incident and
how NTT Group mitigated the attack. The vendor created and deployed an official signature, which
was made available to all of their other customers.

Root Cause
This attack was an application attack, where the goal was to consume all the resources of the
targeted web application. However, the attack did not affect network access to the website, as the
volume was low. This is typical of application attacks, and can make it difficult to distinguish them
from normal website traffic. The low bandwidth also means other applications sharing the same
Internet access were not affected by the attack.

Using this feature in WordPress, the attackers took advantage of legitimate third-party servers with
good reputations, creating what appeared to be legitimate HTTP requests directed at the victim's
web servers. The victim's website was not running WordPress.

Pingback is enabled by default on WordPress and is used to cross-reference between blogs. The
attacker can forge the destination URL so the WordPress site will contact the victim's website to
check if the pingback in fact originated from that location. The Pingback attack uses legitimate
HTTP requests, but the query contains an arbitrary value which changes for each request. The
arbitrary request is key to the effectiveness of the attack as it forces the website to reload the web
page for each incoming request. This effectively bypasses any buffer storage or caching intended
to reduce the load on the web server. Such reloads are very resource intensive on the application,
and can create a denial-of-service (DoS) condition on the affected website. This is especially true
in cases where the web page requested is media rich with larger file sizes and a large amount of
content.
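A defender-side check for the pattern described above (many reputable WordPress sites verifying pingbacks against one page, each request carrying a changing query value), as an added example that is not code from the NTT report: it parses web server access logs in the common "combined" format and flags paths that receive such traffic from several distinct reflecting blogs. The pingback User-Agent format it matches and the log lines it runs on are assumptions and constructed sample data, not data from the incident.

```python
"""Flag a WordPress pingback reflection flood in web server access logs.

Added example, not part of the NTT report. Assumptions: logs are in the
Apache/nginx "combined" format, and reflecting WordPress sites identify
themselves with the User-Agent WordPress uses for pingback verification,
"WordPress/<ver>; <blog url>; verifying pingback from <ip>".
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed pingback-verification User-Agent shape; the blog URL identifies the reflector.
PINGBACK_UA_RE = re.compile(r'^WordPress/[\d.]+; (?P<blog>\S+); verifying pingback from')


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    rec['query'] = parts.query          # the cache-busting value lives here
    ua = PINGBACK_UA_RE.match(rec['ua'])
    rec['pingback_blog'] = ua.group('blog') if ua else None
    return rec


def analyze(lines, min_reflectors=3, min_requests=10, min_unique_query_ratio=0.9):
    """Per path, count pingback-verification requests, distinct reflecting blogs,
    and distinct query strings. A path is flagged when enough requests arrive
    from enough distinct reflectors and nearly every query string is unique,
    which is what defeats caching in the attack described above."""
    per_path = defaultdict(lambda: {'requests': 0, 'reflectors': set(),
                                    'sources': set(), 'queries': set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['pingback_blog'] is None:
            continue                    # not a pingback verification request
        s = per_path[rec['path']]
        s['requests'] += 1
        s['reflectors'].add(rec['pingback_blog'])
        s['sources'].add(rec['src'])
        s['queries'].add(rec['query'])

    findings = {}
    for path, s in per_path.items():
        ratio = len(s['queries']) / s['requests']
        findings[path] = {
            'requests': s['requests'],
            'reflectors': len(s['reflectors']),
            'sources': len(s['sources']),
            'unique_query_ratio': round(ratio, 2),
            'flagged': (s['requests'] >= min_requests
                        and len(s['reflectors']) >= min_reflectors
                        and ratio >= min_unique_query_ratio),
        }
    return findings


def _mk(src, target, ua, ts='10/Mar/2014:14:02:11 +0000'):
    """Build one constructed combined-format log line."""
    return f'{src} - - [{ts}] "GET {target} HTTP/1.0" 200 48211 "-" "{ua}"'


# Constructed sample data: four reflecting blogs (one source IP each), twelve
# requests to /pricing/, each with a fresh query value; plus benign traffic.
REFLECTORS = ['http://blog-a.example', 'http://blog-b.example',
              'http://blog-c.example', 'http://blog-d.example']
SAMPLE_LOG = [
    _mk(f'198.51.100.{10 + i % 4}', f'/pricing/?{1000 + 37 * i}',
        f'WordPress/3.8.1; {REFLECTORS[i % 4]}; verifying pingback from 203.0.113.9')
    for i in range(12)
] + [
    # a single legitimate pingback verification, no cache-busting query
    _mk('198.51.100.50', '/blog/post-1',
        'WordPress/3.8.1; http://blog-e.example; verifying pingback from 203.0.113.10'),
    # ordinary browser request to the same page; ignored by the detector
    _mk('192.0.2.7', '/pricing/?plan=team', 'Mozilla/5.0 (X11; Linux x86_64)'),
]

if __name__ == '__main__':
    for path, f in analyze(SAMPLE_LOG).items():
        print(path, f)
```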

For this particular type of WordPress attack, legitimate WordPress sites are turned against innocent
victims. WordPress attacks have been observed in the wild, in some cases using more than
160,000 WordPress sites to send pingback requests to a single victim.

A few months later, attackers attempted to use the same type of WordPress DDoS attack against
the same client, along with several financial and transportation businesses. One financial institution's
website was unavailable for over an hour, while other companies experienced varying degrees of
impact for up to 12 hours. NTT Group clients experienced no measurable business impact.

7 https://en.support.wordpress.com/comments/pingbacks/

Cost of Incident
Based on interaction with the client XYZ Corp, NTT Group estimated that the actual cost of this
event was low since the incident was discovered and mitigated rapidly. Costs associated with the
incident were mostly related to coordination, communication, documentation and lessons-learned
activities.

FIGURE 35: Cost of Successfully Mitigated DDoS Event

ITEM                                                                                        COST
Actual cost of investigation, remediation and professional incident support as described   Less than $2000
Actual cost of legal and public relations support                                           $0
Actual loss due to website outage                                                           Low
Actual total cost directly related to the event                                             Less than $2000
Actual total cost of the follow-on attack (after signatures had been deployed)              $0

Case Study Summary

Data from NTT Group shows denial-of-service attacks continue to be prevalent and pose a threat
to any business with an online presence. In this particular case, XYZ Corp had proactively invested
in protection against DoS/DDoS attacks. Once the attack was detected, experts were ready to
mitigate the web application attack immediately. Skilled SOC analysts investigated and deployed
effective permanent protection. Later, when new WordPress attacks targeted the business again,
XYZ Corp did not experience any downtime.

Threat Mitigation: Web Application DoS/DDoS Attack

Service downtime not only affects customer interactions, but also has a huge impact on the
reputation of any business. DoS/DDoS attacks vary in type and method, so there is no single
solution which will stop them all. However, a proactive, layered defense following sound guidelines
can help prevent these attacks and minimize impact. The following recommendations can help to
mitigate the impact of DoS/DDoS attacks:

• Conduct an enterprise risk assessment: Identify your organization's important data and
  applications, and the potential impact which different attacks could have on your organization.
  If an attack could create an outage causing a measurable impact on your business, include
  DoS/DDoS mitigation strategies in your organization's security plans.
• Create a formal DoS/DDoS incident response plan: Ensure that your incident response plan
  includes guidance for preparation and response to DoS/DDoS attacks.
• Deploy a layered DoS/DDoS defense strategy: Consider all aspects of your environment, and
  review on-site, cloud and ISP-based solutions. Not all DoS/DDoS attacks are equal; low and
  slow application attacks require a different response tactic than rate-based reflection attacks
  which flood the network layer.
• Understand ISP options: Include an accurate contact list with names and phone numbers for
  all ISP and third-party providers so you can readily contact them for assistance. Discuss DoS/
  DDoS detection and mitigation support options with your ISP before you actually need the
  services.
• Review lessons learned: After a DoS/DDoS attack, regardless of whether the attack was
  successful, review your lessons learned to help you manage future attacks.
• Test your environment: Test your exposed systems to find, and mitigate, system limits and
  weak points before you are subjected to an attack.
• Leverage monitored and managed security services: Evaluate the offerings of any DoS/DDoS
  mitigation and assessment services supported by your managed security services provider. Be
  proactive about understanding their capabilities, and understanding how third-party services
  can complement other available resources.

NTT GROUP RESOURCE INFORMATION
About NTT Group Security Companies

Solutionary
CONTACT INFO
Ph: 866-333-2133
Email: info@solutionary.com
Visit: www.solutionary.com

Solutionary, an NTT Group security company (NYSE: NTT), is the next generation managed security
services provider (MSSP), focused on delivering managed security services and global threat
intelligence. Comprehensive Solutionary security monitoring and security device management
services protect traditional and virtual IT infrastructures, cloud environments and mobile data.
Solutionary clients are able to optimize current security programs, make informed security decisions,
achieve regulatory compliance and reduce costs. The patented, cloud-based ActiveGuard MSSP
platform uses multiple detection technologies and advanced analytics to protect against advanced
threats. The Solutionary Security Engineering Research Team (SERT) researches the global threat
landscape, providing actionable threat intelligence, enhanced threat detection and mitigating
controls. Experienced, certified Solutionary security experts act as an extension of clients' internal
teams, providing industry-leading client service to global enterprise and mid-market clients in a wide
range of industries, including financial services, healthcare, retail and government. Services are
delivered 24/7 through multiple state-of-the-art Security Operations Centers (SOCs).

See how Solutionary can enhance security, improve efficiency and ease compliance. Contact an
authorized Solutionary partner or Solutionary directly.

NTT Com Security
CONTACT INFO
Visit: www.nttcomsecurity.com for regional contact information

NTT Com Security, an NTT Group security company (NYSE: NTT), is in the business of information
security and risk management. By choosing our WideAngle consulting, managed security and
technology services, our clients are free to focus on business opportunities while we focus on
managing risk.

The breadth of our Governance, Risk and Compliance (GRC) engagements, innovative managed
security services and pragmatic technology implementations means we can share a unique
perspective with our clients, helping them to prioritize projects and drive standards. We want to
give the right objective advice every time.

Our global approach is designed to drive out cost and complexity, recognizing the growing value
of information security and risk management as a differentiator in high-performing businesses.
Innovative and independent, NTT Com Security has offices spanning the Americas, Europe
and APAC (Asia Pacific) and is part of the NTT Communications Group, owned by NTT (Nippon
Telegraph and Telephone Corporation), one of the largest telecommunications companies in the
world.

To learn more about NTT Com Security and our unique WideAngle services for information security
and risk management, please speak to your account representative or visit www.nttcomsecurity.com
for regional contact information.

Dimension Data
CONTACT INFO
Visit: www.dimensiondata.com

Dimension Data, an NTT Group company (NYSE: NTT), is a USD 6.7 billion ICT solutions and
services provider with over 25,000 employees and with operations in 58 countries. Its security
business delivers broad technical and integration expertise across a variety of IT disciplines,
including networking, security, communications, data centres, and end-user computing. We
service over 6,000 security clients across all industry sectors, including financial services,
telecommunications, healthcare, manufacturing, government, and education. Our real-time security
information and event management architecture is based on an enterprise-wide risk management
solution that enables our Security Operations Centre (SOC) analysts to centrally manage attacks,
threats, and exposures by correlating security information from multiple security technology controls.
This solution enables them to eliminate clutter such as false positives, while quickly identifying the
real security threats to help them respond effectively and efficiently. Our team of certified security
experts, located in SOCs, brings unmatched cybersecurity experience to augment the knowledge
base of our clients' IT organisations. We provide peace of mind with skilled technicians ready to help
clients respond to, and mitigate, all cybersecurity threats. Our certifications include ISO9001, ISO/
IEC 27001:2013, ASD Protected Gateway, PCI DSS, and ASIO T4.

For more information, please contact your nearest Dimension Data office or visit
http://www.dimensiondata.com.

NTT DATA
CONTACT INFO
Visit: www.nttdata.com

NTT DATA, an NTT Group security company (NYSE: NTT), is a leading IT services provider
and global innovation partner with 75,000 professionals based in over 40 countries. NTT DATA
emphasizes long-term commitment and combines global reach and local intimacy to provide
premier professional services, including consulting, application services, business process and
IT outsourcing, and cloud-based solutions. We're part of NTT Group, one of the world's largest
technology services companies, generating more than $112 billion in annual revenues, and partner
to 80% of the Fortune Global 100.

Visit http://www.nttdata.com to learn how our consultants, projects, managed services, and
outsourcing engagements deliver value for a range of businesses and government agencies.

NTT Innovation Institute
CONTACT INFO
Visit: www.ntti3.com

NTT Innovation Institute, Inc. (NTT i3) is the Silicon Valley-based innovation and applied research
and development center of NTT Group. The institute works closely with NTT operating companies
and their clients around the world to develop market-driven, client-focused solutions and services.
NTT i3 builds on the vast intellectual capital base of NTT Group, which invests more than $2.5
billion a year in R&D. NTT i3 and its world-class scientists and engineers partner with prominent
technology companies and start-ups to deliver market-leading solutions which span strategy,
business applications, data and infrastructure on a global scale.

To learn more about NTT i3, please visit us at http://www.ntti3.com.

The NTT Global Data Analysis Methodology


The 2014 Global Threat Intelligence Report contains global attack data gathered from NTT Group
security companies from 1 January to 31 December, 2014. The analysis is based on log, event,
attack, incident and vulnerability data from clients and NTT research sources, including honeypots
and sandboxes. It summarizes data from trillions of logs and over six billion attacks. Also contained
at NTTGroupsecurity.com is historical data from 2014 and live data provided by the NTT Global
Threat Intelligence Platform (GTIP) on a daily basis starting in 2015.

NTT Group gathers security log, alert, event and attack information, enriches it to provide context,
and analyzes the contextualized data. This process enables real-time global threat intelligence and
alerting. The size and diversity of our client base, with over 18,000 customers, provides NTT Group
with a set of security information which is truly representative of the threats encountered by most
organizations.

The data is derived from worldwide log events identifying attacks based on types or quantities of
events. The use of validated attack events, as opposed to the raw volume of log data or network
traffic, more accurately represents actual attack counts. This methodology lends credibility to the
resulting data. Without proper categorization of attack events, the disproportionately large volume
of network reconnaissance traffic, false positives, authorized security scanning and large floods
of DDoS actively monitored by Security Operations Centers (SOCs), would obscure the actual
incidence of attacks.

Ultimately, the inclusion of data from the various NTT Group security companies provides a more
accurate representation of the threat landscape around the world.

The NTT Global Threat Intelligence Platform (GTIP)

Within the threat intelligence world, NTT GTIP gathers, analyzes, exchanges, and uses threat
information from across NTT's global infrastructure, threat sensor networks, and partners on a
global scale. GTIP enables NTT security experts to provide actionable insight which can minimize
cybersecurity threats, mitigate damages, and quickly recover to effectively reduce business
disruption. This threat intelligence enables NTT Group to provide new and enhanced proactive
security services, including threat watch for clouds and applications hosted on NTT cloud servers.

TERMINOLOGY AND GLOSSARY
The following terminology is used within the GTIR:

0-day (zero-day) Attack: an attack which exploits a previously unknown vulnerability in software.

APT (Advanced Persistent Threat): an attacker with long-term goals who is highly skilled and well-
funded, generally by a government or by organized crime. An APT is usually a complex attack using
multiple techniques for maximum benefit.

Botnet: multiple attacker-controlled systems capable of receiving instructions or commands at
the same time. Botnets are often observed being used in DDoS and other types of cybercriminal
activities.

Breach: a cyberattack in which an organization's data has been stolen or made public through
compromise of networks or systems.

BYOD (Bring Your Own Device): the practice of enabling employees to use their personally owned
mobile devices in the corporate work environment.

C&C (Command and Control): communication infrastructure used by attackers to provide
instructions or conduct administrative tasks to bots in a botnet.

CVE (Common Vulnerabilities and Exposures): a catalog of publicly known vulnerabilities.

Cyberattack: an attempt by hackers to damage, disrupt or destroy a computer network system.

Cybercrime: the violation of laws involving a computer or network.

Cybercriminal: an individual or group who commits cybercrime using a computer as a tool or as a
target, or both.

Cyberthreat: the possibility of a malicious attempt to disrupt a computer network or system.

Dark Web: private networks not accessible by the general public. These networks are often used
for nefarious or illegal purposes.

DoS (Denial of Service) and DDoS (Distributed Denial of Service): attacks which make a
machine or network resource unavailable to intended users. A DDoS attack originates from many
devices at once.

Exfiltration: the unauthorized extraction of data from an organization.

Exploit Kit: a malicious toolkit often used in cybercrime to exploit vulnerabilities in software
applications.

Firewall: software or hardware designed to control incoming and outgoing network traffic
by analyzing the data packets and determining whether they should be allowed, based on a
predetermined rule set.

Hacktivist: a hacker whose activity (hacktivism) is aimed at promoting a social or political cause.

Honeypot: decoy systems set up to gather information about an attack or attacker and to
potentially deflect that attack from a corporate environment.

IDS (Intrusion Detection System): typically network based, relying on signatures or heuristics to
detect potentially malicious network anomalies.

Incident Response Program: an organization's plan for reacting to, and managing the impact of, a
cyberattack.

Injection: an attack performed by inserting malicious code or data into what the receiving system
sees as a valid query.

IP Reputation: a database which classifies IP addresses according to whether they are believed to
host malware.

IPS (Intrusion Prevention System): typically network based and similar to an IDS, except it takes
the added step of blocking traffic identified as having potentially malicious characteristics.

IRC: Internet Relay Chat.

ISP: Internet Service Provider.

Malware: a general term for malicious software including viruses, worms, Trojans, and spyware.

NTP (Network Time Protocol): a protocol for exchanging time-of-day information to keep system
clocks synchronized.

OWASP: the Open Web Application Security Project.

Patch Management: a systematic process for installing vendor-supplied software patches.

Perimeter: the interface systems which connect an organization to the Internet.

Phishing: attempting to acquire information such as usernames, passwords, and credit card details
(and indirectly, money) by masquerading as a trustworthy entity in an electronic communication
(email).

Ransomware: malware which encrypts a victim's data and demands a ransom payment in
exchange for a decryption key.

Social Engineering: gaining unauthorized access through methods such as personal visits,
telephone calls or social media websites. These attacks primarily target people and take advantage
of human weaknesses associated with security.

Spear-phishing: a highly targeted phishing attack, using knowledge about a specific person or
organization.

Targeted Attack: an attack aimed at a specific user, company or organization.

Trojan: a type of malware which masquerades as a legitimate file or helpful program but has been
designed for nefarious acts.

Vulnerability Lifecycle Management (VLM): a systematic process for discovering, documenting,
tracking and repairing vulnerabilities.

WAF: Web Application Firewall.
