The rise of hacktivism and insiders: new tactics, new motives
Andrew Horbury, Senior Product Marketing Manager

Symantec: The rise of hacktivism and insider threats


DESCRIPTION

The rise of hacktivism and insiders: new tactics, new motives. Insiders, outsiders, hacktivists, cybercriminals: the lines have blurred but the game remains the same. Learn how you can protect your infrastructure and organisation from web-based and cyber threats. With incidences of malware and vulnerabilities on the rise, how does your organisation measure up and how are you prepared for the future? Is your web infrastructure robust enough to cope? Join Symantec to understand the threat landscape and the motivations that drive it.


Page 1: Symantec: The rise of hacktivism and insider threats

The rise of hacktivism and insiders: new tactics, new motives

Andrew Horbury, Senior Product Marketing Manager

Page 2: Symantec: The rise of hacktivism and insider threats

Data sources: ISTR, WSTR, Symantec Security Response


Page 3: Symantec: The rise of hacktivism and insider threats

Agenda

1. Why we are here today
2. Hacktivism 101
3. How do they do it?
4. Web based attacks
5. Insiders 101
6. Mediation
7. Information sources

Page 4: Symantec: The rise of hacktivism and insider threats

What is a Hacktivist?

• Def. /haktɪvɪst/ (noun) - a person who gains unauthorised access to computer files or networks in order to further social or political ends.

• The term was coined in 1996 by Omega, a member of the popular group of hackers known as Cult of the Dead Cow.

• Hacktivism includes cyber attacks performed to promote, or motivated by, political or social aims.

Source: http://hackmageddon.com/2013-cyber-attacks-timeline-master-index/

Page 5: Symantec: The rise of hacktivism and insider threats

From activist to Hacktivist


Page 6: Symantec: The rise of hacktivism and insider threats

Anonymous hacks Vatican website


http://www.zdnet.com/blog/security/anonymous-hacks-abortion-clinic-steals-10000-records/10675

Page 7: Symantec: The rise of hacktivism and insider threats

So what happens?

• Criminals buy ready-made malware, such as the Sakura toolkit, which is then installed on someone else’s website. It scans visitors’ computers for known vulnerabilities and picks the most effective exploit to infect them.


Page 8: Symantec: The rise of hacktivism and insider threats

Vulnerabilities and malware on the rise…

Our Websites are Being Used Against Us

• 61% of web sites serving malware are legitimate sites

• 25% have critical vulnerabilities unpatched

• 53% of legitimate websites have unpatched vulnerabilities

Page 9: Symantec: The rise of hacktivism and insider threats

Our Websites are Being Used Against Us

• 5291 vulnerabilities reported in 2012

Page 10: Symantec: The rise of hacktivism and insider threats

Web based attacks on the rise

The number of Web-based attacks increased by almost a third in 2012. These attacks silently infect enterprise and consumer users when they visit a compromised website. In other words, you can be infected simply by visiting a legitimate website. Typically, attackers infiltrate the website to install their attack toolkits and malware payloads, unbeknown to the site owner or the potential victims.

Page 11: Symantec: The rise of hacktivism and insider threats

Why are you telling me this? My company is not important – why would anyone attack me?

“C’mon no one will attack my company… will they?”


Page 12: Symantec: The rise of hacktivism and insider threats

Targeted Attacks by Company Size: 2012

Page 13: Symantec: The rise of hacktivism and insider threats

Small businesses say…

• 41% have been a victim of cybercrime in past 12 months.

• 20% have had a virus infection in their business.

• 8% have suffered from a hacking incident.

• 20% have not taken any steps to protect themselves at all! In a pool of 2000+ that’s at least 400 businesses that are probably at high risk.

• Only 36% say they regularly apply security patches.

• 60% kept their antivirus software up to date.

Page 14: Symantec: The rise of hacktivism and insider threats


Page 15: Symantec: The rise of hacktivism and insider threats

Targeted Attacks by Industry: 2012

• Manufacturing: 24%

• Finance, Insurance & Real Estate: 19%

• Services – Non-Traditional: 17%

• Government: 12%

• Energy/Utilities: 10%

• Services – Professional: 8%

• Wholesale: 2%

• Retail: 2%

• Aerospace: 2%

• Transportation, Communications, Electric, Gas: 1%

Page 16: Symantec: The rise of hacktivism and insider threats

Targeted Attacks by Job Function: 2012

• R&D: 27%

• Senior: 12%

• C-Level: 17%

• Sales: 24%

• Shared Mailbox: 13%

• Recruitment: 4%

• Media: 3%

• PA: 1%

Attacks may start with the ultimate target but often look opportunistically for any entry into a company.

Page 17: Symantec: The rise of hacktivism and insider threats


Are your employees putting your company’s data at risk?

• Insider theft makes up 8-14% of confirmed data breaches, compared to the 88 or 92 percent attributed to external actors.

• Insiders account for 69 percent of all corporate security issues.

• The UK Information Commissioner’s Office fined and prosecuted more businesses because of insider incidents than because of outsider attacks in 2012.

Page 18: Symantec: The rise of hacktivism and insider threats


Are your employees putting your company’s data at risk?

• More than 30 percent of insiders engaging in IT sabotage have a prior arrest history

• They may brag about the damage they could do to the organisation if they so desired.

• Bitterness about being passed over for promotion

• Considering starting up a competing business and using the organisation’s resources and IP for a new/side business

• The pattern or quantity of the information they retrieve might change drastically, potentially indicating data theft.


Page 19: Symantec: The rise of hacktivism and insider threats


Malicious Insiders could pose the greatest risk

Areas of Focus…

• Know your people

• Focus on deterrence, not detection

• Identify information that is most likely to be valuable

• Monitor ingress and egress

• Baseline normal activity

Page 20: Symantec: The rise of hacktivism and insider threats

What do they do and what are the threats?


Everyone is a target.


Page 21: Symantec: The rise of hacktivism and insider threats


Anonymous has claimed responsibility for a broad range of actions: publication of bank managers’ details, DDoS attacks on government websites, taking child pornography websites offline, hacking of two MIT websites, publication of the VMware source code and attacks on Israeli websites

Page 22: Symantec: The rise of hacktivism and insider threats

Cutting Sword of Justice


Page 23: Symantec: The rise of hacktivism and insider threats

Profile of Hacktivist threats


• Hacktivists mainly target the information, public and service sectors.

• They primarily operate in Western Europe and North America.

• Their most common attack methods are SQL injection, using stolen credentials, brute force and DoS attacks, remote file inclusion and backdoors

• The main assets they target are web applications, databases and mail servers

• Their desired data is personal information, credentials and internal corporate data

Page 24: Symantec: The rise of hacktivism and insider threats

Insider threats

• Unauthorised access to or use of corporate information.

• Viruses, worms or other malicious code.

• Theft of intellectual property (IP).

The same research found that:

• Insiders often attempt to obtain colleagues’ passwords, or gain access through trickery or by exploiting a relationship.

• In more than 70 percent of intellectual property theft cases, insiders steal the information within 30 days of announcing their resignation.

• More than half of insiders committing IT sabotage were former employees who regained access via backdoors or corporate accounts that were never properly disabled.

Page 25: Symantec: The rise of hacktivism and insider threats

Policies, procedures and employee access

• Temporary consultant at the Korea Credit Bureau stole the customer details of up to 20 million South Koreans

• Can be accidental as well as deliberate

Page 26: Symantec: The rise of hacktivism and insider threats

What can you do about it?

• Security - assume that you are a target.

• Culture - the majority of insider attacks are instigated by disgruntled employees.

• Education - educating staff about data protection and the threats posed by hacktivists, cybercriminals and insiders is essential.

Page 27: Symantec: The rise of hacktivism and insider threats

Stay informed

• Follow us on Twitter: @nortonsecured @threatintel @andyhorbury

• www.symantec.com/threatreport

• go.symantec.com/ssl

• Blogs: www.symantec.com/connect/blogs/website-security-solutions

Page 28: Symantec: The rise of hacktivism and insider threats

Thank you!

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Andrew Horbury
[email protected]
@andyhorbury