Unknown Threat in Finland
kpmg.com

Report on Study of Unknown Threat in Finland

During recent years, we have heard claims that Finland is somehow an exemplary country in information security. However, it often seems that organisations in Finland think that we are safe and that modern IT threats are not a threat to us because we are physically located far North and, in generic terms, have some of the cleanest networks in the world. To find out whether this is true, KPMG arranged a study in which we inspected network traffic inside 10 selected Finnish organisations.
The goal was to find out whether there is an unknown threat hiding inside the organisations’ infrastructure that current information security solutions or practices do not detect or prevent. The study was started in August 2013 by inviting organisations to participate, and the actual data collection was carried out in November the same year. FireEye Inc. provided the technology that was used to analyse the network traffic and Cybersec Oy consulted in the study.

Our conclusion from the study is that in Finnish organisations there are successful attacks ongoing that the organisations are not aware of and that are not prevented by current security solutions, such as virus protection and firewalls. One of the most important things all organisations must do is to improve their ability to monitor and detect unwanted and previously unknown security issues in their networks and IT systems, and to be able to act accordingly.

Main Findings

The main finding of the study is that almost half of the participating organisations have been breached. In addition, in half of the organisations end-user devices have been exposed to modern malware despite the fact that there are traditional security controls in place.

End-User Devices Exposed to Malware

We inspected network traffic inside organisations at a topological position where all network-based malware prevention solutions have already been applied to the traffic, i.e. where the solutions should already have prevented the threat. The solutions may include firewalls, IPS/IDS solutions as well as gateway-level anti-virus solutions. If the existing solutions provided efficient protection against the threats, we should have seen no malware traffic at this point.
We found that in half of the organisations, malicious traffic reached the end-user computers and was able to bypass the current network security solutions altogether. This means that, as the final protection mechanism, organisations currently rely heavily on the ability of host-based solutions to protect against these threats. It should be noted that in order for malicious traffic to have an effect on an end-user device, so that the exploit succeeds and the device is infected, the device has to be vulnerable to the specific threat and the host-based anti-malware solution must fail to prevent the infection.

Figure 1 - Organisations with Breached Hosts

Organisations Are Already Breached

When modern malware infects a computer, it usually starts sending messages to servers residing in the Internet. These servers are called Command and Control (CnC) servers and the requests that are sent to them are called callbacks. Messages sent to CnC servers may include, for example, requests for commands to be executed on the client or other relevant information that is available on the infected computer. The existence of callback traffic proves that there are infected, compromised computers inside the network. In this study, we identified such traffic in almost half of the organisations. In the rest of the organisations, we were unable to identify any such traffic during the analysis period, but this does not guarantee that such traffic will not be present at later stages or that these organisations are not breached.

Figure 2 - Organisations with Malware Reaching the Hosts

Parameters and Statistics of the Study

This study included 10 organisations. The participants were mainly companies listed on the Helsinki Stock Exchange (NASDAQ OMX HELSINKI). In addition, certain smaller companies with a specific interest in advanced threats were included in the study.
The average number of personnel in the companies was 8500, with an average yearly turnover of 3200 million EUR. The 10 participants represented different vertical industries and can therefore be considered a valid and sufficient sample for the purposes of this study. The focus of the study was to analyse the organisations’ threat posture in Finland. Therefore, FireEye NX 7400 appliances were placed in such locations in the companies’ networks that only network traffic originating in Finland was analysed (most, if not all, of the participating organisations operate in various countries). However, due to network topology and routing related issues, a limited amount of the analysed traffic originated from other countries where the participating organisations operate. The data for the study was collected mainly between 8 November and 30 November 2013.

In this study, FireEye NX 7400 appliances were placed inside the companies’ networks, in between the current network security layers and the company workstations. Both ingoing and outgoing traffic was mirrored to the FireEye appliance to be analysed. Due to dynamic IP addressing and varying IP address release schemes, the exact number of workstations originating traffic during this study cannot be determined. However, based on the available log data, we estimate this figure to be between 29000 and 31000 individual end-points. The collective peak amount of traffic that was inspected was 1.65 Gbit/s.

Typical Attack

Modern advanced threats have an infection lifecycle with the goal of long-term control over the system. Systems are typically exploited over the web, utilising drive-by exploits or watering hole attacks. The initial exploit can also happen via a targeted spear phishing attack, easily bypassing traditional security in many cases. In the next phase, after the callback to a Command and Control (CnC) server, the malware payload is downloaded to the system, establishing control of the host.
Modern malware is now installed at the kernel level, below host-based security software such as anti-virus and HIPS. Modern malware may include built-in, long-term controls for data exfiltration and remote access tools, and it may have advanced functionality such as change of location to avoid detection.

A typical example of a modern attack is the “RSA breach” (1). An email with a weaponised Excel document was opened by the user, causing the initial exploit in the client. This was followed by a callback to a CnC server, from where a backdoor DLL was dropped to the client. In the last phase, the client initiated communications in a secure fashion with the CnC server, enabling the attacker to control the system.

(1) https://blogs.rsa.com/anatomy-of-an-attack/

It was not tested as part of this study, but KPMG has noted in various security audits that roughly 50% of email recipients in Finnish organisations click the links in email messages even though the mail and the links are clearly not work-related and seem suspicious.

Effective defence against modern threats requires broad visibility of the entire attack lifecycle. This visibility provides the background needed for accuracy and the details needed for forensically understanding the attack.

Security Events

Figure 3 - Security Events by Type

We divided the security events into the following categories:
• Malware objects: Malware, such as viruses and Trojans
• Callbacks: Callback connection from a client to a CnC server
• URL Match: A URL that is known to contain malicious content
• Domain Match: DNS request to resolve a domain name (such as www.google.com) that is known to contain malicious content
• Browser exploit: Content that tries to take advantage of a browser vulnerability

Additionally, we divided malware objects and callbacks into known and unknown categories.
The unknown category includes malware objects and callbacks that have not been observed previously but are detected by analysing their behaviour or content. They are also known as zero-day objects.

We further divided the Malware objects category into the following types:

Figure 4 - Malware Objects by Type

• Trojan: Malware taking control of the client
• Virus: Known virus/worm
• BackDoor: Malware having full access to the client; can support lateral movement
• InfoStealer: Malware typically targeting financial information or user credentials/data
• Rogue Exploit Kit: “Water holing” websites delivering malware via an exploit
• APT: Advanced Persistent Threat (sophisticated and committed) (2)
• FakeAV: Application pretending to be an anti-virus

In figure 4, we have summarised the distribution of malware objects into their respective categories; it should be noted that the existing security controls had already been applied to the traffic we analysed.

During the data collection period (between 8 and 30 November 2013), we identified 57 malicious binaries. On 3 December 2013, we tested these binaries against virustotal.com, which can be used to check whether any of the 45 available anti-virus engines detect a malicious binary.

Figure 5 - Antivirus Response Time

It is essential for anti-virus product vendors to quickly add new malware signatures to their products so that new threats can be prevented. However, as figure 5 shows, there were 7 binaries that were not recognised by any anti-virus product at all. When analysing the performance of individual anti-virus products, there were many solutions that recognised only a few of the related threats.
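The multi-engine check described above can be summarised the same way for any set of captured samples. The following is an added example, not code from the report and not a VirusTotal client: given a table of per-engine verdicts, it lists the binaries no engine recognised, ranks engines by the share of the sample they catch, and builds the "caught by k engines" histogram behind a chart like figure 5. The engine names, hash placeholders and verdicts are constructed for the example.

```python
"""Measure multi-engine anti-virus coverage for a set of captured binaries.

Added example, not code from the KPMG report; it does not query
virustotal.com. The engine names, hash placeholders and verdicts are
constructed for illustration only.
"""
from collections import Counter

# Constructed results (NOT real hashes, NOT real vendor verdicts):
# binary placeholder -> {engine: True if the engine flagged it}
SCAN_RESULTS = {
    "sha256-placeholder-01": {"engineA": True, "engineB": True, "engineC": True, "engineD": True},
    "sha256-placeholder-02": {"engineA": True, "engineB": False, "engineC": False, "engineD": True},
    "sha256-placeholder-03": {"engineA": False, "engineB": False, "engineC": False, "engineD": False},
    "sha256-placeholder-04": {"engineA": False, "engineB": False, "engineC": False, "engineD": False},
    "sha256-placeholder-05": {"engineA": True, "engineB": True, "engineC": False, "engineD": True},
    "sha256-placeholder-06": {"engineA": False, "engineB": True, "engineC": False, "engineD": True},
}


def detections_per_binary(results: dict) -> dict:
    """How many engines flagged each binary."""
    return {sample: sum(1 for hit in verdicts.values() if hit)
            for sample, verdicts in results.items()}


def undetected_binaries(results: dict) -> list:
    """Binaries no engine recognised: the zero-day population in figure 5 terms."""
    return sorted(s for s, n in detections_per_binary(results).items() if n == 0)


def engine_coverage(results: dict) -> dict:
    """Fraction of the sample each engine detects, best engine first."""
    hits, seen = Counter(), Counter()
    for verdicts in results.values():
        for engine, hit in verdicts.items():
            seen[engine] += 1
            hits[engine] += 1 if hit else 0
    cov = {e: hits[e] / seen[e] for e in seen}
    return dict(sorted(cov.items(), key=lambda kv: (-kv[1], kv[0])))


def detection_histogram(results: dict) -> Counter:
    """Number of binaries caught by exactly k engines."""
    return Counter(detections_per_binary(results).values())


def weak_engines(results: dict, threshold: float = 0.5) -> list:
    """Engines that recognise no more than `threshold` of the sample."""
    return [e for e, c in engine_coverage(results).items() if c <= threshold]


if __name__ == "__main__":
    print("no detections:", undetected_binaries(SCAN_RESULTS))
    print("coverage:", engine_coverage(SCAN_RESULTS))
    print("histogram:", dict(detection_histogram(SCAN_RESULTS)))
    print("weak engines:", weak_engines(SCAN_RESULTS))
```

Re-running the same table on a later scan date and comparing `undetected_binaries` between the two runs gives the per-vendor response time the report's figure 5 is about.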
(2) Malware is categorised into the APT category based on FireEye’s intelligence information and knowledge of malware usage in APT campaigns.

Figure 6 - Number of Security Events in Organisations That Have a Small or Medium Amount of Events

Figure 6 shows the number of security events by the size of the organisation (number of personnel). The figure only shows organisations that have a small or medium amount of security events. From the figure, we can conclude that in this study, covering a limited number of organisations, there is no clear connection between the organisation’s size and the number of security events. However, the organisations that have a large number of security events are amongst the largest in the study.

Analysis of the Infected Hosts

We identified 220 different IP addresses generating alerts (3) within the organisations that were affected by malicious traffic. With 10859 alerts in total, each host created 50 alerts on average. Thus, most organisations have multiple hosts that are affected. Since we only monitored ingress and egress traffic between the organisations’ hosts and the Internet, and not the traffic between internal hosts, we were unable to monitor potentially malicious traffic within an organisation’s network between two or more internal IP addresses. Therefore it is possible that there were more infected hosts that did not initiate traffic to the Internet. In order to analyse in detail whether the affected hosts were end-user devices or servers located in the office network, a deeper analysis would be required.

Who Controls the Infected Hosts

Figure 7 - CnC Server Locations

Once a client in an internal network is infected by malware, it usually initiates a connection to so-called Command and Control (CnC) hosts.
The connection can be used, for example, to inform the attacker of a successful infection, ask for commands to be executed by the client machine or transfer data from an internal network to the attacker. (4) During the study we saw that infected hosts inside the participating organisations were sending lots of encrypted traffic to Command and Control (CnC) hosts. The content of that traffic is unknown.

The computers that are used as CnC servers are not usually owned by the attacker, but are third-party computers that have been hacked. The locations of the CnC servers therefore do not reveal the physical location of the attacker. (4) The identified locations of the CnC servers are summarised in figure 7. More than 80% of the CnC servers were located in Germany, while Russia has more than an 8% share.

(3) The same host may have had different IP addresses during the study and can trigger alerts that seem to originate from multiple hosts even though it is the same host creating the traffic. We had no means of reliably differentiating each host.

(4) FireEye has threat intelligence information that gives some indication that the main source of attack traffic is Eastern Europe, but we do not have any concrete, solid evidence of the source.

Connections to the Internet

As described above, we observed more than 6000 connections from organisations’ internal networks to the Internet (callbacks to CnC servers). Figure 8 shows the number of callback requests in organisations that have such traffic. It should be noted that certain malware types try to stay as silent as possible on purpose. This type of malware very seldom establishes connections to CnC servers. The implication is that even though the number of connections to the CnC server is small, the organisation could still be under a serious attack.
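The following is an added example, not code from the report or from FireEye: a small Python script that takes egress alert records in the categories defined in the Security Events section (malware objects, callbacks, URL and domain matches, known versus unknown) and produces the kinds of summaries the report's figures show: events by type, callbacks per organisation, destination ports (the port-80 pattern figure 9 summarises) and alerts per source address, with the caveat from footnote (3) that an address is not necessarily one host. It also adds a check the paragraph above motivates but the report does not implement: flagging (host, destination) pairs whose callbacks are evenly spaced in time, so that malware that calls home quietly a few times a day is still noticed even though it never stands out by volume. The log format, the host and destination names and every line of data are assumptions constructed for the example.

```python
"""Summarise egress security alerts along the lines of the report's figures.

Added example, not code from the KPMG report or from FireEye. The log
format, the event labels and every log line below are constructed for
illustration; real appliance exports use their own schema.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed alert log (not real data), one alert per line:
# timestamp  organisation  source host  destination  dst port  category/known
SAMPLE_LOG = """\
2013-11-08T09:00:00 orgA 10.0.1.10 cnc-a.example.invalid 80 callback/known
2013-11-08T09:10:00 orgA 10.0.1.10 cnc-a.example.invalid 80 callback/known
2013-11-08T09:20:00 orgA 10.0.1.10 cnc-a.example.invalid 80 callback/known
2013-11-08T09:30:00 orgA 10.0.1.10 cnc-a.example.invalid 80 callback/known
2013-11-08T11:05:00 orgA 10.0.1.22 bad-url.example.invalid 80 url_match/known
2013-11-08T11:06:00 orgA 10.0.1.22 bad-url.example.invalid 80 malware_object/unknown
2013-11-08T12:00:00 orgB 10.0.2.5 cnc-b.example.invalid 443 callback/unknown
2013-11-09T12:00:00 orgB 10.0.2.5 cnc-b.example.invalid 443 callback/unknown
2013-11-10T12:00:00 orgB 10.0.2.5 cnc-b.example.invalid 443 callback/unknown
2013-11-08T14:00:00 orgC 10.0.3.7 badzone.example.invalid 53 domain_match/known
2013-11-08T14:02:00 orgC 10.0.3.7 cnc-c.example.invalid 80 callback/known
2013-11-08T15:40:00 orgC 10.0.3.7 cnc-c.example.invalid 80 callback/known
2013-11-08T16:01:00 orgC 10.0.3.7 cnc-c.example.invalid 8080 callback/known
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    org: str
    host: str
    dst: str
    port: int
    category: str  # malware_object, callback, url_match, domain_match, browser_exploit
    known: bool    # signature hit (known) vs behavioural/sandbox detection (unknown)


def parse_log(text: str) -> list:
    """Parse the constructed whitespace-separated format into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, org, host, dst, port, label = line.split()
        category, known = label.split("/")
        alerts.append(Alert(datetime.fromisoformat(ts), org, host, dst,
                            int(port), category, known == "known"))
    return alerts


def events_by_type(alerts: list) -> Counter:
    """Figure 3 style breakdown: (category, is_known) -> count."""
    return Counter((a.category, a.known) for a in alerts)


def callbacks_per_org(alerts: list) -> dict:
    """Figure 8 style: number of callback events per organisation."""
    return dict(Counter(a.org for a in alerts if a.category == "callback"))


def callback_ports(alerts: list) -> Counter:
    """Figure 9 style: destination ports used by callbacks."""
    return Counter(a.port for a in alerts if a.category == "callback")


def alerts_per_host(alerts: list) -> tuple:
    """(distinct alerting source addresses, total alerts, average per address).

    As footnote (3) of the report warns, one address is not one host when
    DHCP leases change during the observation window."""
    hosts = {a.host for a in alerts}
    return len(hosts), len(alerts), len(alerts) / len(hosts)


def beaconing_hosts(alerts: list, min_events: int = 3, max_cv: float = 0.2) -> dict:
    """Flag (host, destination) pairs whose callbacks are evenly spaced.

    A small coefficient of variation of the inter-arrival gaps is the classic
    beaconing signal; it surfaces "quiet" malware that calls home only a few
    times a day and never stands out in a volume chart.
    Returns {(host, dst): mean gap in seconds}.
    """
    by_pair = defaultdict(list)
    for a in alerts:
        if a.category == "callback":
            by_pair[(a.host, a.dst)].append(a.ts)
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(t1 - t0).total_seconds() for t0, t1 in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[pair] = avg
    return found


if __name__ == "__main__":
    alerts = parse_log(SAMPLE_LOG)
    print("by type:", dict(events_by_type(alerts)))
    print("callbacks per org:", callbacks_per_org(alerts))
    print("callback ports:", dict(callback_ports(alerts)))
    print("addresses, alerts, avg:", alerts_per_host(alerts))
    print("beaconing:", beaconing_hosts(alerts))
```

In the constructed data the orgB host makes only three callbacks in three days, far too few to matter in a volume chart, yet it is flagged because the three are exactly 24 hours apart; the orgC host, with the same number of callbacks at irregular times, is not.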
Figure 8 - Amount of Callback Events in Organisations

Modern malware programs encrypt the callback traffic and hence we were unable to extract clear-text examples of the traffic that these callbacks included. (5) As already indicated, such callbacks may include, for example, requests for further commands or, even worse, confidential data leaking out of the organisation.

In figure 9, we have summarised the target TCP ports used by the malware to connect to the CnC servers. The callback traffic almost always uses port 80 and HTTP connections. This is most probably because it is the easiest way to connect outside: port 80 is not usually blocked by firewalls. This is also one of the main reasons why traditional firewalls are becoming obsolete.

Figure 9 - Callback Ports

(5) There is an amount of data which allows unauthorised transmission of important corporate secrets, such as IPR. However, analysis of the specific data in question was not directly within the scope of this report. Important corporate secrets may consist of e.g. user identities, security management details, plain documents, database dumps etc. Some of the transmissions used encryption to protect data in transit.

The Business Perspective

In the chapters above, we have analysed the state of the unknown threat from the technical perspective. In addition to the impact on the technical side, the issue has a significant business impact for the following key reasons (6):
• False feeling of security. The study showed that many organisations depend on traditional security controls and believe that those will protect them sufficiently. The study showed that this is not the case.
• Direct losses to business functions. Competitors may get valuable information by eavesdropping on the organisation’s information. It may contain, for example, R&D information or pricing information during competitive bidding.
Additionally, the malware could destroy data inside the organisation, which may be costly to re-create. It is also possible that because of the breach, the company has to pay fines or pay compensation to a third party. The European Union is currently preparing to introduce directives that may lead to significantly more substantial fines, especially in data privacy cases.
• Indirect losses to business functions. Information security incidents may lead to loss of reputation, which may have an indirect effect on business.
• IT costs related to an incident. Even if the incident does not have a direct effect on business functions, it may be costly to remediate. Some IT functions may be limited during the clean-up, it may require many man-days to remove the malware, and it will be very difficult to determine when the environment has been properly cleaned up after the incident.

From the results of our study, especially in the cases of organisations with widespread problems, it is clear that the unknown threat has business implications. Regarding the costs listed above, especially the first three are hard to quantify, and it is hard to introduce these types of threats into organisations’ risk management processes. It is therefore possible that even though the IT function would see the benefit of enhancing protection against unknown threats, justifying the cost can be very hard. The results of this study and the recent security breaches and issues covered by the media should help in justifying the security investments.

If the unknown threat remains unknown to the business, it may mean that information security is managed by assuming that the organisation does not have any widespread problems and that existing security controls are enough to protect the organisation. In addition to identifying the threats, it is important to identify and evaluate the value of business information so that the assets can be properly protected.
We acknowledge that even if this sounds easy, it is far from it.

(6) In the study, we only obtained technical data and did not even try to correlate it with business losses. For this reason, this chapter gives a general business view from the perspective of the study.

Solutions to Threats

The study shows that there are threats and ongoing attacks in the organisations. It is clear that organisations must better ensure that their protection is up to date and that they have visibility into ongoing attacks. (7)

In the study, we identified malware traffic that should have been filtered out by traditional network-level anti-virus solutions or prevented by a host-based anti-virus solution. In practice, this means that the traditional solutions are not up to date or are otherwise incapable of mitigating the threat. In order to prevent attacks, organisations should ensure that basic information security controls are applied in a constant and ongoing manner. (8)

In addition to known attack traffic, we identified plenty of zero-day attack traffic. This means that traditional solutions are not sufficient to prevent modern threats. If organisations want to have better control over their information assets, they should monitor the network and use modern solutions that do not rely on signatures only. (9)

In addition to technical security controls, organisations should teach their personnel how to use computers in compliance with the organisation’s information security policy. If employees use computers without any concern for security, it makes an attacker’s task too easy.

It should be noted that adding a technical solution to the organisation’s network is always a risk in itself, even if the purpose of the solution is to improve information security. Often, information security solutions have access to a large amount of the organisation’s data.
Therefore, when implementing such solutions, organisations should take the risks into consideration and implement only solutions that are used optimally. (10)

(7) In this study, we did not correlate the current information security solutions with the attack traffic. This is an interesting area for further research.

(8) Basic information security controls include, for example, secure software, patch management, password policies and such. An example of a comprehensive list of security controls is ISO/IEC 27001.

(9) Many of the current anti-virus providers claim that their products are not using only signatures but also more advanced methods. However, as this study shows, the methods currently implemented in anti-virus solutions are far from effective.

(10) An example of non-optimal use is a solution that is used to monitor the state of information security while no one actually uses the solution actively (inspecting the events and acting on them).

Conclusions

KPMG arranged a study to clarify the state of the unknown information security threat in Finland. In the study, we monitored the network traffic in 10 organisations and used state-of-the-art technology to find attack traffic.

The main finding of the study is that almost half of the case organisations in the scope of the study are already breached. This means that organisations in Finland cannot trust that their information assets are secured. In the study, we noticed that there is a lot of malicious zero-day traffic that is impossible to detect using traditional information security solutions. In addition to this advanced threat, there is also known malicious traffic that should not exist if the already installed solutions worked properly. Organisations should investigate whether their protection mechanisms are sufficient in today’s interconnected world, where attacks are growing in complexity.

Information security attacks may have a significant business impact. Therefore, it is essential that IT and business functions have a regular dialogue on the state of information security and handle information security risks as part of day-to-day risk management.

As a summary, all organisations should at least consider and do the following:
• Verify that basic information security controls are implemented and maintained properly
• Verify that end-user devices are properly maintained and updated. This also includes all applications such as Java, PDF readers, media players, browsers and so on
• Raise end-user and C-level awareness of current cyber security threats and their impacts
• Improve their ability to detect unwanted actions in their networks and IT systems
• Improve their ability to react to unwanted actions they detect
• Do not have a false feeling of security due to implemented preventative controls – they fail to mitigate all the risks

Matti Järvinen
Head of Technical Security Services
Management Consulting
T: +358 (0)20 760 3672
E: [email protected]

Mika Laaksonen
Head of Information Security Services
Management Consulting
T: +358 (0)20 760 3337
E: [email protected]

www.kpmg.fi

© 2014 KPMG Oy Ab, a Finnish limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks or trademarks of KPMG International Cooperative, a Swiss entity.