Threat trend identification is vital to establishing future security strategy and understanding the significance of the threats to our computing environment. Below are a few of the threat trends we witnessed over the course of 2012. More details are available in the IBM X-Force 2012 Annual Trend and Risk Report.
Distributed Denial of Service
The year began and ended with a series of politically motivated, high-profile DDoS attacks against the banking industry. An interesting twist in the banking DDoS attacks was the use of botnets built on compromised web servers residing in high-bandwidth data centers. This technique gave the attackers much higher connected uptime, as well as more bandwidth than home PCs offer, to carry out the attacks.
Speaking in terms of risk, DoS can degrade or deny availability for about 12 hours each year. 24-hour outages from DoS can occur, but are toward the extreme end of the duration spectrum. DoS attacks can easily cost between $600,000 and $1 million each year, mostly in data center costs incurred while losing operations. While there may be a short-term financial impact, DoS attacks do not seem to create lasting damage for a business or brand over time.
Injection attacks are identified when data items that contain embedded commands are presented to authorized applications on the target systems, which are tricked into executing the commands. These attempts continue to be a dominant element in the security landscape. Security alert trends identify a fairly steep rise in confirmed injection attacks. Injection is an easy way for an attacker to gain a foothold on a server. Once that foothold is established, the attacker gains a strategic advantage that provides a launching point for attacking more of the target system, and potentially a springboard to reach other systems inside the perimeter defenses.
Two of the most common types of injection attacks are SQL injection and shell command injection. SQL injection is the more ubiquitous of the two because SQL interfaces to all types of databases, and what those databases hold, from login credentials to confidential enterprise data, entices attacks, though injection attacks overall are showing distinct growth. In previous reports, the SQL_Injection signature ranked second in 2010, climbed to first place in 2011, and retained the number one position for 2012.
In 2012 we observed an upsurge in web browser exploit kit development and activity, driven primarily by the new Java vulnerabilities. Web browser exploit kits are built for one particular purpose: to install malware on end-user systems. Exploit kits first began to appear in 2006, and they continue to be popular because they provide attackers with a turnkey solution. Exploit kits are usually advertised via hacker forums, and current prices vary from around $500 USD to over $1,000 USD per month to rent, or from $500 USD to over $3,000 USD to buy.
Users are usually infected by visiting a compromised website or by clicking a link that leads them to a booby-trapped website. To increase the rate of successful infections, exploit kits often attempt to exploit multiple browser or browser plug-in vulnerabilities to compromise a system. In 2012, it was clear that exploit kit authors were favoring the use of exploits targeting newly discovered Java vulnerabilities, so the question is, why Java? It has the advantage of being both cross-browser and cross-platform—a rare combination that affords attackers a lot of value for their investment.
Much more on these topics including our top security incidents, web content trends, and spam and phishing can be found in the 2012 IBM X-Force Annual Trend and Risk Report.