Copyright 2016 NTT Group Security

Table of Contents

Executive Summary ... 4
  The NTT Group 2016 Global Threat Intelligence Report ... 4
  Key Findings ... 5
    Geographic and Vertical Market Trends ... 5
    Vulnerabilities, Attacks and Exploitation ... 5
    Incident Response and Case Studies ... 6
Global Data Analysis and Findings ... 7
  Introduction ... 7
  2015 Attack Analysis ... 8
Practical Application of Security Controls to the Cyber Kill Chain ... 21
  Cyber Kill Chain and Case Study Introduction ... 21
  Case Study Overview ... 22
  Cyber Kill Chain Phase 1: Reconnaissance ... 24
  Cyber Kill Chain Phase 2: Weaponization ... 27
  Cyber Kill Chain Phase 3: Delivery ... 30
  Cyber Kill Chain Phase 4: Exploitation ... 33
  Cyber Kill Chain Phase 5: Installation ... 37
  Cyber Kill Chain Phase 6: Command and Control (C2) ... 40
  Cyber Kill Chain Phase 7: Actions on Objectives ... 43
  PPFC Case Study - Conclusion ... 46
Incident Response: Trend Shows Organizations Are Not Prepared ... 47
  Lack of Investment and Preparedness Continues to Prevail ... 47
  Types of Incident Response ... 48
  Incidents by Vertical Market ... 49
  Incident Response Example: Emdivi ... 50
  Incident Response Recommendations ... 51
The Role of the Cyber Kill Chain in Threat Intelligence ... 52
  The Threat Intelligence Debate ... 52
  Threat Intelligence and the CKC Intertwined ... 53
  External Threat Intelligence Sources ... 54
  The Importance of Attribution ... 54
  Threat Intelligence: Summary ... 55
Global Honeynet Analysis ... 56
  Introduction ... 56
  Attack Categories ... 56
  Source Countries ... 58
  Providers ... 58
  ASNs (Autonomous System Numbers) ... 59
  Prefixes ... 60
  IP Addresses ... 61
  Geopolitical Considerations ... 61
  Global Honeynet: Summary ... 62
Anti-sandbox Techniques: Why is your sandbox silent? ... 63
  Characteristics of sandboxes ... 63
  Anti-sandbox technique taxonomy ... 64
  Anti-Sandbox Case Studies ... 65
  Recommendations ... 67
NTT Group Resources Information ... 68
  About Us ... 68
  The NTT Global Data Analysis Methodology ... 69
  Glossary ... 71
Executive Summary

The NTT Group 2016 Global Threat Intelligence Report

Every day, organizations must decide how best to allocate security budgets and resources. With advances in malware, attacks and technology, that decision is only getting more complicated. In reality, we don't need new point solutions to fix niche problems. If we truly want to move our security programs forward and manage our limited resources more effectively, we need a comprehensive solution that applies across our entire infrastructure. Defense in depth really does matter. Architecting a comprehensive, integrated and cohesive solution will not only help enable efficiency and effectiveness, but also support the security life cycle of the entire organization.

This year's GTIR uses the Center for Internet Security's Critical Security Controls to identify controls that can be effective at each stage of the Lockheed Martin Cyber Kill Chain (CKC). By ensuring that controls exist for each stage of the CKC, organizations increase their ability to disrupt attacks. We've dedicated an entire section and case study to the Practical Application of Security Controls to the Cyber Kill Chain.

An effective security program understands the current threat environment in order to detect what attackers are doing now. To support this understanding, we have included a summary of hostile activity in this year's Global Data Analysis and Findings and an expanded perspective in the Global Honeynet Analysis section.

The ultimate goal of a security program is to increase the resilience and survivability of the organizational environment. Oddly enough, malware developers have some of the same goals. The Anti-sandbox Techniques section focuses on how malware has incorporated resilience and survivability into its own capabilities.

The Role of the Cyber Kill Chain in Threat Intelligence discusses the significant impact an active threat intelligence program can have on an organization's entire security program. It includes a well-thought-out plan for acquiring properly vetted data, information and intelligence sources, and for applying that intelligence to the current environment.

As the GTIR enters its fourth year, NTT Group has expanded its view of the threat landscape to include findings from some of our key collaborators. We are pleased to include Lockheed Martin, Wapack Labs, Recorded Future and the Center for Internet Security as contributing partners. We hope you find the NTT Group 2016 Global Threat Intelligence Report insightful and worthwhile. Thanks for reading.

Key Findings

Geographic and Vertical Market Trends

In the 2016 GTIR, NTT Group evaluated threats against clients and honeynets across industry sectors and geographic regions.

The retail sector experienced the most attacks per client of any industry sector. Retail was followed by the hospitality, leisure and entertainment sector, then insurance, government and manufacturing. Retail clients experienced 2.7 times as many attacks as finance clients.

U.S.-based IP addresses accounted for 65 percent of attacks detected in 2015. The U.S. remains the largest source of hostile IP addresses observed by NTT Group, up from 49 percent in 2013 and 56 percent in 2014. A U.S.-based source address does not mean the attacker is actually U.S.-based: non-U.S. attackers often route through U.S. infrastructure precisely to evade geographic IP blocking, so a source-country figure measures where attack infrastructure sits, not where the operator sits.

Three sources accounted for 38 percent of all non-U.S.-based attacks: the United Kingdom, Turkey and China. Attacks from 199 other countries combined to make up the remaining 62 percent.

NTT Group observed an 18 percent rise in detected malware for every industry other than education. NTT clients in the education sector tended to focus less on the more volatile student and guest networks, but malware detections for almost every other sector increased.

Vulnerabilities, Attacks and Exploitation

Vulnerability and attack details from 2015 reveal much of what exists in client environments, and what attackers are taking advantage of.

Nearly 21 percent of vulnerabilities detected in client networks were more than three years old. More than 12 percent were over five years old, and over 5 percent were more than 10 years old. Results included vulnerabilities dating back as far as 1999, making them over 16 years old. These figures cover only vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 4.0 or higher.

The top 10 external vulnerabilities accounted for nearly 52 percent of all identified external vulnerabilities; thousands of other vulnerabilities account for the remaining 48 percent. The top 10 internal vulnerabilities accounted for over 78 percent of all internal vulnerabilities during 2015, and all 10 are directly related to outdated patch levels on the target systems.

All of the top 10 vulnerabilities targeted by exploit kits during 2015 are related to Adobe Flash. In 2013, the top 10 vulnerabilities targeted by exploit kits included one Flash and eight Java vulnerabilities. That has changed as the number of new Java vulnerabilities has dropped steadily since 2013, while the number of publicized Flash vulnerabilities jumped by almost 312 percent from 2014 levels.

Brute-force attacks jumped 135 percent from 2014 levels. Throughout the year, NTT Group detected SSH brute-force attacks across its entire client base, from 75 different source countries.

DoS/DDoS attack volume fell 39 percent from levels observed in 2014. Implementation of better mitigation tools, along with fewer attacks, combined for a drop in detections of denial of service (DoS) and distributed denial o