Unknown Threat in Finland

1 | Unknown threat in Finland
Report on Study of Unknown Threat in Finland
In recent years, we have heard claims that Finland is somehow an exemplary country in information security.
However, it often seems that organisations in Finland think that we are safe and that modern IT threats are not a threat to us
because we are physically located far north and, in generic terms, have some of the cleanest networks in the world.
To find out whether this is true, KPMG arranged a study where we inspected network traffic inside 10 selected Finnish
organisations. The goal was to find out whether there is an unknown threat hiding inside the organisations’ infrastructure
that current information security solutions or practices do not detect or prevent.
The study started in August 2013 by inviting organisations to participate, and the actual data collection
was carried out in November of the same year. Our conclusion from the study is that in Finnish organisations, there are
successful attacks ongoing that organisations are not aware of.
FireEye Inc. provided the technology that was used to analyse the network traffic and Cybersec Oy consulted in the
study.
Our conclusion from the study is that in Finnish organisations, there are successful attacks ongoing that
organisations are not aware of and that are not prevented by current security solutions, such as virus
protection and firewalls.
One of the most important things all organisations must do is to improve their ability to monitor and detect
unwanted and previously unknown security issues in their networks and IT systems and to be able to act
accordingly.
Main Findings
The main finding of the study is that almost half of the
participating organisations have been breached. In
addition, in half of the organisations end-user devices have
been exposed to modern malware despite the fact that
there are traditional security controls in place.
End-User Devices Exposed to Malware
We inspected network traffic inside organisations in such
a topological position where all network-based malware
prevention solutions are already applied to the traffic –
i.e. where the solutions should already have prevented
the threat. The solutions may include firewalls, IPS/IDS
solutions as well as gateway level anti-virus solutions.
If the existing solutions provided efficient protection
against the threats, we should have seen no malware
traffic at this point.
We found that in half of the organisations, malicious
traffic reached the end-user computers and was able to
bypass the current network security solutions altogether.
This means that as the final protection mechanism,
organisations currently rely heavily on the ability of host
based solutions to protect against these threats.
It should be noted that in order for malicious traffic to
have an effect on an end-user device, so that the exploit
is successful and the device infected, the device has to be
vulnerable to the specific threat and the host-based anti-malware solution must fail to prevent the infection.
Figure 1 - Organisations with Breached Hosts
Organisations Are Already Breached
When modern malware infects a computer, it usually
starts sending messages to servers residing on the
Internet. These servers are called Command and Control
(CnC) servers, and the requests that are sent to them
are called callbacks. Messages sent to CnC
servers may include, for example, requests for commands
to be executed on the client or other relevant
information available on the infected computer.
The existence of callback traffic proves that there are
infected, compromised computers inside the network. In
this study, we identified such traffic in almost half of the
organisations. In the rest of the organisations, we were
unable to identify any such traffic during the analysis period
but this does not guarantee that such traffic will not be
present at later stages or that these organisations would
not be breached.
Figure 2 - Organisations with Malware Reaching the Hosts
Parameters and Statistics of the Study
This study included 10 organisations. The participants
were mainly companies listed on the Helsinki
Stock Exchange (NASDAQ OMX HELSINKI). In addition,
certain smaller companies with a specific interest in
advanced threats were included in the study. The average
number of personnel in the companies was 8500, with
an average yearly turnover of 3200 million EUR. The 10
participants represented different vertical industries and
can therefore be considered a valid and sufficient
sample for the purposes of this study.
The focus of the study was to analyse the organisations’
threat posture in Finland. Therefore, FireEye NX 7400
appliances were placed in such locations in the companies’
networks that only network traffic originating in Finland
was analysed (most, if not all, of the participating
organisations operate in various countries). However, due
to network topology and routing related issues, a limited
amount of the analysed traffic originated from other
countries where participating organisations operate. The
data for the study was collected mainly between 8 and
30 November 2013.
In this study, FireEye NX 7400 appliances were placed
inside the companies’ networks, in-between the current
network security layers and company workstations. Both
ingoing and outgoing traffic was mirrored to the FireEye
appliance to be analysed.
Due to dynamic IP addressing and varying IP address
release schemes, the exact number of workstations
originating traffic during this study cannot be defined.
However, based on the available log data, we estimate this
figure to be between 29,000 and 31,000 individual end-points.
The collective peak amount of traffic that was inspected
was 1.65 Gbit/s.
Typical Attack
Modern advanced threats have an infection lifecycle with
the goal of long-term control over the system.
Systems are typically exploited over the web, utilising
drive-by exploits or watering hole attacks. The initial exploit
can also happen via a targeted spear phishing attack, which
in many cases easily bypasses traditional security.
In the next phase, after the callback to a Command and
Control (CnC) server, the malware payload is downloaded
to the system, establishing control of the host.
Modern malware is then installed at the kernel level, below
host-based security software such as anti-virus and HIPS.
Modern malware may include built-in, long-term controls
for data exfiltration and remote access tools, and it may have
advanced functionalities such as changing location to
avoid detection.
A typical example of a modern attack is the “RSA breach”
(1). An email with a weaponised Excel document was
opened by the user thus causing the initial exploit in the
client. This was followed by a callback to a CnC server from
where a backdoor DLL was dropped to the client. In the
last phase the client initiated communications in a secure
fashion with the CnC server, thus enabling the attacker to
control the system.
(1) https://blogs.rsa.com/anatomy-of-an-attack/
It was not tested as part of this study, but KPMG has noted
in various security audits that:
Roughly 50% of email recipients in Finnish organisations
click the links in email messages even though the mail
and the links are clearly not work-related and seem
suspicious.
Effective defence against modern threats requires broad
visibility of the entire attack lifecycle. This visibility
provides the background needed for accuracy and the
details needed for forensically understanding the attack.
Security Events
Figure 3 - Security Events by Type
We divided the security events into the following categories:
• Malware objects: Malware, such as viruses and Trojans
• Callbacks: Callback connection from client to CnC server
• URL Match: A URL that is known to contain malicious content
• Domain Match: DNS request to resolve a domain name (such as www.google.com) that is known to contain malicious content
• Browser exploit: Content that tries to take advantage of some browser vulnerability
Additionally, we divided malware objects and callbacks
into known and unknown categories. The unknown category
includes malware objects and callbacks that have not been
observed previously but are detected by analysing their
behaviour or content. They are also known as zero-day
objects.
We further divided the Malware objects category into the
following types:
Figure 4 - Malware Objects by Type
• Trojan: Malware taking control of the client
• Virus: Known virus/worm
• BackDoor: Malware having full access to the client, which can enable lateral movement
• InfoStealer: Malware typically targeting financial information or users’ credentials/data
• Rogue Exploit Kit: “water holing” websites delivering malware via an exploit
• APT: Advanced Persistent Threat (sophisticated and committed) (2)
• FakeAV: Application pretending to be an anti-virus product
In Figure 4, we summarised the distribution of malware
objects into their respective categories; it should be noted
that the existing security controls had already been
applied to the traffic we analysed.
During the data collection period (between 8 and 30
November 2013), we identified 57 malicious binaries.
On 3 December 2013, we tested these binaries
against virustotal.com, which checks whether any of
the 45 available anti-virus engines detects a given
malicious binary.
Figure 5 - Antivirus Response Time
It is essential for anti-virus product vendors to quickly add new malware signatures to their products so that new
threats can be prevented. However, as Figure 5 shows, there were 7 binaries that were not recognised by any anti-virus
product at all. When analysing the performance of individual anti-virus products, many solutions
recognised only a few of the related threats.
(2) Malware is categorised into the APT category based on FireEye’s intelligence information and knowledge of malware usage in APT
campaigns.
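As an added illustration, not part of the KPMG report or its data, the following Python computes the kind of statistics behind Figure 5 from a constructed set of binaries and engines (all ids and engine names are placeholders): which binaries no engine recognises, each engine's coverage, which binaries already had a signature on the day they were seen, and the days from first observation to first detection.

```python
from datetime import date

# Constructed sample, not data from the KPMG study. For each malicious binary
# (placeholder ids): the date it was first seen in the monitored network and,
# per anti-virus engine (placeholder names), the date that engine first detected
# it; an engine missing from the mapping had no detection as of SCAN_DATE.
SCAN_DATE = date(2013, 12, 3)
ENGINES = ["av_a", "av_b", "av_c", "av_d"]
BINARIES = {
    "bin01": {"first_seen": date(2013, 11, 8),
              "detections": {"av_a": date(2013, 11, 1), "av_b": date(2013, 11, 5),
                             "av_c": date(2013, 11, 20)}},
    "bin02": {"first_seen": date(2013, 11, 12),
              "detections": {"av_a": date(2013, 11, 28)}},
    "bin03": {"first_seen": date(2013, 11, 25),
              "detections": {}},  # recognised by no engine at all
    "bin04": {"first_seen": date(2013, 11, 15),
              "detections": {"av_b": date(2013, 11, 15), "av_d": date(2013, 12, 1)}},
}


def undetected_binaries(binaries):
    """Binaries no engine recognised as of the scan date (the '7 of 57' case)."""
    return sorted(b for b, info in binaries.items() if not info["detections"])


def engine_coverage(binaries, engines):
    """Fraction of the sample each engine detects: what a single product recognises."""
    total = len(binaries)
    return {e: sum(1 for info in binaries.values() if e in info["detections"]) / total
            for e in engines}


def known_at_first_seen(binaries):
    """Binaries for which some engine already had a signature on the day the traffic
    was observed: an up-to-date traditional control should have stopped these."""
    return sorted(b for b, info in binaries.items()
                  if any(d <= info["first_seen"] for d in info["detections"].values()))


def response_time_days(binaries):
    """Days from first observation in the network until the earliest engine
    detection; 0 if a signature already existed, None if still undetected."""
    out = {}
    for b, info in binaries.items():
        if not info["detections"]:
            out[b] = None
            continue
        earliest = min(info["detections"].values())
        out[b] = max(0, (earliest - info["first_seen"]).days)
    return out


if __name__ == "__main__":
    print("undetected:", undetected_binaries(BINARIES))
    print("coverage:", engine_coverage(BINARIES, ENGINES))
    print("known when seen:", known_at_first_seen(BINARIES))
    print("response days:", response_time_days(BINARIES))
```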
Figure 6 - Number of security events in organisations that have small or medium amount of events
Figure 6 shows the number of security events by organisation size (number of personnel). The figure only
shows organisations that have a small or medium number of security events. From the figure, we can conclude that in
this study, covering a limited number of organisations, there is no clear connection between an organisation’s size and
its number of security events. However, the organisations that have a large number of security events are amongst the
largest in the study.
Figure 7 - CnC Server Locations
Analysis of the Infected Hosts
We identified 220 different IP addresses generating alerts (3) within the organisations that were affected by malicious
traffic. With 10,859 alerts in total, each host created 50 alerts on average. Thus, most organisations have
multiple hosts that are affected.
Since we only monitored ingress and egress traffic between the organisation’s hosts and the Internet, and not the
traffic between internal hosts, we were unable to monitor potentially malicious traffic within an organisation’s network
between two or more internal IP addresses. Therefore it is possible that there were more infected hosts that did not initiate
traffic to the Internet. In order to analyse in detail whether the affected hosts were end-user devices or servers
located in the office network, a deeper analysis would be required.
Who Controls the Infected Hosts
Once a client in an internal network is infected by malware, it usually initiates a connection to so-called Command and
Control (CnC) hosts. The connection can be used for example to inform the attacker of a successful infection, ask for
commands to be executed by the client machine or transfer data from an internal network to the attacker. (4)
During the study we saw that infected hosts inside
the participating organisations were sending large amounts of
encrypted traffic to Command and Control (CnC) hosts.
The content of that traffic is unknown.
The computers that are used as CnC servers are not usually owned by the attacker, but are computers that are hacked
by this third party. The locations of the CnC servers therefore do not reveal the physical location of the attacker. (4)
The identified locations of the CnC servers are summarised in the figure below. More than 80% of the CnC servers
were located in Germany, while Russia has more than an 8% share.
(3) The same host may have a different IP address during the study and can trigger alerts that seem to originate from multiple hosts even
though it is the same host creating the traffic. We had no means of reliably differentiating each host.
(4) FireEye has threat intelligence information that gives some indication that the main source of attack traffic comes from Eastern Europe, but we
do not have any concrete, solid evidence of the source.
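Footnote (3) above notes that one workstation can appear as several IP addresses over time. The following Python is an added example, not part of the report, showing the difference between counting alerts per IP address and counting per host after correlating alert timestamps with a DHCP lease table; the alert lines, lease records and hostnames are constructed placeholders.

```python
from collections import Counter
from datetime import datetime

# Constructed alert log lines, not data from the study:
# "<timestamp> src=<ip> type=<event type>".
ALERT_LINES = [
    "2013-11-12T10:01:03 src=10.1.2.3 type=callback",
    "2013-11-12T10:06:10 src=10.1.2.3 type=callback",
    "2013-11-13T09:15:00 src=10.1.2.9 type=callback",
    "2013-11-13T09:20:00 src=10.1.2.9 type=malware-object",
    "2013-11-14T08:00:00 src=10.1.2.17 type=domain-match",
    "2013-11-14T08:05:00 src=10.1.2.3 type=callback",  # no lease covers this one
]
# Constructed DHCP lease records: (hostname, ip, lease start, lease end), ISO 8601.
# The same workstation holds three different addresses on three days.
LEASES = [
    ("WS-0042", "10.1.2.3", "2013-11-12T08:00:00", "2013-11-12T20:00:00"),
    ("WS-0042", "10.1.2.9", "2013-11-13T08:00:00", "2013-11-13T20:00:00"),
    ("WS-0042", "10.1.2.17", "2013-11-14T07:30:00", "2013-11-14T19:30:00"),
]


def parse_alert(line):
    """Split one alert line into (timestamp, source ip, event type)."""
    ts, src, kind = line.split()
    return datetime.fromisoformat(ts), src.split("=", 1)[1], kind.split("=", 1)[1]


def resolve_host(ip, ts, leases):
    """Hostname holding `ip` at time `ts` per the lease table, or None if no lease covers it."""
    for host, lease_ip, start, end in leases:
        if lease_ip == ip and datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end):
            return host
    return None


def alerts_per_ip(lines):
    """The naive count used when hosts cannot be differentiated: one 'host' per source IP."""
    return Counter(parse_alert(line)[1] for line in lines)


def alerts_per_host(lines, leases):
    """Count after mapping each alert's IP to the host that held it at that moment.
    Alerts with no matching lease are kept under an 'unresolved:<ip>' key."""
    counts = Counter()
    for line in lines:
        ts, ip, _ = parse_alert(line)
        host = resolve_host(ip, ts, leases)
        counts[host if host else f"unresolved:{ip}"] += 1
    return counts


def summary(lines, leases):
    """Distinct entity counts and average alerts per entity under both methods."""
    per_ip, per_host = alerts_per_ip(lines), alerts_per_host(lines, leases)
    return {"distinct_ips": len(per_ip), "distinct_hosts": len(per_host),
            "avg_per_ip": sum(per_ip.values()) / len(per_ip),
            "avg_per_host": sum(per_host.values()) / len(per_host)}


if __name__ == "__main__":
    print(summary(ALERT_LINES, LEASES))
```

With the constructed data the per-IP view reports three affected hosts where the lease table shows one workstation plus one alert that cannot be attributed.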
Connections to the Internet
As described above, we observed more than 6000 connections from organisations’ internal networks to the Internet
(callbacks to CnC servers). Figure 8 shows the number of callback requests in organisations that have such traffic.
It should be noted that certain malware types try to stay as silent as possible on purpose. This type of malware very
seldom establishes connections to CnC servers. The implication of this is that even though the amount of connections to
the CnC server is small, the organisations could still be under a serious attack.
Figure 8 - Amount of Callback Events in Organisations
Modern malware programs encrypt the callback traffic and hence we were unable to extract clear text examples of the
traffic that these callbacks included (5). As already indicated, such callbacks may include, for example, requests for further
commands or, even worse, confidential data leaking out of the organisation.
In Figure 9, we have summarised the target TCP ports used by the malware to connect to the CnC servers. The callback
traffic almost always uses port 80 and HTTP connections. This is most probably because it is the easiest
way to connect outside: port 80 is not usually blocked by firewalls. This is also one of the main reasons why traditional
firewalls are becoming obsolete.
Figure 9 - Callback Ports
(5) There is an amount of data which allows unauthorised transmission of important corporate secrets, such as IPR. However, analysis of the
specific data in question was not directly within the scope of this report. Important corporate secrets may consist of e.g. user identities, security
management details, plain documents, database dumps etc. Some of the transmissions used encryption to protect data in transit.
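The following Python is an added example, not code from the report or from FireEye, showing one way a defender can surface the regular port-80 callbacks described above in ordinary proxy logs: connections from one client to one destination are grouped and flagged when their inter-arrival times are nearly constant, which also catches the low-volume "silent" case where only a handful of connections occur. The log lines, addresses and URL paths are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines, not data from the study:
# "<timestamp> <client ip> <destination ip>:<port> <method> <path>".
PROXY_LINES = [
    # Regular five-minute POSTs to one host over port 80: the callback pattern.
    "2013-11-20T09:00:00 10.1.2.3 198.51.100.7:80 POST /ping",
    "2013-11-20T09:05:02 10.1.2.3 198.51.100.7:80 POST /ping",
    "2013-11-20T09:09:58 10.1.2.3 198.51.100.7:80 POST /ping",
    "2013-11-20T09:15:01 10.1.2.3 198.51.100.7:80 POST /ping",
    "2013-11-20T09:20:00 10.1.2.3 198.51.100.7:80 POST /ping",
    # Silent variant: only four connections all day, but exactly six hours apart.
    "2013-11-20T00:00:00 10.1.2.9 203.0.113.5:80 GET /status",
    "2013-11-20T06:00:00 10.1.2.9 203.0.113.5:80 GET /status",
    "2013-11-20T12:00:00 10.1.2.9 203.0.113.5:80 GET /status",
    "2013-11-20T18:00:00 10.1.2.9 203.0.113.5:80 GET /status",
    # Ordinary browsing: bursty, irregular intervals to the same site.
    "2013-11-20T10:00:00 10.1.2.3 192.0.2.10:80 GET /",
    "2013-11-20T10:00:03 10.1.2.3 192.0.2.10:80 GET /style.css",
    "2013-11-20T10:00:04 10.1.2.3 192.0.2.10:80 GET /logo.png",
    "2013-11-20T10:07:40 10.1.2.3 192.0.2.10:80 GET /news",
    "2013-11-20T11:31:00 10.1.2.3 192.0.2.10:80 GET /about",
]


def parse_line(line):
    """Split one proxy line into (timestamp, src, dst, port, method, path)."""
    ts, src, dst_port, method, path = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), method, path


def group_flows(lines):
    """Timestamps of every connection, keyed by (client, destination, port)."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _, _ = parse_line(line)
        flows[(src, dst, port)].append(ts)
    return flows


def interval_stats(timestamps):
    """Mean gap between consecutive connections and its coefficient of variation
    (population std dev / mean); a CV near 0 means a fixed period."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(lines, min_events=4, max_cv=0.1):
    """Flag (client, destination, port) triples whose connections repeat on a
    near-constant period. min_events is kept low on purpose so that sparse,
    long-period callbacks are not dismissed just because they are few."""
    results = []
    for (src, dst, port), stamps in group_flows(lines).items():
        if len(stamps) < min_events:
            continue
        mean, cv = interval_stats(stamps)
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "port": port, "events": len(stamps),
                            "period_s": round(mean), "cv": round(cv, 3)})
    return sorted(results, key=lambda r: r["period_s"])


if __name__ == "__main__":
    for hit in find_beacons(PROXY_LINES):
        print(hit)
```

Periodicity alone is a lead, not proof: a flagged pair still needs the destination checked against threat intelligence and the host examined, but it is a check that works even when the callback body itself is encrypted.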
The Business Perspective
In the chapters above, we have analysed the state of
an unknown threat from the technical perspective. In
addition to the impact on the technical side, the issue has
a significant business impact due to the following key
reasons (6):
• False feeling of security. The study showed that many organisations are dependent on traditional security controls and believe that those will protect them sufficiently. The study showed that this is not the case.
• Direct losses to business functions. Competitors may get valuable information by eavesdropping on the organisation’s information. It may contain, for example, R&D information or information on prices during competitive bidding. Additionally, the malware could destroy data inside the organisation, which may be costly to re-create. It is also possible that because of the breach, the company has to pay fines or pay compensation to a third party. The European Union is currently preparing to introduce directives that may lead to significantly more substantial fines, especially in data privacy cases.
• Indirect losses to business functions. Information security incidents may lead to loss of reputation, which may have an indirect effect on business.
• IT costs related to an incident. Even if the incident does not have a direct effect on business functions, it may be costly to remediate. Some IT functions may be limited during the clean-up, it may require many man-days to remove the malware, and it will be very difficult to determine when the environment is properly cleaned up after the incident.
From the results of our study, especially in cases of
organisations with widespread problems, it is clear that the
unknown threat has business implications.
Regarding the costs listed above, especially the first three
are hard to quantify and it is hard to introduce these types
of threats to organisations’ risk management processes.
It is therefore possible that even though the IT function
would see the benefit of enhancing the protection against
unknown threats, justifying the cost can be very hard.
The results of this study and recent security breaches and
issues covered by the media should help in justifying the
security investments.
If the unknown threat remains unknown to the business,
it may mean that information security is managed by
assuming that the organisation does not have any
widespread problems and that existing security controls
are enough to protect the organization.
In addition to identifying the threats, it is important to
identify and evaluate the value of business information
so that the assets can be properly protected. We
acknowledge that even if this sounds easy, it is far from it.
(6) In the study, we only obtained technical data and did not even try to
correlate it with business losses. For this reason, this chapter gives a
general business view from the perspective of the study.
Solutions to Threats
The study shows that there are threats and ongoing attacks in the organisations. It is clear that organisations must better
ensure that their protection is up to date and that they have visibility into ongoing attacks. (7)
In the study, we identified malware traffic that should have been filtered out by traditional network level anti-virus
solutions or prevented by a host-based anti-virus solution. In practice this means that the traditional solutions are not up
to date or are otherwise incapable of mitigating the threat. In order to prevent attacks, organisations should ensure that
basic information security controls are applied in a constant and ongoing manner. (8)
In addition to known attack traffic, we identified plenty of zero-day attack traffic. This means that traditional solutions are
not sufficient to prevent modern threats. If organisations want to have better control over information assets, they should
monitor the network and use modern solutions that do not rely on signatures only. (9)
In addition to technical security controls, organisations should teach their personnel how to use computers in compliance
with the organisation’s information security policy. If employees use computers without any concern of security, it makes
an attacker’s task too easy.
It should be noted that adding a technical solution to the organisation’s network is always a risk in itself, even if the
purpose of the solution is to improve the information security. Often, the information security solutions have access to
a large amount of the organisation’s data. Therefore, when implementing such solutions, organisations should take the
risks into consideration and implement only solutions that are used optimally. (10)
(7) In this study, we did not correlate the current information security solutions with the attack traffic. This is an interesting area for further research.
(8) Basic information security controls include, for example, secure software, patch management, password policies and the like. An example of a
comprehensive list of security controls is ISO/IEC 27001.
(9) Many of the current anti-virus providers claim that their products are not using only signatures but also more advanced methods. However, as
this study shows, those methods currently implemented in anti-virus solutions are far from effective.
(10) Example of non-optimal use is a solution that is used to monitor the state of information security and no one is actually using the solution
actively (inspecting the events and acting on them).
Conclusions
KPMG arranged a study to clarify the state of an unknown
information security threat in Finland. In the study, we
monitored the network traffic in 10 organisations and used
state-of-the-art technology to find attack traffic.
The main finding of the study is that almost half of the
case organisations in the scope of the study are already
breached. It means that organisations in Finland cannot
trust that their information assets are secured.
In the study, we noticed that there is a lot of malicious
zero-day traffic that is impossible to detect using traditional
information security solutions. In addition to this advanced
threat, there is also known malicious traffic that should not
exist if already installed solutions would work properly.
Organisations should investigate whether their protection
mechanisms are sufficient in today’s interconnected world
where attacks are growing in complexity.
Information security attacks may have significant
business impact. Therefore, it is essential that IT and
business functions have a regular dialogue on the state of
information security and handle information security risks
as part of day-to-day risk management.
As a summary, all organisations should at least consider
and do the following:
• Verify that basic information security controls are implemented and maintained properly
• Verify that end-user devices are properly maintained and updated. This also includes all applications such as Java, PDF readers, media players, browsers and so on
• Raise end-user and C-level awareness of current cyber security threats and their impacts
• Improve their ability to detect unwanted actions in their networks and IT systems
• Improve their ability to react to unwanted actions they detect
• Do not have a false feeling of security due to implemented preventative controls – they fail to mitigate all the risks
Matti Järvinen
Head of Technical Security Services
Management Consulting
T: +358 (0)20 760 3672
E: matti.jarvinen@kpmg.fi
Mika Laaksonen
Head of Information Security Services
Management Consulting
T: +358 (0)20 760 3337
E: mika.laaksonen@kpmg.fi
www.kpmg.fi
© 2014 KPMG Oy Ab, a Finnish limited liability company and a member firm of the KPMG network of independent member firms
affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
KPMG and the KPMG logo are registered trademarks or trademarks of KPMG International Cooperative, a Swiss entity.